Canonical Livepatch gets even better – Now supporting Hardware Enablement Kernels
ijlal-loutfi
on 13 April 2023
Tags: livepatch , livepatch-on-prem
You have been telling us how much you love Livepatch’s ability to fix your kernel’s high and critical vulnerabilities at run-time, and how it significantly reduces your unplanned reboots. And many of you have requested that we make it available on Hardware Enablement (HWE) kernels, alongside the Long-Term Release (LTS) kernels we already support.
We’ve listened to your feedback and are pleased to announce that Livepatch will now be available on HWE kernels. This will debut with the release of kernel version 6.2, which will initially accompany Ubuntu’s interim release of 23.04 Lunar Lobster, in April 2023. Thereafter, it will be made accessible as an HWE kernel for the 22.04 LTS release, Jammy Jellyfish, starting July 2023.
This change means that you’ll be able to keep your kernel updated and secure with Livepatch, regardless of which kernel you choose to run with your Ubuntu LTS release.
What are Ubuntu LTS releases?
Ubuntu is known for LTS releases which come every two years and are designed to provide a stable and secure operating system. They are supported for up to 10 years with an Ubuntu Pro subscription and this makes them ideal for enterprises and production environments.
One of the key components of an LTS release is the LTS kernel, which is a kernel version that is selected and maintained for the duration of the entire LTS release. This is made possible because the Canonical security teams actively maintain it throughout its lifespan with regular security updates and bug fixes.
However, as time goes on, and new hardware features are released, the LTS kernel would not have support for them. This is where HWE kernels come in.
What are Ubuntu HWE kernels?
HWE kernels are designed to provide support for newer hardware that wasn’t available when the Ubuntu GA kernel was originally released. This is particularly useful for those who want to use the latest hardware but still need the stability and support of an LTS release.
HWE kernels are released by Canonical every 6 months, using the kernels from the interim releases. As such, they are supported for a shorter period of time compared to the GA kernel, usually from 6 to 9 months. The final HWE kernel for a release is special, as it is the GA kernel of the following LTS release and, as such, is supported for the remaining life of that LTS release. You can see this graphically in the kernel release cycle.
However, up until this announcement, Livepatch was not available for HWE kernels, except for the fourth one.
So how do I get from a GA kernel to an HWE kernel on my LTS release, you might ask? You would be happy to know the HWE kernel is available as a package that can be simply installed through Ubuntu’s package manager, just like any other package.
How long will livepatch be supported on HWE kernels?
Livepatch can be used for the entire lifetime of the HWE kernel. But what should one do after the HWE end of life? Just update it! the Linux HWE kernel metapackage “rolls” onto the next HWE kernel by default.
Roll with Ubuntu
Rolling with HWE kernels simply means that you are always updating the kernel of your LTS release to the latest HWE kernel version, released by Canonical every 6 months until the final HWE, which lasts for the rest of the LTS release’s lifetime. This ensures that you always have the latest hardware and software support, and you don’t have to worry about upgrading to a new LTS release every time you need that support.
Rolling with HWE kernels is available for Ubuntu LTS releases starting with Ubuntu 16.04. For cloud deployments, rolling is the default behavior. For all others, users who want to enable it can install the HWE kernel package using Ubuntu’s package manager, and then the kernel will be transitioned to the latest available HWE whenever one is available and you update the package (or automatically, if you have automatic updates enabled).
A rolling example
To better understand the concept of rolling, let’s look at the following example. Let’s say you are running Ubuntu 22.04 LTS. The GA kernel that comes with this release is version 5.15. However, you have a new piece of hardware that was released in early April 2023 and you need the latest device driver support in order for it to work properly on your Ubuntu system.
Instead of upgrading to the next LTS release, which won’t be available until 2024, you can choose to install the 6.2 HWE kernel package, which is released with Lunar Lobster 23.04. Once 6.2 comes to its end of life, you can then continue to roll kernels by installing the HWE kernel which is yet to be selected for the 23.10 release. 6 months after that, in April 2024, the next Ubuntu LTS release, 24.04, will be available. And that’s it. You’ve made it to the next GA kernel, and you can choose whether to upgrade to the next 24.04 LTS release or run just its GA kernel with your older beloved 22.04 LTS.
This way, you would have ensured that you always have the latest hardware and software support on your Ubuntu system, without sacrificing stability or compatibility with your existing applications and software.
What does this mean for Ubuntu public cloud customers?
