Is live patching now available for HWE kernels?

Since live patching was released, only LTS kernels have been supported, with a note that live patching for HWE was in the works and likely to be available in 2017. I thought there would be an announcement when HWE support was ready, but I must have missed it. I'm certain that there was no support for the 17.04-based HWE kernel, but I had to use mainline kernels for a while on this machine in the past months.

I just installed 4.13.0-16.19~16.04.3-generic through linux-image-generic-hwe-16.04-edge, but I'm not exactly sure whether this kernel is supported by canonical-livepatch:

$ canonical-livepatch status
client-version: "7.23"
architecture: x86_64
cpu-model: Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz
last-check: 2017-11-08T21:16:29.971688844+01:00
boot-time: 2017-11-08T19:16:12+01:00
uptime: 2h54m26s
status:
- kernel: 4.13.0-16.19~16.04.3-generic
  running: true
  livepatch:
    checkState: checked
    patchState: nothing-to-apply
    version: ""
    fixes: ""

How do I know if a kernel is supported? Is there a support or wiki page where I can look this up? Or did someone find a URL in their networking logs showing some kind of hierarchy where these updates are fetched from?


Solution 1:

HWE kernels are supported by canonical-livepatch. The link https://wiki.ubuntu.com/Kernel/RollingLTSEnablementStack#Kernel_Livepatching states at the bottom:

For clarity, the Canonical Livepatch Service is only available and supported against the generic and lowlatency GA kernel flavours for 64-bit Intel/AMD (aka, x86_64, amd64) builds of the Ubuntu 16.04 (Xenial) and 18.04 (Bionic) LTS releases.

canonical-livepatch only supports the running kernel at the time and will not patch any other kernels that are installed on the system unless you reboot to the desired kernel.

When you install an HWE kernel, you install a generic kernel, i.e. linux-generic-hwe-20.04. However, not all generic kernels are supported by canonical-livepatch. In a test of my own, I installed a mainline 5.11 kernel (I know it is the newest, but it was just to show that it is unsupported).

terrance@terrance-ubuntu:~$ canonical-livepatch status
last check: 23 minutes ago
kernel: (unsupported)

On my 20.04 LTS installation I have both the default 5.4.x kernel installed as well as the HWE 5.8.x. When checking canonical-livepatch against them, they both show the same output other than the kernel version.

terrance@terrance-ubuntu:~$ canonical-livepatch status
last check: 17 seconds ago
kernel: 5.4.0-65.73-generic
server check-in: succeeded
patch state: ✓ no livepatches needed for this kernel yet

terrance@terrance-ubuntu:~$ uname -a
Linux terrance-ubuntu 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux


terrance@terrance-ubuntu:~$ canonical-livepatch status
last check: 27 seconds ago
kernel: 5.8.0-43.49~20.04.1-generic
server check-in: succeeded
patch state: ✓ no livepatches needed for this kernel yet

terrance@terrance-ubuntu:~$ uname -a
Linux terrance-ubuntu 5.8.0-43-generic #49~20.04.1-Ubuntu SMP Fri Feb 5 09:57:56 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux


terrance@terrance-ubuntu:~$ apt-cache policy linux-generic-hwe-20.04
linux-generic-hwe-20.04:
  Installed: 5.8.0.43.49~20.04.29
  Candidate: 5.8.0.43.49~20.04.29
  Version table:
 *** 5.8.0.43.49~20.04.29 500
        500 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu focal-security/main amd64 Packages
        100 /var/lib/dpkg/status
     5.4.0.26.32 500
        500 http://us.archive.ubuntu.com/ubuntu focal/main amd64 Packages
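
The two layouts of canonical-livepatch status output quoted above differ only in form, so here is an added example (not from either answer, and not Canonical's tooling): a POSIX shell helper that classifies the state the service reports and rewrites its kernel string to the uname -r form, so you can confirm the service is actually tracking the kernel you booted. The sample inputs are constructed from the outputs quoted in this thread; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original answers: parse `canonical-livepatch status`
# text and report what it says about the booted kernel, for both the 7.x client
# layout (status: / - kernel: / patchState:) and the newer layout (kernel: / patch state:).

# livepatch_state STATUS_TEXT -> unsupported | nothing-to-apply | <patchState> | other
livepatch_state() {
    printf '%s\n' "$1" | awk '
        /^ *patchState:/ { print $2; seen=1; exit }                      # 7.x layout
        /^kernel: \(unsupported\)/ { print "unsupported"; seen=1; exit } # newer layout
        /^patch state:/ {
            if ($0 ~ /no livepatches needed/) print "nothing-to-apply"
            else print "other"
            seen=1; exit
        }
        END { if (!seen) print "other" }'
}

# livepatch_kernel STATUS_TEXT -> first kernel listed, in `uname -r` form. The service
# prints <ver>-<abi>.<upload>[~backport]-<flavour]; uname -r drops the upload part,
# e.g. 4.13.0-16.19~16.04.3-generic -> 4.13.0-16-generic.
livepatch_kernel() {
    printf '%s\n' "$1" | sed -n 's/^[- ]*kernel: *//p' | head -n 1 |
        sed 's/-\([0-9]*\)\.[0-9]*\(~[^-]*\)\{0,1\}-/-\1-/'
}

# running_kernel_is_patched STATUS_TEXT UNAME_R -> true only when the service
# tracks the booted kernel and does not call it unsupported.
running_kernel_is_patched() {
    [ "$(livepatch_kernel "$1")" = "$2" ] &&
        [ "$(livepatch_state "$1")" != "unsupported" ]
}

# Constructed inputs, copied from the outputs quoted in this thread.
OLD_HWE='status:
- kernel: 4.13.0-16.19~16.04.3-generic
  running: true
  livepatch:
    checkState: checked
    patchState: nothing-to-apply'
NEW_UNSUPPORTED='last check: 23 minutes ago
kernel: (unsupported)'
NEW_HWE='last check: 27 seconds ago
kernel: 5.8.0-43.49~20.04.1-generic
server check-in: succeeded
patch state: ✓ no livepatches needed for this kernel yet'

# Pass --live to check the real client on this machine instead of the samples.
if [ "${1:-}" = "--live" ]; then
    out=$(canonical-livepatch status) || exit 1
    running_kernel_is_patched "$out" "$(uname -r)" && echo "covered: $(uname -r)" ||
        echo "NOT covered: $(uname -r) ($(livepatch_state "$out"))"
fi
```

Run it with --live on a machine with the client installed; a kernel that the service does not list, or lists as (unsupported), is reported as not covered regardless of what is sitting in /boot.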

Solution 2:

It doesn't look like kernel live patching for hwe-edge is supported at the moment:

$ canonical-livepatch status
client-version: "7.23"
architecture: x86_64
cpu-model: Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz
last-check: 2017-11-22T01:02:00.691553956+01:00
boot-time: 2017-11-08T19:16:12+01:00
uptime: 318h15m52s
status:
- kernel: 4.13.0-16.19~16.04.3-generic
  running: true
  livepatch:
    checkState: checked
    patchState: nothing-to-apply
    version: ""
    fixes: ""

$ ll /boot/vmlinuz-4.13*generic
-rw------- 1 root root 7649456 Okt 16 23:17 /boot/vmlinuz-4.13.0-16-generic
-rw------- 1 root root 7656048 Nov  6 17:16 /boot/vmlinuz-4.13.0-17-generic

Or there is really nothing worth patching at the moment; I'm not sure, though, when looking at the respective changelog via packages.ubuntu.com.

Edit: 4.10 kernels probably received a patch in the last few hours; 4.13 is not listed in the latest USNs:

  • https://usn.ubuntu.com/usn/usn-3485-2/
  • https://usn.ubuntu.com/usn/usn-3484-2/

Solution 3:

The HWE kernel is not supported; see link.

It says:

For clarity, the Canonical Livepatch Service is only available and supported against the generic and lowlatency GA kernel flavours for 64-bit Intel/AMD (aka, x86_64, amd64) builds of the Ubuntu 16.04 (Xenial) and 18.04 (Bionic) LTS releases.

updated @ 19.05.13