* thoughts on livepatch?
From: Nancy Yuen @ 2020-10-23 0:59 UTC
To: OpenBMC Maillist

Anyone tried it with OpenBMC? Any thoughts?

Nancy Yuen • Google Platforms • yuenn@google.com • Google LLC

* Re: thoughts on livepatch?
From: Nancy Yuen @ 2020-10-23 1:00 UTC
To: OpenBMC Maillist

And I was trigger happy. Meant to include
https://www.kernel.org/doc/Documentation/livepatch/livepatch.txt

On Thu, Oct 22, 2020 at 5:59 PM Nancy Yuen <yuenn@google.com> wrote:
> Anyone tried it with OpenBMC? Any thoughts?

--
Nancy Yuen • Google Platforms • yuenn@google.com • Google LLC

* Re: thoughts on livepatch?
From: Joseph Reynolds @ 2020-10-23 20:35 UTC
To: openbmc, Nancy Yuen

On 10/22/20 8:00 PM, Nancy Yuen wrote:
> And I was trigger happy. Meant to include
> https://www.kernel.org/doc/Documentation/livepatch/livepatch.txt
>
> On Thu, Oct 22, 2020 at 5:59 PM Nancy Yuen <yuenn@google.com> wrote:
>
> > Anyone tried it with OpenBMC? Any thoughts?

What is the use case? I assume this is to patch an OpenBMC-based firmware image without having to rebuild and distribute the entire image.

What is the benefit of using livepatching compared to creating a new image that has the fix included, and rebooting the BMC to apply it?

Benefits?
- Smaller patch requires less bandwidth to distribute.
- Possible increased ability to apply patches sooner (compared to installing entire image then rebooting the BMC).
- Quicker apply times means less BMC downtime.

What is the cost?
- More complicated infrastructure to train staff and to create, track, test, distribute, and apply patches.
- You have to test the patched image and test the image that has the permanent fix.
- Does patching work and play nicely with secure boot and attestation schemes?

Kernel livepatching is similar to immediate PTFs on IBM i. As developers, we were encouraged to develop patches that could be applied immediately (meaning no reboot required). These sometimes took extra time to develop, and it was not always possible to develop such a fix, required additional testing, and sometimes caused customer problems.

My 2 cents worth,
- Joseph

* RE: [EXTERNAL] Re: thoughts on livepatch?
From: Neeraj Ladkani @ 2020-10-23 20:52 UTC
To: Joseph Reynolds, openbmc, Nancy Yuen

A few concerns are:
- Permutations and combinations of patches and validation chaos
- Runtime security
- Resources needed (CPU + storage) for a good package manager!

Looking forward to this if there is good momentum to design a good and secure package manager for OpenBMC.

Neeraj