klp-build is the kernel livepatching creation tool. It is designed to automate the entire process of creating and testing livepatches for the Linux kernel (specifically SUSE Linux Enterprise editions).
In addition to building livepatches, klp-build reduces the development burden by checking which codestreams are vulnerable, batching multiple codestreams in parallel, and handling remote building and testing.
To install the project and its dependencies, use pipx:
pipx install .
Or via zypper on openSUSE distributions:
sudo zypper ar https://download.opensuse.org/repositories/home:/vmezzela:/klp-tools/openSUSE_Factory/ klp-tools
sudo zypper ref
sudo zypper in --repo klp-tools klp-build

klp-build supports a per-user configuration file located at ~/.config/klp-build/config. The file is INI-style: key=value entries under a [Paths] section, as in the example below.
| Variable | Description | Default |
|---|---|---|
| work_dir | Path to the directory where livepatch data and code will be placed (including generated artifacts). | ~/klp/livepatches |
| data_dir | Path to the directory where downloaded kernel sources and binaries will be placed. | ~/klp/data |
| kernel_dir | Path to the SUSE kernel local repository. | N/A |
| kernel_src_dir | Path to the SUSE kernel-source local repository. Used to check if codestreams already contain the fix. | N/A |
| kgr_patches_dir | Path to the SUSE kgraft_patches local repository. Contains all the released livepatches for each codestream. | N/A |
Example Config:
[Paths]
work_dir=/home/user/klp/livepatches
data_dir=/home/user/klp/data
kernel_dir=/home/user/repos/kernel
kernel_src_dir=/home/user/repos/kernel-source
kgr_patches_dir=/home/user/repos/kgr_patches
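The following Python snippet is an added example, not code from klp-build itself. It parses a config in the format shown above (it assumes, as the example does, that the keys live under a `[Paths]` section), applies the documented defaults for work_dir and data_dir, and flags the problems a practitioner wants to catch before running setup: repository paths that are unset, missing, or not git checkouts. The sample config text embedded in it is the README example copied verbatim.

```python
import configparser
import os
from pathlib import Path

# Keys documented in the configuration table above.
REQUIRED_KEYS = ("work_dir", "data_dir", "kernel_dir",
                 "kernel_src_dir", "kgr_patches_dir")
# Documented defaults; the three repository paths have none.
DEFAULTS = {"work_dir": "~/klp/livepatches", "data_dir": "~/klp/data"}

# The README's example config, embedded here so the check runs offline.
EXAMPLE_CONFIG = """\
[Paths]
work_dir=/home/user/klp/livepatches
data_dir=/home/user/klp/data
kernel_dir=/home/user/repos/kernel
kernel_src_dir=/home/user/repos/kernel-source
kgr_patches_dir=/home/user/repos/kgr_patches
"""


def load_config(text):
    """Parse the [Paths] section and return key -> expanded absolute path.

    Assumption: the section is named [Paths] as in the README example.
    Missing work_dir/data_dir fall back to the documented defaults; the
    repository keys have no default and are returned as None when absent.
    """
    cp = configparser.ConfigParser()
    cp.read_string(text)
    paths = cp["Paths"] if cp.has_section("Paths") else {}
    resolved = {}
    for key in REQUIRED_KEYS:
        raw = paths.get(key, DEFAULTS.get(key))
        resolved[key] = str(Path(raw).expanduser()) if raw else None
    return resolved


def check_config(cfg):
    """Return human-readable problems with the three repository paths.

    setup needs kernel_dir, kernel_src_dir and kgr_patches_dir to be local
    git checkouts, so an unset key, a missing directory or a directory
    without .git is reported (hypothetical check, not klp-build's own).
    """
    problems = []
    for key in ("kernel_dir", "kernel_src_dir", "kgr_patches_dir"):
        path = cfg.get(key)
        if not path:
            problems.append(f"{key} is not set")
        elif not os.path.isdir(path):
            problems.append(f"{key}: {path} does not exist")
        elif not os.path.isdir(os.path.join(path, ".git")):
            problems.append(f"{key}: {path} is not a git checkout")
    return problems


def check_user_config(path="~/.config/klp-build/config"):
    """Load the per-user config file and return (config, problems)."""
    cfg_path = Path(path).expanduser()
    text = cfg_path.read_text() if cfg_path.is_file() else ""
    cfg = load_config(text)
    return cfg, check_config(cfg)


if __name__ == "__main__":
    cfg, problems = check_user_config()
    for key, value in cfg.items():
        print(f"{key:16} {value}")
    for problem in problems:
        print("problem:", problem)
```

Run it once after writing the config file; an empty problems list means every repository path resolves to an existing git checkout. Any path the tool cannot find is a setup failure later, so catching it here is cheaper.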
klp-build [-h] [-v] [-V] <command> [-h] [-n NAME] [--filter FILTER]
* -h, --help: Show the help message and exit.
* -v, --verbose: Produce more verbose output.
* -V, --version: Show the version number and exit.
* -n, --name NAME: The livepatch name. This corresponds to the directory name of the resulting livepatches.
* --filter FILTER: A regex matched against codestream names; only the codestreams it accepts are processed.
* *Example:* '15.3u[0-9]+|15.6u0'
* *Negative Regex Example:* '^(?!12.5u12).*' (filters out specific codestreams).
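The two --filter patterns above are easy to get subtly wrong, because a regex that is anchored at the start but not at the end accepts every codestream that merely begins with the text you wrote. The Python below is an added example, not klp-build's own filtering code: it assumes, for illustration, that the tool tests each codestream name with re.match (start-anchored, end-open), and uses a constructed list of codestream names to show what each pattern keeps, what it drops, and how adding a `$` inside the negative lookahead excludes exactly one codestream instead of every codestream that starts with it.

```python
import re

# Constructed sample of codestream names in the <release>u<update> form that
# the --filter examples use; not taken from any real klp-build run.
CODESTREAMS = [
    "12.5u12", "12.5u13", "12.5u120",
    "15.3u1", "15.3u10", "15.3u100",
    "15.5u34", "15.6u0", "15.6u1",
]


def filter_codestreams(pattern, codestreams, whole=False):
    """Return the codestreams accepted by a --filter style regex.

    Assumption (illustrative, not read from klp-build's source): the tool
    applies the regex with re.match, which anchors at the start of the name
    but not at the end. With whole=True the pattern is applied with
    re.fullmatch instead, which is what you want when the filter is meant
    to name specific codestreams.
    """
    rx = re.compile(pattern)
    accept = rx.fullmatch if whole else rx.match
    return [cs for cs in codestreams if accept(cs)]


def rejected_codestreams(pattern, codestreams, whole=False):
    """Complement of filter_codestreams: what a negative filter throws away."""
    kept = set(filter_codestreams(pattern, codestreams, whole))
    return [cs for cs in codestreams if cs not in kept]


def demo():
    """Walk through the README's two patterns and one common pitfall."""
    results = {}
    # README positive example: every 15.3 update plus 15.6u0.
    results["positive"] = filter_codestreams(r"15.3u[0-9]+|15.6u0", CODESTREAMS)
    # Pitfall: a pattern meant to select one codestream, 12.5u1, also accepts
    # 12.5u12, 12.5u13 and 12.5u120 because nothing anchors the end.
    results["prefix_match"] = filter_codestreams(r"12.5u1", CODESTREAMS)
    results["prefix_fullmatch"] = filter_codestreams(r"12.5u1", CODESTREAMS, whole=True)
    # README negative example: the lookahead has no end anchor, so 12.5u120
    # is dropped together with 12.5u12.
    results["negative_loose"] = rejected_codestreams(r"^(?!12.5u12).*", CODESTREAMS)
    # Anchoring the lookahead with '$' excludes exactly one codestream.
    results["negative_exact"] = rejected_codestreams(r"^(?!12.5u12$).*", CODESTREAMS)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```

Note also that an unescaped `.` in `15.3` matches any character, not just the dot; for the release numbers used here that is harmless, but `15\.3` is the precise spelling. Check the filter's result set (for example against the codestreams setup reports) before pushing a batch, since an over-broad filter silently builds for codestreams you did not intend.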
klp-build uses subcommands to handle different stages of the livepatch lifecycle.
- setup: Initialize a new livepatch project, identifying vulnerable codestreams and setting up the environment.
- extract: Extract affected functions using klp-ccp.
- push: Submit the livepatch project to the Internal Build Service (IBS) for remote building and publication.
- logs: Retrieve the remote build logs of a livepatch project, optionally narrowed with --filter and --arch.
- format-patches: Export the generated livepatches as git patches.
Use the setup command to create a new livepatch project. klp-build will scan all the backports fixing the given CVE and report all the information required for creating the livepatch: affected files, functions, kernel modules, configurations and target architectures.
klp-build setup --name bsc1197597 --cve 2022-1048
Alternatively, this information can be provided manually. In that case you must specify the CVE, the kernel module, the kernel configuration option, and the functions to be patched.
klp-build setup \
    --name bsc1197597 \
    --cve 2022-1048 \
    --mod snd-pcm \
    --conf CONFIG_SND_PCM \
    --file-funcs sound/core/pcm.c snd_pcm_attach_substream snd_pcm_detach_substream \
    --archs x86_64 ppc64le
What this does:
- Finds all the backports fixing the CVE and filters out the codestreams whose kernels already contain the fix.
- Checks that the configuration option CONFIG_SND_PCM is enabled and that the module is supported.
- Verifies that each symbol is present in the module being livepatched and that it is livepatchable.
- Performs these checks on all specified architectures (x86_64, ppc64le).
After setup, use klp-ccp (via the extract command) to extract the defective functions for the livepatch.
klp-build extract --name bsc1197597
The resulting livepatches are placed under your configured work_dir:
<work_dir>/<lp-name>/ccp/<codestream>/lp
Once the livepatches have been successfully generated by extract, you can proceed to build them. To ensure a reproducible environment, klp-build uses IBS to remotely compile the livepatches for each supported architecture and kernel version.
klp-build push --name bsc1122334 --wait
Should a build fail, check the logs for the affected codestream and architecture with the logs command:
klp-build logs --name bsc1122334 --filter "15.5u34" --arch s390x
Export generated livepatches as git patches from the kgraft-patches repository.
klp-build format-patches --name bsc112234 -v1
The patches will be placed in:
<work_dir>/bsc112234/patches/
To run the test suite:
tox -e tests
- The official manpage.
- Kernel Livepatching at SUSE: Infrastructure and Tools (SUSE Labs 2025)
- Kernel Livepatching: An Introduction (Mentorship session 2024)
- Kernel Livepatching: Hands On (Mentorship session 2024)
This project is licensed under the GPL-2.0 license.