Kernel Live Patching on AL2
Kernel Live Patching for AL2 allows you to apply specific security vulnerability and critical bug patches to a running Linux kernel, without reboots or disruptions to running applications. This allows you to benefit from improved service and application availability, while applying these fixes until the system can be rebooted.
For information about Kernel Live Patching for AL2023, see Kernel Live Patching on AL2023 in the Amazon Linux 2023 User Guide.
AWS releases two types of kernel live patches for AL2:
-
Security updates – Include updates for Linux common vulnerabilities and exposures (CVE). These updates are typically rated as important or critical using the Amazon Linux Security Advisory ratings. They generally map to a Common Vulnerability Scoring System (CVSS) score of 7 and higher. In some cases, AWS might provide updates before a CVE is assigned. In these cases, the patches might appear as bug fixes.
-
Bug fixes – Include fixes for critical bugs and stability issues that are not associated with CVEs.
AWS provides kernel live patches for an AL2 kernel version for up to 3 months after its release. After the 3-month period, you must update to a later kernel version to continue to receive kernel live patches.
AL2 kernel live patches are made available as signed RPM packages in the existing AL2 repositories. The patches can be installed on individual instances using existing yum workflows, or they can be installed on a group of managed instances using AWS Systems Manager.
Kernel Live Patching on AL2 is provided at no additional cost.
Topics
Supported configurations and prerequisites
Kernel Live Patching is supported on Amazon EC2 instances and on-premises virtual machines running AL2.
To use Kernel Live Patching on AL2, you must use:
-
Kernel version
4.14or5.10on thex86_64architecture -
Kernel version
5.10on theARM64architecture
Policy Requirements
To download packages from Amazon Linux repositories, Amazon EC2 needs access to service-owned Amazon S3 buckets. If you are using a Amazon Virtual Private Cloud (VPC) endpoint for Amazon S3 in your environment, you need to ensure that your VPC endpoint policy allows access to those public buckets.
The table describes each of the Amazon S3 buckets that EC2 might need to access for Kernel Live Patching.
| S3 bucket ARN | Description |
|---|---|
arn:aws:s3:::packages.region.amazonaws.com/* |
Amazon S3 bucket containing Amazon Linux AMI packages |
arn:aws:s3:::repo.region.amazonaws.com/* |
Amazon S3 bucket containing Amazon Linux AMI repositories |
arn:aws:s3:::amazonlinux.region.amazonaws.com/* |
Amazon S3 bucket containing AL2 repositories |
arn:aws:s3:::amazonlinux-2-repos-region/* |
Amazon S3 bucket containing AL2 repositories |
The following policy illustrates how to restrict access to identities and resources that
belong to your organization and provide access to the Amazon S3 buckets required for
Kernel Live Patching. Replace region, principal-org-id and resource-org-id with your
organization’s values.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "principal-org-id",
"aws:ResourceOrgID": "resource-org-id"
}
}
},
{
"Sid": "AllowAccessToAmazonLinuxAMIRepositories",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::packages.region.amazonaws.com/*",
"arn:aws:s3:::repo.region.amazonaws.com/*",
"arn:aws:s3:::amazonlinux.region.amazonaws.com/*",
"arn:aws:s3:::amazonlinux-2-repos-region/*"
]
}
]
}
Work with Kernel Live Patching
You can enable and use Kernel Live Patching on individual instances using the command line on the instance itself, or you can enable and use Kernel Live Patching on a group of managed instances using AWS Systems Manager.
The following sections explain how to enable and use Kernel Live Patching on individual instances using the command line.
For more information about enabling and using Kernel Live Patching on a group of managed instances, see Use Kernel Live Patching on AL2 instances in the AWS Systems Manager User Guide.
Topics
Enable Kernel Live Patching
Kernel Live Patching is disabled by default on AL2. To use live patching, you must install the yum plugin for Kernel Live Patching and enable the live patching functionality.
Prerequisites
Kernel Live Patching requires binutils. If you do not have binutils
installed, install it using the following command:
$sudo yum install binutils
To enable Kernel Live Patching
-
Kernel live patches are available for the following AL2 kernel versions:
-
Kernel version
4.14or5.10on thex86_64architecture -
Kernel version
5.10on theARM64architecture
To check your kernel version, run the following command.
$sudo yum list kernel -
-
If you already have a supported kernel version, skip this step. If you do not have a supported kernel version, run the following commands to update the kernel to the latest version and to reboot the instance.
$sudo yum install -y kernel$sudo reboot -
Install the yum plugin for Kernel Live Patching.
$sudo yum install -y yum-plugin-kernel-livepatch -
Enable the yum plugin for Kernel Live Patching.
$sudo yum kernel-livepatch enable -yThis command also installs the latest version of the kernel live patch RPM from the configured repositories.
-
To confirm that the yum plugin for kernel live patching has installed successfully, run the following command.
$rpm -qa | grep kernel-livepatchWhen you enable Kernel Live Patching, an empty kernel live patch RPM is automatically applied. If Kernel Live Patching was successfully enabled, this command returns a list that includes the initial empty kernel live patch RPM. The following is example output.
yum-plugin-kernel-livepatch-1.0-0.11.amzn2.noarch kernel-livepatch-5.10.102-99.473-1.0-0.amzn2.x86_64 -
Install the kpatch package.
