Live patching lets you update the Linux kernel without rebooting your system. It is a good fit for large enterprises running interruption-sensitive services, where downtime can harm the whole business. Kernel updates are nonetheless a must in a world full of vulnerabilities, security issues and gaps. Only timely kernel updates can guarantee trouble-free operation of your business.
You might have already read our live kernel patching tutorials: Live patching Debian 10 Linux kernel with Kpatch and Live patching Ubuntu 20.04 LTS Focal Fossa Linux kernel with Kpatch. And if not, consider them as useful materials to share with your colleagues and friends.
In this tutorial, I’ll show you how to patch Oracle Enterprise Linux 7 – UEK4 Linux kernel using Kpatch without rebooting it.
Kpatch is a Red Hat project and works on RHEL and its derivatives. Red Hat offers a commercial live patch service for RHEL customers, as do the following companies, who each focus on different distributions:
We have chosen Kpatch for this tutorial because its source code is available for free and is regularly updated.
Here are the system prerequisites for following this tutorial.
grep LIVEPATCH /boot/config-$(uname -r)
gcc --version (if gcc is not installed, run "sudo yum install gcc")
yum install sudo
usermod -aG wheel <user>
where <user> is the username for a normal user. (All subsequent commands should be done as this user.)
sudo yum install elfutils elfutils-devel
sudo yum install pesign yum-utils zlib-devel binutils-devel newt-devel python-devel \
    perl-ExtUtils-Embed audit-libs numactl-devel pciutils-devel bison patchutils bc rpm-build glib2-devel
sudo rpm -ivh libdtrace-ctf-0.8.0-1.el7.x86_64.rpm libdtrace-ctf-devel-0.8.0-1.el7.x86_64.rpm
sudo rpm -ivh kernel-uek-4.1.12-220.127.116.11.el7uek.x86_64.rpm --nodeps
sudo rpm -ivh --nodeps kernel-uek-devel-4.1.12-18.104.22.168.el7uek.x86_64.rpm
sudo rpm -ivh kernel-uek-debuginfo-4.1.12-22.214.171.124.el7uek.x86_64.rpm kernel-uek-debuginfo-common-4.1.12-126.96.36.199.el7uek.x86_64.rpm
git clone https://github.com/dynup/kpatch.git
cd kpatch && make && sudo make install
cd kmod && make
sudo mkdir -p /lib/modules/$(uname -r)/extra/kpatch
sudo cp core/kpatch.ko /lib/modules/$(uname -r)/extra/kpatch
sudo cp core/Module.symvers /lib/modules/$(uname -r)/extra/kpatch
Unpack kernel sources:
tar xfj linux-4.1.12.tar.bz2
The Linux kernel is compiled using settings in a configuration file supplied with your distribution. Take a copy and change some settings so kpatch-build can compile a Linux kernel with the same settings as your running kernel.
cp /boot/config-$(uname -r) .config
Check that the required kernel settings are enabled for using Kpatch. All should return ‘y’.
scripts/config -s DYNAMIC_FTRACE_WITH_REGS
scripts/config -s FUNCTION_TRACER
scripts/config -s HAVE_DYNAMIC_FTRACE_WITH_REGS
scripts/config -s HAVE_FENTRY
scripts/config -s HAVE_LIVEPATCH
scripts/config -s KALLSYMS_ALL
scripts/config -s KALLSYMS
scripts/config -s LIVEPATCH
scripts/config -s MODULES
scripts/config -s MODULE_SIG
scripts/config -s SYSFS
scripts/config -s SYSTEM_TRUSTED_KEYRING
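The twelve checks above can be run in one pass against any kernel config file. This is an added example, not part of the original tutorial; the function names config_state, kpatch_missing and sample_config, and the sample config itself, are constructed for illustration.

```shell
#!/bin/sh
# Options the tutorial checks; each must be built in (=y) for Kpatch.
KPATCH_REQUIRED="DYNAMIC_FTRACE_WITH_REGS FUNCTION_TRACER
HAVE_DYNAMIC_FTRACE_WITH_REGS HAVE_FENTRY HAVE_LIVEPATCH KALLSYMS_ALL
KALLSYMS LIVEPATCH MODULES MODULE_SIG SYSFS SYSTEM_TRUSTED_KEYRING"

# config_state FILE OPTION: print y, m, n or undef (as scripts/config -s does).
config_state() {
    file=$1 opt=$2
    # Anchor on "=" or " " so KALLSYMS does not also match KALLSYMS_ALL.
    line=$(grep -E "^(# )?CONFIG_${opt}[= ]" "$file" | tail -n 1)
    case $line in
        "CONFIG_${opt}=y") echo y ;;
        "CONFIG_${opt}=m") echo m ;;
        "# CONFIG_${opt} is not set") echo n ;;
        "") echo undef ;;
        *) echo "${line#*=}" ;;
    esac
}

# kpatch_missing FILE: print "OPTION=state" for every option that is not "y".
kpatch_missing() {
    for opt in $KPATCH_REQUIRED; do
        state=$(config_state "$1" "$opt")
        [ "$state" = y ] || echo "${opt}=${state}"
    done
}

# Constructed sample, not a real UEK4 config: LIVEPATCH off, MODULE_SIG absent.
sample_config() {
    cat <<'EOF'
CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
CONFIG_FUNCTION_TRACER=y
CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
CONFIG_HAVE_FENTRY=y
CONFIG_HAVE_LIVEPATCH=y
CONFIG_KALLSYMS_ALL=y
CONFIG_KALLSYMS=y
# CONFIG_LIVEPATCH is not set
CONFIG_MODULES=y
CONFIG_SYSFS=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
EOF
}

# Check the running kernel's config (or a file given as the first argument).
cfg=${1:-/boot/config-$(uname -r)}
if [ -r "$cfg" ]; then kpatch_missing "$cfg"; fi
```

No output means every listed option is set to y; each printed line names an option to resolve before running kpatch-build.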
Change the value of one kernel configuration item.
scripts/config --set-str SYSTEM_TRUSTED_KEYS ""
Leave the source directory.
A patch source file is the output from the diff command run on the original and the changed source code files.
The patching example shown in the ‘Quick start’ section of the kpatch GitHub page changes the output of /proc/meminfo. Many other Kpatch articles reproduce this example, so I wanted something different and a little more interesting, yet still safe.
This example changes the output of the uptime command to give the illusion that your server’s uptime has increased by a decade.
1. Still in your working directory, copy a file.
cp linux-4.1.12/fs/proc/uptime.c .
2. Edit it. At line 26, change:
(unsigned long) uptime.tv_sec,
to:
(unsigned long) uptime.tv_sec + 315576000,
Save the file.
3. Create the patch file.
diff -u linux-4.1.12/fs/proc/uptime.c ./uptime.c > uptime.patch
4. Create the patch module. (The first time you do this, it will take some hours, as the kernel source code must be compiled. Subsequent builds are significantly faster, in the order of minutes.)
kpatch-build -t vmlinux -v /usr/lib/debug/lib/modules/$(uname -r)/vmlinux uptime.patch
5. When done, you will have a Linux Loadable Kernel Module file kpatch-uptime.ko for the patch.
cat /proc/uptime && uptime -p
# kpatch load kpatch-uptime.ko
loading patch module: kpatch-uptime.ko
# kpatch unload kpatch-uptime.ko
disabling patch module: kpatch_uptime
unloading patch module: kpatch_uptime
# cat /proc/uptime && uptime -p
up 2 hours
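A loaded patch module changes what the kernel reports without a reboot, so it is worth being able to list what is loaded and to confirm whether the uptime offset is in effect. This is an added example, not part of the original tutorial; the function names are hypothetical, and it assumes the kpatch core module and the kernel livepatch interface expose one directory per patch, each with an enabled file, under /sys/kernel/kpatch and /sys/kernel/livepatch.

```shell
#!/bin/sh
# list_live_patches [ROOT]: print "<interface> <module> <state>" for each
# loaded patch module. ROOT defaults to /sys/kernel (sysfs layout assumed).
list_live_patches() {
    root=${1:-/sys/kernel}
    for iface in kpatch livepatch; do
        for dir in "$root/$iface"/*/; do
            # An unmatched glob stays literal and fails this test.
            [ -r "${dir}enabled" ] || continue
            name=$(basename "$dir")
            if [ "$(cat "${dir}enabled")" = 1 ]; then
                state=enabled
            else
                state=disabled
            fi
            echo "$iface $name $state"
        done
    done
}

# uptime_offset_applied LINE: succeed if the first field of a /proc/uptime
# line is at least the 315576000 seconds added by the tutorial's patch.
uptime_offset_applied() {
    secs=${1%%.*}
    [ "${secs:-0}" -ge 315576000 ] 2>/dev/null
}

list_live_patches
if uptime_offset_applied "$(cat /proc/uptime 2>/dev/null)"; then
    echo "/proc/uptime includes the tutorial's offset"
fi
```

After kpatch load, the tutorial's module should appear as kpatch_uptime; after kpatch unload, it should no longer be listed.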
We have worked through the Oracle Enterprise Linux 7 – UEK4 Linux kernel live patching process with Kpatch. The process itself is quite simple, but it is not easy: developing the patch is the main difficulty. The patch must not break the system, and it must be compatible with the previous and next packages. Add different kernel distributions and versions, testing and support, and you can end up with a notable price for a live patching tool.
You can explore three different ways of applying Linux kernel security patches in our explicit guide. The article explains how to update Linux kernels without rebooting, covering three different methods for some of the most popular Linux kernels.