Mitigating kernel vulnerabilities proactively using livepatch
As suggested in #19081 (closed), I'm opening a new ticket to start a discussion on this subject. I've worked on this on another Linux distribution made specifically for a company I worked for, so I have some experience with it, including its benefits and shortcomings, and can assist with getting it up and running, as well as providing the livepatch mitigations themselves (which I already do for every Tails kernel vulnerability and have for years, although I only post them occasionally).
Background:
Many kernel vulnerabilities are extremely easy to mitigate using livepatch kernel modules. The livepatch system is a Linux feature which allows simple, precise, and stable mitigations that can be used to patch live systems without an update. Unlike manual kernel patches, livepatches are temporary and add no extra delta with upstream, as they do not need to be maintained at all and are specific to only one version of Tails and its kernel. Livepatch is also natively supported by the Debian kernel.
Using livepatch as a mitigation would reduce the period of vulnerability between a security bug's disclosure and its eventual fixing in Tails. Because Tails uses snapshot releases, serious kernel vulnerabilities often end up going unfixed for weeks, as emergency releases are not always practical (or fast). It would also allow (most) emergency releases to be skipped entirely.
Proposal:
I propose using livepatch to solve this. Right now, Tails' infrastructure is not conducive to this. It would be more practical when automatic and rolling upgrades are made available (IIRC there was a ticket for that, but I can't find it at the moment). This is not something which could be implemented extremely quickly because it requires the infrastructure and client-side code to support it.
The UX would be simple and easy. When Tails boots up and checks for available upgrades, it could additionally check for available livepatches and give the user the option to install them with the click of a button, using the same easy pop-up as the "You should upgrade to Tails X" notice. Clicking the install option would download a pre-compiled livepatch module and insert it on the system. Compressed, the average livepatch module is around 50 KiB in size.
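As an added illustration of the client-side step sketched above (this is example code written for this page, not Tails code and not part of the original ticket), here is the check a downloader would want to run before handing a fetched livepatch module to the kernel. A livepatch module is kernel code, so it must target exactly the running kernel release and its integrity must be verified against a trusted manifest before `insmod`. The one-line manifest format (`<kernel-release> <sha256> <module-name>`) and the function names are assumptions made for this example; in a real deployment the manifest itself would be signed with the release key, and the kernel's own module-signature enforcement would apply on top of this. The `enabled` and `transition` attributes under `/sys/kernel/livepatch/<module>/` are the standard livepatch sysfs files and only exist on kernels built with `CONFIG_LIVEPATCH`.

```sh
#!/bin/sh
# Example livepatch install flow (added example, hypothetical helper names).
# Before inserting kernel code we require:
#   1. the manifest's target kernel release equals the running kernel release
#   2. the module's SHA-256 matches the manifest entry
# Only then is the module loaded and the kernel asked whether the patch is active.
set -eu

# sha256_of FILE -> hex digest (coreutils sha256sum, or shasum as a fallback)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_kernel_match TARGET_RELEASE RUNNING_RELEASE -> 0 only on an exact match.
# A livepatch is built for one kernel build; "close enough" is not acceptable.
check_kernel_match() {
    [ "$1" = "$2" ]
}

# check_sha256 FILE EXPECTED_HEX -> 0 if the file hashes to the expected digest
check_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# verify_livepatch MANIFEST MODULE_FILE RUNNING_RELEASE
# Manifest line (constructed format for this example): "<kernel-release> <sha256> <module-name>"
# Prints the module name on success, returns non-zero on any mismatch.
verify_livepatch() {
    manifest=$1 module=$2 running=$3
    read -r target digest name < "$manifest"
    check_kernel_match "$target" "$running" \
        || { echo "kernel mismatch: manifest targets $target, running $running" >&2; return 1; }
    check_sha256 "$module" "$digest" \
        || { echo "digest mismatch for $module" >&2; return 1; }
    echo "$name"
}

# load_livepatch MODULE_FILE MODULE_NAME
# insmod the verified module, then confirm via sysfs that the kernel enabled the
# patch and finished migrating all tasks to the patched functions.
load_livepatch() {
    insmod "$1"
    sysfs=/sys/kernel/livepatch/$2
    [ "$(cat "$sysfs/enabled")" = 1 ] || return 1
    # transition stays 1 while some tasks still run the unpatched code
    while [ "$(cat "$sysfs/transition")" = 1 ]; do sleep 1; done
}

# usage (as root, after downloading manifest and module.ko):
#   name=$(verify_livepatch manifest module.ko "$(uname -r)") && load_livepatch module.ko "$name"
```

The split between `verify_livepatch` and `load_livepatch` is deliberate: verification needs no privileges and can fail loudly and cheaply, while the privileged load only ever sees a module that has already been pinned to the running kernel and to a known digest.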