On Mon, 11 May 2026 15:07:51 +0200 Michal Hocko <[email protected]> wrote:
> > 2) It's common to run hundreds of different kernel versions across a
> > fleet. Since livepatch is kernel-specific, a single CVE suddenly
> > requires building and deploying hundreds of individual livepatches—
> > far less practical than a simple sysfs write.
>
> LP is certainly a more laborious solution.

<another please-educate-akpm email>

Does a livepatch *have* to be distributed as a ready-to-load kernel module?
Is it not possible to distribute a "livepatch" to the fleet as a single
string? Send out "make function some_bad_function() return -EINVAL" and
let scripting on each machine figure out how to locally write, build,
sign and install such a livepatch?

That would require that each machine locally contains enough data for it
to be able to build a kernel for the currently-running kernel, and that
each machine contains a build environment. I *think* this is feasible on
distro-based machines? But perhaps not on stripped-down hyperscaler
boxen?
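The "single string" idea above, sketched as an added shell example (not code from this thread or from the kernel tree): a recipe such as `some_bad_function:-EINVAL` is expanded on the target machine into livepatch module source built on the kernel's klp_* API, with the recipe validated before it is spliced into C. The recipe format, the `gen_livepatch_src` helper, the output paths and the assumed `int (void)` prototype of the patched function are assumptions.

```shell
#!/bin/sh
# Constructed example: turn a one-line recipe string such as
#   "some_bad_function:-EINVAL"
# into livepatch module source that replaces the named function
# with a stub returning that errno. The replacement must match the
# original's prototype; here we assume int (void).
set -eu
# gen_livepatch_src RECIPE OUTDIR -> writes OUTDIR/lp_<func>.c and Makefile
gen_livepatch_src() {
    recipe=$1; outdir=$2
    func=${recipe%%:*}
    retval=${recipe#*:}
    # Only accept a plain C identifier and a -E* errno name, because the
    # recipe arrives over the network and is spliced into C source.
    case $func in *[!A-Za-z0-9_]*|"") return 1;; esac
    case $retval in -E[A-Z]*) ;; *) return 1;; esac
    mkdir -p "$outdir"
    cat >"$outdir/lp_$func.c" <<EOF
/* Generated livepatch: make $func() return $retval */
#include <linux/module.h>
#include <linux/errno.h>
#include <linux/livepatch.h>

static int livepatch_$func(void)
{
	return $retval;
}

static struct klp_func funcs[] = {
	{ .old_name = "$func", .new_func = livepatch_$func, },
	{ }
};

static struct klp_object objs[] = {
	{ .name = NULL, .funcs = funcs, },  /* NULL = vmlinux */
	{ }
};

static struct klp_patch patch = { .mod = THIS_MODULE, .objs = objs, };

static int lp_init(void) { return klp_enable_patch(&patch); }
static void lp_exit(void) { }
module_init(lp_init);
module_exit(lp_exit);
MODULE_LICENSE("GPL");
MODULE_INFO(livepatch, "Y");
EOF
    printf 'obj-m := lp_%s.o\n' "$func" >"$outdir/Makefile"
}
```

The generated directory is then built against the running kernel's tree (`make -C /lib/modules/$(uname -r)/build M=$PWD/<outdir> modules`) and the resulting .ko signed with a key the kernel trusts before `insmod`, which is exactly the per-machine build environment and key material the message says each box would need.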

