Live patching is a way of updating a Linux kernel without interruption. Because kernel updates don’t take effect until the system is rebooted, Linux kernel live patching is most commonly used to patch severe Linux kernel vulnerabilities without rebooting servers.
Aside from improved service continuity and uptime, organizations with large server fleets also use live patching to avoid the administrative overhead associated with the coordination and planning needed to reboot multiple systems.
This tutorial will show how to use Kpatch to change the behavior of a running Ubuntu 20.04 LTS Focal Fossa kernel without stopping it, changing the contents of /proc/uptime (and the uptime command) so that the system’s reported uptime is 10 years greater.
Kpatch was created by Red Hat and works on RHEL and its derivatives. Red Hat offers a commercial live patch service for RHEL customers, as do the following companies, who each focus on different distributions:
We have chosen Kpatch for this tutorial because it is one of the few solutions whose source code is freely available and regularly updated. We have another tutorial on Live patching Debian 10 Linux kernel with Kpatch – check it out too.
Here are the system prerequisites for following this tutorial. First confirm that the running kernel was built with live patching support and that a C compiler is available:
grep LIVEPATCH /boot/config-$(uname -r)
gcc --version (if gcc is not installed, run "sudo apt install gcc")
apt-get install sudo
adduser <user> sudo
where <user> is the username for a normal user. (All subsequent commands should be done as this user.)
sudo apt-get -y update
sudo apt-get -y upgrade
sudo apt-get -y install build-essential devscripts gawk libelf-dev libssl-dev linux-source flex bison
Focal Fossa’s kpatch package is out of date, so you must install it from source.
git clone https://github.com/dynup/kpatch.git
cd kpatch && make && sudo make install
mkdir kernel && cd $_
tar xaf /usr/src/linux-source-5.4.0.tar.bz2
Note: 5.4.0 is the Linux kernel version for Ubuntu 20.04 at the time of writing. You should check and substitute the most recent version present in /usr/src.
The following commands are run inside the unpacked source tree, because scripts/config operates on the .config file in the current directory. Copy the running kernel's configuration there, then check the options that live patching depends on: scripts/config -s only prints an option's state (y, m, n or undef) without changing it, and every one of them should report y. The final command blanks SYSTEM_TRUSTED_KEYS so the build does not look for a signing certificate file that is not part of the source tarball.
cp /boot/config-$(uname -r) .config
scripts/config -s DYNAMIC_FTRACE_WITH_REGS
scripts/config -s FUNCTION_TRACER
scripts/config -s HAVE_DYNAMIC_FTRACE_WITH_REGS
scripts/config -s HAVE_FENTRY
scripts/config -s HAVE_LIVEPATCH
scripts/config -s KALLSYMS_ALL
scripts/config -s KALLSYMS
scripts/config -s LIVEPATCH
scripts/config -s MODULES
scripts/config -s MODULE_SIG
scripts/config -s SYSFS
scripts/config -s SYSTEM_TRUSTED_KEYRING
scripts/config --set-str SYSTEM_TRUSTED_KEYS ""
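As an added example (not part of the original article), the POSIX shell script below performs the same checks as the scripts/config -s lines above against any kernel config file and lists the options that are not built in. It relies only on the standard config syntax (CONFIG_FOO=y, CONFIG_FOO=m, "# CONFIG_FOO is not set"); the option list is the tutorial's, and the config written by write_sample_config is a constructed sample for illustration, not a real Ubuntu config.

```shell
#!/bin/sh
# Added example, not code from the article: report which live patching
# prerequisites a kernel .config lacks. Mirrors "scripts/config -s OPTION".

# Option list taken from the tutorial's scripts/config -s checks.
REQUIRED_OPTS="DYNAMIC_FTRACE_WITH_REGS FUNCTION_TRACER HAVE_DYNAMIC_FTRACE_WITH_REGS HAVE_FENTRY HAVE_LIVEPATCH KALLSYMS_ALL KALLSYMS LIVEPATCH MODULES MODULE_SIG SYSFS SYSTEM_TRUSTED_KEYRING"

# config_state FILE OPTION -> prints y, m, n or undef, like scripts/config -s.
config_state() {
    file=$1; opt=$2
    if grep -q "^CONFIG_${opt}=y$" "$file"; then echo y
    elif grep -q "^CONFIG_${opt}=m$" "$file"; then echo m
    elif grep -q "^# CONFIG_${opt} is not set$" "$file"; then echo n
    else echo undef
    fi
}

# check_livepatch_config FILE -> prints every required option that is not
# built in (=y); returns 0 when all are present, 1 otherwise.
check_livepatch_config() {
    file=$1; missing=0
    for opt in $REQUIRED_OPTS; do
        state=$(config_state "$file" "$opt")
        if [ "$state" != y ]; then
            echo "CONFIG_${opt}: ${state} (need y)"
            missing=1
        fi
    done
    return $missing
}

# trusted_keys_value FILE -> prints the SYSTEM_TRUSTED_KEYS string, which the
# tutorial blanks with scripts/config --set-str before building.
trusted_keys_value() {
    sed -n 's/^CONFIG_SYSTEM_TRUSTED_KEYS="\(.*\)"$/\1/p' "$1"
}

# write_sample_config FILE -> constructed sample config (not a real Ubuntu
# config) in which KALLSYMS_ALL is deliberately disabled.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_LIVEPATCH=y
CONFIG_HAVE_LIVEPATCH=y
CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
CONFIG_FUNCTION_TRACER=y
CONFIG_HAVE_FENTRY=y
CONFIG_KALLSYMS=y
# CONFIG_KALLSYMS_ALL is not set
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
CONFIG_SYSFS=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="example-certs.pem"
EOF
}

# Usage: sh check_livepatch.sh /boot/config-$(uname -r)
if [ $# -gt 0 ]; then
    check_livepatch_config "$1"
fi
```

Run it against /boot/config-$(uname -r) before unpacking any source: an option reported as m or n means the running kernel cannot accept a live patch, and no amount of rebuilding the source tree will change that for the kernel currently booted.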
A patch file is the output of the diff command run against the original and the modified source files.
The patching example shown in the 'Quick start' section of the kpatch GitHub page changes the output of /proc/meminfo. Many other Kpatch articles reproduce this example, so I wanted something different and a little more interesting, yet still safe.
This example changes the output of the uptime command to give the illusion that your server's uptime has increased by a decade.
cp linux-source-5.4.0/fs/proc/uptime.c .
Open the copied uptime.c in an editor and find the line that prints the uptime seconds:
(unsigned long) uptime.tv_sec,
Change it to add ten years (315576000 seconds) to the printed value:
(unsigned long) uptime.tv_sec + 315576000,
Save the file.
diff -u linux-source-5.4.0/fs/proc/uptime.c ./uptime.c > uptime.patch
sudo apt install linux-image-$(uname -r)-dbgsym
kpatch-build -t vmlinux -v /usr/lib/debug/boot/vmlinux-5.4.0-37-generic uptime.patch
ls -l *.ko
cat /proc/uptime && uptime -p
sudo kpatch load livepatch-uptime.ko
You should see that your uptime is ten years greater. (The internal value hasn't been changed, only what is printed.)
sudo kpatch unload livepatch-uptime.ko
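To confirm the patch is active without relying on the printed uptime alone, here is an added script (not from the article) that compares two captured /proc/uptime lines and reads the patch module's state from the kernel's livepatch sysfs entries, /sys/kernel/livepatch/<module>/enabled and /sys/kernel/livepatch/<module>/transition. It assumes the module directory is the .ko name with hyphens turned into underscores, as the kernel does for module names, so livepatch-uptime.ko appears as livepatch_uptime; the decade offset is the tutorial's 315576000 seconds, and the uptime values in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not code from the article: verify the uptime live patch
# took effect and inspect its sysfs state.

DECADE=315576000   # the offset the tutorial adds, in seconds

# uptime_shift "BEFORE" "AFTER": both arguments are captured /proc/uptime
# lines; prints the whole-second change in the first (uptime) field.
uptime_shift() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, " "); split(b, y, " ");
        printf "%d\n", y[1] - x[1]
    }'
}

# decade_applied SHIFT: true when the shift is ten years plus whatever time
# elapsed between the two reads (tolerance: one hour).
decade_applied() {
    [ "$1" -ge "$DECADE" ] && [ "$1" -lt $((DECADE + 3600)) ]
}

# livepatch_state NAME [SYSFS_ROOT]: prints enabled, disabled, in-transition
# or not-loaded for patch module NAME. SYSFS_ROOT is overridable so the
# function can be exercised against a constructed directory tree.
livepatch_state() {
    dir="${2:-/sys/kernel/livepatch}/$(echo "$1" | tr - _)"
    if [ ! -d "$dir" ]; then
        echo not-loaded; return
    fi
    if [ "$(cat "$dir/transition")" = 1 ]; then
        echo in-transition; return
    fi
    if [ "$(cat "$dir/enabled")" = 1 ]; then echo enabled; else echo disabled; fi
}

# Usage on a live system (values in the comments are constructed examples):
#   before=$(cat /proc/uptime)        # e.g. "8123.45 31022.11"
#   sudo kpatch load livepatch-uptime.ko
#   after=$(cat /proc/uptime)         # e.g. "315584124.01 31022.50"
#   decade_applied "$(uptime_shift "$before" "$after")" && echo "patch active"
#   livepatch_state livepatch-uptime  # prints enabled once the transition ends
```

A patch that reports in-transition has been loaded but not yet applied to every task; only enabled means the new uptime_proc_show is what every reader of /proc/uptime gets. kpatch list gives the same loaded/installed view from the kpatch side.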
Live patching the Linux kernel with Kpatch isn't hard. The difficulty lies in writing a patch that won't crash the system and will work with other patches that come later. Most patches are created from more than a simple diff and need thorough testing across multiple kernel versions running on various distributions.
Patch writers need to be both accomplished C programmers and experienced Linux kernel developers, and compiling the kernel and testing patches for every kernel version takes a big investment in hardware and automation tools. The rarity of skills and the cost of infrastructure means that vendors must charge for live patching services.
And don't forget to read our guide on How to Apply Linux Kernel Security Patches: 3 Different Ways. The article explains how to update Linux kernels without rebooting, covering three different methods for some of the most popular Linux kernels.