Linux 6.7 Will Let You Enable/Disable 32-bit Programs Support At Boot-Time
From the perspective of Linux distributions trying to reduce their attack surface while still letting users run legacy software without recompiling their kernel, SUSE has spearheaded an effort to make x86 32-bit support toggleable at boot time, controlling whether 32-bit user-space programs can be executed and 32-bit system calls can be made. That code has been submitted for the imminent Linux 6.7 merge window.
The Linux kernel already has the "IA32_EMULATION" Kconfig knob for toggling 32-bit support at build time, and most (all?) Linux distributions leave it enabled so that 32-bit user-space software keeps working. The new patches coming for Linux 6.7 additionally allow enabling or disabling it at boot time. In the future, Linux distributions could therefore ship with the support off by default, and users who want to run 32-bit legacy software could add the new "ia32_emulation=1" boot-time flag to turn it on without rebuilding the kernel. Alternatively, server administrators could more easily decide to preemptively disable this 32-bit support.
These patches for Linux 6.7 aren't making any default policy changes.
This boot-time ia32_emulation control was sent out in Saturday's x86/entry changes for Linux 6.7. That pull request also has a clean-up to the fast syscall return validation code.
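As an added example (not from the article or the kernel tree), the following shell helper derives the effective 32-bit support state from a kernel command line and a kernel .config, combining the build-time CONFIG_IA32_EMULATION knob with the boot-time ia32_emulation flag described above. It assumes ia32_emulation=0 is the disable form, that later occurrences of the parameter override earlier ones, and that a missing flag leaves the kernel's compiled-in default in effect; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: audit 32-bit (IA-32 emulation) support from boot inputs.
# Prints one of: unsupported, enabled, disabled, default, invalid.
ia32_state() {
    cmdline=$1   # kernel command line, e.g. contents of /proc/cmdline
    config=$2    # kernel .config text, e.g. zcat /proc/config.gz

    # Build-time knob first: without CONFIG_IA32_EMULATION=y the boot
    # flag has nothing to toggle, so report that separately.
    case "$config" in
        *"CONFIG_IA32_EMULATION=y"*) ;;
        *) echo "unsupported"; return 0 ;;
    esac

    # Boot-time knob: walk the command line tokens. Assumption: a later
    # ia32_emulation= token overrides an earlier one; absent means the
    # compiled-in default applies. Values other than 0/1 are flagged.
    state="default"
    for tok in $cmdline; do
        case "$tok" in
            ia32_emulation=1) state="enabled" ;;
            ia32_emulation=0) state="disabled" ;;
            ia32_emulation=*) state="invalid" ;;
        esac
    done
    echo "$state"
}

# Convenience wrapper for the running system (not exercised by the
# constructed samples below): reads /proc/cmdline and the kernel config.
ia32_state_running() {
    if [ -r /proc/config.gz ]; then
        cfg=$(zcat /proc/config.gz)
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cfg=$(cat "/boot/config-$(uname -r)")
    else
        echo "unknown (no kernel config found)"; return 1
    fi
    ia32_state "$(cat /proc/cmdline)" "$cfg"
}

# Constructed samples: a hardened server and a desktop needing legacy apps.
SERVER_CMDLINE="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet ia32_emulation=0"
DESKTOP_CMDLINE="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro ia32_emulation=1"
CFG_WITH_IA32="CONFIG_X86_64=y
CONFIG_IA32_EMULATION=y"
CFG_WITHOUT_IA32="CONFIG_X86_64=y
# CONFIG_IA32_EMULATION is not set"
```

Run `ia32_state_running` on a live host to see which state the current boot actually produced; the sample variables feed `ia32_state` directly for offline checks.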