Elivepatch

Sponsor
東京工科大学 - server sponsor

Introduction
Flexible Distributed Linux Kernel Live Patching



Why?

 * Distributed live patch building
 * Works as client server live patch build model
 * Incremental live patch
 * You can build live patch over the previous one
 * Automatic live patch for security CVE
 * Getting kernel CVE from https://github.com/nluedtke/linux_kernel_cves

How?

 * elivepatch-client
 * Client to be run on the machine where we want to install the live patch.
 * elivepatch-server
 * RESTful API for building the live patch. Using kpatch for building the live patch object.

Elivepatch-server
This is for the machine that will build the live patch.

Installation:

This will install the init.d file under /etc/init.d/elivepatch and the conf.d under /etc/conf.d/elivepatch. From the conf.d file you can change the elivepatch daemon user and permission (by default is root). You can start elivepatch-server on machine startup with:

Elivepatch-client
This is for the machine that will request to build the live patch.

Installation:

CVE livepatch
CVE live patch is the command for live patching the current kernel with last security cve.

Can also be used as a cronjob command.

Creating Live patch
Not all patch can be converted to live patch using kpatch.
 * Patch that change data structure
 * Change content of existing variable
 * Add field to existing data structure
 * Init code changes are incompatible with kpatch
 * Header file changes
 * Dealing with unexpected changed functions
 * Removing references to static local variables
 * Code removal

GSoC 2017
This project is part of GSoC 2017 and the code is written by User:Alicef mentored by User:Gokturk

Written code: Reports:
 * kpatch ebuild merged in the Gentoo official repository
 * elivepatch client
 * elivepatch server
 * Official Gentoo repository elivepatch merge pull-request
 * half term report
 * half term presentation
 * Some public reports