Flexible Distributed Linux Kernel Live Patching
- Distributed live patch building
  - Works as a client/server live patch build model: the server builds, the client requests and installs.
- Incremental live patch
  - A live patch can be built on top of the previous one.
- Automatic live patch for security CVEs
  - Kernel CVE data is taken from https://github.com/nluedtke/linux_kernel_cves
- Client: to be run on the machine where we want to install the live patch.
- Server: RESTful API for building the live patch. kpatch (kpatch-build) is used to build the live patch object.
Server installation. This is for the machine that will build the live patch.
emerge --ask elivepatch-server
This installs the init script under /etc/init.d/elivepatch and its configuration under /etc/conf.d/elivepatch.
In the conf.d file you can change the user and permissions the elivepatch daemon runs with (by default it runs as root). Because the server builds and hands out kernel objects for whoever asks, run it as a dedicated user where your kpatch setup allows it and restrict network access to the API to the clients that need it.
You can start the server at boot with OpenRC (the service name is the init script name installed above):
rc-update add elivepatch default
Client installation. This is for the machine that will request the live patch build and load the result.
emerge --ask elivepatch-client
One-time live patch build. The client sends the kernel configuration and the source patch to the server, which builds the live patch object with kpatch:
elivepatch --config <file.config> --patch <example.patch> --url <elivepatch-server_url:elivepatch-server_port>
CVE live patch. This mode live patches the given kernel version with the latest security CVE fixes known for it (from the linux_kernel_cves data):
elivepatch --cve --kernel <kernel_version> --url <elivepatch-server-url:port>
It can also be run as a cron job to keep the running kernel patched.
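A cron wrapper for the CVE mode, as an added example that is not part of the elivepatch project. It assumes, which the page does not state, that `--kernel` accepts the version from `uname -r` with the local suffix (e.g. `-gentoo`) stripped, that elivepatch exits non-zero when the build or install fails, and a server address of 127.0.0.1:5000; the script path and the lock and log locations are placeholders. It serialises runs with flock so that a slow build does not overlap the next cron tick, and logs the outcome:

```shell
#!/bin/sh
# Cron wrapper for `elivepatch --cve`.  Added example, not part of the
# elivepatch project.  Assumptions not stated on the page: --kernel accepts
# the `uname -r` version with the local suffix removed, elivepatch exits
# non-zero on failure, and the server listens on 127.0.0.1:5000.
#
# crontab entry (hypothetical path), nightly at 03:00:
#   0 3 * * * /usr/local/sbin/elivepatch-cve.sh run
set -eu

ELIVEPATCH_URL="${ELIVEPATCH_URL:-127.0.0.1:5000}"       # assumed address:port
LOCK_FILE="${LOCK_FILE:-/run/lock/elivepatch-cve.lock}"  # placeholder
LOG_FILE="${LOG_FILE:-/var/log/elivepatch-cve.log}"      # placeholder

# "4.12.3-gentoo" -> "4.12.3": strip the local version suffix.
kernel_base_version() {
    printf '%s\n' "$1" | sed 's/-.*$//'
}

# Print the elivepatch command line for a kernel version and a server url:port.
elivepatch_cve_cmd() {
    printf 'elivepatch --cve --kernel %s --url %s\n' "$1" "$2"
}

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$*" >>"$LOG_FILE"
}

run_cve_patch() {
    # Serialise runs: a slow build must not overlap with the next cron tick.
    exec 9>"$LOCK_FILE"
    if ! flock -n 9; then
        log "skip: another elivepatch run holds $LOCK_FILE"
        exit 0
    fi
    kver=$(kernel_base_version "$(uname -r)")
    cmd=$(elivepatch_cve_cmd "$kver" "$ELIVEPATCH_URL")
    log "start: $cmd"
    if $cmd >>"$LOG_FILE" 2>&1; then
        log "ok: kernel $kver"
    else
        rc=$?
        log "FAILED (exit $rc): kernel $kver"
        exit "$rc"
    fi
}

case "${1:-}" in
    run) run_cve_patch ;;
esac
```

The wrapper only acts when invoked with `run`, so it can be sourced or inspected without touching the kernel; check the log after the first nightly run before trusting it unattended.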
Creating a live patch
Not every patch can be converted to a live patch with kpatch. The following cases either cannot be converted or need manual rework of the patch:
- Patches that change a data structure
  - Changing the content of an existing variable
  - Adding a field to an existing data structure
- Init code changes are incompatible with kpatch (code in __init sections is freed after boot, so there is nothing left to patch at run time)
- Header file changes
- Dealing with unexpectedly changed functions (functions kpatch-build reports as changed that the patch did not intend to touch)
- Removing references to static local variables
- Code removal
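To catch these cases before a patch is sent to the server, here is an added example (not from the elivepatch or kpatch projects) of a pre-check that scans a unified diff for the patterns in the list above: hunks whose context line is a struct/union/enum definition or an `__init` function, changed lines in header files, changed indented `static` declarations (static locals), and changed struct/union/enum definition lines. It is a heuristic and not a replacement for kpatch-build's own analysis; the embedded sample patch, its file names and identifiers are constructed for this example.

```shell
#!/bin/sh
# kpatch pre-check: flag diff hunks that touch things kpatch cannot live patch.
# Added example, not part of elivepatch or kpatch.  Heuristic only.
set -eu

# Reads a unified diff on stdin, prints one WARN line per finding,
# exits 1 if anything was flagged and 0 otherwise.
kpatch_precheck() {
    awk '
    function warn(f, msg) { n++; printf "WARN %s: %s\n", f, msg }
    /^\+\+\+ / { file = $2; sub(/^b\//, "", file); next }   # new-file header
    /^--- /    { next }                                      # old-file header
    /^@@/ {
        # git puts the enclosing declaration after the hunk range
        ctx = $0; sub(/^@@[^@]*@@ ?/, "", ctx)
        if (ctx ~ /^(struct|union|enum) /) warn(file, "hunk inside data structure definition: " ctx)
        if (ctx ~ /__init/)                warn(file, "hunk inside init code: " ctx)
        next
    }
    /^[+-]/ {
        line = substr($0, 2)
        if (file ~ /\.h$/ && !seen_hdr[file]++) warn(file, "header file changed")
        if (line ~ /^[ \t]+static[ \t]/) warn(file, "static local variable touched:" line)
        if (line ~ /__init/)             warn(file, "init code touched:" line)
        if (line ~ /^(struct|union|enum)[ \t]+[A-Za-z_][A-Za-z0-9_]*[ \t]*\{/)
            warn(file, "data structure definition changed:" line)
    }
    END { exit n > 0 ? 1 : 0 }'
}

# Constructed sample: one clean bounds-check fix, then a static local change,
# an __init change and a struct field added through a header.
SAMPLE_PATCH=$(cat <<'EOF'
diff --git a/drivers/hypo/hypo.c b/drivers/hypo/hypo.c
--- a/drivers/hypo/hypo.c
+++ b/drivers/hypo/hypo.c
@@ -10,7 +10,7 @@ static int hypo_copy(struct hypo_dev *dev, const char *src, size_t len)
 {
-        if (len > HYPO_BUF)
+        if (len >= HYPO_BUF)
                 return -EINVAL;
         memcpy(dev->buf, src, len);
@@ -40,6 +40,6 @@ static int hypo_count(void)
 {
-        static int calls;
+        static int calls = 1;
         return ++calls;
 }
@@ -60,5 +60,6 @@ static int __init hypo_init(void)
 {
+        pr_info("hypo: loaded\n");
         return 0;
 }
diff --git a/include/linux/hypo.h b/include/linux/hypo.h
--- a/include/linux/hypo.h
+++ b/include/linux/hypo.h
@@ -5,4 +5,5 @@ struct hypo_dev {
         char buf[HYPO_BUF];
+        int flags;
 };
EOF
)

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_PATCH" | kpatch_precheck ;;
    "")   ;;
    *)    kpatch_precheck <"$1" ;;
esac
```

Run it as `sh kpatch-precheck.sh example.patch` (exit status 1 when something was flagged, so it can gate a build script) or `sh kpatch-precheck.sh demo` to see the five findings on the embedded sample; the first hunk, a pure function-body fix, passes clean.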
- kpatch ebuild merged in the Gentoo official repository
- elivepatch client
- elivepatch server
- Official Gentoo repository elivepatch merge pull-request