What kinds of updates will be provided by the Ubuntu Livepatch Service?
The Livepatch Service intends to address high and critical severity Linux kernel security vulnerabilities, as identified by Ubuntu Security Notices and the CVE tracker. Since there are limitations to the kernel livepatch technology, some Linux kernel code paths cannot be safely patched while running. There may be occasions when the traditional kernel upgrade and reboot might still be necessary.
Livepatches are developed and released based on kernel SRU releases, and contain a subset of the CVEs fixed by that kernel SRU. Livepatches are cumulative, so when a new livepatch is released, it contains both the new CVE fixes, as well as all of the CVE fixes from the previous release of that livepatch.
What kinds of updates are not provided by the Livepatch service?
The livepatch service provides patches exclusively for Canonical-released kernels, addressing security issues that have been assigned a CVE and are rated as high or critical priority.
Livepatches are intended to address significant security issues in the kernel, and provide customers with protection from serious vulnerabilities until they can schedule a reboot. All CVEs that are rated as either a high or critical issue will always be livepatched if possible, and, if it is not possible, a notification that a reboot is required will be issued by the Livepatch client.
There are frequently patches included in kernel updates that are not included in the Livepatch service, such as:
- bug fixes that are not security issues
- performance improvements
- driver updates
- new features
To receive these updates, it is necessary to upgrade the kernel package using the package manager for the system (apt for Ubuntu desktop or server, or snapd if running on Ubuntu Core) and then reboot into the upgraded kernel.
When should I expect updates?
Livepatches are related to and are ‘‘usually’’ derived from, but are not the same as, the kernel SRU updates for CVEs. While the vulnerabilities being addressed by both kernel SRU updates and livepatches are the same, the process for development and testing are not. A livepatch for a vulnerability can be significantly more complex than an ordinary kernel patch, and due to the additional complexity, can take more time to develop and test.
Canonical is committed to livepatching every high or critical rated CVE possible as quickly as we can, and in ideal circumstances, a livepatch will be available at the same time as the corresponding kernel SRU update.
If we determine that we cannot livepatch a high or critical CVE, we will inform our livepatch users at the same time an SRU kernel update that does fix the issue becomes available, in two ways:
- The livepatch client will indicate that the system must be rebooted by reporting a state of “reboot required.” This will be accompanied by a notification in the desktop, on desktop systems, and a notification in the MOTD on the terminal.
- A LSN will be released containing instructions to reboot into a new SRU kernel that contains a fix for the CVE. LSNs are released on both the security website and via email.
This is great. Now I never have to reboot!
That is not the case. Livepatches include only high and critical kernel vulnerabilities. The service provides protection from serious security issues, but this is just one aspect of keeping your system secure and well maintained. There are a number of other software components that can require you to reboot your system, including, but not limited to:
- CPU firmware and microcode updates
- Updates to shared libraries and low-level dependencies (glibc, for example)
- System BIOS and EFI updates
Enabling the Livepatch service does not turn on automatic installation of security updates in APT.
For best security, you should enable security updates using APT, subscribe to the security announcement mailing list, follow all advised security updates, and reboot your system at your earliest convenience when any software component requires it.
Additionally, kernel SRU updates include non-security bugfixes and lower-priority security fixes that may be important to your specific circumstances, and these fixes are only available by rebooting into an updated kernel.
How do you rate a CVE?
We do not use an external rating system, but rate based on these qualifications:
| negligible | Something that is technically a security problem, but is only theoretical in nature, requires a very special situation, has almost no install base, or does no real damage. These tend not to get backport from upstreams, and will likely not be included in security updates unless there is an easy fix and some other issue causes an update. |
| low | Something that is a security problem, but is hard to exploit due to environment, requires a user-assisted attack, a small install base, or does very little damage. These tend to be included in security updates only when higher priority issues require an update, or if many low priority issues have built up. |
| medium | Something is a real security problem, and is exploitable for many people. Includes network daemon denial of service attacks, cross-site scripting, and gaining user privileges. Updates should be made soon for this priority of issue. |
| high | A real problem, exploitable for many people in a default installation. Includes serious remote denial of services, local root privilege escalations, or data loss. |
| critical | A world-burning problem, exploitable for nearly all people in a default installation of Ubuntu. Includes remote root privilege escalations, or massive data loss. |
What happens when a problem occurs that can’t be patched?
