Tokyo University of Technology - server sponsor
Flexible Distributed Linux Kernel Live Patching
livepatch is a Linux kernel facility that allows to build a kernel module to update a running kernel without requiring a reboot.
Elivepatch is a client-server infrastructure to automate the creation and distribution of those modules.
- Resource-constrained updates
- Distributed live patch building
- Incremental live patch (You can build live patch over the previous one)
- Automatic no-reboot updates for security CVE
The software is mainly two components:
- elivepatch-client: Client to be run on the machines to be updated.
- elivepatch-server: Server in charge of building the livepatch modules.
The two use a RESTful API for receiving the kernel configuration and a source 'diff' and generate a livepatch module out of it using kpatch
emerge --ask sys-apps/elivepatch-server
This will install the init.d file under /etc/init.d/elivepatch and the conf.d under /etc/conf.d/elivepatch.
From the conf.d file you can change the elivepatch daemon user and permission (by default is root).
You can start elivepatch-server on machine startup with:
rc-config add elivepatch-server default
The machine will need to have enough space to build several kernels and the toolchains used to build the original kernel.
emerge --ask sys-apps/elivepatch-client
The client is as well a Python program.
One time livepatch build
elivepatch --config <file.config> --patch <example.patch> --url <elivepatch-server_url:elivepatch-server_port>
The example.patch is a diff from the original kernel sources the file.config belongs to (the elivepatch-client figures out the kernel version from it).
The command will contact the elivepatch server and request a livepatch module matching the patch provided.
elivepatch --cve --kernel <kernel_version> --url <elivepatch-server-url:port>
It will automatically produce a cve.patch from the CVE advisories for the current running kernel and request a livepatch module.
It could be used as a cron job command to keep an always-on machine up to date security-wise.
elivepatch uses kpatch under the hood and the system has the following limitations:
- Patch that change data structure
- Change content of existing variable
- Add field to existing data structure
- Init code changes are incompatible with kpatch
- Header file changes
- Dealing with unexpected changed functions
- Removing references to static local variables
- Code removal
The livepatch generation process needs a toolchain matching the one used to build the original kernel. Depending on the number of system to serve, this will require a large collection of gcc.
Automated live patching creation needs to trust the diff provided. It is advised to keep the process containerized. For this purpose Docker images are being worked on.
- kpatch ebuild merged in the Gentoo official repository
- elivepatch client
- elivepatch server
- Official Gentoo repository elivepatch merge pull-request