$sudo yum install -y kpatch-runtime -
Update the kpatch service if it was previously installed.
$sudo yum update kpatch-runtime -
Start the kpatch service. This service loads all of the kernel live patches upon initialization or at boot.
$sudo systemctl enable kpatch.service -
Enable the Kernel Live Patching topic in the AL2 Extras Library. This topic contains the kernel live patches.
$sudo amazon-linux-extras enable livepatch
View the available kernel live patches
Amazon Linux security alerts are published to the Amazon Linux Security Center. For more information about
the AL2 security alerts, which include alerts for kernel live patches, see the
Amazon Linux Security CenterALASLIVEPATCH. The Amazon Linux Security Center
might not list kernel live patches that address bugs.
You can also discover the available kernel live patches for advisories and CVEs using the command line.
To list all available kernel live patches for advisories
Use the following command.
$yum updateinfo list
The following shows example output.
Loaded plugins: extras_suggestions, kernel-livepatch, langpacks, priorities, update-motd
ALAS2LIVEPATCH-2020-002 important/Sec. kernel-livepatch-5.10.102-99.473-1.0-3.amzn2.x86_64
ALAS2LIVEPATCH-2020-005 medium/Sec. kernel-livepatch-5.10.102-99.473-1.0-4.amzn2.x86_64
updateinfo list doneTo list all available kernel live patches for CVEs
Use the following command.
$yum updateinfo list cves
The following shows example output.
Loaded plugins: extras_suggestions, kernel-livepatch, langpacks, priorities, update-motdamzn2-core/2/x86_64 | 2.4 kB 00:00:00
CVE-2019-15918 important/Sec. kernel-livepatch-5.10.102-99.473-1.0-3.amzn2.x86_64
CVE-2019-20096 important/Sec. kernel-livepatch-5.10.102-99.473-1.0-3.amzn2.x86_64
CVE-2020-8648 medium/Sec. kernel-livepatch-5.10.102-99.473-1.0-4.amzn2.x86_64
updateinfo list doneApply kernel live patches
You apply kernel live patches using the yum package manager in the same way that you would apply regular updates. The yum plugin for Kernel Live Patching manages the kernel live patches that are available to be applied.
Tip
We recommend that you update your kernel regularly using Kernel Live Patching to ensure that it receives specific important and critical security fixes until the system can be rebooted. Please also check if additional fixes have been made available to the native kernel package that cannot be deployed as live patches and update and reboot into the kernel update for those cases.
You can choose to apply a specific kernel live patch, or to apply any available kernel live patches along with your regular security updates.
To apply a specific kernel live patch
-
Get the kernel live patch version using one of the commands described in View the available kernel live patches.
-
Apply the kernel live patch for your AL2 kernel.
$sudo yum install kernel-livepatch-kernel_version.x86_64For example, the following command applies a kernel live patch for AL2 kernel version
5.10.102-99.473.$sudo yum install kernel-livepatch-5.10.102-99.473-1.0-4.amzn2.x86_64
To apply any available kernel live patches along with your regular security updates
Use the following command.
$sudo yum update --security
Omit the --security option to include bug fixes.
Important
-
The kernel version is not updated after applying kernel live patches. The version is only updated to the new version after the instance is rebooted.
-
An AL2 kernel receives kernel live patches for a period of three months. After the three month period has lapsed, no new kernel live patches are released for that kernel version. To continue to receive kernel live patches after the three-month period, you must reboot the instance to move to the new kernel version, which will then continue receiving kernel live patches for the next three months. To check the support window for your kernel version, run
yum kernel-livepatch supported.
View the applied kernel live patches
To view the applied kernel live patches
Use the following command.
$kpatch list
The command returns a list of the loaded and installed security update kernel live patches. The following is example output.
Loaded patch modules:
livepatch_cifs_lease_buffer_len [enabled]
livepatch_CVE_2019_20096 [enabled]
livepatch_CVE_2020_8648 [enabled]
Installed patch modules:
livepatch_cifs_lease_buffer_len (5.10.102-99.473.amzn2.x86_64)
livepatch_CVE_2019_20096 (5.10.102-99.473.amzn2.x86_64)
livepatch_CVE_2020_8648 (5.10.102-99.473.amzn2.x86_64)Note
A single kernel live patch can include and install multiple live patches.
Disable Kernel Live Patching
If you no longer need to use Kernel Live Patching, you can disable it at any time.
To disable Kernel Live Patching
-
Remove the RPM packages for the applied kernel live patches.
$sudo yum kernel-livepatch disable -
Uninstall the yum plugin for Kernel Live Patching.
$sudo yum remove yum-plugin-kernel-livepatch -
Reboot the instance.
$sudo reboot
Limitations
Kernel Live Patching has the following limitations:
-
While applying a kernel live patch, you can't perform hibernation, use advanced debugging tools (such as SystemTap, kprobes, and eBPF-based tools), or access ftrace output files used by the Kernel Live Patching infrastructure.
-
Note
Due to technical limitations, some issues cannot be addressed with live patching. Because of that, these fixes will not be shipped in the kernel live patch package but only in the native kernel package update. You can install the native kernel package update and reboot the system to activate the patches as usual.
Frequently asked questions
For frequently asked questions about Kernel Live Patching for AL2, see the
Amazon Linux 2 Kernel Live Patching FAQ
