Compile-time stack validation for Livepatch

最新推荐文章于 2022-05-12 20:55:26 发布
转载 最新推荐文章于 2022-05-12 20:55:26 发布 · 242 阅读 · 0 ·
CC 4.0 BY-SA版权
原文链接:https://lwn.net/Articles/658333/
文章标签:

#kernel

本文讨论了实时内核补丁的困境,特别是关于一致性模型的不确定性。在确保补丁安全应用到运行内核的过程中,需要验证受影响函数在补丁应用时是否执行。提出了冻结所有进程以检查调用堆栈的方法,但由于内核调用堆栈信息的不可靠性,这种方法受到质疑。作者提出了一种名为'编译时栈元数据验证'的方法,通过新的工具stacktool在构建过程中检查整个内核,确保所有代码都遵循维护调用栈的规则,每个汇编函数都标记为可调用函数,从而增强对实时补丁系统的信心。

Compile-time stack validation

original

In order to get their code upstream, they must first invest considerable effort into
fixing a related subsystem. Live patching is exactly a case in point.

Live patch’s dilemma

Consistecy Model

“Consistecy model” remained unsettled, even ther core code had been merged.
Ensuring that a patch is applied to a live kernel if it is safe to do so;

  1. that job includes checking to be sure that the affected functions are not
    executing at the time the patch is applied.
  2. Don’t cause crash during patching.

Atempts

  • Freeze all:
    One way of ensuring that a given function is not executing is to freeze all processes
    on the system, then examine the call stack of each to see which functions are active
    all the time. – used by kPatch and kGraft.
    But, strong opposition came for a simple reason: the information in the kernel’s
    call stack is often not reliable.
    for example: assembly code that does not set up proper stack frames

At the time, 100% reliable stack traces were not widely seen as an attainable goal. It is certainly possible to fix up all of the assembly code that does not set up proper stack frames (assuming it could all be found), but, since nothing in the kernel’s normal operation depends on good call-stack information, there was nothing preventing things from breaking again at any time. In the absence of some sort of ongoing assurance that the kernel’s call stack will always remain valid, it is hard to be confident that a live-patching system won’t do the wrong thing.

Conclusion

In the absence of some sort of ongoing assurance that the kernel’s call stack
will always remain valid, it is hard to be confident that a live-patching system won’t do the wrong thing.

  • Assembly code calls another function without setting up new stack frame.
    The validation tool checks to make sure that function calls are surrounded by the appropriate frame-maintenance code.
    There are currently assembly macros to do this work, but they are unused; Josh’s patch renames them to FRAME_BEGIN and FRAME_END and puts them into use.
    Versions of these macros for inline assembly in C code have also been added; they can be found in <asm/frame.h>.
  • Dynmamic jumps
    for the most part, they are only allowed as part of a C switch statement.
    for “siling calls”, where the end of one function jumps to the beginning of another and the frame pointer hasn’t changed.

Validating the call stack

Josh Poimboeuf find a wat to make the call stack valid at all times and keep it
that way, named “compile-time stack metadata validation”.
This work adds a new tool (called stacktool)
that checks the entire kernel as part of the build process to be sure that all
code obeys the rules for maintaining the call stack.

Every function in assembly code must be marked aas a callable function(ELF function type)

