SUSE has released kGraft to the public, the technology it developed to deliver live runtime patching of the Linux kernel.
Uniquely (although we use the term carefully and with some trepidation), kGraft doesn't require stopping the kernel (even for short periods), making it (theoretically) easier for IT staff to install critical security and other patches without system downtime.
"Originally a research project from SUSE Labs, kGraft has quickly shown its promise as a live patching Linux tool for enterprise users," said Vojtěch Pavlík, director of SUSE Labs. "Providing quick and reliable response to unscheduled patching needs without requiring the shutting down or rebooting of any number of servers will increase the stability, cost efficiency, and security of enterprise customers' environments. This technology will enhance uptime in mission-critical environments."
kGraft is based on modern Linux technologies, including INT3/IPI-NMI self-modifying code, an RCU-like update mechanism, mcount-based NOP space allocation, and standard kernel module loading/linking mechanisms.
By combining and using other Linux technologies, kGraft requires only a small amount of code to run.
Going forward now, SUSE will submit kGraft upstream while working with the Linux community to create a common, standard kernel live patching solution.