Live kernel patching

Live kernel patching

There are situations where users are reluctant to reboot a system. Typically with good reasons, like computations that are running for weeks to process big sets of data. Livepatching gives users the ability to keep running their system, while still allowing security issues to be solved.

What is kernel patching?

The GNU/Linux kernel is the guardian of your hardware. It provides processes with the required resources like processor time, temporary memory, and disk space. As the kernel itself is software, it can have software flaws that lead to security vulnerabilities. Like normal software packages, the kernel needs to be updated to resolve these vulnerabilities.

The challenge with updates for the kernel is that it can't be easily restarted. So if there is an update, the system needs to be restarted to active the new kernel. Live kernel patching or livepatching, is a newer technology that allows the kernel to be patched while it is running. Any used functions or system calls that are affected by the patch will have to be updated. Sort of an open heart surgery, where precision and timing is crucial.


By applying patches to the running kernel, the system can continue to run. This will increase its availability and reduces the downtime. It also means that security updates can be applied quicker. Since the system does not to be rebooted, the required system maintenance can be delayed or combined with other activities.

How does live kernel patching work?

The ability to do live patching requires three main features: kernel probes, function tracing, and livepatching. Let's start with the first one, the kernel probes.

The kernel has an ability that allows to break into all kernel routines and at almost all code addresses. This ability is named Kprobes. Kprobes, or kernel probes, can be used for debugging. When it is used, it sets a breakpoint at a particular location. So where normally an instruction is located, it encounters the breakpoint. A new set of instructions can be executed. It even has the option to run actions before (pre_handler) and after this breakpoint (post_handler).

The second feature is Function Tracer or Ftrace. It allows tracking information from functions like events, interrupts, and more. This is done with plugins and Ftrace is more of a framework than just a single function. With the tracing valuable data can be retrieved, like performance such as the latency of specific areas. It is Ftrace that can call the particular code used by the next component, Livepatch.

Livepatch is the latest addition to the kernel. The mix between Red Hat's kpatch and kGraft from SUSE. With a custom Ftrace handler, they can redirect routines that are considered to be vulnerable and redirect them to patched routines.

Livepatch support

To allow live kernel patching, the kernel needs to have livepatch support. The initial implementation came in 4.x branch. So older kernel versions won't support it.