When an un-patchable security issue occurs, users must upgrade to a version of the kernel that is fixed, and reboot. Problems of this type are announced on the mailing list via LSN. Kernels prior to the levels named in that announcement will no longer be livepatched.
The Livepatch client will report a state of “kernel-upgrade-required” if you are running a kernel that is no longer livepatched due to an earlier un-patchable kernel security issue. This notice will appear in the user’s desktop notifications, and in the text-based message of the day (MOTD) if logged into a terminal.
Why was there no livepatch for some particular high or critical CVE?
Livepatches are only produced for supported kernels, and only for CVEs that require a Linux kernel modification to fix the problem (for example, a CPU bug may not have a kernel fix). Further, livepatches do not address security problems in Ubuntu software packages, on in third-party drivers that do not ship as part of the Linux kernel (i.e. NVIDIA GPU drivers).
Livepatch is intended to provide protection from security issues in addition to regular kernel security updates, so be sure to read and follow the security advisories published in Ubuntu Security Notifications (USNs) for your kernel.
I cannot access the livepatch service.
Network access to the Ubuntu Livepatch Service (https://livepatch.canonical.com:443) is necessary as well as snapd 2.15 or later are needed.
Why isn’t Livepatch working on my machine?
UNSUPPORTED KERNELS
Livepatch supports only kernels that have been released by the kernel team to the updates pocket, i.e. officially-released kernels acquired through APT using Canonical’s repository for system updates, or Snap-based kernels released by Canonical to stable Snap channels.
While a livepatch might successfully apply to a kernel acquired from other sources, only kernels released by Canonical are supported. Kernels from other sources are not supported, including but not limited to:
- kernels acquired from the development (proposed) kernel PPA
- kernels acquired from the kernel team’s build PPA
- test kernels acquired from the kernel team’s development PPAs
- personally-rebuilt kernels using the source debian package
- personally-rebuilt kernels using snapcraft
- kernels acquired from a Ubuntu-derived distribution
Please be aware that while it may be possible to build a kernel with the same version markings as an officially-supported kernel, and to attempt to load a Canonical-generated livepatch into that kernel, it will likely not work, and can potentially crash your system or corrupt your data.
Also note that a kernel running unsigned, out-of-tree drivers will be tainted, and the kernel will refuse to apply livepatches in this state.
SECUREBOOT
If you are using secure boot with a kernel older than April 1 2021, you will also need to import the livepatch public keys into your keyring. If your kernel is newer, there is no need to import keys as the key is included in the kernel, but doing so will not cause any harm.
Use the following command to import the livepatch key:
sudo mokutil --import /snap/canonical-livepatch/current/keys/livepatch-kmod.x509
After this enter a password if necessary for MOK, then reboot.
Your BIOS will then guide you through enrolling a new key in MOK. At this point you will be able to verify the module signatures.
How do I get more help?
To access Livepatch see the Ubuntu Advantage subscription.
Ubuntu Advantage customers should file support tickets at:
Reporting bugs
Please file bugs at the canonical-livepatch launchpad project.
When you open a bug, please provide the output from the following commands, so that we can troubleshoot your issue:
snap info canonical-livepatchcanonical-livepatch statuslsb_release -auname -ajournalctl -u snap.canonical-livepatch.canonical-livepatchd(this can be long, so maybe| tail -100for recent issues)
Recommend marking the bug as private if any of the above contains personal information that you do not want publicly available and searchable.