Elivepatch

Introduction

Flexible Distributed Linux Kernel Live Patching

elivepatch diagram

Why?

• Distributed live patch building
  • Works as client server live patch build model
• Incremental live patch
  • You can build live patch over the previous one
• Automatic live patch for security CVE
  • Getting kernel CVE from https://github.com/nluedtke/linux_kernel_cves

How?

• elivepatch-client
  • Client to be run on the machine where we want to install the live patch.
• elivepatch-server
  • RESTful API for building the live patch. Using kpatch for building the live patch object.

What?

Elivepatch-server

This is for the machine that will build the live patch.

Installation:

This will install the init.d file under /etc/init.d/elivepatch and the conf.d under /etc/conf.d/elivepatch.
From the conf.d file you can change the elivepatch daemon user and permission (by default is root).
You can start elivepatch-server on machine startup with:

Elivepatch-client

This is for the machine that will request to build the live patch.

Installation:

One time livepatch build

CVE livepatch

CVE live patch is the command for live patching the current kernel with last security cve.

Can also be used as a cronjob command.

Creating Live patch

Not all patch can be converted to live patch using kpatch.

• Patch that change data structure
• Change content of existing variable
• Add field to existing data structure
• Init code changes are incompatible with kpatch
• Header file changes
• Dealing with unexpected changed functions
• Removing references to static local variables
• Code removal

GSoC 2017

This project is part of GSoC 2017 and the code is written by User:Aliceinwire mentored by User:Gokturk

Written code:

• kpatch ebuild merged in the Gentoo official repository
• elivepatch client
• elivepatch server
• Official Gentoo repository elivepatch merge pull-request

Reports:

• half term report
• half term presentation
• Some public reports