{“error“:{“root_cause“:[{“type“:“script_exception“,“reason“:“compile error“,“script_stack“:[“... par
知识改变命运,ヾ(◍°∇°◍)ノ゙【求关注】
05-04 3182
ES更新时报错
[转]ubuntu Makefile:976: “Cannot use CONFIG_STACK_VALIDATION=y
qq_20252351的博客
06-02 5548
ubuntu 编译驱动是出现下面错误 xiao@xiao-virtual-machine:~/RTL8812AU_linux_v5.1.5_19247.20160830/driver/rtl8812AU_linux_v5.1.5_19247.20160830$ make make ARCH=x86_64 CROSS_COMPILE= -C /lib/modules/4.15.0-29-gener...
HTTP Status 500 - Unable to compile class for JSP
yskyj的专栏
06-26 8458
type Exception report message Unable to compile class for JSP: description The server encountered an internal error that prevented it from fulfilling this request. exception org.apache.jasper.Ja
Z-Stack Overview
weixin_38301637的博客
11-08 1503
Z-Stack Overview 1. Introduction 1.1 Purpose This document explains some of the components of the Texas Instruments Zigbee stack and their functioning. It explains the configurable parameters in the Z...
How to use Keras Models With Scikit-Learn For General Machine Learning
u011868279的博客
05-12 516
The scikit-learn library is the most popular library for general machine learning in Python. In this lesson you will discover how you can use deep learning models from Keras with the scikit-learn library in Python. After completing this lesson you will kn
4.maven项目 子模块启动报错 Non-resolvable parent POM for com.example:demo:0.0.1-SNAPSHOT: Failure to transfer
Sucker的小笔记
02-18 5202
Project build error: Non-resolvable parent POM for com.example:demo-1:0.0.1-SNAPSHOT: Failure to transfer org.springframework.boot:spring-boot-starter-parent:pom:1.5.2.RELEASE from https://repo.maven....
Vue 14v-for迭代数字
mqingo的博客
01-02 449
14v-for迭代数字.html &lt;!DOCTYPE html&gt; &lt;html&gt; &lt;head&gt; &lt;meta charset="UTF-8"&gt; &lt;title&gt;14v-for迭代数字&lt;/title&gt; &lt;script type="text/javascript" src=&quo
Vue 12v-for循环对象数组
mqingo的博客
01-02 522
12v-for循环对象数组.html &lt;!DOCTYPE html&gt; &lt;html&gt; &lt;head&gt; &lt;meta charset="UTF-8"&gt; &lt;title&gt;12v-for循环对象数组&lt;/title&gt; &lt;script type="text/javascript" src=
Vue 11v-for循环普通数组
mqingo的博客
01-02 1059
11v-for循环普通数组.html &lt;!DOCTYPE html&gt; &lt;html&gt; &lt;head&gt; &lt;meta charset="UTF-8"&gt; &lt;title&gt;11v-for循环普通数组&lt;/title&gt; &lt;script type="text/javascript" src=
"D:\Program Files\Java\jdk21\bin\java.exe" -Dmaven.multiModuleProjectDirectory=D:\project\zysczx -Djansi.passthrough=true -Dmaven.home=D:\apache-maven-3.6.1 -Dclassworlds.conf=D:\apache-maven-3.6.1\bin\m2.conf "-Dmaven.ext.class.path=D:\IntelliJ IDEA 2023.1.2\plugins\maven\lib\maven-event-listener.jar" "-javaagent:D:\IntelliJ IDEA 2023.1.2\lib\idea_rt.jar=64080:D:\IntelliJ IDEA 2023.1.2\bin" -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.stderr.encoding=UTF-8 -classpath D:\apache-maven-3.6.1\boot\plexus-classworlds-2.6.0.jar org.codehaus.classworlds.Launcher -Didea.version=2023.1.2 -s D:\apache-maven-3.6.1\conf\settings.xml -Dmaven.repo.local=D:\maven_repository install -P dev,!jdk-1.8 [INFO] Scanning for projects... [WARNING] [WARNING] Some problems were encountered while building the effective model for com.shou:zysczx:jar:1.0-SNAPSHOT [WARNING] 'dependencies.dependency.