kpatch is a feature of the Linux kernel that implements live patching of a running kernel, which allows kernel patches to be applied while the kernel is still running. By avoiding the need to reboot the system into a new kernel that contains the desired patches, kpatch aims to maximize system uptime and availability. At the same time, kpatch allows kernel-related security updates to be applied without deferring them to scheduled downtimes. Internally, kpatch allows entire functions in a running kernel to be replaced with their patched versions, doing so safely by stopping all running processes while the live patch is applied. kpatch is developed by Red Hat, with its source code licensed under the terms of the GNU General Public License version 2 (GPLv2). In May 2014, kpatch was submitted for inclusion into the Linux kernel mainline, and the minimalistic foundations for live patching were merged into the mainline in kernel version 4.0, which was released on April 12, 2015.


Internals

Internally, kpatch consists of two parts: the core kernel module executes the live patching mechanism by altering the kernel's inner workings, while a set of userspace utilities prepares individual hot-patch kernel modules from source diffs and manages their application. Live kernel patching is performed at the function level: kpatch replaces entire functions in the running kernel with their patched versions, using facilities provided by ftrace to "route around" the old versions of those functions. Because the old function bodies stay in place, a hot patch can also easily be undone. No changes to the kernel's internal data structures are possible; however, security patches, which are among the natural candidates for kpatch, rarely change the kernel's data structures. kpatch ensures that hot patches are applied atomically and safely by stopping all running processes while the hot patch is applied, and by checking (by inspecting each stopped process's call stack) that none of them is executing inside the functions that are to be patched. This approach simplifies the whole live patching mechanism and prevents certain issues that arise when the original and patched versions of a function use the same data structures differently. As a downside, the check can fail, in which case the hot patch is not applied, and stopping all running processes introduces a small amount of latency.
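The mechanism described above, reduced to a userspace model, as an added example that is not kpatch's or the Linux kernel's own code. The ftrace redirection is replaced by a function-pointer table, "stopped processes" are structs holding a list of frame names, and the names `compute`, `patch_apply`, `patch_revert`, `some_task_inside` and `stack_is_reliable` are hypothetical. It shows the three points of the consistency model: the swap is a single pointer write while everything is stopped, it is refused when a stopped task is caught inside the target function, and it is refused when a stack cannot be walked reliably (a frame marked "?", standing in for assembly code without a proper stack frame), which this model treats as unsafe.

```c
/* Userspace model of kpatch-style function-level live patching.
 * Added illustration, not kpatch or Linux kernel code: the ftrace hook is
 * replaced by a function-pointer table, "stopped tasks" are structs with a
 * list of frame names, and patch_apply()/patch_revert()/stack_is_reliable()
 * are hypothetical names chosen for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 8

typedef int (*kfunc_t)(int);

/* Old and patched versions of a "kernel" function. The patched version
 * adds a missing negative-input check; the data it touches is unchanged,
 * which is the kind of fix kpatch can carry (no data-structure changes). */
static int orig_compute(int x)  { return x * 2; }
static int fixed_compute(int x) { return x < 0 ? 0 : x * 2; }

/* Stand-in for the ftrace redirection: every caller enters through the
 * table entry, so swapping `current` routes callers around the old body,
 * and the old body stays in place so the patch can be undone. */
struct patched_func {
    const char *name;
    kfunc_t orig;
    kfunc_t current;
};

static struct patched_func compute_entry = { "compute", orig_compute, orig_compute };

int compute(int x) { return compute_entry.current(x); }

/* What the patch core sees after stopping all tasks: each task's call
 * stack as a list of frame names. "?" marks a frame the unwinder could
 * not identify (e.g. assembly code without a proper stack frame). */
struct task {
    const char *stack[MAX_DEPTH];
    size_t depth;
};

/* A stack with an unidentified frame cannot prove the task is outside the
 * function being patched; this model treats that as unsafe. */
bool stack_is_reliable(const struct task *t) {
    for (size_t d = 0; d < t->depth; d++)
        if (strcmp(t->stack[d], "?") == 0)
            return false;
    return true;
}

/* True if any stopped task is executing inside `name`, or if any stack is
 * unreliable so that the question cannot be answered. */
bool some_task_inside(const struct task *tasks, size_t ntasks, const char *name) {
    for (size_t i = 0; i < ntasks; i++) {
        if (!stack_is_reliable(&tasks[i]))
            return true;
        for (size_t d = 0; d < tasks[i].depth; d++)
            if (strcmp(tasks[i].stack[d], name) == 0)
                return true;
    }
    return false;
}

/* Atomic switch: with every task stopped, either all future calls reach
 * the replacement or nothing changes. Returns 0 on success, -1 if refused
 * because a task was caught inside the function (the hot patch "fails"
 * rather than leaving old and new code mixed on one task's stack). */
int patch_apply(struct patched_func *f, kfunc_t replacement,
                const struct task *tasks, size_t ntasks) {
    if (some_task_inside(tasks, ntasks, f->name))
        return -1;
    f->current = replacement;
    return 0;
}

/* Undo is the same switch in reverse, with the same safety check. */
int patch_revert(struct patched_func *f, const struct task *tasks, size_t ntasks) {
    if (some_task_inside(tasks, ntasks, f->name))
        return -1;
    f->current = f->orig;
    return 0;
}

int main(void) {
    /* Constructed sample: no stopped task is inside compute(). */
    struct task idle[2] = { { { "sys_read", "vfs_read" }, 2 }, { { "schedule" }, 1 } };
    printf("before patch: compute(-1) = %d\n", compute(-1));
    printf("apply (idle tasks): %d\n", patch_apply(&compute_entry, fixed_compute, idle, 2));
    printf("after patch:  compute(-1) = %d\n", compute(-1));
    printf("revert: %d\n", patch_revert(&compute_entry, idle, 2));

    /* Constructed sample: one task was stopped inside compute(). */
    struct task busy[2] = { { { "sys_ioctl", "compute" }, 2 }, { { "schedule" }, 1 } };
    printf("apply (task inside compute): %d\n", patch_apply(&compute_entry, fixed_compute, busy, 2));
    printf("still old:    compute(-1) = %d\n", compute(-1));
    return 0;
}
```

The refusal path is the important one: a real kpatch hot patch that fails the stack check leaves the kernel exactly as it was, which is what makes the stop-the-world approach simple to reason about at the cost of the occasional failed attempt.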


History

Red Hat announced and publicly released kpatch in February 2014 under the terms of the GNU General Public License version 2 (GPLv2), shortly before SUSE released its own live kernel patching implementation, called kGraft. kpatch was submitted for inclusion into the Linux kernel mainline in May 2014. kpatch has been included in Red Hat Enterprise Linux 7.0, released on June 10, 2014, as a technology preview. Minimalistic foundations for live kernel patching were merged into the Linux kernel mainline in kernel version 4.0, which was released on April 12, 2015. Those foundations, based primarily on the kernel's ftrace functionality, form a common core capable of supporting hot patching by both kpatch and kGraft, by providing an application programming interface (API) for kernel modules that contain hot patches and an application binary interface (ABI) for the userspace management utilities. However, the common core included in Linux kernel 4.0 supports only the x86 architecture and does not provide any mechanism for ensuring function-level consistency while hot patches are applied. Since April 2015, there has been ongoing work on porting kpatch to the common live patching core provided by the Linux kernel mainline. However, implementation of the required function-level consistency mechanisms has been delayed because the call stacks provided by the Linux kernel may be unreliable in situations that involve assembly code without proper stack frames: a consistency check that inspects a task's call stack cannot trust a walk that passes through such a frame. As a result, the porting work remains in progress. In an attempt to improve the reliability of the kernel's call stacks, a specialized sanity-check userspace utility has also been developed.


See also

* Dynamic software updating, a field of research focusing on upgrading programs while they are running
* kexec, a method for loading a whole new Linux kernel from a running system
* Ksplice and KernelCare, other Linux kernel live patching technologies, developed by Ksplice, Inc. (later acquired by Oracle) and CloudLinux, respectively


External links


* kpatch source code on GitHub