SUSE Linux Enterprise Live Patching



is this the next step for the linux world? live kernel patching?


SUSE Linux Enterprise Live Patching provides a stream of packages to update a running kernel without interruption. This subscription offering from SUSE is based on the kGraft project. It allows you to perform patching without rebooting your system, saving the cost of downtime and increasing service availability.

Zero execution interruption

Stopping the kernel is problematic for low-latency applications such as transactional databases. SUSE Linux Enterprise Live Patching doesn't stop the system during patching. The patching infrastructure is built directly into SUSE Linux Enterprise Server 12, and SUSE Linux Enterprise Live Patching uses the familiar ftrace-based approach to perform the updates. This happens without ever stopping the kernel, not even for a moment.


Minimalist design

SUSE Linux Enterprise Live Patching uses a minimalist design approach to reduce the risk and burden of modifying your existing code base.

SUSE Linux Enterprise Live Patching builds on technologies and ideas already present in the upstream Linux kernel: ftrace and its mcount-based reserved space in function prologues, the INT3/IPI-NMI patching also used in jump labels, and read-copy-update (RCU)-like changes to the code that do not require stopping the kernel. A kernel live patch is a kernel module and relies on the in-kernel module loader to link the new code with the kernel.


Security

Because the kernel module is signed by SUSE, the SUSE Linux Enterprise Live Patching approach aligns with advanced technologies, such as UEFI secure boot, which require kernel modules signed by an approved signing key. Via this signature, you can minimize your exposure to security risks by verifying that a kernel live patch has been created by SUSE.


Familiar deployment methods

Like all maintenance updates, the patches within SUSE Linux Enterprise Live Patching are delivered as signed RPMs. Introducing the solution into your established administrative process is simple because you can reuse your existing deployment methods, including but not limited to YaST, Zypper, SMT and SUSE Manager.


source


any chance that if this goes well and develops further we might see it being applied as standard in most linux distros one time? If so, wouldn't it be just awesome? Basically it could mean that besides the obvious exceptions when you install new hardware, you're never ever gonna have to reboot again?



Have a look at the slides. This only attempts to solve the issue when an API's implementation changes. So instead of executing a function's instructions they patch the function to jump to the corrected function and then back to the end of the buggy function after the fixed function is run. If the ABI changes then you are still going to need to restart.


The other immediate problem I see is that kGraft requires building the kernel with space for those jumps to be manually inserted. If malicious software got the right permissions it could also do this (e.g., insert a keylogger at the kernel level). Without kGraft (and if profiling is not enabled) that space isn't present in the functions, so this attack vector isn't possible. But I suppose that if malicious software gets permissions to do this you will be out of luck anyway.

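The product text says live patches arrive as signed RPMs and load as kernel modules, and the reply above points out that anything with sufficient privileges could rewrite those reserved prologue bytes; either way an administrator wants an inventory of which live patches are loaded, whether they are enabled, and which kernel functions they replace. The POSIX shell functions below are an added example, not SUSE's or the kGraft project's code; they assume the mainline livepatch sysfs layout (`/sys/kernel/livepatch/<patch>/enabled`, an optional `transition` file on newer kernels, and `<patch>/<object>/<function>` directories named `<symbol>,<sympos>` on recent kernels) and take an alternate root so they can be run against a constructed tree.

```shell
#!/bin/sh
# Inventory of kernel live patches via the livepatch sysfs interface.
# ROOT defaults to / ; pass another directory to inspect a copied or
# constructed tree (the test below builds one under mktemp).

livepatch_inventory() {
    root="${1:-/}"
    base="$root/sys/kernel/livepatch"
    [ -d "$base" ] || { echo "no livepatch sysfs at $base" >&2; return 1; }
    for patch in "$base"/*/; do
        [ -d "$patch" ] || continue
        name=$(basename "$patch")
        enabled=$(cat "$patch/enabled" 2>/dev/null || echo "?")
        # 'transition' only exists on newer kernels: 1 means tasks are still
        # being migrated to the new code, 0 means the patch has fully settled.
        transition=$(cat "$patch/transition" 2>/dev/null || echo "n/a")
        echo "patch=$name enabled=$enabled transition=$transition"
        # Each subdirectory is a patched object (vmlinux or a module name),
        # and each directory below that is one replaced function.
        for obj in "$patch"*/; do
            [ -d "$obj" ] || continue
            objname=$(basename "$obj")
            for fn in "$obj"*/; do
                [ -d "$fn" ] || continue
                # On recent kernels the name is "<symbol>,<sympos>"; sympos
                # disambiguates duplicate symbol names (0 = symbol is unique).
                echo "  $objname: $(basename "$fn")"
            done
        done
    done
}

# Number of patches that are enabled and not still in transition.
livepatch_active_count() {
    root="${1:-/}"
    n=0
    for patch in "$root/sys/kernel/livepatch"/*/; do
        [ -f "$patch/enabled" ] || continue
        [ "$(cat "$patch/enabled")" = "1" ] || continue
        t=$(cat "$patch/transition" 2>/dev/null || echo 0)
        if [ "$t" = "0" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}
```

Run `livepatch_inventory` on a live system and compare the listed functions against the changelog of the installed live-patch RPM; an entry you cannot account for is worth investigating.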

  • 1 month later...

it seems to be happening, guys! :)


Live Patching Support Planned For Linux 3.20/4.0 Kernel

It looks like the Linux 3.20 kernel is when the new kernel live patching technology will be integrated into mainline.

This year there's been kGraft and Kpatch in development as new live kernel patching solutions to reduce downtime when applying maintenance/security updates to the kernel by avoiding system reboots, similar in nature to Ksplice. These solutions were devised independently by Red Hat and SUSE, while more recently a unified infrastructure combining both kGraft and Kpatch was proposed. It looks like Linux 3.20 is when that code will be merged.

It's too late for the live patching code to enter Linux 3.19, and making known the Linux 3.20 merging plans was SUSE Labs' Jiri Kosina asking for the live patching tree to be added to linux-next, the sort of staging area for code planned to be merged into the mainline Linux kernel tree in the releases ahead.

Kosina wrote, "a substantial amount of work has been invested into abstracting 'Live Patching' core functionality out of the already existing implementations, so that further improvements can be built on top of it in incremental steps. The core functionality (which is self-contained) now works and has been Reviewed/Acked by both interested parties (i.e. people working on kPatch and kGraft) and agreed to be a common ground on which further development will happen." 

This initial code, per Kosina's message, is planned to see a pull request for Linux 3.20. Though based upon earlier messages by Linus Torvalds, Linux 3.20 might become Linux 4.0 if his talk from 2013 holds true.

source


  • 1 month later...

live patching for 3.20 is confirmed now, and with 3.19 released a few days ago, it can't take that long anymore. Never having to reboot your Linux PC or notebook anymore, how awesome is that?

