Why not set CONFIG_LIVEPATCH=Y for Manjaro kernel (amd64)

Hello.
I’ve been playing with kernel live patch subsystem, but found out that kernels shipped with Manjaro don’t have CONFIG_LIVEPATCH enabled.

I think this is a cool mechanism that would allow making small kernel patches as side modules without having to compile a brand new kernel from scratch.

This is enabled in Ubuntu stock kernels.

Maybe there are some side effects? Or any other thoughts against enabling that feature?
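As an added example (not part of the thread), the check below verifies what the question is about: whether a kernel config enables CONFIG_LIVEPATCH, and whether any live patches are currently loaded via the kernel's /sys/kernel/livepatch interface. It reads /proc/config.gz (present when the kernel was built with CONFIG_IKCONFIG_PROC) or /boot/config-$(uname -r); the inline config snippets are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example: inspect a kernel for live-patch support and loaded patches.
# Not code from the forum thread; function names are this example's own.

# Exit 0 if the config file at $1 enables CONFIG_LIVEPATCH, 1 otherwise.
# Handles plain text (/boot/config-*) and gzip (/proc/config.gz) input.
config_has_livepatch() {
    cfg="$1"
    { case "$cfg" in
          *.gz) gzip -dc "$cfg" ;;
          *)    cat "$cfg" ;;
      esac
    } | grep -qx 'CONFIG_LIVEPATCH=y'
}

# Print the path of the running kernel's config, or fail if none is readable.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        echo /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Print the name of each loaded live patch, one per line.
# $1 overrides the sysfs directory (defaults to the real /sys/kernel/livepatch).
loaded_livepatches() {
    dir="${1:-/sys/kernel/livepatch}"
    [ -d "$dir" ] || return 0
    for p in "$dir"/*/; do
        [ -d "$p" ] || continue
        basename "$p"
    done
}

# Stand-alone demo: first on a constructed sample config, then on this host.
livepatch_report() {
    sample=$(mktemp)
    printf 'CONFIG_MODULES=y\n# CONFIG_LIVEPATCH is not set\n' > "$sample"
    if config_has_livepatch "$sample"; then
        echo "constructed sample: livepatch enabled"
    else
        echo "constructed sample: livepatch disabled"
    fi
    rm -f "$sample"

    if cfg=$(running_kernel_config); then
        if config_has_livepatch "$cfg"; then
            echo "running kernel ($cfg): CONFIG_LIVEPATCH=y"
            echo "loaded live patches:"
            loaded_livepatches | sed 's/^/  /'
        else
            echo "running kernel ($cfg): CONFIG_LIVEPATCH not set"
        fi
    else
        echo "running kernel: no readable config found"
    fi
}

# Uncomment to run the report when executed directly:
# livepatch_report
```

A kernel with CONFIG_LIVEPATCH=y but an empty /sys/kernel/livepatch has the subsystem compiled in with nothing applied, which is the distinction the thread draws between having the feature and using it; an unexpected entry there on a host that never applies live patches is worth investigating.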

Security springs to mind. With CONFIG_LIVEPATCH=Y, once an attacker has gained access to a machine, they could patch the kernel, e.g. as part of a rootkit.


A note of caution: Kernel live patching is risky. Count on hard freezing or panics to become normal…

https://wiki.gentoo.org/wiki/Live_patching


@Zesko @Aragorn thank you for your replies. Those are good points.

But I have other arguments. As for freezing or panics, it seems “you don’t apply livepatches - you don’t have problems” still holds with the livepatch subsystem enabled. As a user, if you CAN use a feature, that doesn’t necessarily mean you MUST use it.

Regarding security issues: to apply patches one has to gain root access, and as long as the attacker has root access, they could reboot into any other kernel anyway and compromise the system in any desired way.

So I still can’t see any real way in which enabling the livepatch subsystem extends the attack perimeter or impacts system performance.

Gaining root access is not the same as having physical access to the machine, which would allow the attacker to reboot into a new kernel…

Also keep in mind that live patching in this context is meant for developers to speed up their development cycles by eliminating as much as possible the need to reboot after each change to the code they are working on.
A regular user does not benefit from this “feature”; that’s why it isn’t enabled in most distros…
