Kernel Live Patching on SUSE Linux Enterprise Server
- WHAT?
Understanding and using Kernel Live Patching on SUSE Linux Enterprise Server.
- WHY?
Because you want to keep mission-critical systems secure, without downtime.
- EFFORT
20 minutes reading time.
- GOAL
Understand how Kernel Live Patching works.
- REQUIREMENTS
Working knowledge of Linux.
1 Introduction to Kernel Live Patching
Kernel Live Patching (KLP) makes it possible to apply the latest security updates to Linux kernels without rebooting. This maximizes system uptime and availability, which is particularly important for mission-critical systems. As such, KLP offers several benefits.
Keeping a large number of servers automatically up-to-date is essential for organizations obtaining or maintaining certain compliance certifications. KLP can help achieve compliance, while reducing the need for maintenance windows.
Companies that work with service-level agreement contracts must guarantee a certain level of the system accessibility and uptime. Live patching makes it possible to patch systems without incurring downtime.
Since KLP is part of the standard system update mechanism, there is no need for specialized training or introduction of additional maintenance routines.
1.1 Kernel Live Patching scope
The scope of SLES Live Patching includes fixes for SUSE Common Vulnerability Scoring System (CVSS) level 7+ vulnerabilities and bug fixes related to system stability or data corruption. However, it may not be technically feasible to create live patches for all fixes that fall under the specified categories. SUSE therefore reserves the right to skip fixes in situations where creating a kernel live patch is not possible for technical reasons. Currently, over 95% of qualifying fixes are released as live patches. SUSE CVSS is based on the CVSS v3.0 system. For more information on CVSS, see Common Vulnerability Scoring System SIG.
1.2 Kernel Live Patching limitations
KLP involves replacing functions and gracefully handling replacement of interdependent function sets. This is done by redirecting calls to old code to updated code in a different memory location. Changes in data structures make the situation more complicated, as the data remain in place and cannot be extended or reinterpreted. While there are techniques that allow indirect alteration of data structures, certain fixes cannot be converted to live patches. In this situation, a system restart is the only way to apply the fixes.
2 Understanding kernel live patches
Kernel live patches are installed as part of regular system updates. Kernel live patches are delivered as packages with modified code that are separate from the main kernel package. The live patches are cumulative, so the latest patch contains all fixes from the previous ones for the kernel package. Each kernel live patch package is tied to the exact kernel revision for which it is issued. The live patch package version number increases with every addition of fixes. To determine the kernel patching status, use the klp -v patches command.
Live patches contain only critical fixes, and they do not replace regular kernel updates that require a reboot. Consider live patches as temporary measures that protect the kernel until a proper kernel update and a reboot are performed.
The diagram below illustrates the overall relationship between live patches and kernel updates. The list of CVEs and defect reports addressed by the currently active live patch can be viewed using the klp -v patches command.
It is possible to have multiple versions of the kernel package installed along with their live patches. These packages do not conflict. You can install updated kernel packages along with live patches for the running kernel. In this case, you may be prompted to reboot the system. Users with SLES Live Patching subscriptions are eligible for technical support as long as there are live patch updates for the running kernel.
With KLP activated, every kernel update comes with a live patch package. This live patch does not contain any fixes and serves as a seed for future live patches for the corresponding kernel. These empty seed patches are called initial patches.
Keep in mind that while there may be multiple kernel packages installed on the system, only one of them is running at any given time. Similarly, there may be multiple live patch packages installed, but only one live patch is loaded into the kernel.
The active live patch is included in the initrd. This means that in case of an unexpected reboot, the system comes up with the live patch fixes applied, so there is no need to perform patching again.
3 Activating Kernel Live Patching using YaST
To activate KLP on your system, you need to have active SLES and SLES Live Patching subscriptions. Visit SUSE Customer Center to check the status of your subscriptions and obtain a registration code for the SLES Live Patching subscription.
To activate Kernel Live Patching on your system, follow these steps:
1. Run the yast2 registration command and proceed to the list of available extensions.
2. Select SLES Live Patching in the list of available extensions and continue.
3. Confirm the license terms and continue.
4. Enter your SLES Live Patching registration code and continue.
5. Check the selected patterns. The patterns Live Patching and SLE Live Patching Lifecycle Data should be automatically selected for installation along with additional packages to satisfy dependencies.
6. Confirm the installation. This installs the base Kernel Live Patching components on your system, the initial live patch, and the required dependencies.
4 Activating Kernel Live Patching from the command line
To activate Kernel Live Patching, you need to have active SLES and SLES Live Patching subscriptions. Visit SUSE Customer Center to check the status of your subscriptions and obtain a registration code for the SLES Live Patching subscription.
1. Run sudo SUSEConnect --list-extensions and note the exact activation command for SLES Live Patching. Example command output (abbreviated):
$ SUSEConnect --list-extensions
...
SUSE Linux Enterprise Live Patching 16.0 x86_64
Activate with: SUSEConnect -p sle-module-live-patching//x86_64 \
  -r ADDITIONAL REGCODE
2. Activate SLES Live Patching using the obtained command followed by -r LIVE_PATCHING_REGISTRATION_CODE, for example:
SUSEConnect -p sle-module-live-patching//x86_64 \
  -r LIVE_PATCHING_REGISTRATION_CODE
3. Install the required packages and dependencies using the command
zypper install -t pattern lp_sles
At this point, the system has already been live-patched.
Here is how the process works behind the scenes: when the package installation system detects that there is an installed kernel that can be live-patched, and that there is a live patch for it in the software channel, the system selects the live patch for installation. The kernel then receives the live patch fixes as part of the package installation. The kernel gets live-patched even before the product installation is complete.
5 Troubleshooting Kernel Live Patching issues
5.1 Checking expiration date of the live patch
Make sure that the lifecycle-data-sle-module-live-patching package is installed, then run the zypper lifecycle command. You should see expiration dates for live patches in the "Package end of support if different from product" section of the output.
Every live patch receives updates for 13 months from the release of the underlying kernel package. The Maintained kernels, patch updates and lifecycle page allows you to check expiration dates based on the running kernel version without installing the product extension.
5.2 Checking what kernel live patch packages are installed
The kernel is live-patched if a kernel-livepatch-* package has been installed for the running kernel. You can use the command zypper se --details kernel-livepatch-* to check what kernel live patch packages are installed on your system.
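Because each live patch package is tied to one exact kernel revision, listing installed kernel-livepatch-* packages is only half the check: the package must match the kernel that is currently running. The following script is an added example, not part of the SUSE documentation; it assumes that the live patch package name is formed from the output of uname -r by replacing every dot with an underscore (as on SLES 15), and it falls back to constructed sample data when zypper is not present so it can run offline.

```shell
#!/bin/sh
# Added example, not part of the SUSE documentation: report whether the
# running kernel is covered by an installed kernel-livepatch-* package.
# Assumption: the live patch package name is derived from `uname -r` by
# replacing every '.' with '_' (5.14.21-150400.24.46-default ->
# kernel-livepatch-5_14_21-150400_24_46-default), as observed on SLES 15.

# Expected live patch package name for a kernel release string.
expected_livepatch_pkg() {
    printf 'kernel-livepatch-%s\n' "$1" | sed 's/\./_/g'
}

# Print "patched" if the list of installed package names ($2, one per line)
# contains the live patch package matching kernel release $1, else "unpatched".
livepatch_state() {
    want=$(expected_livepatch_pkg "$1")
    if printf '%s\n' "$2" | grep -qxF -- "$want"; then
        echo patched
    else
        echo unpatched
    fi
}

# Constructed sample data (one kernel, two cumulative live patch packages
# installed) so the script can run offline; used when zypper is unavailable.
SAMPLE_KERNEL='5.14.21-150400.24.46-default'
SAMPLE_INSTALLED='kernel-livepatch-5_14_21-150400_24_38-default
kernel-livepatch-5_14_21-150400_24_46-default'

if command -v zypper >/dev/null 2>&1; then
    # Real SUSE system: query the RPM database for installed live patches.
    kernel=$(uname -r)
    installed=$(rpm -qa --qf '%{NAME}\n' 'kernel-livepatch-*' 2>/dev/null || true)
else
    kernel=$SAMPLE_KERNEL
    installed=$SAMPLE_INSTALLED
fi

state=$(livepatch_state "$kernel" "$installed")
echo "running kernel $kernel: $state"
# A package for an older revision does not protect a newer running kernel;
# klp status shows whether the matching patch is actually loaded.
[ "$state" = patched ] || echo "no live patch package matches the running kernel"
```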
5.3 Preventing reboot
When the kernel-default package is installed, the update manager prompts you to reboot the system. To prevent this message from appearing, you can filter out kernel updates from the patching operation. This can be done by adding package locks with Zypper. SUSE Manager also makes it possible to filter channel contents (see Live Patching with SUSE Manager).
5.4 Check patching status
You can check patching status using the klp status command. To examine installed patches, run the klp -v patches command.
5.5 Downgrading a kernel patch
If you find the latest live patch problematic, you can downgrade the currently installed live patch back to its previous version. Keep in mind that a system with kernel warnings or kernel error traces in the system log may not be suitable for the patch downgrade procedure. If you are unsure whether the system meets the requirements for a patch downgrade, contact SUSE Technical Support for help.
To downgrade the latest kernel live patch, use the klp downgrade command. This command automatically detects the version of the latest live patch and installs the preceding one.
6 Legal Notice
Copyright © 2006–2024 SUSE LLC and contributors. All rights reserved.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.
For SUSE trademarks, see https://www.suse.com/company/legal/. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.
All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.