Ubuntu partners with all the major clouds to bring the best possible Ubuntu experience to Ubuntu instances (AWS, Azure, Google, Oracle OCI and IBM Cloud). Public cloud environments are known for their dynamic and rapidly changing nature. Therefore, our public cloud engineering teams often make use of the rolling HWE kernel model to ensure that Ubuntu guest instances on their cloud have the latest hardware support, new kernel features and bug fixes, without having to upgrade all instances to a new LTS release.
However, this meant that many Ubuntu users on public clouds would not be able to use Livepatch without manually downgrading their kernel to the previous GA kernel.
With this new extended support of Livepatch for HWE kernels, you will no longer need to choose between having the latest kernel and Livepatch. Our public cloud customers can now benefit from new cloud features enabled by HWE kernels and at the same time enjoy the security guarantees of Livepatch.
What should I do to get Livepatch on HWE kernels?
Livepatch is offered as part of Canonical’s Ubuntu Pro subscription. If you already launched an Ubuntu Pro instance on one of our public cloud partners (AWS, Azure or GCP) or subscribed to Ubuntu Pro and have attached the Pro token to your machine or VM, there’s no need to take any further action! Livepatch should be enabled by default and you can confirm its status by running the “pro status” command. You can then start using Livepatch on HWE kernels starting from version 6.2, which will first be released as an interim kernel with Lunar Lobster 23.04 in April 2023, and then made available as an HWE kernel on the 22.04 LTS release, Jammy Jellyfish, starting July 2023.
If you’re not a Pro subscriber yet, we invite you to learn more about it. Ubuntu Pro is a comprehensive subscription that expands Canonical’s ten-year security coverage and optional technical support to an additional 23,000 packages beyond the main operating system. This includes thousands of applications and toolchains such as Ansible, Apache Tomcat, Apache Zookeeper, Docker, Nagios, Node.js, phpMyAdmin, Puppet, PowerDNS, Python, Redis, Rust, WordPress, and more. Ubuntu Pro also includes compliance management tools for regulated and audited environments. For example, the Ubuntu Security Guide provides best-in-class hardening and compliance standards such as CIS benchmarks and DISA-STIG profiles. You can also access certified cryptographic packages necessary for all Federal Government agencies, as well as organisations operating under compliance regimes such as FedRAMP, HIPAA, and PCI-DSS.
Ubuntu Pro is free for up to 5 machines for personal and small-scale commercial use, or up to 50 machines for official Ubuntu Community members.
Conclusion
HWE kernels are particularly useful for users who always want the latest hardware support without having to wait for the next LTS release, for those who simply want to stay on the same LTS release, and for Ubuntu cloud images which, by default, come with the currently available HWE kernel.
With this extended support of Livepatch to HWE kernels, Ubuntu LTS users and customers can now fix their high and critical kernel vulnerabilities at run-time regardless of which kernel they are on. This will allow them to fully take advantage of Livepatch, further reduce their downtime and minimize the time spent on unplanned work, which can now be used on true business innovation.
If you would like to know more about Livepatch and the Canonical approach of security at large, contact us. We would love to hear from you.
Additional resources
- Is Linux Secure?
- Watch our webinar “Is Linux Secure”
- https://sne.bianheman.eu.org/blog/linux-security-frequently-asked-questions
- Watch our webinar to learn more about confidential computing
- Read our blog post for “What is confidential computing? A high-level explanation for CISOs”
- Do you need a certified Ubuntu?
- Ubuntu: What’s the security story?
- Learn about Learn about how confidential computing can help you better utilize security-sensitive data within the financial-services industry
- Ubuntu Pro | product page
- Ubuntu Pro | plans and pricing
- Buy Ubuntu Pro
Talk to us today
Interested in running Ubuntu in your organisation?
Newsletter signup
Related posts
Livepatch has a new 13-month sliding support window – What does it mean for you?
The Livepatch tool is a valuable solution for resolving critical and high-security kernel CVEs without requiring an immediate system reboot. However, it is...
Ubuntu Livepatch on-prem reduces downtime and unplanned work on enterprise environments!
London, United Kingdom – Canonical announces Ubuntu Livepatch on-prem, an enhancement to its Ubuntu Livepatch service enabling organisations to take control...
Managing Livepatch on-prem
Ubuntu Livepatch is the service and the software that enables organizations to quickly patch vulnerabilities on the Linux kernel. It enables uninterrupted...