Is live kernel patch (kpatch) supported in Red Hat Enterprise Linux?
Environment
- Red Hat Enterprise Linux 9
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 7.9
- Red Hat Enterprise Linux 7.7
- Red Hat Enterprise Linux 7.6
- `kpatch`
- AMD64, Intel 64 and ppc64le architectures
Issue
- Does Red Hat offer a live kernel patching mechanism?
- What is `kpatch`, and when will it be available?
Resolution
Live kernel patches (kpatches) avoid the need for a reboot when patching the kernel for select Important and Critical Common Vulnerabilities and Exposures (CVEs).
Scope and limitations of kpatch
- Starting with RHEL 8.1, RHEL 7.7, and RHEL 7.6 (from `kernel-3.10.0-957.35.1.el7` onward), live kernel patches are available on the Red Hat Content Delivery Network (CDN) and can be installed with the `yum` command.
- There are no live patches released for RHEL 8.3, RHEL 7.8, RHEL 6, and RHEL 5. Kernel live patches are not provided during the Extended Life Phase (ELP) and are not provided with the Extended Life-cycle Support (ELS) add-on entitlement.
- Note: EUS Red Hat Enterprise Linux versions (such as 7.9 or 8.4) receive kpatch releases until either their ELS period starts or their EUS period ends, whichever comes first. After that, new kpatch releases will not occur, with few exceptions (such as potential Important and Critical CVEs).
- For example, Red Hat Enterprise Linux 8.4's EUS period ends on May 30, 2025, and it will not receive further kpatch releases afterwards except for potential Important and Critical CVEs.
- Similarly, Red Hat Enterprise Linux 7.9 entered ELS on June 30, 2024, and has received no further kpatch releases after that date.
- Live kernel patching is supported for customers with an active subscription.
- Live kernel patches are made available for selected Important and Critical CVEs.
- Live kernel patches are cumulative. This means that a new live kernel patch for a kernel contains all the fixes of the previous live kernel patch along with the new fixes, so you can safely upgrade the loaded live kernel patch to a newer version.
- Live kernel patches for CVEs that occur between minor kernel releases are available with standard subscriptions. Customers who purchase Extended Update Support (EUS) can use live patching for the entire EUS support window: 2 years for EUS subscriptions and 4 years for the Update Services for SAP Solutions Add-on. Each kernel errata stops receiving live kernel patches 6 months after that kernel errata was released. To continue receiving kpatch updates, customers need to upgrade the kernel and reboot at least twice per year.
- Unloading a `kpatch` from the running kernel is not supported. The workaround is to first uninstall the kpatch-patch RPM and then reboot; the `kpatch` module will then no longer be loaded after the system boots.
Access and delivery of live kernel patches
- The live kernel patch capability is implemented as a kernel module (`kmod`) that is delivered as an RPM.
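Because the patch ships as a kernel-specific RPM, and kpatch updates stop once the kernel is upgraded and rebooted, an administrator needs a quick check of whether the running kernel is actually covered. The following script is an added example, not code from the Red Hat article; it assumes the kpatch-patch package naming convention (target kernel version with dots replaced by underscores, so `kpatch-patch-3_10_0-957_35_1` targets `kernel-3.10.0-957.35.1.el7`) and uses a constructed package list in place of real `rpm -qa` output.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): decide from an rpm -qa style
# package list whether the running kernel is covered by a kpatch-patch RPM.
# Assumption: kpatch-patch package names embed the target kernel version with
# dots turned into underscores (kpatch-patch-3_10_0-957_35_1 targets
# kernel-3.10.0-957.35.1.el7, the kernel named in the article).

# Turn a kernel release such as "3.10.0-957.35.1.el7.x86_64" into the
# "3_10_0-957_35_1" form used in kpatch-patch package names.
kernel_to_kpatch_name() {
    echo "$1" | sed -e 's/\.el[0-9].*$//' -e 's/\./_/g'
}

# Print the kpatch-patch package(s) targeting the given kernel release.
# $1 = kernel release (uname -r), $2 = newline-separated package list.
find_kpatch_for_kernel() {
    prefix="kpatch-patch-$(kernel_to_kpatch_name "$1")-"
    echo "$2" | grep "^${prefix}"
}

# Report coverage. Exit status: 0 covered, 1 no kpatch-patch installed,
# 2 kpatch-patch installed but built for a different kernel (typical after
# rebooting into a newer kernel, or once a kernel stops receiving patches).
kpatch_status() {
    if match=$(find_kpatch_for_kernel "$1" "$2"); then
        echo "kernel $1 is covered by: $match"
        return 0
    fi
    if echo "$2" | grep -q '^kpatch-patch-'; then
        echo "kpatch-patch installed, but none targets kernel $1"
        return 2
    fi
    echo "no kpatch-patch package installed"
    return 1
}

# Constructed sample rpm -qa output for a RHEL 7.6 host.
SAMPLE_PKGS='kernel-3.10.0-957.35.1.el7.x86_64
kpatch-patch-3_10_0-957_35_1-1-1.el7.x86_64'

# Demonstration on the sample data: the patched kernel is covered, while a
# host rebooted into a different kernel keeps a stale kpatch-patch package.
kpatch_status "3.10.0-957.35.1.el7.x86_64" "$SAMPLE_PKGS"
kpatch_status "3.10.0-1062.el7.x86_64" "$SAMPLE_PKGS" || true
```

On a real host, call `kpatch_status "$(uname -r)" "$(rpm -qa)"`; a non-zero status is the cue that a kernel update plus reboot is due before further kpatch updates can apply.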
For more information, see:
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.