TuxTape: A Kernel Livepatching Solution
UD2.208 (Decroly) | Day 2 | 13:10 - 13:40 | Speakers: Grayson Guarino, Chris Townsend
Abstract
TuxTape is an in-development kernel livepatching ecosystem that aims to aid in the production and distribution of kpatch patches to vendor-independent kernels. This is done by scraping the Linux CNA mailing list, prioritizing CVEs by severity, and determining applicability of the patches to the configured kernel(s). Applicability of patches is determined by profiling kernel builds to record which files are included in the build process and ignoring CVEs that do not affect files included in kernel builds deployed on the managed fleet.
We will present a demo of a proof-of-concept of TuxTape, including the CNA scraper and database builder, the central server for storing CVE metadata and kernel build dispatching, the kernel builder itself, and the interactive dashboard where all of this is managed. We would also like to discuss with the community what a useful livepatch service would look like and how we should move forward with this project to best suit the needs of the community.
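The applicability filter described in the abstract, as an added sketch that is not TuxTape's own code. It assumes the build profile is Kbuild's quiet `CC`/`AS` output and that each CVE record carries a severity score and the list of files its fix touches; the sample log, CVE ids and field names are constructed.

```python
import re

# Constructed sample of Kbuild quiet output (not from a real build).
BUILD_LOG = """\
  CC      net/ipv4/tcp.o
  CC [M]  drivers/net/dummy.o
  AS      arch/x86/entry/entry_64.o
  LD      vmlinux.o
"""

# Constructed CVE records; ids are placeholders, field names are assumptions.
CVES = [
    {"id": "CVE-0000-0001", "cvss": 7.8, "files": ["net/ipv4/tcp.c"]},
    {"id": "CVE-0000-0002", "cvss": 9.1, "files": ["drivers/scsi/sd.c"]},
    {"id": "CVE-0000-0003", "cvss": 5.5, "files": ["include/linux/skbuff.h"]},
    {"id": "CVE-0000-0004", "cvss": 8.4,
     "files": ["fs/ext4/inode.c", "drivers/net/dummy.c"]},
]

# Compile and assemble steps; "[M]" marks objects built as modules.
_STEP = re.compile(r"^\s*(CC|AS)\s+(?:\[M\]\s+)?(\S+)\.o\s*$")
_EXT = {"CC": ".c", "AS": ".S"}


def built_sources(log):
    """Return the set of source files this build compiled or assembled."""
    sources = set()
    for line in log.splitlines():
        m = _STEP.match(line)
        if m:
            sources.add(m.group(2) + _EXT[m.group(1)])
    return sources


def applicable(cves, log):
    """Drop CVEs whose fix touches no built file; sort the rest by severity."""
    built = built_sources(log)
    keep = []
    for cve in cves:
        # Headers never appear as CC/AS steps, so a fix that touches a header
        # cannot be ruled out from this profile; keep it (conservative choice).
        if any(f in built or f.endswith(".h") for f in cve["files"]):
            keep.append(cve)
    return sorted(keep, key=lambda c: c["cvss"], reverse=True)


if __name__ == "__main__":
    for cve in applicable(CVES, BUILD_LOG):
        print(cve["id"], cve["cvss"])
```
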
