I recently enabled Kernel Livepatch on my Ubuntu 22.04.3 desktop system. Livepatch is intended for systems that you don’t want to reboot. It’s completely overkill for a desktop that I can reboot whenever I need to but I wanted to understand it better.
Kernel Livepatch is part of the Ubuntu Pro offering that is free for a limited number of systems - five systems currently. That seems like a pretty smart play by Ubuntu to differentiate their offering a little bit and get a premium service into the hands of more users who might then go on to buy a package later.
Kernel livepatching has been around in the Linux world for a while and the techniques in use vary somewhat, but essentially, if there is a patch available (and only highly critical patches are made available), the system checks for sleeping tasks that need to be updated and swaps out the code while they are asleep by looking at a stack trace. Otherwise, they wait for a task to return from a call and patches it before it is next called. Since this relies on a consistent stacktrace, this can only be done on kernels that provide that capability.
For Ubuntu, there is a limited set of kernels that allow livepatch to be enabled. When I last updated my system kernel, I moved to one of those kernels and turned on the service.
It’s unobtrusive, but does provide an icon in the top toolbar to let you know it’s running. If an issue can’t be livepatched,you get a security notice that will let you know to reboot. I’ve only been on it a week or so and haven’t had any notifications of patches.
There are no observable changes in performance of the system or other issues so I’ll keep it on and see what happens over time.