Kernel Live Patching on AL2023 - Amazon Linux 2023
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Kernel Live Patching on AL2023

You can use Kernel Live Patching for AL2023 to apply security vulnerability and critical bug patches to a running Linux kernel without rebooting or disrupting running applications. In addition, Kernel Live Patching can help improve your application's availability while also keeping your infrastructure secure and up to date.

Amazon releases two types of kernel live patches for AL2023:

  • Security updates – Include updates for Linux common vulnerabilities and exposures (CVE). These updates are typically rated as important or critical using the Amazon Linux Security Advisory ratings. They generally map to a Common Vulnerability Scoring System (CVSS) score of 7 and higher. In some cases, Amazon might provide updates before a CVE is assigned. In these cases, the patches might appear as bug fixes.

  • Bug fixes – Include fixes for critical bugs and stability issues that aren't associated with CVEs.

Amazon provides kernel live patches for an AL2023 kernel version for up to 3 months after its release. After this period, you must update to a later kernel version to continue to receive kernel live patches.

AL2023 kernel live patches are made available as signed RPM packages in the existing AL2023 repositories. The patches can be installed on individual instances using existing DNF package manager workflows. Or, they can be installed on a group of managed instances using Amazon Systems Manager.

Kernel Live Patching on AL2023 is provided at no additional cost.

Limitations

While applying a kernel live patch, you can't perform hibernation, use advanced debugging tools (such as SystemTap, kprobes, and eBPF-based tools), or access ftrace output files used by the Kernel Live Patching infrastructure.

Supported configurations and prerequisites

Kernel Live Patching is supported on Amazon EC2 instances and on-premises virtual machines that run AL2023.

To use Kernel Live Patching on AL2023, you must use the following:

  • A 64-bit x86_64 or ARM64 architecture

  • Kernel version 6.1

Policy requirements

To download packages from AL2023 repositories, Amazon EC2 needs access to service-owned Amazon S3 buckets. If you are using an Amazon Virtual Private Cloud (VPC) endpoint for Amazon S3 in your environment, ensure that your VPC endpoint policy allows access to those public buckets. The following table describes the Amazon S3 bucket that Amazon EC2 might need to access for Kernel Live Patching.

S3 bucket ARN                                   Description
arn:aws:s3:::al2023-repos-region-de612dc2/*     Amazon S3 bucket containing AL2023 repositories

Work with Kernel Live Patching

You can enable and use Kernel Live Patching on individual instances using the command line on the instance itself. Alternatively, you can enable and use Kernel Live Patching on a group of managed instances using Amazon Systems Manager.

The following sections explain how to enable and use Kernel Live Patching on individual instances using the command line.

For more information about enabling and using Kernel Live Patching on a group of managed instances, see Use Kernel Live Patching on AL2023 instances in the Amazon Systems Manager User Guide.

Enable Kernel Live Patching

Kernel Live Patching is disabled by default on AL2023. To use live patching, you must install the DNF plugin for Kernel Live Patching and enable the live patching functionality.

To enable Kernel Live Patching
  1. Kernel live patches are available for AL2023 with kernel version 6.1. To check your kernel version, run the following command.

    $ sudo dnf list kernel
  2. Install the DNF plugin for Kernel Live Patching.

    $ sudo dnf install -y kpatch-dnf
  3. Enable the DNF plugin for Kernel Live Patching.

    $ sudo dnf kernel-livepatch -y auto

    This command also installs the latest version of the kernel live patch RPM from the configured repositories.

  4. To confirm that the DNF plugin for kernel live patching installed successfully, run the following command.

    When you enable Kernel Live Patching, an empty kernel live patch RPM is automatically applied. If Kernel Live Patching was successfully enabled, this command returns a list that includes the initial empty kernel live patch RPM.

    $ sudo rpm -qa | grep kernel-livepatch
    dnf-plugin-kernel-livepatch-1.0-0.11.amzn2023.noarch
    kernel-livepatch-6.1.12-17.42-1.0-0.amzn2023.x86_64
  5. Install the kpatch package.

    $ sudo dnf install -y kpatch-runtime
  6. Update the kpatch service if it was previously installed.

    $ sudo dnf update kpatch-runtime
  7. Start the kpatch service. This service loads all of the kernel live patches upon initialization or at boot.

    $ sudo systemctl enable kpatch.service && sudo systemctl start kpatch.service
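The seven steps above collected into one script that verifies each stage before moving on. This is an added example, not code from the AL2023 documentation: it assumes it runs as root on an AL2023 instance, that `uname -r` begins with `6.1.` on a supported kernel, and that the package names and plugin subcommands are exactly those given in the steps. The `KLP_ENABLE` environment variable is this script's own convention so that the check helpers can be exercised without changing the system.

```shell
#!/bin/sh
# Added example (not from the AL2023 documentation): enable Kernel Live
# Patching following the documented steps, checking the result of each one.
# Assumptions: runs as root on AL2023; package names and plugin subcommands
# are those given in the documented procedure.
set -eu

# Return 0 when a kernel release string (as printed by `uname -r`) belongs to
# the 6.1 series that the documentation lists as a prerequisite.
kernel_is_supported() {
    case "$1" in
        6.1.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Read an `rpm -qa` listing on stdin and return 0 only when both the DNF plugin
# and at least one kernel-livepatch RPM (the initial empty one counts) exist.
plugin_and_patch_present() {
    _list=$(cat)
    printf '%s\n' "$_list" | grep -q '^dnf-plugin-kernel-livepatch-' &&
    printf '%s\n' "$_list" | grep -q '^kernel-livepatch-'
}

# The documented procedure, with a stop after any step whose effect is absent.
enable_live_patching() {
    running=$(uname -r)
    if ! kernel_is_supported "$running"; then
        echo "running kernel $running is not 6.1; update the kernel and reboot first" >&2
        return 1
    fi
    dnf install -y kpatch-dnf                 # step 2: the DNF plugin
    dnf kernel-livepatch -y auto              # step 3: enable, pulls the latest live patch RPM
    if ! rpm -qa | plugin_and_patch_present; then   # step 4: confirm
        echo "plugin or initial kernel-livepatch RPM missing after enable" >&2
        return 1
    fi
    dnf install -y kpatch-runtime             # step 5
    dnf update -y kpatch-runtime              # step 6: no-op when already current
    systemctl enable --now kpatch.service     # step 7: load patches now and at boot
    echo "Kernel Live Patching enabled on kernel $running"
}

# Only touch the system when explicitly asked (KLP_ENABLE=1 ./enable-klp.sh);
# otherwise just define the helpers so they can be sourced and checked.
if [ "${KLP_ENABLE:-0}" = "1" ]; then
    enable_live_patching
fi
```

Run it as `KLP_ENABLE=1 sh enable-klp.sh`; without the variable it defines the functions and exits, which is what the checks below rely on.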

View the available kernel live patches

Amazon Linux security alerts are published to the Amazon Linux Security Center. For more information about the AL2023 security alerts, including alerts for kernel live patches, see the Amazon Linux Security Center. Kernel live patches are prefixed with ALASLIVEPATCH. The Amazon Linux Security Center might not list kernel live patches that address bugs.

You can also discover the available kernel live patches for advisories and CVEs using the command line.

To list all available kernel live patches for advisories

Use the following command.

$ sudo dnf updateinfo list
Last metadata expiration check: 1:06:23 ago on Mon 13 Feb 2023 09:28:19 PM UTC.
ALAS2LIVEPATCH-2021-123 important/Sec. kernel-livepatch-6.1.12-17.42-1.0-4.amzn2023.x86_64
ALAS2LIVEPATCH-2022-124 important/Sec. kernel-livepatch-6.1.12-17.42-1.0-3.amzn2023.x86_64

To list all available kernel live patches for CVEs

Use the following command.

$ sudo dnf updateinfo list cves
Last metadata expiration check: 1:07:26 ago on Mon 13 Feb 2023 09:28:19 PM UTC.
CVE-2022-0123 important/Sec. kernel-livepatch-6.1.12-17.42-1.0-4.amzn2023.x86_64
CVE-2022-3210 important/Sec. kernel-livepatch-6.1.12-17.42-1.0-3.amzn2023.x86_64

Apply kernel live patches

You apply kernel live patches using the DNF package manager in the same way that you apply regular updates. The DNF plugin for Kernel Live Patching manages the kernel live patches that you apply and eliminates the need to reboot.

Tip

We recommend that you update your kernel regularly using Kernel Live Patching to ensure that it remains secure and up to date.

You can choose to apply a specific kernel live patch, or to apply any available kernel live patches along with your regular security updates.

To apply a specific kernel live patch
  1. Get the kernel live patch version using one of the commands described in View the available kernel live patches.

  2. Apply the kernel live patch for your AL2023 kernel.

    $ sudo dnf install kernel-livepatch-kernel_version-package_version.amzn2023.x86_64

    For example, the following command applies a kernel live patch for AL2023 kernel version 6.1.12-17.42.

    $ sudo dnf install kernel-livepatch-6.1.12-17.42-1.0-4.amzn2023.x86_64
To apply any available kernel live patches along with your regular security updates

Use the following command.

$ sudo dnf update --security

Omit the --security option to include bug fixes.

Important
  • The kernel version isn't updated after applying kernel live patches. The version is only updated to the new version after the instance is rebooted.

  • An AL2023 kernel receives kernel live patches for 3 months. After this period, no new kernel live patches are released for that kernel version.

  • To continue to receive kernel live patches after 3 months, you must reboot the instance to move to the new kernel version. The instance continues to receive kernel live patches for the next 3 months after you update it.

  • To check the support window for your kernel version, run the following command:

    $ sudo dnf kernel-livepatch support

View the applied kernel live patches

To view the applied kernel live patches

Use the following command. The command returns a list of the loaded and installed security update kernel live patches. The following is example output.

$ sudo kpatch list
Loaded patch modules:
livepatch_CVE_2022_36946 [enabled]
Installed patch modules:
livepatch_CVE_2022_36946 (6.1.57-29.131.amzn2023.x86_64)
livepatch_CVE_2022_36946 (6.1.57-30.131.amzn2023.x86_64)

Note

A single kernel live patch can include and install multiple live patches.
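The two listings above (available patches from `dnf updateinfo list cves`, applied patches from `kpatch list`) are what an operator checks to confirm that a CVE is actually covered on a running instance. The following script is an added example, not code from the AL2023 documentation: it parses both outputs and reports installed patch modules that match the running kernel release but are not loaded, which is the state a failed kpatch service start leaves behind. It assumes the output formats are exactly those shown on this page; the sample outputs embedded below are constructed from the page's examples, and the `KLP_AUDIT` variable is this script's own convention.

```shell
#!/bin/sh
# Added example (not from the AL2023 documentation): parse `dnf updateinfo
# list cves` and `kpatch list` output to show pending CVE live patches and
# any patch module installed for the running kernel that is not loaded.
# Assumption: output formats match the examples in the documentation.
set -eu

# stdin: `dnf updateinfo list cves` output. Prints "CVE-id package" per line;
# the "Last metadata expiration check" line and any other noise are skipped.
pending_cves() {
    awk '$1 ~ /^CVE-/ { print $1, $3 }'
}

# stdin: `kpatch list` output. Prints the names of loaded, enabled modules.
loaded_modules() {
    awk '
        /^Loaded patch modules:/    { section = "loaded";    next }
        /^Installed patch modules:/ { section = "installed"; next }
        section == "loaded" && $2 == "[enabled]" { print $1 }
    '
}

# stdin: `kpatch list` output. Prints modules installed for kernel release $1
# (kpatch prints the release in parentheses after the module name).
installed_for_kernel() {
    awk -v want="($1)" '
        /^Loaded patch modules:/    { section = "loaded";    next }
        /^Installed patch modules:/ { section = "installed"; next }
        section == "installed" && $2 == want { print $1 }
    '
}

# stdin: `kpatch list` output. Prints modules installed for kernel release $1
# but not loaded; empty output means every patch for this kernel is applied.
missing_for_kernel() {
    _out=$(cat)
    _loaded=$(printf '%s\n' "$_out" | loaded_modules)
    printf '%s\n' "$_out" | installed_for_kernel "$1" | while read -r mod; do
        printf '%s\n' "$_loaded" | grep -qFx "$mod" || echo "$mod"
    done
}

# Constructed sample, copied from the page's `kpatch list` example output.
SAMPLE_KPATCH='Loaded patch modules:
livepatch_CVE_2022_36946 [enabled]
Installed patch modules:
livepatch_CVE_2022_36946 (6.1.57-29.131.amzn2023.x86_64)
livepatch_CVE_2022_36946 (6.1.57-30.131.amzn2023.x86_64)'

# Constructed sample, copied from the page's `dnf updateinfo list cves` output.
SAMPLE_UPDATEINFO='Last metadata expiration check: 1:07:26 ago on Mon 13 Feb 2023 09:28:19 PM UTC.
CVE-2022-0123 important/Sec. kernel-livepatch-6.1.12-17.42-1.0-4.amzn2023.x86_64
CVE-2022-3210 important/Sec. kernel-livepatch-6.1.12-17.42-1.0-3.amzn2023.x86_64'

# Query the live system only when asked (KLP_AUDIT=1); otherwise run on samples.
if [ "${KLP_AUDIT:-0}" = "1" ]; then
    echo "Pending CVE live patches:"
    dnf updateinfo list cves | pending_cves
    echo "Installed but not loaded for $(uname -r):"
    kpatch list | missing_for_kernel "$(uname -r)"
else
    echo "Pending CVE live patches (sample):"
    printf '%s\n' "$SAMPLE_UPDATEINFO" | pending_cves
    echo "Installed but not loaded for 6.1.57-30.131.amzn2023.x86_64 (sample):"
    printf '%s\n' "$SAMPLE_KPATCH" | missing_for_kernel 6.1.57-30.131.amzn2023.x86_64
fi
```

On the sample data the "not loaded" list is empty, because the one installed module for that release is also loaded; a non-empty list after a reboot or a `kpatch.service` failure is the signal to investigate before treating the CVE as mitigated.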

Disable Kernel Live Patching

If you no longer need to use Kernel Live Patching, you can disable it at any time.

  • Disable the use of livepatches:

    1. Disable the plugin:

      $ sudo dnf kernel-livepatch manual
    2. Disable the kpatch service:

      $ sudo systemctl disable --now kpatch.service
  • Fully remove the livepatch tools:

    1. Remove the plugin:

      $ sudo dnf remove kpatch-dnf
    2. Remove kpatch-runtime:

      $ sudo dnf remove kpatch-runtime
    3. Remove any installed livepatches:

      $ sudo dnf remove kernel-livepatch\*