Upstream Live Patching -- Are We There Yet? | SUSE Communities
< Back to Blog

Upstream Live Patching — Are We There Yet?

May 29, 2017 | By: SUSE

Share
Share

Year 2014. SUSE and Red Hat submit their live patching solutions to upstream — kGraft and kpatch. A discussion between developers on a common implementation takes place at Linux Plumbers conference in Dusseldorf.

Year 2015. Linus Torvalds merges their effort to the mainline kernel. The version number of the kernel is promoted to 4.0 (well, it was only a coincidence that the major version changed with the live patching merge, but why not to mention it).

Year 2017, May. A consistency model becomes a part of the kernel in 4.12.

When the initial implementation was merged in 2015, with a bit of exaggeration it was not much more than a simple redirection of functions, architecture support and basic infrastructure around that. But even that could be used for a majority of security fixes we normally deal with.

It has improved a lot since then and many new features have been added. However the consistency model was still missing. We need it to be able to patch another class of security fixes which contain semantic interdependence between multiple functions. Calling a patched function from an unpatched one or vice versa has to be avoided at all times.

It took more than two years of work to get from the design proposal to the final implementation which was merged. It is a hybrid of original solution from both SUSE and Red Hat. The model combines kGraft’s per-task consistency and syscall barrier switching with kpatch’s stack trace switching. Thus, it picks up advantages from both approaches. Even the kernel itself benefits from the work. For example, compile-time stack metadata validation was implemented in the process, stack dumping was rewritten and improved.

There is a question to be asked though. Is the upstream live patching complete now? No, it is not. We cannot deal with data structure changes (or state transformation generally) yet. We need a tool to build the live patches automatically. Also, there is a need to support more architectures.

We are not there yet, but we have just made another significant step to get there.

Share

Related Articles

Jul 20th, 2022

What is a kernel thread?

Jul 08th, 2023

From CentOS to openSUSE Leap: How to Feel at Home

Jun 15th, 2022

SAP HANA Cockpit with SUSE HA integration greatly improves data integrity

Jun 20th, 2022

Innovation Without Disruption: Introducing SUSE Linux Enterprise 15 SP4 and Resilience

Leave a Reply

Your email address will not be published. Required fields are marked *

No comments yet

Avatar photo
4,549 views
SUSE
Back

IT Modernization


SAP Solutions


AI and Analytics


Hybrid Cloud Solutions


Nonstop IT


Exit Federal Government

Back

Business-Critical Linux

Enterprise Container Management

Edge

All Products
Back

Solutions

Hybrid Cloud IT
Business-critical Linux

Run & secure cloud and on-prem workloads
Run SAP
Run SAP

Deliver mission-critical SAP solutions
Enterprise Container Management
Enterprise Container Management

Orchestrate cloud-native apps
IT Operations at the Edge
Edge

Deploy intelligent devices to the edge
Public Cloud
SUSE for Public Cloud

Accelerate innovation across your clouds
Security
Security

Secure your digital enterprise

Industries

Back

Support

Product Support
Premium Support Services

Dedicated support services from a premium team


Long Term Service Support

Stay on your existing product version


Renew Your Support Subscription

Services

Consulting Services
Training & Certification
Premium Technical Advisory Services

Resources

SUSE Support User Guide
Patches & Updates
Product Documentation
Knowledgebase
SUSE Customer Center
Product Support Life Cycle
Licensing
Package Hub

Community packages for SUSE Linux Enterprise Server


Driver Search
Support Forums
Developer Services
Beta Program
Security
Back

Partners

Partner Program


Find a Partner


Become a Partner


Login to the SUSE Partner Portal

Back

Communities

Community

Blog


Forum


Open Source Projects


openSUSE.org



SUSE Polska

Back

About

About Us


Leadership


Careers


Newsroom


Success Stories


Investor Relations


Social Impact


SUSE Logo and Brand


Events & Webinars


Merchandise Store


Communications Preferences