Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

  1. Blog
  2. Article

ijlal-loutfi
on 13 April 2023

Livepatch has a new 13-month sliding support window – What does it mean for you?


Livepatch is a valuable tool for fixing critical and high security kernel Common Vulnerabilities and Exposures, CVEs, at run-time, without the need for an immediate system reboot. However, it should not be used as a replacement for regular maintenance windows and rebooting. A good enterprise policy should include both livepatching and regular reboots to ensure the system remains stable and secure.

This is because some system CVEs, such as firmware or device driver updates, will still require a system reboot. Additionally, Livepatch does not include kernel updates for non-security bug fixes, lower-priority security fixes, and performance improvements. 

Furthermore, there may be instances where critical kernel CVEs cannot be addressed through livepatching and will require a standard system update. Last but not the least, It is important to recognise that Livepatch is not a viable solution for upgrading to the next kernel release. To do so, a traditional system update is required which entails a reboot.

For all these reasons, Canonical has always strongly recommended its customers to follow good enterprise policies for regular maintenance windows, and to use Livepatch to bridge the gap until their next scheduled maintenance window.

Sliding support window

In order to ensure that our customers adhere to the industry’s best-practices and that livepatch does not hinder their maintenance schedules, Canonical has decided to introduce a sliding support window of 13 months for every version revision of the GA kernels of all its Ubuntu LTS releases. This change is scheduled to take effect on April 20, 2023, coinciding with the release of Ubuntu 23.04, also known as Lunar Lobster.

Does this mean that we are reducing the overall Livepatch maintenance period of LTS releases? Absolutely not. They are still going to be supported for 5 years as part of Canonical’s LTS commitments, and 10 years if you have an Ubuntu  Pro subscription.

So what does this mean after all? If a customer has not rebooted their system in 13 months and they want to continue using Livepatch, they will need to install the latest kernel update and then reboot. This will bring them to a new revision of that same kernel version. This will also restart the clock for another 13 months of Livepatch support for that version.

Let’s take an example: if  you are running 5.4.0-60 GA kernel with your Ubuntu 20.04 LTS, and you have not rebooted for 13 months since its release date in April, 2020, you will simply need to update and  reboot your system and come back to the latest update which will be 5.4.0-80. This will start the clock for another 13 months for this kernel version revision. Without such a reboot, you will not receive further livepatches.

Within every 13-month support window, you have the flexibility to reboot your systems whenever it suits you. 

Furthermore, our latest exciting addition of livepatch support on Hardware Enablement (HWE) kernels offers even more flexibility for those who prefer to use newer hardware. If you choose to reboot, you will now have the option to upgrade to the latest available HWE kernel. This means that, regardless of the kernel you choose to run on your Ubuntu LTS release, you can still take advantage of Livepatch.

If your regular maintenance windows are already shorter than 13 months, this change will not affect you. However, if your maintenance windows are longer than 13 months, you will need to adjust them to ensure that you continue to receive livepatches for that particular kernel version.

We understand that this announcement requires a detailed understanding of our Linux kernel maintenance and update cycle. If you have any questions or uncertainties about this process, please read on as we provide further explanations of the concepts and rationale behind it.

Understand Ubuntu kernel versions

Let’s say that you are running Ubuntu 22.04 with the “Ubuntu 5.15.0-35-generic” GA kernel. Each piece of this string carries a meaning. Let us explore it:

  • “Ubuntu” identifies the Linux distribution on which the kernel is running.
  • “5.15.0” represents the upstream kernel’s version number:
    The “-35” at the end is the revision number of the kernel. It tells you how many times the kernel has been updated since its initial release, and in this case, the kernel has undergone 35 revisions as part of Canonical’s security maintenance process.
  • Lastly, “generic” refers to the kernel flavor, and Ubuntu offers various kernel flavors, such as generic and lowlatency.

How does Canonical maintain every kernel version?

Image from Unsplash by Dani

Ensuring the kernel is up-to-date is critical for system security. Canonical addresses kernel vulnerabilities by releasing Stable Release Updates (SRUs) every few weeks, which primarily focus on fixing specific issues rather than introducing new features or major system changes. These patches undergo extensive testing and verification to ensure that they effectively fix the intended issues without introducing new problems or regressions.

As a result, you have the option to either update your kernel to its next revision by rebooting every few weeks, or to livepatch it instead. Opting for livepatching means that you can address critical and high kernel vulnerabilities while your system is still running, and save the reboot for your next scheduled maintenance window. With the 13-month sliding support window, you have the flexibility  to  continue using the same kernel revision for up to 13 months while benefiting from Livepatch.

What if I don’t reboot after 13 months?

Canonical strongly advises adhering to industry best practices, including not having unreasonably long maintenance windows. Not following these practices may lead to system instability and security vulnerabilities. If you choose to not reboot your system for more than 13 months, you will no longer receive livepatches for that particular kernel version revision. However, after updating to a more recent kernel revision of the same or newer kernel version and rebooting, you can once again take advantage of Livepatch support.

Conclusion

Livepatch is a vital technology that presents numerous advantages to organisations seeking to ensure the security of their kernel while minimising the impact of reboots caused by software updates. By reducing downtime, Livepatch saves valuable time on unplanned work, allowing your team to focus on true business innovation that can make a difference to your organisation.

To fully experience all these great benefits, it is crucial to make optimal use of Livepatch. With the newly announced 13-month sliding support window, you have the flexibility to continue using the same kernel revision for up to 13 months while benefiting from Livepatch.

If you would like to know more about livepatch and the Canonical approach of security at large, contact us or reach out to us through our discourse channels. We would love to hear from you!

Additional resources

Related posts


Canonical
19 September 2023

라이브패치(Livepatch)에 새로운 13개월 슬라이딩 지원 기간이 있습니다. 여러분에게 어떤 의미가 있을까요?

Security Security

라이브패치는 시스템을 즉시 재부팅할 필요 없고 런타임에 중요하고 높은 보안 커널 공통 보안 취약성 및 노출(CVE)을 수정하는 유용한 툴입니다. 그러나 정기적인 유지 관리 기간 및 재부팅을 대체하는 용도로 사용해서는 안 됩니다. 좋은 기업 정책에는 시스템이 안정적이고 안전하게 유지되도록 라이브패치와 정기적인 재부팅이 모두 포함되어야 합니다. 그 이유는 펌웨어 또는 장치 드라이버 업데이트와 같은 일부 시스템 CVE는 ...


ijlal-loutfi
13 April 2023

Canonical Livepatch gets even better – Now supporting Hardware Enablement Kernels

Security Livepatch

Livepatch allows Ubuntu users to fix critical and high kernel vulnerabilities at runtime, which reduces the need for unplanned reboots. Until now, Livepatch has only been available for Long-Term Release (LTS) kernels, but starting with the release of Ubuntu’s interim release of 23.04 Lunar Lobster in April 2023, it will also be available ...


Canonical
14 September 2021

Ubuntu Livepatch on-prem reduces downtime and unplanned work on enterprise environments!

Canonical announcements Article

London, United Kingdom – Canonical announces Ubuntu Livepatch on-prem, an enhancement to its Ubuntu Livepatch service enabling organisations to take control of their kernel livepatching policy. Designed for complex enterprise environments that follow their own patch rollout policy, Ubuntu Livepatch on-prem provides the basis for an effici ...