Livepatch is a valuable tool for fixing critical and high security kernel Common Vulnerabilities and Exposures, CVEs, at run-time, without the need for an immediate system reboot. However, it should not be used as a replacement for regular maintenance windows and rebooting. A good enterprise policy should include both livepatching and regular reboots to ensure the system remains stable and secure.

This is because some system CVEs, such as firmware or device driver updates, will still require a system reboot. Additionally, Livepatch does not include kernel updates for non-security bug fixes, lower-priority security fixes, and performance improvements. 

Furthermore, there may be instances where critical kernel CVEs cannot be addressed through livepatching and will require a standard system update. Last but not the least, It is important to recognise that Livepatch is not a viable solution for upgrading to the next kernel release. To do so, a traditional system update is required which entails a reboot.

For all these reasons, Canonical has always strongly recommended its customers to follow good enterprise policies for regular maintenance windows, and to use Livepatch to bridge the gap until their next scheduled maintenance window.

Sliding support window

In order to ensure that our customers adhere to the industry’s best-practices and that livepatch does not hinder their maintenance schedules, Canonical has decided to introduce a sliding support window of 13 months for every version revision of the GA kernels of all its Ubuntu LTS releases. This change is scheduled to take effect on April 20, 2023, coinciding with the release of Ubuntu 23.04, also known as Lunar Lobster.

Does this mean that we are reducing the overall Livepatch maintenance period of LTS releases? Absolutely not. They are still going to be supported for 5 years as part of Canonical’s LTS commitments, and 10 years if you have an Ubuntu  Pro subscription.

So what does this mean after all? If a customer has not rebooted their system in 13 months and they want to continue using Livepatch, they will need to install the latest kernel update and then reboot. This will bring them to a new revision of that same kernel version. This will also restart the clock for another 13 months of Livepatch support for that version.

Let’s take an example: if  you are running 5.4.0-60 GA kernel with your Ubuntu 20.04 LTS, and you have not rebooted for 13 months since its release date in April, 2020, you will simply need to update and  reboot your system and come back to the latest update which will be 5.4.0-80. This will start the clock for another 13 months for this kernel version revision. Without such a reboot, you will not receive further livepatches.

Within every 13-month support window, you have the flexibility to reboot your systems whenever it suits you. 

Furthermore, our latest exciting addition of livepatch support on Hardware Enablement (HWE) kernels offers even more flexibility for those who prefer to use newer hardware. If you choose to reboot, you will now have the option to upgrade to the latest available HWE kernel. This means that, regardless of the kernel you choose to run on your Ubuntu LTS release, you can still take advantage of Livepatch.

If your regular maintenance windows are already shorter than 13 months, this change will not affect you. However, if your maintenance windows are longer than 13 months, you will need to adjust them to ensure that you continue to receive livepatches for that particular kernel version.

We understand that this announcement requires a detailed understanding of our Linux kernel maintenance and update cycle. If you have any questions or uncertainties about this process, please read on as we provide further explanations of the concepts and rationale behind it.

Understand Ubuntu kernel versions

Let’s say that you are running Ubuntu 22.04 with the “Ubuntu 5.15.0-35-generic” GA kernel. Each piece of this string carries a meaning. Let us explore it:

• “Ubuntu” identifies the Linux distribution on which the kernel is running.
• “5.15.0” represents the upstream kernel’s version number:
  The “-35” at the end is the revision number of the kernel. It tells you how many times the kernel has been updated since its initial release, and in this case, the kernel has undergone 35 revisions as part of Canonical’s security maintenance process.
• Lastly, “generic” refers to the kernel flavor, and Ubuntu offers various kernel flavors, such as generic and lowlatency.

How does Canonical maintain every kernel version?

Ensuring the kernel is up-to-date is critical for system security. Canonical addresses kernel vulnerabilities by releasing Stable Release Updates (SRUs) every few weeks, which primarily focus on fixing specific issues rather than introducing new features or major system changes. These patches undergo extensive testing and verification to ensure that they effectively fix the intended issues without introducing new problems or regressions.

As a result, you have the option to either update your kernel to its next revision by rebooting every few weeks, or to livepatch it instead. Opting for livepatching means that you can address critical and high kernel vulnerabilities while your system is still running, and save the reboot for your next scheduled maintenance window. With the 13-month sliding support window, you have the flexibility  to  continue using the same kernel revision for up to 13 months while benefiting from Livepatch.

What if I don’t reboot after 13 months?

Canonical strongly advises adhering to industry best practices, including not having unreasonably long maintenance windows. Not following these practices may lead to system instability and security vulnerabilities. If you choose to not reboot your system for more than 13 months, you will no longer receive livepatches for that particular kernel version revision. However, after updating to a more recent kernel revision of the same or newer kernel version and rebooting, you can once again take advantage of Livepatch support.

Conclusion

Livepatch is a vital technology that presents numerous advantages to organisations seeking to ensure the security of their kernel while minimising the impact of reboots caused by software updates. By reducing downtime, Livepatch saves valuable time on unplanned work, allowing your team to focus on true business innovation that can make a difference to your organisation.

To fully experience all these great benefits, it is crucial to make optimal use of Livepatch. With the newly announced 13-month sliding support window, you have the flexibility to continue using the same kernel revision for up to 13 months while benefiting from Livepatch.

If you would like to know more about livepatch and the Canonical approach of security at large, contact us or reach out to us through our discourse channels. We would love to hear from you!

Additional resources

• Is Linux Secure?
• Watch our webinar “Is Linux Secure”
• https://ubuntu.com/blog/linux-security-frequently-asked-questions
• Watch our webinar to learn more about confidential computing
• Read our blog post for “What is confidential computing? A high-level explanation for CISOs”
• Do you need a certified Ubuntu? 
• Ubuntu: What’s the security story?
• Learn about Learn about how confidential computing can help you better utilize security-sensitive data within the financial-services industry
• Ubuntu Pro | product page
• Ubuntu Pro | plans and pricing
• Buy Ubuntu Pro