diff --git a/DC-klp b/DC-klp
new file mode 100644
index 000000000..9a22bb8ec
--- /dev/null
+++ b/DC-klp
@@ -0,0 +1,15 @@
+# This file originates from the project https://github.com/openSUSE/doc-kit
+# This file can be edited downstream.
+
+MAIN="klp.asm.xml"
+SRC_DIR="articles"
+IMG_SRC_DIR="images"
+
+PROFOS="sles"
+#PROFCONDITION="suse-product"
+#PROFCONDITION="suse-product;beta"
+#PROFCONDITION="community-project"
+
+STYLEROOT="/usr/share/xml/docbook/stylesheet/suse2022-ns"
+FALLBACK_STYLEROOT="/usr/share/xml/docbook/stylesheet/suse2022-ns"
+DOCBOOK5_RNG_URI="urn:x-suse:rng:v2:geekodoc-flat"
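Review bot: FALLBACK_STYLEROOT is set to the same path as STYLEROOT (/usr/share/xml/docbook/stylesheet/suse2022-ns), so it provides no fallback if that stylesheet is missing; point it at a different installed stylesheet or drop the line. The three commented-out PROFCONDITION lines read as leftover template choices; keep only the one this article needs, or remove them.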
diff --git a/articles/klp.asm.xml b/articles/klp.asm.xml
new file mode 100644
index 000000000..9f827af4d
--- /dev/null
+++ b/articles/klp.asm.xml
@@ -0,0 +1,214 @@
+
+
+
+
+ %entities;
+]>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Legal Notice
+
+
+ GNU Free Documentation License
+
+
+
+
+
+ &klp; on &sles;
+
+
+
+ 2024-02-21
+
+
+
+
+
+ Added sections:
+
+
+
+
+
+
+ New section on foo to resolve issue
+ bsc#12345
+
+
+
+
+
+ New section on foo bar
+
+
+
+
+
+
+ Removed sections:
+
+
+
+
+ Removed section on foo1 to resolve issue
+ bsc#12346
+
+
+
+
+ Removed section on foo1 bar
+
+
+
+
+
+
+ Changed sections:
+
+
+
+
+ Changed section on foo2 to resolve issue
+ bsc#12347
+
+
+
+
+ Changed section on foo2 bar
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ &productname;
+
+ &klp; on &slsa;
+ &klp; on &slsa;
+ &klp; on &slsa;
+
+
+
+
+ https://bugzilla.suse.com/enter_bug.cgi
+ Smart Docs
+ Documentation
+
+ dmitri.popov@suse.com
+
+ yes
+
+
+
+
+ WHAT?
+
+
+ Understanding and using &klp; on &sles;.
+
+
+
+
+ WHY?
+
+
+ Because you want to keep mission-critical systems secure,
+ without downtime.
+
+
+
+
+ EFFORT
+
+
+ 20 minutes reading time.
+
+
+
+
+ GOAL
+
+
+ Understand how Kernel Live Patching works.
+
+
+
+
+ REQUIREMENTS
+
+
+
+
+ Working knowledge of Linux.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
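Review bot: The revision history entry dated 2024-02-21 still carries template placeholders ("New section on foo to resolve issue bsc#12345", "Removed section on foo1 to resolve issue bsc#12346", "Changed section on foo2 to resolve issue bsc#12347"); replace them with the real change list for this article or drop the entry before merging, since the bsc numbers read as genuine bug references. The title near the top is "&klp; on &sles;" while the three metadata lines further down use "&klp; on &slsa;"; pick one entity so the rendered titles match.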
diff --git a/concepts/klp-intro.xml b/concepts/klp-intro.xml
new file mode 100644
index 000000000..a362f95cb
--- /dev/null
+++ b/concepts/klp-intro.xml
@@ -0,0 +1,81 @@
+
+
+ %entities;
+]>
+
+
+ Introduction to &klp;
+
+
+
+ &klp; (&klpa;) makes it possible to apply the latest security updates to
+ Linux kernels without rebooting. This maximizes system uptime and
+ availability, which is particularly important for mission-critical systems.
+ As such, &klpa; offers several benefits.
+
+
+
+
+ Keeping a large number of servers automatically up-to-date is essential
+ for organizations obtaining or maintaining certain compliance
+ certifications. &klpa; can help achieve compliance, while reducing the
+ need for maintenance windows.
+
+
+
+
+ Companies that work with service-level agreement contracts must
+ guarantee a certain level of the system accessibility and uptime.
+ Live patching makes it possible to patch systems without incurring
+ downtime.
+
+
+
+
+ Since &klpa; is part of the standard system update mechanism, there is
+ no need for specialized training or introduction of additional
+ maintenance routines.
+
+
+
+
+
+ &klp; scope
+
+
+ The scope of &slea; Live Patching includes fixes for SUSE Common
+ Vulnerability Scoring System (CVSS; SUSE CVSS is based on the CVSS v3.0
+ system) level 7+ vulnerabilities and bug fixes related to system
+ stability or data corruption. However, it may not be technically feasible
+ to create live patches for all fixes that fall under the specified
+ categories. &suse; therefore reserves the right to skip fixes in
+ situations where creating a kernel live patch is not possible for
+ technical reasons. Currently, over 95% of qualifying fixes are released
+ as live patches. For more information on CVSS (the base for the SUSE CVSS
+ rating), see Common
+ Vulnerability Scoring System SIG.
+
+
+
+ &klp; limitations
+
+
+ &klpa; involves replacing functions and gracefully handling replacement
+ of interdependent function sets. This is done by redirecting calls to old
+ code to updated code in a different memory location. Changes in data
+ structures make the situation more complicated, as the data remain in
+ place and cannot be extended or reinterpreted. While there are techniques
+ that allow indirect alteration of data structures, certain fixes cannot
+ be converted to live patches. In this situation, a system restart is the
+ only way to apply the fixes.
+
+
+
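Review bot: In the scope paragraph, "Currently, over 95% of qualifying fixes are released as live patches" is a time-dependent figure with no date or source, and the paragraph does not tell the reader how to find out whether a particular fix was skipped. Give the figure a date or reference, and point to the klp -v patches command (described in concepts/klp-patches.xml in this patch) for checking what the active live patch covers. In the benefits list, "a certain level of the system accessibility and uptime" should read "a certain level of system accessibility and uptime".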
diff --git a/concepts/klp-patches.xml b/concepts/klp-patches.xml
new file mode 100644
index 000000000..db004c836
--- /dev/null
+++ b/concepts/klp-patches.xml
@@ -0,0 +1,66 @@
+
+
+ %entities;
+]>
+
+
+ Understanding kernel live patches
+
+
+
+ Kernel live patches are delivered as packages with modified code that are
+ separate from the main kernel package. The live patches are cumulative, so
+ the latest patch contains all fixes from the previous ones for the kernel
+ package. Each kernel live package is tied to the exact kernel revision for
+ which it is issued. The live patch package version number increases with
+ every addition of fixes. To determine the kernel patching status, use the
+ klp -v patches command.
+
+
+ Live patches versus kernel updates
+
+ Live patches contain only critical fixes, and they do not replace regular
+ kernel updates that require a reboot. Consider live patches as temporary
+ measures that protect the kernel until a proper kernel update and a
+ reboot are performed.
+
+
+ The diagram below illustrates the overall relationship between live
+ patches and kernel updates. The list of CVEs and defect reports addressed
+ by the currently active live patch can be viewed using the klp
+ -v patches command.
+
+
+
+
+
+
+
+
+
+
+
+
+ It is possible to have multiple versions of the kernel package installed
+ along with their live patches. These packages do not conflict. You can
+ install updated kernel packages along with live patches for the running
+ kernel. In this case, you may be prompted to reboot the system. Users
+ with &slea; Live Patching subscriptions are eligible for technical
+ support as long as there are live patch updates for the running kernel.
+
+
+ With &klpa; activated, every kernel update comes with a live patch
+ package. This live patch does not contain any fixes and serves as a seed
+ for future live patches for the corresponding kernel. These empty seed
+ patches are called initial patches.
+
+
+
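Review bot: The first paragraph says klp -v patches is used "to determine the kernel patching status", but tasks/klp-perform.xml in this same patch gives klp status for status and klp -v patches for examining installed patches, and the later paragraph here describes klp -v patches as listing CVEs and defect reports. Use klp status in the first paragraph, or reword it to match the other two descriptions. In the same paragraph, "Each kernel live package" should be "Each kernel live patch package".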
diff --git a/images/klp.png b/images/klp.png
new file mode 100644
index 000000000..2cb0c5265
Binary files /dev/null and b/images/klp.png differ
diff --git a/images/src/svg/klp-src.svg b/images/src/svg/klp-src.svg
new file mode 100644
index 000000000..46991491e
--- /dev/null
+++ b/images/src/svg/klp-src.svg
@@ -0,0 +1,3 @@
+
+
+
\ No newline at end of file
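Review bot: The SVG source ends without a trailing newline ("\ No newline at end of file"); add one so that later edits to the file do not show the last line as changed.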
diff --git a/tasks/klp-activate-cli.xml b/tasks/klp-activate-cli.xml
new file mode 100644
index 000000000..d6726fdd3
--- /dev/null
+++ b/tasks/klp-activate-cli.xml
@@ -0,0 +1,66 @@
+
+
+ %entities;
+]>
+
+
+ Activating &klp; from the command line
+
+
+
+ To activate &klp;, you need to have active &slsa; and &slsa; Live Patching
+ subscriptions. Visit &scc; to check the
+ status of your subscriptions and obtain a registration code for the &slsa;
+ Live Patching subscription.
+
+
+
+
+ Run sudo SUSEConnect --list-extensions. Note the
+ exact activation command for &slsa; Live Patching. Example command
+ output (abbreviated):
+
+$ SUSEConnect --list-extensions
+ ...
+ SUSE Linux Enterprise Live Patching &productnumber; x86_64
+ Activate with: SUSEConnect -p sle-module-live-patching/&productnumber-regurl;/x86_64 \
+ -r ADDITIONAL REGCODE
+
+
+
+ Activate &slsa; Live Patching using the obtained command followed by
+ ,
+ for example:
+
+SUSEConnect -p sle-module-live-patching/&productnumber-regurl;/x86_64 \
+ -r LIVE_PATCHING_REGISTRATION_CODE
+
+
+
+ Install the required packages and dependencies using the command
+ zypper install -t pattern lp_sles
+
+
+
+
+ At this point, the system has already been live-patched.
+
+
+ Here is how the process works behind the scenes: when the package
+ installation system detects that there is an installed kernel that can be
+ live-patched, and that there is a live patch for it in the software
+ channel, the system selects the live patch for installation. The kernel
+ then receives the live patch fixes as part of the package
+ installation. The kernel gets live-patched even before the
+ product installation is complete.
+
+
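Review bot: Privilege handling is inconsistent across the steps: the first step's text says "Run sudo SUSEConnect --list-extensions", but its sample output shows "$ SUSEConnect --list-extensions", and the later SUSEConnect -p and zypper install -t pattern lp_sles commands carry no sudo at all. Either prefix every command with sudo or state once that the procedure is run as root. The closing claim "At this point, the system has already been live-patched" also has no verification step; add klp status (documented in tasks/klp-perform.xml) so the reader can confirm it. The intro names "&slsa; Live Patching" where tasks/klp-activate-yast.xml uses "&slea; Live Patching"; align the two.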
diff --git a/tasks/klp-activate-yast.xml b/tasks/klp-activate-yast.xml
new file mode 100644
index 000000000..f857d99d5
--- /dev/null
+++ b/tasks/klp-activate-yast.xml
@@ -0,0 +1,70 @@
+
+
+ %entities;
+]>
+
+
+ Activating &klp; using &yast;
+
+
+
+ To activate &klpa; on your system, you need to have active &slsa; and
+ &slea; Live Patching subscriptions. Visit
+ &scc; to check the status of your
+ subscriptions and obtain a registration code for the &slea; Live Patching
+ subscription.
+
+
+ To activate &klp; on your system, follow these steps:
+
+
+
+
+ Run the yast2 registration command and click
+ Select Extensions.
+
+
+
+
+ Select SUSE Linux Enterprise Live Patching 15 in the
+ list of available extensions and click Next.
+
+
+
+
+ Confirm the license terms and click Next.
+
+
+
+
+ Enter your &slea; Live Patching registration code and click
+ Next.
+
+
+
+
+ Check the Installation Summary and selected
+ Patterns. The patterns Live
+ Patching and SLE Live Patching Lifecycle
+ Data should be automatically selected for installation
+ along with additional packages to satisfy dependencies.
+
+
+
+
+ Click Accept to complete the installation. This
+ installs the base &klp; components on your system, the initial live
+ patch, and the required dependencies.
+
+
+
+
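Review bot: The second step hard-codes "SUSE Linux Enterprise Live Patching 15", while tasks/klp-activate-cli.xml in this patch uses the &productnumber; entity for the same extension name; use the entity here too so the label does not go stale with the next release. The intro paragraph uses &klpa; and the sentence right after it uses &klp; for the same thing; pick one form within the topic.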
diff --git a/tasks/klp-perform.xml b/tasks/klp-perform.xml
new file mode 100644
index 000000000..d10b3f090
--- /dev/null
+++ b/tasks/klp-perform.xml
@@ -0,0 +1,66 @@
+
+
+ %entities;
+]>
+
+
+ Performing &klp;
+
+
+
+ Kernel live patches are installed as part of regular system updates.
+ However, there are several things you should be aware of.
+
+
+
+
+
+ The kernel is live-patched if a kernel-livepatch-*
+ package has been installed for the running kernel. You can use the command
+ zypper se --details kernel-livepatch-* to check what
+ kernel live patch packages are installed on your system.
+
+
+
+
+ When the kernel-default package is installed, the update
+ manager prompts you to reboot the system. To prevent this message from
+ appearing, you can filter out kernel updates from the patching operation.
+ This can be done by adding package locks with Zypper. &susemgr; also makes
+ it possible to filter channel contents (see
+ Live
+ Patching with SUSE Manager).
+
+
+
+
+ You can check patching status using the klp status
+ command. To examine installed patches, run the klp -v
+ patches command.
+
+
+
+
+ Keep in mind that while there may be multiple kernel packages installed on
+ the system, only one of them is running at any given time. Similarly,
+ there may be multiple live patch packages installed, but only one live
+ patch is loaded into the kernel.
+
+
+
+
+ The active live patch is included in the initrd. This
+ means that in case of an unexpected reboot, the system comes up with the
+ live patch fixes applied, so there is no need to perform patching again.
+
+
+
+
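Review bot: The second list item recommends package locks to suppress the reboot prompt from kernel-default updates without stating the trade-off. concepts/klp-patches.xml in this patch calls live patches "temporary measures" until a proper kernel update and reboot, and tasks/klp-troubleshoot.xml limits live patch updates to 13 months from the kernel release, so a kernel that stays locked eventually stops receiving fixes. Add a sentence saying the lock is meant to defer the update to a planned maintenance reboot within that window. In the first item, quote the pattern in zypper se --details kernel-livepatch-* so the shell does not expand it against files in the current directory.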
diff --git a/tasks/klp-troubleshoot.xml b/tasks/klp-troubleshoot.xml
new file mode 100644
index 000000000..d5b691e89
--- /dev/null
+++ b/tasks/klp-troubleshoot.xml
@@ -0,0 +1,53 @@
+
+
+ %entities;
+]>
+
+
+ Troubleshooting &klp; issues
+
+
+
+ Checking expiration date of the live patch
+
+ Make sure that the
+ lifecycle-data-sle-module-live-patching is installed,
+ then run the zypper lifecycle command. You should see
+ expiration dates for live patches in the Package end of support
+ if different from product section of the output.
+
+
+ Every live patch receives updates for 13 months from the release of the
+ underlying kernel package. The
+ Maintained
+ kernels, patch updates and lifecycle page allows you to check
+ expiration dates based on the running kernel version without installing
+ the product extension.
+
+
+
+ Downgrading a kernel patch
+
+ If you find the latest live patch problematic, you can downgrade the
+ currently installed live patch back to its previous version. Keep in mind
+ that a system with kernel warnings or kernel error traces in the system
+ log may not be suitable for the patch downgrade procedure. If you are
+ unsure whether the system meets the requirements for a patch downgrade,
+ contact SUSE Technical Support for help.
+
+
+ To downgrade the latest kernel live patch, use the klp
+ downgrade command. This command automatically detects the
+ version of the latest live patch and installs the preceding one.
+
+
+
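Review bot: The "Downgrading a kernel patch" section does not say what the reader gives up. Since live patches are cumulative (concepts/klp-patches.xml in this patch), going back one version removes whatever the latest patch added; state that those fixes are no longer applied after klp downgrade, and suggest running klp -v patches afterwards to confirm which CVEs remain covered. In the first section, "Make sure that the lifecycle-data-sle-module-live-patching is installed" is missing the word "package".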