Linus Torvalds has announced the release of Linux kernel 6.7, which brings various improvements and new features. One major addition is the bcachefs file system, designed to compete with Btrfs and ZFS on modern features while matching the speed of EXT4 and XFS. This article looks at the security features and updates introduced in this kernel series.
The crypto subsystem updates in Linux 6.7 include routine changes as well as crypto-acceleration driver updates for various System-on-Chips (SoCs). More importantly, they reduce the kernel's reliance on insecure, outdated hash algorithms. SHA1 is no longer supported for signing kernel modules or importing X.509 certificates; SHA256 or stronger algorithms are now recommended. In addition, MD4 and MD5 hashes and signatures in X.509 certificates have been removed because of their known security weaknesses.
Linux 6.7 adds a hardening configuration profile that helps build a hardened kernel with sensible default settings. The release includes a Kconfig fragment with the essential hardening options, which can be applied by running “make hardening.config.” The options cover basic kernel memory permission enforcement, address-space randomization, randomizing the stack offset on syscall entry, buffer-length (bounds) checking, and an assortment of security tunables.
In Linux 6.7, Landlock, the sandboxing feature for unprivileged applications that was merged in Linux 5.13, extends its capabilities beyond file-system access control with initial support for networking. As a stackable Linux Security Module (LSM), Landlock now offers the access rights LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP. These allow a process to restrict the TCP socket bind() and connect() system calls to particular ports.
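The following C example, added here and not taken from the original post, shows how an unprivileged program would use these new rights to confine itself: it lets the process bind() only on one TCP port and connect() only to another, and refuses to run the restriction on kernels older than 6.7 (Landlock ABI version 4). The syscall numbers, constants and struct layouts are written out locally to mirror the kernel's UAPI header, so the code builds even where the installed headers predate 6.7; the port numbers are constructed sample values.

```c
/* Landlock TCP port sandbox for Linux 6.7 (Landlock ABI v4): added example, not code
 * from the original post. bind() is allowed only on listen_port and connect() only
 * to connect_port; any other TCP port is refused by the kernel with EACCES. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Mirrors include/uapi/linux/landlock.h; defined locally so the example also
 * builds against pre-6.7 UAPI headers that lack the network fields. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_NET_PORT          2
#define LL_ACCESS_NET_BIND_TCP    (1ULL << 0)
#define LL_ACCESS_NET_CONNECT_TCP (1ULL << 1)
struct ll_ruleset_attr  { uint64_t handled_access_fs; uint64_t handled_access_net; };
struct ll_net_port_attr { uint64_t allowed_access; uint64_t port; };

/* Highest Landlock ABI the running kernel supports, or -1 (errno set) if none. */
int landlock_abi_version(void) {
    return (int)syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
}

static int add_port_rule(int ruleset_fd, uint64_t access, uint16_t port) {
    struct ll_net_port_attr rule = { .allowed_access = access, .port = port };
    return (int)syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_NET_PORT, &rule, 0);
}

/* Returns 0 once enforced, 1 if the kernel has no Landlock network rules
 * (ABI < 4, i.e. older than 6.7), or -1 with errno set on any other failure. */
int restrict_tcp_ports(uint16_t listen_port, uint16_t connect_port) {
    if (landlock_abi_version() < 4) return 1;
    struct ll_ruleset_attr attr = { .handled_access_fs = 0, /* file access left alone */
        .handled_access_net = LL_ACCESS_NET_BIND_TCP | LL_ACCESS_NET_CONNECT_TCP };
    int fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (fd < 0) return -1;
    int rc = -1;
    if (add_port_rule(fd, LL_ACCESS_NET_BIND_TCP, listen_port) == 0 &&
        add_port_rule(fd, LL_ACCESS_NET_CONNECT_TCP, connect_port) == 0 &&
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 && /* required before restrict_self */
        syscall(__NR_landlock_restrict_self, fd, 0) == 0)
        rc = 0;
    int saved = errno; close(fd); errno = saved; /* do not let close() clobber errno */
    return rc;
}
```

Call restrict_tcp_ports() early in the program, before any sockets are opened, since the ruleset applies to the calling thread and everything it later forks or execs. Because handled_access_fs is zero, file-system access is deliberately left unrestricted in this example.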
The x86/boot changes in Linux 6.7, led by Ard Biesheuvel, include a substantial overhaul of how the PE header is generated. The goal is a modern, 4K-aligned kernel image layout that offers stronger protection for the system. The EFI stub boot flow no longer depends on memory that is both writable and executable at the same time, which is what makes this layout change possible. In the new layout, the decompressor binary's code and its read-only data are exposed as a .text section, while data/bss is exposed as a .data section; both are 4K-aligned and carry restricted permissions. This arrangement matters for compatibility with the security requirements of x86 PCs designed for Windows.
This release also introduces support for NVIDIA’s GSP firmware in the Nouveau open-source graphics driver. Notable updates include enhancements to the Btrfs file system, networking improvements, and updates to file systems like EXT4, F2FS, and exFAT. The kernel brings support for new hardware, architectures, and AMD platforms, as well as security updates, such as AppArmor improvements.
The long-term supported (LTS) Linux 4.14 kernel series, initially released on November 12th, 2017, has officially reached its end of life after being maintained for over six years. Users still on this kernel version are advised to upgrade to newer long-term supported kernels like Linux 5.4 (supported until December 2025), Linux 5.10, Linux 5.15, Linux 6.1, or Linux 6.6 (all supported until December 2026).
Linux kernel 6.7 is available for download. As a short-term stable series supported for only a couple of months, it will be succeeded by Linux kernel 6.8, expected in mid-March 2024.
The kernel is the central element of a Linux OS, so protecting it is vital to the security of the whole system. TuxCare provides KernelCare Enterprise, a tool that automatically applies security updates and patches to the Linux kernel without requiring a system reboot or scheduled maintenance.
The references used for this article can be accessed at Phoronix.
The post Linux Kernel 6.7 Released with Various Security Improvements appeared first on TuxCare.
This is a Security Bloggers Network syndicated blog from TuxCare authored by Rohan Timalsina. Read the original post at: https://tuxcare.com/blog/linux-kernel-6-7-released-with-various-security-improvements/