What is Linux Kernel Live Patching and When Should it Be Done?
Kernel vulnerabilities are fixed by releasing a new kernel version, or by releasing patches for the kernels already in use. Normally, once a fix is installed, the system must be rebooted into the new kernel (or, for userspace fixes, the affected processes restarted) before the fix takes effect. Linux kernel live patching avoids that reboot: it updates the running kernel in memory by applying a security fix without rebooting the system or restarting any process. Fixes can therefore be applied immediately instead of waiting for a scheduled maintenance window, for users to log off, or for a long-running job to finish, which improves security and stability without sacrificing uptime. Live patching does not replace regular kernel updates, though: live patches are meant for small, targeted security fixes, and the live-patched kernel should still be replaced by a fully updated one at the next planned reboot.
Several vendors offer software that applies kernel live patches automatically. The most commonly used tools are:
* Ksplice (Oracle)
* kpatch (Red Hat)
* kGraft (SUSE)
* Canonical Livepatch (Ubuntu)
* KernelCare (CloudLinux), a commercial service that supports several distributions
Kernel live patching is achieved with the following steps:
- Obtain the source tree of the exact running kernel (same version and configuration)
- Prepare the patch against that kernel
- Use one of the tools above to transform the source patch into a loadable live patch module and load it into the running kernel
Live patching works at function granularity: each function touched by the fix is compiled into a new version, and calls to the old function are redirected to the new one. The patch is delivered as a kernel module; the livepatch core inside the kernel performs the redirection (mainline livepatch uses the ftrace function-tracing hooks for this), so the kernel's inner workings change without the kernel being reloaded.
To allow live patching to work, several requirements need to be met. First, the kernel itself must support livepatch (CONFIG_LIVEPATCH). Initial mainline support was added in Linux 4.0, so you need a reasonably recent kernel; on a running system the presence of /sys/kernel/livepatch shows that the core is available. Second, the system needs a client tool to retrieve kernel patches and load them. Because patches are loaded as kernel modules, module loading must be permitted, and where module signature enforcement or Secure Boot is in use the patch modules must be signed by a key the kernel trusts. The patches themselves are normally built by the Linux distribution, since building them correctly requires the exact source and configuration of the running kernel and expertise in how the function redirection works; a live patch built for a different kernel build will not load. Once a patch is loaded the kernel sets the TAINT_LIVEPATCH taint flag (shown as K), which is expected and not a sign of a problem.
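As an added example (not code from the original article or from any of the vendors named above), the following POSIX shell script checks the prerequisites just listed on a running system: whether the kernel config enables CONFIG_LIVEPATCH, whether the kernel carries the live-patch taint flag (bit 15 of /proc/sys/kernel/tainted, value 32768, shown as K), and which patches are loaded under /sys/kernel/livepatch, with their enabled and transition state and the functions they replace. The function and variable names are my own choices; the paths are the kernel's standard sysfs and procfs locations, and each function takes its path as a parameter so it can also be run against a constructed fixture directory.

```shell
#!/bin/sh
# Added example: inspect live patching prerequisites and state on a running
# Linux system. Function names are the editor's own; the paths are the
# kernel's standard ones (CONFIG_LIVEPATCH in the kernel config,
# /sys/kernel/livepatch for loaded patches, /proc/sys/kernel/tainted for the
# taint mask).

# Succeed if the given kernel config file enables CONFIG_LIVEPATCH.
# Returns 2 if the file cannot be read, 1 if the option is off or absent.
livepatch_config_enabled() {
    cfg="$1"
    [ -r "$cfg" ] || return 2
    grep -qx 'CONFIG_LIVEPATCH=y' "$cfg"
}

# Succeed if the numeric taint mask has TAINT_LIVEPATCH set.
# That is bit 15 (value 32768), printed as 'K' in oops/panic output.
livepatch_taint_set() {
    taint="$1"
    [ $(( taint & 32768 )) -ne 0 ]
}

# Print one line per loaded patch under a livepatch sysfs tree:
#   <patch-module> enabled=<0|1> transition=<0|1>
# 'transition' is 1 while the per-task consistency model is still migrating
# tasks to the new code (kernels 4.12 and later expose this file).
livepatch_list() {
    root="$1"
    [ -d "$root" ] || return 2
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        enabled=$(cat "$dir/enabled" 2>/dev/null || echo '?')
        transition=$(cat "$dir/transition" 2>/dev/null || echo '?')
        printf '%s enabled=%s transition=%s\n' "$name" "$enabled" "$transition"
    done
}

# Print the functions a single patch replaces, one per line:
#   <object> <function>,<symbol-position>
# Objects are 'vmlinux' or the name of a patched module; the symbol position
# disambiguates duplicate symbol names within an object.
livepatch_functions() {
    patchdir="$1"
    [ -d "$patchdir" ] || return 2
    for obj in "$patchdir"/*/; do
        [ -d "$obj" ] || continue
        for fn in "$obj"*/; do
            [ -d "$fn" ] || continue
            printf '%s %s\n' "$(basename "$obj")" "$(basename "$fn")"
        done
    done
}

# Human-readable summary for the machine this runs on. Never fails, so it can
# be used from a monitoring job; each check degrades to "not confirmed".
livepatch_report() {
    cfg="/boot/config-$(uname -r 2>/dev/null)"
    if livepatch_config_enabled "$cfg"; then
        echo "config:  CONFIG_LIVEPATCH=y ($cfg)"
    else
        echo "config:  CONFIG_LIVEPATCH not confirmed from $cfg (try zcat /proc/config.gz)"
    fi
    taint=$(cat /proc/sys/kernel/tainted 2>/dev/null || echo 0)
    if livepatch_taint_set "$taint"; then
        echo "taint:   TAINT_LIVEPATCH set (flag K); a live patch has been applied"
    else
        echo "taint:   TAINT_LIVEPATCH not set (mask $taint)"
    fi
    if [ -d /sys/kernel/livepatch ]; then
        echo "patches: (from /sys/kernel/livepatch)"
        livepatch_list /sys/kernel/livepatch
        for p in /sys/kernel/livepatch/*/; do
            [ -d "$p" ] && livepatch_functions "$p"
        done
    else
        echo "patches: /sys/kernel/livepatch absent; livepatch core unavailable"
    fi
    return 0
}

livepatch_report
```

Run it as an unprivileged user: the sysfs and procfs files it reads are world-readable. A loaded patch whose transition value stays at 1 means some task has not yet been migrated to the new code (typically a process sleeping inside a patched function), which is the case to watch for after applying a live patch.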
The main Linux distributions that currently support live patching are:
* Arch Linux (livepatch, via the kpatch-git tool)
* Debian (support unclear at the time of writing, possibly from Debian 9)
* Gentoo (kpatch or Ksplice)
* Oracle Linux (Ksplice)
* Red Hat Enterprise Linux 7 (kpatch or Ksplice)
* SUSE (kGraft)
* Ubuntu 16.04 and later (Canonical Livepatch)
March 20, 2020