Kpatch

kpatch
Developer(s): Red Hat
Initial release: February 26, 2014 [1]
Stable release: 0.9.3 [2] / April 20, 2021
Operating system: Linux
Type: Kernel extension
License: GNU GPL version 2
Website: github.com/dynup/kpatch

kpatch is a feature of the Linux kernel that implements live patching of a running kernel, which allows kernel patches to be applied while the kernel is still running. By avoiding the need for rebooting the system with a new kernel that contains the desired patches, kpatch aims to maximize the system uptime and availability. At the same time, kpatch allows kernel-related security updates to be applied without deferring them to scheduled downtimes. [1] [3] Internally, kpatch allows entire functions in a running kernel to be replaced with their patched versions, doing that safely by stopping all running processes while the live patching is performed. [4]

kpatch is developed by Red Hat, with its source code licensed under the terms of the GNU General Public License version 2 (GPLv2). [1] In May 2014, kpatch was submitted for inclusion into the Linux kernel mainline, [5] and the minimalistic foundations for live patching were merged into the Linux kernel mainline in kernel version 4.0, which was released on April 12, 2015. [6]

Internals

[Figure: Linux kernel live patching kpatch.svg] With live patching in place, calls to patched kernel functions invoke their replacement counterparts.

Internally, kpatch consists of two parts: the core kernel module executes the live patching mechanism by altering the kernel's inner workings, while a set of userspace utilities prepares individual hot patch kernel modules from source diffs and manages their application. Live kernel patching is performed at the function level, meaning that kpatch can replace entire functions in the running kernel with their patched versions by using facilities provided by ftrace to "route around" old versions of functions; that way, hot patches can also easily be undone. No changes to the kernel's internal data structures are possible; however, security patches, which are one of the natural candidates to be used with kpatch, rarely contain changes to the kernel's data structures. [4] [5] [7]

kpatch ensures that hot patches are applied atomically and safely by stopping all running processes while the hot patch is applied, and by ensuring that none of the stopped processes is running inside the functions that are to be patched. Such an approach simplifies the whole live patching mechanism and prevents certain issues associated with the way data structures are used by the original and patched versions of functions. As a downside, this approach also leaves the possibility for a hot patch to fail, and introduces a small amount of latency required for stopping all running processes. [4] [5] [7]
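The two mechanisms described above (routing calls to a replacement function, and refusing a patch while any stopped task is still executing the target function) can be modelled in userspace. The following is an added example written for this page, not kpatch's own code: a dispatch table stands in for the ftrace hook, per-task stack snapshots stand in for the stopped processes, and the function names and the two "versions" of checksum are constructed.

```c
/* Userspace model of kpatch's function-level live patching (added
 * illustration, not kpatch code; uses no kernel interfaces). Callers go
 * through a dispatch table, which plays the role ftrace plays in the kernel;
 * applying a patch retargets the table entry, and the patch is refused when
 * any stopped "task" still has the target function on its stack. */
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 8
#define MAX_TASKS 4

typedef int (*fn_t)(int);

/* Dispatch table entry: caller-visible name, current target, and the
 * original target kept so the patch can be undone. */
struct fn_entry {
    const char *name;
    fn_t cur;
    fn_t orig;
};

/* Snapshot of one stopped task's call stack, innermost frame last. */
struct task {
    const char *stack[MAX_DEPTH];
    int depth;
};

/* Constructed original and patched versions of one function. */
static int checksum_v1(int x) { return x + 1; }
static int checksum_v2(int x) { return x ^ 0x55; }

static struct fn_entry table[] = {
    { "checksum", checksum_v1, checksum_v1 },
};
#define NFUNCS (int)(sizeof table / sizeof table[0])

static struct fn_entry *lookup(const char *name)
{
    for (int i = 0; i < NFUNCS; i++)
        if (strcmp(table[i].name, name) == 0) return &table[i];
    return NULL;
}

/* Call through the table, as kernel callers do through the ftrace hook.
 * Returns -1 for an unknown function name. */
int call_fn(const char *name, int arg)
{
    struct fn_entry *e = lookup(name);
    return e ? e->cur(arg) : -1;
}

/* Consistency check: 1 if any stopped task is currently inside `name`. */
static int in_use(const char *name, const struct task *tasks, int ntasks)
{
    for (int t = 0; t < ntasks; t++)
        for (int d = 0; d < tasks[t].depth; d++)
            if (strcmp(tasks[t].stack[d], name) == 0) return 1;
    return 0;
}

/* Apply a patch atomically: with every task stopped (modelled by the stack
 * snapshots), refuse if the function is live anywhere, else retarget it.
 * Returns 0 on success, -1 when the patch fails safely. */
int apply_patch(const char *name, fn_t replacement,
                const struct task *tasks, int ntasks)
{
    struct fn_entry *e = lookup(name);
    if (!e) return -1;
    if (in_use(name, tasks, ntasks)) return -1;
    e->cur = replacement;
    return 0;
}

/* Undo a patch by routing calls back to the original version. */
int revert_patch(const char *name)
{
    struct fn_entry *e = lookup(name);
    if (!e) return -1;
    e->cur = e->orig;
    return 0;
}

int main(void)
{
    /* Constructed snapshots: in `busy`, task 1 is inside checksum(). */
    struct task busy[MAX_TASKS] = {
        { { "sys_read", "vfs_read" }, 2 },
        { { "sys_write", "checksum" }, 2 },
    };
    struct task idle[MAX_TASKS] = {
        { { "sys_read", "vfs_read" }, 2 },
        { { "schedule" }, 1 },
    };

    printf("before: checksum(1) = %d\n", call_fn("checksum", 1));
    printf("apply while busy: %s\n",
           apply_patch("checksum", checksum_v2, busy, 2) ? "refused" : "ok");
    printf("apply while idle: %s\n",
           apply_patch("checksum", checksum_v2, idle, 2) ? "refused" : "ok");
    printf("after: checksum(1) = %d\n", call_fn("checksum", 1));
    revert_patch("checksum");
    printf("reverted: checksum(1) = %d\n", call_fn("checksum", 1));
    return 0;
}
```

The refusal path is the point of the model: the check is only as trustworthy as the stack snapshots it inspects, which is why the reliability of the kernel's call stacks matters to this design. Reverting is just a second retarget, which is what makes a kpatch hot patch easy to undo.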

History

Red Hat announced and publicly released kpatch in February 2014 under the terms of the GNU General Public License version 2 (GPLv2), [1] shortly before SUSE released its own live kernel patching implementation called kGraft. [8] kpatch was submitted for inclusion in the Linux kernel mainline in May 2014, and was subsequently merged. [5] [9]

kpatch has been included in Red Hat Enterprise Linux 7.0, released on June 10, 2014, as a technology preview. [10] [11]

Minimalistic foundations for live kernel patching were merged into the Linux kernel mainline in kernel version 4.0, which was released on April 12, 2015. Those foundations, based primarily on the kernel's ftrace functionality, form a common core capable of supporting hot patching by both kpatch and kGraft, by providing an application programming interface (API) for kernel modules that contain hot patches and an application binary interface (ABI) for the userspace management utilities. However, the common core included in Linux kernel 4.0 supports only the x86 architecture and does not provide any mechanisms for ensuring function-level consistency while the hot patches are applied. [6] [12] [13]

As of April 2015, work is in progress on porting kpatch to the common live patching core provided by the Linux kernel mainline. [13] However, implementation of the required function-level consistency mechanisms has been delayed because the call stacks provided by the Linux kernel may be unreliable in situations that involve assembly code without proper stack frames; as a result, the porting work remains in progress as of September 2015. In an attempt to improve the reliability of the kernel's call stacks, a specialized sanity-check userspace utility, stacktool, has also been developed. [14] [15]

References

  1. Josh Poimboeuf; Seth Jennings (February 26, 2014). "Introducing kpatch: Dynamic Kernel Patching". redhat.com. Retrieved July 23, 2014.
  2. "Release 0.9.3". April 20, 2021. Retrieved May 14, 2021.
  3. Sean Michael Kerner (June 6, 2014). "Linux Kernel Patching Gets Dynamic". ServerWatch. Retrieved July 23, 2014.
  4. Jonathan Corbet (May 7, 2014). "The first kpatch submission". LWN.net. Retrieved July 23, 2014.
  5. Josh Poimboeuf (May 1, 2014). "kpatch: dynamic kernel patching". LWN.net. Retrieved July 23, 2014.
  6. "Linux kernel 4.0, Section 1.2. Live patching". kernelnewbies.org. April 26, 2015. Retrieved April 27, 2015.
  7. Seth Jennings; Josh Poimboeuf (June 10, 2014). "Dynamic Kernel Patching". Red Hat. Retrieved July 23, 2014.
  8. "SUSE Releases kGraft for Live Patching of Linux Kernel". SUSE. March 27, 2014. Retrieved February 11, 2015.
  9. Michael Larabel (May 1, 2014). "SUSE Posts kGraft, Red Hat Posts Kpatch Patches". Phoronix. Retrieved July 23, 2014.
  10. "Red Hat Enterprise Linux 7.0 Release Notes, Chapter 5. Kernel". Red Hat. July 15, 2014. Retrieved July 23, 2014.
  11. Carlos Sanchez (June 26, 2014). "Red Hat Releases Red Hat Enterprise Linux 7 with Increased Linux Containers Support". infoq.com. Retrieved July 23, 2014.
  12. Jonathan Corbet (February 25, 2015). "A rough patch for live patching". LWN.net. Retrieved April 27, 2015.
  13. "Linux kernel source tree: kernel/git/torvalds/linux.git: Pull live patching infrastructure from Jiri Kosina". kernel.org. February 11, 2015. Retrieved April 27, 2015.
  14. Jonathan Corbet (September 30, 2015). "Compile-time stack validation". LWN.net. Retrieved October 2, 2015.
  15. Josh Poimboeuf (September 24, 2015). "Linux kernel documentation: Documentation/stack-validation.txt (from the v13 patch)". LWN.net. Retrieved October 2, 2015.