Livepatch

Differences between revisions 9 and 34 (spanning 25 versions)
Revision 9 as of 2017-11-22 21:50:05
Size: 1570
Editor: alexmoldovan
Comment:
Revision 34 as of 2019-01-29 15:50:33
Size: 4371
Editor: azzar1
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
= What is Livepatch = ## page was copied from Kernel/Livepatch
#acl canonicalTeamACL:read,write,delete,revert All:read
Line 3: Line 4:
The Canonical Livepatch Service is Available to all Ubuntu Advantage customers, and also for personal use for free up to a maximum of three Ubuntu 16.04 LTS and 14.04 LTS systems. It updates your Ubuntu your systems with the highest and most critical security vulnerabilities, without requiring a reboot in order to take effect. = Kernel Livepatch =
This is a collection of notes and FAQs for the [[https://www.ubuntu.com/server/livepatch | Canonical Livepatch Service]]. That page has a general introduction, data sheet and the ability to sign up for the service.
Line 5: Line 7:
= System Requirements = == System Requirements ==
Line 7: Line 9:
The Livepatch service is available for the generic flavour of the 64-bit Intel/AMD (aka, x86_64, amd64) builds of the Ubuntu 16.04 LTS (Xenial) kernel, which is a Linux 4.4 kernel, as well as Ubuntu 14.04 LTS running the Linux 4.4 [[https://wiki.ubuntu.com/Kernel/LTSEnablementStack|Hardware Enablement kernel]]. It works on Ubuntu 16.04 LTS and 14.04 LTS Servers and Desktops, on physical machines, virtual machines, and in the cloud. As mentioned before, Ubuntu 14.04 LTS systems must use the Hardware Enablement kernel. || Ubuntu release || Arch || Kernel Version || Kernel Variants ||
|| Ubuntu 18.04 LTS || 64-bit x86 || 4.15 || GA generic and lowlatency kernel variants only ||
|| Ubuntu 16.04 LTS || 64-bit x86 || 4.4 || GA generic and lowlatency kernel variants only ||
|| Ubuntu 14.04 LTS || 64-bit x86 || 4.4 || [[https://wiki.ubuntu.com/Kernel/LTSEnablementStack|Hardware Enablement kernel]] only ||
Line 9: Line 14:
= How to enable Livepatch =
First install the canonical-livepatch daemon:
Additionally, network access to the Canonical Livepatch Service (https://livepatch.canonical.com:443) and the latest version of snapd (at least 2.15) are needed.
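Review bot: "the latest version of snapd (at least 2.15)" is self-contradictory; state the actual requirement, "snapd 2.15 or newer", and say how to check it (`snap version` prints a `snapd` line). Note also that the enablement steps deleted in this hunk (`sudo snap install canonical-livepatch`, `sudo canonical-livepatch enable`) now appear nowhere on the page, yet the Secure Boot section below refers to a key under /snap/canonical-livepatch/current/; keep a one-line pointer to the install step or link to where it is documented.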
Line 12: Line 16:
`sudo snap install canonical-livepatch` == Security Notices ==
Livepatch Security Notices (LSN) are only available by subscribing to the [[https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce|Ubuntu Security Announcements]] mailing list. LSNs will be released for:
 * Announcing a new livepatch.
 * An alert if a livepatch cannot be released describing why and possible mitigation notes.
   * a standard [[https://usn.ubuntu.com/usn/|Ubuntu security notice]] (USN) will be released with packages along side it to fix the issue.
   * the livepatch client will start issuing a warning that an update and reboot is necessary.
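Review bot: "along side" should be "alongside". The two indented items describe what happens when a livepatch cannot be released, so they are consequences of the second bullet, not a third and fourth kind of LSN; as written they are easy to misread that way. Consider ending the second bullet with "In that case:" before the sub-items.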
Line 14: Line 23:
And then you need to enable it: '''NOTE'''
You must subscribe to the mailing list. The USN RSS Feed, CVE tracker, and other services do not know about Livepatch Security Notices.
Line 16: Line 26:
`sudo canonical-livepatch enable` == Common Issues ==
<<Anchor(CommonIssues)>>
This part describes known issues with Canonical Livepatch Service.
Line 18: Line 30:
This command will first ask you if this system is covered under an Ubuntu Advantage support contract with Canonical, and if so, you’ll be directed to the [[https://auth.livepatch.canonical.com/|Canonical Livepatch portal]] where you’ll provision your credentials, then paste them into the dialog.
For further information on how to enable the Canonical Livepatch Service please read the documentation.
=== Secure Boot ===
If you are using secure boot, you will also need to import the Livepatch public keys into your keyring.
Line 21: Line 33:
= How to get security notices for Livepatch = This can be done with the following command:
{{{sudo mokutil --import /snap/canonical-livepatch/current/keys/livepatch-kmod.x509}}}
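Review bot: the import step should say what to expect: `mokutil --import` prompts for a password (entered twice) that MokManager asks for again at the next boot before it enrolls the key, the step is only needed when `mokutil --sb-state` reports "SecureBoot enabled", and a successful enrolment can be confirmed afterwards with `mokutil --list-enrolled`. Stating these three points here avoids the common failure where the reboot happens, the MokManager prompt is skipped, and the livepatch modules are still refused.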
Line 23: Line 36:
= FAQ = After this enter a password if necessary for MOK, then reboot. Your BIOS will then guide you through enrolling a new key in MOK. At this point, you will be able to verify the module signatures.

=== Tanned Kernel ===

== FAQ ==

=== What kinds of updates will be provided by the Canonical Livepatch Service? ===

The Livepatch Service intends to address high and critical severity Linux kernel security vulnerabilities, as identified by Ubuntu Security Notices and the [[https://people.canonical.com/~ubuntu-security/cve/|CVE]] tracker. Since there are limitations to the [[https://github.com/torvalds/linux/blob/master/Documentation/livepatch/livepatch.txt|kernel livepatch technology]], some Linux kernel code paths cannot be safely patched while running. There may be occasions when the traditional kernel upgrade and reboot might still be necessary.

=== How do you rate a CVE? ===
We do not use an external rating system, but rate based on these qualifications:
|| '''negligible''' || Something that is technically a security problem, but is only theoretical in nature, requires a very special situation, has almost no install base, or does no real damage. These tend not to get backport from upstreams, and will likely not be included in security updates unless there is an easy fix and some other issue causes an update.||
|| '''low''' || Something that is a security problem, but is hard to exploit due to environment, requires a user-assisted attack, a small install base, or does very little damage. These tend to be included in security updates only when higher priority issues require an update, or if many low priority issues have built up.||
|| '''medium''' || Something is a real security problem, and is exploitable for many people. Includes network daemon denial of service attacks, cross-site scripting, and gaining user privileges. Updates should be made soon for this priority of issue.||
|| '''high''' || A real problem, exploitable for many people in a default installation. Includes serious remote denial of services, local root privilege escalations, or data loss.||
|| '''critical''' || A world-burning problem, exploitable for nearly all people in a default installation of Ubuntu. Includes remote root privilege escalations, or massive data loss.||
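Review bot: "=== Tanned Kernel ===" under Common Issues is an empty section; either give it a body or drop it until there is content. If "Tainted Kernel" was intended, the behaviour worth documenting is that loading a livepatch module sets the kernel's livepatch taint flag, which is expected and not a fault. In the rating table, "tend not to get backport from upstreams" should read "tend not to get backports from upstream".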

Kernel Livepatch

This is a collection of notes and FAQs for the Canonical Livepatch Service. That page has a general introduction, data sheet and the ability to sign up for the service.

System Requirements

|| Ubuntu release || Arch || Kernel Version || Kernel Variants ||
|| Ubuntu 18.04 LTS || 64-bit x86 || 4.15 || GA generic and lowlatency kernel variants only ||
|| Ubuntu 16.04 LTS || 64-bit x86 || 4.4 || GA generic and lowlatency kernel variants only ||
|| Ubuntu 14.04 LTS || 64-bit x86 || 4.4 || Hardware Enablement kernel only ||

Additionally, network access to the Canonical Livepatch Service (https://livepatch.canonical.com:443) and the latest version of snapd (at least 2.15) are needed.
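The requirements above can be turned into a pre-flight check. The script below is an added example written against this page's table, not Canonical's tooling; it assumes (not stated on the page) that the release comes from lsb_release, the architecture from dpkg, the kernel variant is the suffix of `uname -r`, and that the 14.04 Hardware Enablement kernel is the generic flavour (4.4.0-NNN-generic).

```shell
#!/bin/sh
# Pre-flight check against the Livepatch requirements table on this page (added
# example, not Canonical's tooling). Assumed, not from the page: lsb_release for the
# release, dpkg for the arch, `uname -r` suffix for the variant, 14.04 HWE = generic.

# Kernel variant from a release string: 4.15.0-43-generic -> generic
kernel_variant() {
    printf '%s\n' "$1" | sed -n 's/^[0-9.]*-[0-9]*-\(.*\)$/\1/p'
}

# 0 if (release, dpkg arch, `uname -r`) is a combination the requirements table lists.
livepatch_supported() {
    rel=$1 arch=$2 kver=$3
    [ "$arch" = "amd64" ] || return 1            # table: 64-bit x86 only
    mm=$(printf '%s\n' "$kver" | cut -d. -f1,2)   # 4.15.0-43-generic -> 4.15
    var=$(kernel_variant "$kver")
    case "$rel:$mm:$var" in
        18.04:4.15:generic|18.04:4.15:lowlatency) return 0 ;;
        16.04:4.4:generic|16.04:4.4:lowlatency)   return 0 ;;
        14.04:4.4:generic)                        return 0 ;;  # HWE kernel (assumed generic)
        *)                                        return 1 ;;
    esac
}

# 0 if snapd version $1 (e.g. 2.37.4) is at least 2.15, the minimum the page states.
snapd_version_ok() {
    maj=${1%%.*}
    rest=${1#"$maj"}; rest=${rest#.}
    min=${rest%%.*}; min=${min:-0}
    [ "$maj" -gt 2 ] || { [ "$maj" -eq 2 ] && [ "$min" -ge 15 ]; }
}
# 0 when `mokutil --sb-state` output ($1) says Secure Boot is on, i.e. the
# Livepatch signing key must also be enrolled in MOK (see Secure Boot below).
secure_boot_enabled() {
    case "$1" in *"SecureBoot enabled"*) return 0 ;; *) return 1 ;; esac
}

# Gather the live values and report; run as `sh livepatch-preflight.sh --check`.
preflight() {
    rel=$(lsb_release -rs 2>/dev/null); arch=$(dpkg --print-architecture 2>/dev/null)
    kver=$(uname -r); snapd=$(snap version 2>/dev/null | awk '$1=="snapd"{print $2}')
    if livepatch_supported "$rel" "$arch" "$kver"; then echo "kernel $kver on $rel/$arch: listed"
    else echo "kernel $kver on $rel/$arch: NOT listed as Livepatch-capable"; fi
    if snapd_version_ok "${snapd:-0}"; then echo "snapd $snapd: ok"; else echo "snapd ${snapd:-missing}: need 2.15+"; fi
    if secure_boot_enabled "$(mokutil --sb-state 2>/dev/null)"; then
        echo "Secure Boot on: enroll /snap/canonical-livepatch/current/keys/livepatch-kmod.x509 via mokutil"
    fi
}
if [ "${1:-}" = "--check" ]; then preflight; fi
```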

Security Notices

Livepatch Security Notices (LSN) are only available by subscribing to the Ubuntu Security Announcements mailing list. LSNs will be released for:

  • Announcing a new livepatch.
  • An alert if a livepatch cannot be released, describing why and possible mitigation notes. In that case:
    • a standard Ubuntu security notice (USN) will be released with packages alongside it to fix the issue.
    • the livepatch client will start issuing a warning that an update and reboot is necessary.

NOTE: You must subscribe to the mailing list. The USN RSS Feed, CVE tracker, and other services do not know about Livepatch Security Notices.

Common Issues

This part describes known issues with Canonical Livepatch Service.

Secure Boot

If you are using secure boot, you will also need to import the Livepatch public keys into your keyring.

This can be done with the following command:

{{{sudo mokutil --import /snap/canonical-livepatch/current/keys/livepatch-kmod.x509}}}

After this, enter a password for MOK if prompted, then reboot. Your BIOS will then guide you through enrolling the new key in MOK. At this point, you will be able to verify the module signatures.

Tanned Kernel

FAQ

What kinds of updates will be provided by the Canonical Livepatch Service?

The Livepatch Service intends to address high and critical severity Linux kernel security vulnerabilities, as identified by Ubuntu Security Notices and the CVE tracker. Since there are limitations to the kernel livepatch technology, some Linux kernel code paths cannot be safely patched while running. There may be occasions when the traditional kernel upgrade and reboot might still be necessary.

How do you rate a CVE?

We do not use an external rating system, but rate based on these qualifications:

|| negligible || Something that is technically a security problem, but is only theoretical in nature, requires a very special situation, has almost no install base, or does no real damage. These tend not to get backports from upstream, and will likely not be included in security updates unless there is an easy fix and some other issue causes an update. ||
|| low || Something that is a security problem, but is hard to exploit due to environment, requires a user-assisted attack, a small install base, or does very little damage. These tend to be included in security updates only when higher priority issues require an update, or if many low priority issues have built up. ||
|| medium || Something that is a real security problem, and is exploitable for many people. Includes network daemon denial of service attacks, cross-site scripting, and gaining user privileges. Updates should be made soon for this priority of issue. ||
|| high || A real problem, exploitable for many people in a default installation. Includes serious remote denial of service, local root privilege escalations, or data loss. ||
|| critical || A world-burning problem, exploitable for nearly all people in a default installation of Ubuntu. Includes remote root privilege escalations, or massive data loss. ||

azzar1/Kernel/Livepatch (last edited 2019-01-29 15:51:42 by azzar1)