From Gentoo Wiki


Flexible Distributed Linux Kernel Live Patching

elivepatch diagram


  • Distributed live patch building
    • Works as a client-server live patch build model
  • Incremental live patch
    • You can build a live patch on top of the previous one
  • Automatic live patching for security CVEs


  • elivepatch-client
    • Client to be run on the machine where we want to install the live patch.
  • elivepatch-server
    • RESTful API for building the live patch. It uses kpatch to build the live patch object.



This is for the machine that will build the live patch.


root #emerge --ask elivepatch-server

This installs the init.d file under /etc/init.d/elivepatch and the conf.d file under /etc/conf.d/elivepatch.
In the conf.d file you can change the user and permissions the elivepatch daemon runs with (the default is root).
To start elivepatch-server at machine startup, run:

root #rc-config add elivepatch-server default

This is for the machine that will request to build the live patch.


root #emerge --ask elivepatch-client

One time livepatch build

root #elivepatch --config <file.config> --patch <example.patch> --url <elivepatch-server_url:elivepatch-server_port>

CVE livepatch

CVE live patch is the command for live patching the current kernel with the latest security CVE fixes.

root #elivepatch --cve --kernel <kernel_version> --url <elivepatch-server-url:port>

It can also be run as a cron job.
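
A cron wrapper around the CVE command above, as an added example that is not part of the original page or of the elivepatch project. ELIVEPATCH_URL, LOCK_FILE, the log tag and the function names are hypothetical; it assumes --kernel takes the numeric part of `uname -r`, that elivepatch exits non-zero on failure, and that flock and logger from util-linux are installed.

```shell
#!/bin/sh
# Added example: cron wrapper around the "elivepatch --cve" command on this page.
# Hypothetical names: ELIVEPATCH_URL, LOCK_FILE, the log tag, the function names.

LOCK_FILE="${LOCK_FILE:-/run/elivepatch-cve.lock}"

log() { logger -t elivepatch-cve "$*"; }

# Reduce a kernel release string (as printed by `uname -r`) to its numeric part.
# Assumption: --kernel expects this form; the page only says <kernel_version>.
kernel_version() {
    printf '%s\n' "$1" | sed -n -E 's/^([0-9]+\.[0-9]+(\.[0-9]+)?).*$/\1/p' | grep .
}

# Accept only <server>:<port>, optionally with a scheme; anything else
# (empty value, whitespace, newlines, shell metacharacters) is refused.
valid_server_url() {
    case "$1" in
        ''|*[!A-Za-z0-9._:/-]*|*:) return 1 ;;
        *:*) ;;
        *) return 1 ;;
    esac
    case "${1##*:}" in *[!0-9]*) return 1 ;; esac   # text after last ':' is the port
}

run_cve_livepatch() {
    url="$1"
    valid_server_url "$url" || { log "refusing server URL: $url"; return 2; }
    ver="$(kernel_version "$(uname -r)")" || { log "cannot parse kernel release"; return 2; }
    (
        # One run at a time: a slow build must not overlap the next cron tick.
        flock -n 9 || { log "previous run still active, skipping"; exit 0; }
        # Assumption: elivepatch exits non-zero when the build or load fails.
        elivepatch --cve --kernel "$ver" --url "$url"
    ) 9>"$LOCK_FILE"
    rc=$?
    [ "$rc" -eq 0 ] || log "elivepatch --cve failed for kernel $ver (exit $rc)"
    return "$rc"
}

# Cron sets ELIVEPATCH_URL (e.g. in the crontab); without it nothing is run.
if [ -n "${ELIVEPATCH_URL:-}" ]; then
    run_cve_livepatch "$ELIVEPATCH_URL"
fi
```

Failures and skipped runs go to syslog under the elivepatch-cve tag, so a host that silently stops receiving live patches shows up in log monitoring.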

Creating Live patch

Not every patch can be converted to a live patch using kpatch.

GSoC 2017

This project is part of GSoC 2017. The code was written by User:Alicef, mentored by User:Gokturk.

Written code: