The core of the Linux operating system is the kernel. It handles the primary interaction between the hardware and the software. It also accomplishes tasks such as memory management, process management, system security, and hardware interactions, to name a few. Such an essential piece of the operating system inevitably has flaws or vulnerabilities that need to be patched and maintained.
Because the kernel is such a key component of the operating system, updating it traditionally required a system restart. That changed with the release of version 5.10 of the Linux kernel in December 2020. (Some Linux distributions supported live patching before version 5.10.)
If you're running a kernel version that supports it, you can (and should) take advantage of live kernel patching. This code execution method works alongside kernel probes and function tracing. Instead of relying on redirection using a breakpoint for kernel probes or a predefined location (in the case of function tracing), live patching is generally done by redirecting the code as close to the function entry as possible.
This new method allows a function to be immediately redirected through an ftrace handler, so instead of calling the older, vulnerable function, execution is redirected to a patched version of the function.
Your patching cadence might involve running something like an Ansible playbook or manually patching servers with package commands like dnf or apt. No matter the circumstance, you'll probably appreciate live kernel patching.
How to enable live kernel patching
Enabling live kernel patching varies depending on your Linux distribution but is generally straightforward.
First, check your kernel version. You can do this with your package manager:
$ sudo dnf list kernel
Installed Packages
kernel.x86_64 3.10.0-1062.1.2.el7 @anaconda/7.7
Alternatively, use the uname command:
$ uname -r
3.10.0-1062.1.2.el7.x86_64
If your kernel version supports live kernel patching, you can continue with enabling it.
If you aren't on a supported kernel version, you must update the kernel and restart the server:
$ sudo dnf install -y kernel
...
$ sudo reboot
Live patching on RHEL 8.1+
Live kernel patching is already enabled in Red Hat Enterprise Linux (RHEL) versions starting with version 8.1. You can check by ensuring that kpatch is installed:
$ sudo dnf install kpatch
...
Package kpatch-0.9.2-5.el8.noarch is already installed.
Dependencies resolved.
Nothing to do.
Complete!
Next, install kpatch-dnf, which enables the automated installation of kpatch patches:
$ sudo dnf install kpatch-dnf
Installed:
kpatch-dnf-0.2-5.el8.noarch
With the plugin installed, enable the subscription to kernel live patches:
$ sudo dnf kpatch auto
Live patching on RHEL 7.7+
Live kernel patching is also ready to go on RHEL 7.7 and above, although kpatch-dnf is not available. After installing kpatch, you must manually install the kernel patches. Here's a quick method to install all live kernel patches for the current kernel:
$ sudo dnf install -y "kpatch-patch = $(uname -r)"
...
Installed:
kpatch-patch-3_10_0-1062_1_2.x86_64 0:1-9.el7
Complete!
Live kernel patching utilities
Between the dnf and kpatch commands, you have very good utilities for gathering information about which patches are installed and which CVEs have patches available.
The kpatch list command displays loaded and installed live kernel patches. This is extremely valuable for auditing and tracking:
$ kpatch list
Loaded patch modules:
kpatch_3_10_0_1062_1_2_1_9 [enabled]
Installed patch modules:
kpatch_3_10_0_1062_1_2_1_9 (3.10.0-1062.1.2.el7.x86_64)
While this next command isn't solely related to kernel patching, it is a useful one to know. This command shows a list of CVEs, the severity of each, and the affected package (including the kernel):
$ dnf updateinfo list cves
With some filtering, you can display just what you care about:
$ sudo yum updateinfo list cves | grep -i kernel | grep CVE
CVE-2021-32399 Important/Sec. kernel-4.18.0-305.10.2.el8_4.x86_64
CVE-2021-33909 Important/Sec. kernel-4.18.0-305.10.2.el8_4.x86_64
CVE-2021-3609 Important/Sec. kernel-4.18.0-305.12.1.el8_4.x86_64
...
The dnf update --security command does a dnf update but only runs updates tied to security patching, including kernel patches.
The kpatch info command, with a kpatch module name as an argument, displays details such as the full path for the patch, its license, whether it's a live patch, and more. This is another useful command when digging into details on specific patches applied to a system or for audit tracking.
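As an added example (not from the article, and not part of kpatch itself), here is a small POSIX shell audit helper that parses the kpatch list and dnf updateinfo list cves output formats shown above, so a scheduled job can fail loudly when the running kernel has a live patch installed but not enabled, or when kernel CVE fixes are still pending. The sample outputs embedded in it are constructed from the formats above, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the article: helpers that parse the output formats
# of `kpatch list` and `dnf updateinfo list cves` shown above. The SAMPLE_*
# strings are constructed test input; on a real host, pipe the live output in.

SAMPLE_KPATCH_LIST='Loaded patch modules:
kpatch_3_10_0_1062_1_2_1_9 [enabled]
Installed patch modules:
kpatch_3_10_0_1062_1_2_1_9 (3.10.0-1062.1.2.el7.x86_64)'

# Last entry is a constructed placeholder: a non-kernel-package advisory.
SAMPLE_CVE_LIST='CVE-2021-32399 Important/Sec. kernel-4.18.0-305.10.2.el8_4.x86_64
CVE-2021-33909 Important/Sec. kernel-4.18.0-305.10.2.el8_4.x86_64
CVE-2021-3609 Important/Sec. kernel-4.18.0-305.12.1.el8_4.x86_64
CVE-0000-00000 Moderate/Sec. kernel-headers-4.18.0-305.12.1.el8_4.x86_64'

# Names of loaded patch modules in the [enabled] state (stdin: kpatch list).
loaded_enabled_patches() {
    awk '/^Loaded patch modules:/    { sec = "loaded";    next }
         /^Installed patch modules:/ { sec = "installed"; next }
         sec == "loaded" && $2 == "[enabled]" { print $1 }'
}

# Installed patch modules built for kernel release $1 (the uname -r value).
installed_patches_for_kernel() {
    awk -v krel="($1)" '
         /^Loaded patch modules:/    { sec = "loaded";    next }
         /^Installed patch modules:/ { sec = "installed"; next }
         sec == "installed" && $2 == krel { print $1 }'
}

# Pending advisories against the kernel package itself, not kernel-headers etc.
pending_kernel_cves() {
    awk '$1 ~ /^CVE-/ && $3 ~ /^kernel-[0-9]/ { n++ } END { print n + 0 }'
}

# $1 = kernel release, $2 = kpatch list text. Returns 2 if nothing is
# installed for this kernel, 1 if a module is installed but not enabled.
check_running_kernel() {
    installed=$(printf '%s\n' "$2" | installed_patches_for_kernel "$1")
    if [ -z "$installed" ]; then
        echo "no live patch installed for $1"; return 2
    fi
    for mod in $installed; do
        if ! printf '%s\n' "$2" | loaded_enabled_patches | grep -qx "$mod"; then
            echo "$mod installed but not enabled"; return 1
        fi
    done
    echo "all live patches for $1 enabled"
}
```

On a live host, call check_running_kernel "$(uname -r)" "$(kpatch list)" and pipe dnf updateinfo list cves into pending_kernel_cves. A non-zero exit from the scheduled job is the condition worth alerting on.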
Wrap up
As with any vulnerability fix, you need to either do the updates, schedule a cron job, or use some other mechanism (such as systemd timers) to have the updates run. Live kernel patching just prevents the need for a reboot. An effective cron job can be a simple one-line script with the required update command, but it's up to you to schedule it. I recommend doing it weekly at least, although daily is even better. You can find some example code for regularly updating the kernel in my GitHub repo.
Leveraging kernel live patching is a great way to keep your infrastructure updated and minimize the amount of manual work required. You can learn more in the Linux Kernel's Livepatch documentation and in RHEL's Applying patches with kernel live patching documentation.
About the author
Carlo Mencarelli is a cloud engineer focusing on automation, security, and observability. He began his career as a network engineer before moving into systems engineering and focusing on cloud engineering in various startups. He holds an M.S. from Syracuse University and several professional certifications from Amazon.