(groupId:artifactId:type:classifier)' must be unique: org.springframework.boot:spring-boot-starter-validation:jar -> duplicate declaration of version (?) @ line 230, column 21 [WARNING] [WARNING] It is highly recommended to fix these problems because they threaten the stability of your build. [WARNING] [WARNING] For this reason, future Maven versions might no longer support building such malformed projects. [WARNING] [INFO] [INFO] --------------------------< com.shou:zysczx >--------------------------- [INFO] Building shou-center 1.0-SNAPSHOT [INFO] --------------------------------[ jar ]--------------------------------- [INFO] [INFO] --- maven-resources-plugin:3.3.1:resources (default-resources) @ zysczx --- [INFO] Copying 4 resources from src\main\resources to target\classes [INFO] Copying 64 resources from src\main\resources to target\classes [INFO] ------------------------------------------------------------------------ [INFO] BUILD FAILURE [INFO] ------------------------------------------------------------------------ [INFO] Total time: 2.777 s [INFO] Finished at: 2025-07-15T13:01:04+08:00 [INFO] ------------------------------------------------------------------------ [ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.13.0:compile (default-compile) on project zysczx: The plugin org.apache.maven.plugins:maven-compiler-plugin:3.13.0 requires Maven version 3.6.3 -> [Help 1] [ERROR] [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch. [ERROR] Re-run Maven using the -X switch to enable full debug logging. [ERROR] [ERROR] For more information about the errors and possible solutions, please read the following articles: [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/PluginIncompatibleException 进程已结束,退出代码1
07-16
在使用 Maven 构建项目时,可能会遇到如下错误: ``` Maven build failed: plugin org.apache.maven.plugins:maven-compiler-plugin:3.13.0 requires Maven version 3.6.3 ``` 该错误表明当前使用的 Maven 版本与 ...
D:\004 newCoinInfo>mvn clean package [INFO] Scanning for projects... [INFO] [INFO] ------------------------< com.example:test_reg >------------------------ [INFO] Building test_reg 0.0.1-SNAPSHOT [INFO] from pom.xml [INFO] --------------------------------[ jar ]--------------------------------- [WARNING] The POM for com.alibaba:druid:jar:1.1.10 is invalid, transitive dependencies (if any) will not be available, enable debug logging for more details [INFO] [INFO] --- clean:3.2.0:clean (default-clean) @ test_reg --- [INFO] Deleting D:\004 newCoinInfo\target [INFO] [INFO] --- resources:3.2.0:resources (default-resources) @ test_reg --- [INFO] Using 'UTF-8' encoding to copy filtered resources. [INFO] Using 'UTF-8' encoding to copy filtered properties files. [INFO] Copying 1 resource [INFO] Copying 1 resource [INFO] [INFO] --- compiler:3.10.1:compile (default-compile) @ test_reg --- [INFO] Changes detected - recompiling the module! [INFO] Compiling 7 source files to D:\004 newCoinInfo\target\classes [INFO] ------------------------------------------------------------- [ERROR] COMPILATION ERROR : [INFO] ------------------------------------------------------------- [ERROR] No compiler is provided in this environment. Perhaps you are running on a JRE rather than a JDK? [INFO] 1 error [INFO] ------------------------------------------------------------- [INFO] ------------------------------------------------------------------------ [INFO] BUILD FAILURE [INFO] ------------------------------------------------------------------------ [INFO] Total time: 0.801 s [INFO] Finished at: 2023-07-19T18:15:08+08:00 [INFO] ------------------------------------------------------------------------ [WARNING] [WARNING] Plugin validation issues were detected in 2 plugin(s) [WARNING] [WARNING] * org.apache.maven.plugins:maven-resources-plugin:3.2.0 [WARNING] * org.apache.maven.plugins:maven-compiler-plugin:3.10.1 [WARNING] [WARNING] For more or less details, use 'maven.plugin.validation' property with one of the values (case insensitive): [BRIEF, DEFAULT, VERBOSE] [WARNING] [ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.10.1:compile (default-compile) on project test_reg: Compilation failure [ERROR] No compiler is provided in this environment. Perhaps you are running on a JRE rather than a JDK? [ERROR] [ERROR] -> [Help 1] [ERROR] [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch. [ERROR] Re-run Maven using the -X switch to enable full debug logging. [ERROR] [ERROR] For more information about the errors and possible solutions, please read the following articles: [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
07-20
根据你提供的日志信息,出现了以下错误: ``` [ERROR] No compiler is provided in this environment. Perhaps you are running on a JRE rather than a JDK? ``` 这个错误提示表明你的环境中没有提供编译器,可能...
模仿小红书的小网页.html
11-25
模仿小红书的小网页.html
Docker部署GitLab指南[代码]
11-25
本文详细介绍了使用Docker-compose部署GitLab的完整步骤。首先从DockerHub拉取最新版GitLab镜像,然后创建必要的目录结构并编辑docker-compose.yml配置文件,其中包含了端口映射、卷挂载和环境变量等关键配置项。接着通过docker compose命令快速启动GitLab服务,并提供了访问GitLab仓库的方法。最后还说明了如何获取初始root用户密码进行登录。整个过程经过作者亲测有效,为需要搭建GitLab服务的用户提供了实用参考。
ByVision_Cutting_Laser_V6-1-0_操作说明.pdf
11-25
ByVision_Cutting_Laser_V6-1-0_操作说明.pdf
51单片机c源码-1个共阳数码管显示变化数字
最新发布
11-25
51单片机c源码-1个共阳数码管显示变化数字
【高速以太网物理层】1.6TbE PCS通道形成与对齐标记插入机制:面向IEEE 802.3dj标准的多通道数据分布及FEC降级监测方案设计
11-25
内容概要:本文档提出了1.6TbE PCS(物理编码子层)中PCS通道形成与对齐标记(AM)插入的基线方案,作为IEEE P802.3dj任务组标准制定的一部分。文档详细描述了1.6TbE系统中如何将RS-FEC符号按轮询方式分配到16个PCS通道中,每个通道速率为100Gbps,并定义了AM标记在各通道中的分布结构与插入机制。通过对齐标记的映射规则、填充方式、状态字段传输以及伪代码实现,确保发送端与接收端的数据对齐、解交错与正确恢复。此外,还涵盖了FEC误码劣化信号生成和HI_SER监控机制,并讨论了PMA层在不同接口配置下的符号复用要求。该提案与先前采纳的基线共同构成完整的1.6TbE PCS规范。; 适合人群:从事高速以太网物理层设计、通信协议开发或标准制定的工程师和技术专家,具备数字通信与FEC编码基础知识的研发人员; 使用场景及目标:①为1.6TbE以太网PCS层的设计提供标准化参考;②指导硬件实现中的AM插入/删除、通道形成、误码监测等功能模块开发;③支持多厂商设备互操作性的统一规范制定; 阅读建议:此文档技术性强,涉及大量底层符号映射与伪代码逻辑,建议结合IEEE 802.3现有标准(如CL119、CL172)对照阅读,并关注后续对时钟内容与基线漂移的分析补充。
基于SSM的小码创客教育教学资源库的设计与实现
11-25
随着信息技术在管理上越来越深入而广泛的应用,作为学校以及一些培训机构,都在用信息化战术来部署线上学习以及线上考试,可以与线下的考试有机的结合在一起,实现基于SSM的小码创客教育教学资源库的设计与实现在技术上已成熟。本文介绍了基于SSM的小码创客教育教学资源库的设计与实现的开发全过程。通过分析企业对于基于SSM的小码创客教育教学资源库的设计与实现的需求,创建了一个计算机管理基于SSM的小码创客教育教学资源库的设计与实现的方案。文章介绍了基于SSM的小码创客教育教学资源库的设计与实现的系统分析部分,包括可行性分析等,系统设计部分主要介绍了系统功能设计和数据库设计。 本基于SSM的小码创客教育教学资源库的设计与实现有管理员,校长,教师,学员四个角色。管理员可以管理校长,教师,学员等基本信息,校长角色除了校长管理之外,其他管理员可以操作的校长角色都可以操作。教师可以发布论坛,课件,视频,作业,学员可以查看和下载所有发布的信息,还可以上传作业。因而具有一定的实用性。 本站是一个B/S模式系统,采用Java的SSM框架作为开发技术,MYSQL数据库设计开发,充分保证系统的稳定性。系统具有界面清晰、操作简单,功能齐全的特点,使得基于SSM的小码创客教育教学资源库的设计与实现管理工作系统化、规范化。
CSS颜色代码大全[项目代码]
11-25
本文提供了CSS颜色代码的详细对照表,包括各种颜色的英文名称及其对应的十六进制代码。内容涵盖了从基本颜色如黑色、白色、红色、绿色、蓝色等,到更复杂的颜色如桃红、紫红、褐橘、米白、金黄、黄绿、蓝绿等多种颜色。此外,还列出了颜色的英文词汇和对应的代码,方便开发者在设计和开发过程中快速查找和使用。这些颜色代码适用于网页设计、UI开发等多个领域,是前端开发者的实用参考资料。
JS实现iframe数据传递[可运行源码]
11-25
本文详细介绍了在网页开发中使用JavaScript实现iframe间数据传递的多种方法,包括postMessage、window.name、location.hash、Web存储API以及window.parent和window.frames属性。文章首先分析了iframe数据传递的需求和挑战,特别是同源策略和跨域问题的影响。随后,深入探讨了每种方法的原理、适用条件和安全注意事项,如postMessage的通信机制和安全实践、window.name属性的特点及应用、location.hash的基本用法与限制,以及Web存储API在同源策略下的数据交换机制。通过代码示例、表格和流程图,文章为开发者提供了全面的技术选择和实现指南,帮助他们在跨域或同源环境下高效、安全地实现数据共享。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值