kpatch is a feature of the Linux kernel that implements live patching of a running kernel, which allows kernel patches to be applied while the kernel is still running. By avoiding the need to reboot the system into a new kernel that contains the desired patches, kpatch aims to maximize system uptime and availability. At the same time, it allows kernel-related security updates to be applied without deferring them to scheduled downtimes. Internally, kpatch replaces entire functions in a running kernel with their patched versions, doing so safely by stopping all running processes while the live patching is performed. kpatch is developed by Red Hat, with its source code licensed under the terms of the GNU General Public License version 2 (GPLv2). In May 2014, kpatch was submitted for inclusion into the Linux kernel mainline, and the minimalistic foundations for live patching were merged into the mainline kernel in version 4.0, released on April 12, 2015.


Internals

Internally, kpatch consists of two parts: the core kernel module executes the live patching mechanism by altering the kernel's inner workings, while a set of userspace utilities prepares individual hot patch kernel modules from source diffs and manages their application. Live kernel patching is performed at the function level, meaning that kpatch replaces entire functions in the running kernel with their patched versions, using facilities provided by ftrace to "route around" the old versions of those functions; because the old code stays in place and only the redirection is installed, hot patches can also easily be undone. No changes to the kernel's internal data structures are possible; however, security patches, which are one of the natural candidates for kpatch, rarely contain changes to the kernel's data structures. kpatch ensures that hot patches are applied atomically and safely by stopping all running processes while the hot patch is applied (through the kernel's stop_machine() facility) and by checking that none of the stopped processes is executing inside any of the functions that are to be patched. This approach simplifies the whole live patching mechanism and prevents certain issues associated with the way data structures are used by the original and patched versions of functions. As a downside, it also leaves the possibility for a hot patch to fail (its application is refused if a process is found inside a function to be patched), and it introduces a small amount of latency required for stopping all running processes.
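To make the stop-and-check rule concrete, the following userspace C model is an added example and not kpatch's own code: a redirect table plays the role of ftrace, the stopped tasks and their stacks are constructed by hand, and every name in it (call, apply_patch, revert_patch, checksum_v1, checksum_v2, the task list) is invented for the illustration. Applying the patch is refused with -EBUSY while any stopped task still has a function to be replaced on its stack, installs all redirects together otherwise, and reverting drops them again under the same rule:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added userspace model of kpatch's apply step; not kpatch code. The redirect
 * table stands in for ftrace and the task snapshots below are constructed. */

typedef int (*fn_t)(int);

#define MAX_STACK     8
#define MAX_REDIRECTS 8
#define EBUSY_RC    (-16)   /* mirrors -EBUSY: the stack check rejected the patch */

/* Snapshot of one stopped task: symbols on its kernel stack, outermost first. */
struct task {
    const char *comm;
    const char *stack[MAX_STACK];
    int depth;
};

/* One replacement: the symbol to route around and the code that replaces it. */
struct patch_func {
    const char *old_name;
    fn_t new_fn;
};

/* Original function and its fix (a contrived bug: negative input gives a negative result). */
static int checksum_v1(int x) { return x % 256; }
static int checksum_v2(int x) { return ((x % 256) + 256) % 256; }

/* Installed redirects: a call to name lands on target instead of the original. */
static struct { const char *name; fn_t target; } redirects[MAX_REDIRECTS];
static int nredirects;

/* Every call site goes through here, as kernel function entries go through ftrace. */
int call(const char *name, int arg)
{
    for (int i = 0; i < nredirects; i++)
        if (strcmp(redirects[i].name, name) == 0)
            return redirects[i].target(arg);
    if (strcmp(name, "checksum") == 0)
        return checksum_v1(arg);        /* unpatched: the original code runs */
    return -1;                          /* unknown symbol */
}

/* True if any stopped task is executing inside one of the functions being replaced. */
static bool stack_conflict(const struct task *tasks, int ntasks,
                           const struct patch_func *funcs, int nfuncs)
{
    for (int t = 0; t < ntasks; t++)
        for (int d = 0; d < tasks[t].depth; d++)
            for (int f = 0; f < nfuncs; f++)
                if (strcmp(tasks[t].stack[d], funcs[f].old_name) == 0)
                    return true;
    return false;
}

/* Called with every task stopped: either all redirects go in together and 0 is
 * returned, or nothing changes and EBUSY_RC is returned (the "patch may fail" case). */
int apply_patch(const struct task *tasks, int ntasks,
                const struct patch_func *funcs, int nfuncs)
{
    if (nredirects + nfuncs > MAX_REDIRECTS)
        return -1;
    if (stack_conflict(tasks, ntasks, funcs, nfuncs))
        return EBUSY_RC;
    for (int f = 0; f < nfuncs; f++) {
        redirects[nredirects].name = funcs[f].old_name;
        redirects[nredirects].target = funcs[f].new_fn;
        nredirects++;
    }
    return 0;
}

/* Undo under the same rule: drop the redirects so calls reach the original code again. */
int revert_patch(const struct task *tasks, int ntasks,
                 const struct patch_func *funcs, int nfuncs)
{
    if (stack_conflict(tasks, ntasks, funcs, nfuncs))
        return EBUSY_RC;
    for (int f = 0; f < nfuncs; f++)
        for (int i = 0; i < nredirects; i++)
            if (strcmp(redirects[i].name, funcs[f].old_name) == 0) {
                nredirects--;
                redirects[i] = redirects[nredirects];
                break;
            }
    return 0;
}

/* Constructed scenarios: hand-written task snapshots, not captured from a kernel. */
static const struct patch_func fix[] = { { "checksum", checksum_v2 } };
static const struct task busy_tasks[] = {
    { "kworker/0:1", { "worker_thread", "process_one_work" }, 2 },
    { "sshd",        { "sys_write", "vfs_write", "checksum" }, 3 },
};
static const struct task idle_tasks[] = {
    { "kworker/0:1", { "worker_thread", "process_one_work" }, 2 },
    { "sshd",        { "sys_write", "vfs_write", "tcp_sendmsg" }, 3 },
};

int demo_apply_while_busy(void)  { return apply_patch(busy_tasks, 2, fix, 1); }
int demo_apply_while_idle(void)  { return apply_patch(idle_tasks, 2, fix, 1); }
int demo_revert_while_idle(void) { return revert_patch(idle_tasks, 2, fix, 1); }

int main(void)
{
    printf("before patch: checksum(-1) = %d\n", call("checksum", -1));
    printf("apply while sshd is inside checksum(): rc = %d\n", demo_apply_while_busy());
    printf("apply once no task is inside it: rc = %d\n", demo_apply_while_idle());
    printf("after patch: checksum(-1) = %d\n", call("checksum", -1));
    printf("revert: rc = %d\n", demo_revert_while_idle());
    printf("after revert: checksum(-1) = %d\n", call("checksum", -1));
    return 0;
}
```

The model keeps only the decision logic. Real kpatch stops all CPUs with stop_machine(), reads the stacks that the kernel's unwinder produces rather than hand-built arrays, and fails the patch load when the check cannot be satisfied; the point the model preserves is that the old function is never torn out, so a refused or reverted patch leaves the kernel exactly as it was.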


History

Red Hat announced and publicly released kpatch in February 2014 under the terms of the GNU General Public License version 2 (GPLv2), shortly before SUSE released its own live kernel patching implementation, called kGraft. kpatch was submitted for inclusion into the Linux kernel mainline in May 2014. kpatch has been included in Red Hat Enterprise Linux 7.0, released on June 10, 2014, as a technology preview. Minimalistic foundations for live kernel patching were merged into the Linux kernel mainline in kernel version 4.0, which was released on April 12, 2015. Those foundations, based primarily on the kernel's ftrace functionality, form a common core capable of supporting hot patching by both kpatch and kGraft, by providing an application programming interface (API) for kernel modules that contain hot patches and an application binary interface (ABI) for the userspace management utilities. However, the common core included in Linux kernel 4.0 supports only the x86 architecture and does not provide any mechanism for ensuring function-level consistency while hot patches are applied. Since April 2015, there has been ongoing work on porting kpatch to the common live patching core provided by the Linux kernel mainline. However, implementation of the required function-level consistency mechanisms has been delayed because the call stacks provided by the Linux kernel may be unreliable in situations that involve assembly code without proper stack frames; as a result, the porting work remains in progress. In an attempt to improve the reliability of the kernel's call stacks, a specialized sanity-check userspace utility (which became objtool) has also been developed.


See also

* Dynamic software updating, a field of research focusing on upgrading programs while they are running
* kexec, a method for loading a whole new Linux kernel from a running system
* Ksplice and KernelCare, other Linux kernel live patching technologies developed by Ksplice, Inc. (later acquired by Oracle) and CloudLinux, respectively



External links


kpatch source code on GitHub (https://github.com/dynup/kpatch)