Flexible Distributed Linux Kernel Live Patching


elivepatch - Flexible Distributed Linux Kernel Live Patching


  • 3rd-party trust.
    • Trust in a third-party service can be eliminated by deploying Elivepatch in-house.
  • Custom kernel configurations.
    • Live patches can be created for different kernel versions and configurations by varying the parameters to Elivepatch.
  • Modified kernels.
    • Support is extended to locally modified kernels (e.g. out-of-tree patch sets) by sending the server a list of patches that should be applied before the live patch creation process starts.
  • Client-generated patches.
    • In Elivepatch, clients specify the live patches to be created whereas current systems only support vendor-generated patches.
  • Security auditing.
    • Elivepatch is completely open source and thus fully auditable.


User's guide


On Gentoo-based distros:

client install

emerge --ask sys-kernel/kpatch
emerge --ask sys-apps/elivepatch-client

server install

emerge --ask sys-kernel/kpatch
emerge --ask sys-apps/elivepatch-server

On Debian-based distros:

client install

apt-get install git
apt-get install python3-pip

git clone https://github.com/gentoo/elivepatch-client
cd elivepatch-client
pip3 install -r requirements.txt
PYTHONPATH=. python3 bin/elivepatch

Install from source

client install

git clone https://github.com/gentoo/elivepatch-client
cd elivepatch-client
pip3 install -r requirements.txt
PYTHONPATH=. python3 bin/elivepatch

server install

git clone https://github.com/gentoo/elivepatch-server
cd elivepatch-server
pip3 install -r requirements.txt
PYTHONPATH=. python3 elivepatch_server/elivepatch-server



Server start

PYTHONPATH=. python3 elivepatch_server/elivepatch-server

Client start

PYTHONPATH=. python3 bin/elivepatch
usage: elivepatch [-h] [-c FILE] [-e] [-p PATCH] [-k CONFIG]
                  [-a KERNEL_VERSION] [-l] [-u URL] [-d] [-v]

optional arguments:
  -h, --help            show this help message and exit
  -c FILE, --conf_file FILE
                        Specify config file
  -e, --cve             Check for secutiry problems in the kernel.
  -p PATCH, --patch PATCH
                        patch to convert.
  -k CONFIG, --config CONFIG
                        set kernel config file manually.
  -a KERNEL_VERSION, --kernel_version KERNEL_VERSION
                        set kernel version manually.
  -l, --clear           Clear the already installed cve db (Use with
  -u URL, --url URL     set elivepatch server url.
  -d, --debug           set the debug option.
  -v, --version         show the version.

Creating Live patch

Not all patches can be converted to live patches using kpatch.

Developer's guide

Creating elivepatch-overlay

elivepatch overlay example


Fork this repo and make a pull request. We are happy to merge it.

Commit message should look like

[category/packagename] short description

Long description

This makes reading history easier. GPG signing your changes is a good idea.
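
One way to enforce this message format locally, as an added example that is not part of the elivepatch repository: a script that can be installed as `.git/hooks/commit-msg`. The character set allowed in category and package names, and treating the long description as mandatory, are assumptions.

```shell
#!/bin/sh
# Added example (not from the elivepatch repository): commit-msg check for the
# "[category/packagename] short description" convention described above.
# Assumptions: names use Gentoo-style characters [A-Za-z0-9+_.-], and the
# long description is treated as mandatory.

check_commit_msg() {
    msg_file=$1
    # Git hands the hook the raw message file, so drop "#" comment lines first.
    msg=$(grep -v '^#' "$msg_file" || true)

    subject=$(printf '%s\n' "$msg" | sed -n '1p')
    second=$(printf '%s\n' "$msg" | sed -n '2p')
    # Number of non-blank lines after the subject and the separator line.
    body=$(printf '%s\n' "$msg" | sed '1,2d' | grep -c '[^[:space:]]' || true)

    if ! printf '%s\n' "$subject" |
        grep -Eq '^\[[A-Za-z0-9+_.-]+/[A-Za-z0-9+_.-]+\] [^[:space:]].*$'; then
        echo "subject must look like: [category/packagename] short description" >&2
        return 1
    fi
    if [ -n "$second" ]; then
        echo "second line must be blank" >&2
        return 2
    fi
    if [ "$body" -eq 0 ]; then
        echo "long description is missing" >&2
        return 3
    fi
    return 0
}

# When installed as .git/hooks/commit-msg, Git calls the script with the
# message file as $1; a non-zero exit status aborts the commit.
if [ "${0##*/}" = "commit-msg" ]; then
    check_commit_msg "$1"
fi
```
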

If you have push access to this repo, it is still a good idea to create a pull request, so that at least one more person has reviewed your code. Exceptions are trivial changes and urgent changes (that fix something completely broken).


  • Join the #gentoo-kernel channel on Freenode
  • Open issues here