The concept of «Livepatch» is nothing new, nor is it a recent arrival on Linux: Red Hat, Oracle, Canonical and SUSE are among those that have implemented this technology for their distributions.
Although these have established themselves as excellent solutions, they usually depend on closed processes for creating the patches, which limits transparency and adaptability. Previous open source projects, such as Gentoo's elivepatch and Debian's linux-livepatching, have been marked by long periods of inactivity or have stalled in the prototype phase.
Faced with the problems that still affect the process of generating, compiling, deploying and installing live patches for the Linux kernel, TuxTape presents itself as an independent solution, designed to be adaptable to any version of the Linux kernel without being limited to distribution-specific packages.
TuxTape, a solution for live patching in Linux
TuxTape is a new solution that allows system administrators to implement their own infrastructure to create, assemble, and deploy live patches to the Linux kernel.
TuxTape's main objective is to offer a comprehensive system that automates the creation and delivery of live patches. Its architecture allows generating patches compatible with existing tools such as Red Hat's kpatch, SUSE's kGraft, Oracle's Ksplice and other universal solutions.
The patches are implemented as kernel modules that replace existing functions by using the ftrace subsystem, which redirects execution to new functions included in the module. In addition, TuxTape can track vulnerability updates published on the linux-cve-announce mailing list and in Git repositories.

Using this information, the system classifies vulnerabilities by severity, assesses the applicability of each patch through a detailed analysis of the kernel build profile, and discards those fixes that do not affect the target environment. This selective approach ensures that only relevant fixes are implemented, minimizing risk and optimizing performance.
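The applicability filter described above, as an added example in Rust (the project's language); it is not TuxTape's own code. The profile format (one compiled source path per line), the `Fix` record, the three-way `Verdict` and the sample ids, scores and paths are assumptions constructed for illustration.

```rust
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
enum Verdict { Applies, NeedsReview, Skip }
// Hypothetical record; the page does not show TuxTape's real schema.
struct Fix<'a> { id: &'a str, severity: f32, diff: &'a str }

/// Paths a unified diff modifies, read from its "+++ b/<path>" headers.
fn touched_files(diff: &str) -> Vec<&str> {
    diff.lines().filter_map(|l| l.strip_prefix("+++ b/"))
        .map(|p| p.split('\t').next().unwrap_or(p).trim()).collect()
}

/// Assumed profile format: one compiled source path per line, '#' for comments.
fn parse_profile(text: &str) -> HashSet<&str> {
    text.lines().map(str::trim).filter(|l| !l.is_empty() && !l.starts_with('#')).collect()
}

fn assess(diff: &str, built: &HashSet<&str>) -> Verdict {
    let files = touched_files(diff);
    if files.iter().any(|p| built.contains(*p)) {
        Verdict::Applies
    } else if files.is_empty() || files.iter().any(|p| p.ends_with(".h")) {
        // No parseable paths, or a header: a list of compiled .c files cannot rule it out.
        Verdict::NeedsReview
    } else {
        Verdict::Skip
    }
}

/// Drop fixes for code that was never built; order the rest by severity.
fn triage<'a>(fixes: &'a [Fix<'a>], built: &HashSet<&str>) -> Vec<(&'a str, Verdict)> {
    let mut kept: Vec<_> = fixes.iter().map(|f| (f, assess(f.diff, built)))
        .filter(|(_, v)| *v != Verdict::Skip).collect();
    kept.sort_by(|a, b| b.0.severity.total_cmp(&a.0.severity));
    kept.into_iter().map(|(f, v)| (f.id, v)).collect()
}

// Constructed sample data: not real CVE ids, scores, or a real build profile.
const PROFILE: &str = "# compiled sources\nnet/ipv4/tcp.c\nfs/ext4/inode.c\n";
static FIXES: [Fix<'static>; 3] = [
    Fix { id: "EXAMPLE-0001", severity: 7.8, diff: "--- a/net/ipv4/tcp.c\n+++ b/net/ipv4/tcp.c\n" },
    Fix { id: "EXAMPLE-0002", severity: 9.1, diff: "--- a/drivers/x/unbuilt.c\n+++ b/drivers/x/unbuilt.c\n" },
    Fix { id: "EXAMPLE-0003", severity: 8.4, diff: "--- a/include/x/api.h\n+++ b/include/x/api.h\n" },
];

fn main() {
    println!("{:?}", triage(&FIXES, &parse_profile(PROFILE)));
}
```

The highest-scored fix is dropped because its file was never compiled, while the header-only fix is kept for manual review instead of being silently discarded.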
Project components and architecture
The TuxTape kit consists of multiple integrated tools ranging from detection to live patching:
- Vulnerability tracking system: Detects and records new threats in real time.
- Database generator: Provides information on patches and vulnerabilities in a structured database.
- Metadata server with gRPC: Manages communication and coordination of services related to patch generation.
- Dispatch and kernel build system: Facilitates the compilation of the kernel on specific configurations by generating a detailed compilation profile.
- Patch generator and archive: Transforms regular patches into dynamically loadable kernel modules.
- Client for end hosts: Allows the reception and application of patches on production systems.
- Interactive interface (dashboard): Provides an administration console where the user can review, manage and create live patches based on the received sources.
It is worth mentioning that TuxTape is currently in an experimental prototype phase, so for now it is recommended only for initial testing of its different components.
For those interested in testing the project, testing is currently recommended only with specific tools such as:
- tuxtape-cve-parser: Analyzes vulnerability information and builds a patch database.
- tuxtape-server: Implements a gRPC interface for patch generation and distribution.
- tuxtape-kernel-builder: Builds the kernel with a given configuration and generates the corresponding compilation profile.
- tuxtape-dashboard: Provides a console interface for reviewing and creating live patches based on received source patches.
Finally, it is important to mention that the project is being developed in Rust and is distributed under the Apache 2.0 license. You can find more information or the source code at the following link.