Kernel Live Patching: Concept
1 Environment
This document applies to the following products and product versions:
SUSE Linux Enterprise Server 15 SP5, 15 SP4, 15 SP3, 15 SP2, 12 SP5
SUSE Linux Enterprise Server for SAP Applications 15 SP5, 15 SP4, 15 SP3, 15 SP2, 12 SP5
SUSE Linux Enterprise High Availability 15 SP5, 15 SP4, 15 SP3, 15 SP2, 12 SP5
SUSE Linux Enterprise High Performance Computing 15 SP5, 15 SP4, 15 SP3, 15 SP2
SUSE Linux Enterprise Desktop 15 SP5
SUSE Linux Enterprise Real Time 15 SP5
2 What is Kernel Live Patching?
KLP (Kernel Live Patching) makes it possible to apply the latest security updates to Linux kernels without rebooting. This maximizes system uptime and availability, which is especially important for mission-critical systems.
3 How does Kernel Live Patching work?
Kernel live patches are delivered as packages with modified code that are separate from the main kernel package. The live patches are cumulative, so the latest patch contains all fixes from the previous ones for the kernel package. Each kernel live patch package is tied to the exact kernel revision for which it is issued. The live patch package version number increases with every addition of fixes.
Live patches contain only critical fixes, and they do not replace regular kernel updates that require a reboot. Consider live patches as temporary measures that protect the kernel until a proper kernel update and a reboot are performed.
The diagram below illustrates the overall relationship between live patches and kernel updates. The list of Common Vulnerabilities and Exposures (CVEs) and defect reports addressed by the currently active live patch can be viewed using the klp -v patches command.
It is possible to have multiple versions of the kernel package installed along with their live patches. These packages do not conflict. You can install updated kernel packages along with live patches for the running kernel. In this case, you may be prompted to reboot the system. Users with SLE Live Patching subscriptions are eligible for technical support as long as there are live patch updates for the running kernel.
With KLP activated, every kernel update comes with a live patch package. This live patch does not contain any fixes and serves as a seed for future live patches for the corresponding kernel. These empty seed patches are called initial patches.
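Once a live patch package is installed, the fix only protects the system after the kernel has loaded the patch module and finished switching every task over to the patched functions. The following script is an added example, not part of the SUSE documentation or of the klp tool: it reads the upstream kernel's /sys/kernel/livepatch interface (one directory per loaded patch module, with an "enabled" flag and a "transition" flag that stays 1 while the switch-over is still in progress) and reports whether each loaded patch is actually active. The sysfs root is a parameter so the function can also be run against a constructed directory tree; the exit codes (0 all active, 1 some patch missing or still transitioning, 2 no livepatch sysfs at all) are this example's own convention.

```shell
#!/bin/sh
# Added example: report the state of every kernel live patch the running
# kernel has loaded, using the upstream /sys/kernel/livepatch interface.
# Exit codes (example convention): 0 = every loaded patch is active,
# 1 = no patch loaded or at least one not fully active, 2 = no sysfs tree.

klp_status() {
    root="${1:-/sys/kernel/livepatch}"
    if [ ! -d "$root" ]; then
        echo "no livepatch sysfs at $root (livepatch unsupported or nothing loaded)"
        return 2
    fi
    rc=0
    found=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        found=1
        name=$(basename "$dir")
        # 'enabled' is 1 while the patch is applied; 'transition' is 1 while
        # the kernel is still migrating tasks to (or from) the patched code.
        enabled=$(cat "$dir/enabled" 2>/dev/null || echo "?")
        transition=$(cat "$dir/transition" 2>/dev/null || echo "?")
        if [ "$enabled" = "1" ] && [ "$transition" = "0" ]; then
            state="active"
        elif [ "$enabled" = "1" ]; then
            state="enabling (transition in progress)"
            rc=1
        elif [ "$transition" = "1" ]; then
            state="disabling (transition in progress)"
            rc=1
        else
            state="disabled"
            rc=1
        fi
        echo "$name: enabled=$enabled transition=$transition -> $state"
    done
    if [ "$found" -eq 0 ]; then
        echo "no live patch loaded"
        return 1
    fi
    return "$rc"
}

# Run against the live system with:  sh klp_status.sh run
case "${1:-}" in run) klp_status ;; esac
```

A non-zero exit from this check is the signal a monitoring job would want: the live patch package may be installed, but the running kernel is not yet protected by it. For the list of CVEs that the active patch addresses, the klp -v patches command mentioned above remains the authoritative source.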
4 Benefits of Kernel Live Patching
KLP offers several benefits.
Keeping a large number of servers automatically up to date is essential for organizations obtaining or maintaining certain compliance certifications. KLP can help achieve compliance, while reducing the need for costly maintenance windows.
Companies bound by service-level agreement contracts must guarantee a specific level of system accessibility and uptime. Live patching makes it possible to patch systems without incurring downtime.
Since KLP is part of the standard system update mechanism, there is no need for specialized training or introduction of complicated maintenance routines.