Jump to: content

Elivepatch

From Gentoo Wiki

Jump to:navigation Jump to:search

This page contains changes which are not marked for translation.

Resources

elivepatch-client

elivepatch-server

elivepatch-server-docker

Sponsor

Tokyo University of Technology - server sponsor

Introduction

Flexible Distributed Linux Kernel Live Patching

livepatch is a Linux kernel facility that allows to build a kernel module to update a running kernel without requiring a reboot.

Elivepatch is a client-server infrastructure to automate the creation and distribution of those modules.

👁 Image

elivepatch diagram

Use cases

Resource-constrained updates
- Distributed live patch building
- Incremental live patch (You can build live patch over the previous one)
Automatic no-reboot updates for security CVE

Setup

The software is mainly two components:

elivepatch-client: Client to be run on the machines to be updated.
elivepatch-server: Server in charge of building the livepatch modules.

The two use a RESTful API for receiving the kernel configuration and a source 'diff' and generate a livepatch module out of it using kpatch

Server setup

root #emerge --ask sys-apps/elivepatch-server

This will install the init.d file under /etc/init.d/elivepatch and the conf.d under /etc/conf.d/elivepatch.
From the conf.d file you can change the elivepatch daemon user and permission (by default is root).
You can start elivepatch-server on machine startup with:

root #rc-config add elivepatch-server default

The machine will need to have enough space to build several kernels and the toolchains used to build the original kernel.

Client setup

root #emerge --ask sys-apps/elivepatch-client

The client is as well a Python program.

Usage examples

One time livepatch build

root #elivepatch --config <file.config> --patch <example.patch> --url <elivepatch-server_url:elivepatch-server_port>

The example.patch is a diff from the original kernel sources the file.config belongs to (the elivepatch-client figures out the kernel version from it).

The command will contact the elivepatch server and request a livepatch module matching the patch provided.

CVE livepatch

root #elivepatch --cve --kernel <kernel_version> --url <elivepatch-server-url:port>

It will automatically produce a cve.patch from the CVE advisories for the current running kernel and request a livepatch module.

It could be used as a cron job command to keep an always-on machine up to date security-wise.

Limitations

Patch creation

elivepatch uses kpatch under the hood and the system has the following limitations:

Patch that change data structure
Change content of existing variable
Add field to existing data structure
Init code changes are incompatible with kpatch
Header file changes
Dealing with unexpected changed functions
Removing references to static local variables
Code removal

Toolchain pinning

The livepatch generation process needs a toolchain matching the one used to build the original kernel. Depending on the number of system to serve, this will require a large collection of gcc.

Security concerns

Automated live patching creation needs to trust the diff provided. It is advised to keep the process containerized. For this purpose Docker images are being worked on.

Background

This project is part of GSoC 2017 and the code is written by User:Alicef mentored by User:Gokturk

Written code:

Reports:

Retrieved from "https://wiki.gentoo.org/index.php?title=Elivepatch&oldid=1375837"

Categories:

URL: https://wiki.gentoo.org/wiki/Elivepatch

⇱ Elivepatch - Gentoo wiki