|
|
Пишет LWN.net (![[info]](http://lj.rossia.org/img/syndicated.gif){kind=small} syn_lwnheadline)@ 2018-12-20 21:27:00 |
 |
|
 |
|
|
|
|
|
|
 |
|
 |
[$] Live patching for CPU vulnerabilities
The kernel's live-patching (KLP) mechanism can apply a wide variety of
fixes to a running kernel but, at a first glance, the sort of highly
intrusive changes needed to address vulnerabilities like Meltdown or L1TF
would not seem like likely candidates for live patches.
The most notable obstacles are the required
modifications of global semantics on a running system, as well as the
need for live patching the kernel's entry code. However, we at the SUSE live
patching team started working on proof-of-concept live patches for these
vulnerabilities as a
fun project and have been able to overcome these hurdles. The
techniques we developed are generic and might become handy again when
fixing future vulnerabilities.
The kernel's live-patching (KLP) mechanism can apply a wide variety of
fixes to a running kernel but, at a first glance, the sort of highly
intrusive changes needed to address vulnerabilities like Meltdown or L1TF
would not seem like likely candidates for live patches.
The most notable obstacles are the required
modifications of global semantics on a running system, as well as the
need for live patching the kernel's entry code. However, we at the SUSE live
patching team started working on proof-of-concept live patches for these
vulnerabilities as a
fun project and have been able to overcome these hurdles. The
techniques we developed are generic and might become handy again when
fixing future vulnerabilities.
