thoughts on livepatch?
Joseph Reynolds
jrey at linux.ibm.com
Sat Oct 24 07:35:48 AEDT 2020
On 10/22/20 8:00 PM, Nancy Yuen wrote:
> And I was trigger happy. Meant to include...
> This Message Is From an External Sender
> This message came from outside your organization.
>
> And I was trigger happy. Meant to include
> https://www.kernel.org/doc/Documentation/livepatch/livepatch.txt
>
> On Thu, Oct 22, 2020 at 5:59 PM Nancy Yuen <yuenn at google.com
> <mailto:yuenn at google.com>> wrote:
>
> Anyone tried it with OpenBMC? Any thoughts?
>
What is the use case? I assume this is to patch an OpenBMC-based
firmware image without having to rebuild and distribute the entire
image. What is the benefit of using livepatching compared to creating a
new image that has the fix included, and rebooting the BMC to apply it?
Benefits?
- Smaller patch requires less bandwidth to distribute.
- Possible increased ability to apply patches sooner (compared to
installing entire image then rebooting the BMC).
- Quicker apply times means less BMC downtime.
What is the cost?
- More complicated infrastructure to train staff and to create, track
test, distribute, and apply patches.
- You have to test the patched image and test the image that has the
permanent fix.
- Does patching work and play nicely with secure boot and attestation
schemes?
Kernel livepatching is similar to immediate PTFs on IBM i. As
developers, we were encouraged to develop patches that could be applied
immediately (meaning no reboot required). These sometimes took extra
time to develop, and it was not always possible to develop such a fix,
required additional testing, and sometimes caused customer problems.
My 2 cents worth,
- Joseph
>
> Nancy Yuen
>
>
>
> •
>
>
>
> Google Platforms
>
>
>
> •
>
>
>
> yuenn at google.com <mailto:yuenn at google.com>
>
>
>
> •
>
>
>
> Google LLC
>
>
>
> --
>
> Nancy Yuen
>
>
>
> •
>
>
>
> Google Platforms
>
>
>
> •
>
>
>
> yuenn at google.com <mailto:yuenn at google.com>
>
>
>
> •
>
>
>
> Google LLC
>
More information about the openbmc
mailing list