One week past the Linux 5.9 official debut, Linux 5.9.1 is now available. Making this initial point release a bit more noteworthy is including the fixes for the "Bleeding Tooth" Bluetooth vulnerability made public this week.

A new kernel feature sent in today for the Linux 5.10 merge window is static calls, which can be helpful in cases where Retpolines (return trampolines) are currently used as part of protections against speculative execution vulnerabilities like Spectre.

For a while now Oracle engineers and others have been working on Trenchboot as a means of secure launch/boot support when paired with the likes of Intel TXT and AMD SKINIT for trusted execution and configuring each piece of the software boot chain for trusted/secure handling. The latest kernel patches have been sent out for review for secure launching of the kernel.

The kernel support for Nitro Enclaves landed this week in char-misc-next ahead of the Linux 5.10 cycle kicking off next month.

Security researchers from Amsterdam have publicly detailed "BlindSide" as a new speculative execution attack vector for both Intel and AMD processors.

When it comes to kernel address space isolation (ASI) and other yet-to-be-merged security features around fending off speculative execution attacks, there are multiple concurrent efforts by many of the public cloud providers and other hyperscalers. A Google engineer at this week's Linux Plumbers Conference has called for more collaboration in this area to ideally provide a unified solution.

At this week's Linux Plumbers Conference there were DigitalOcean engineers providing an update on their CoreScheduling work in the era of vulnerabilities affecting Hyper Threading. Oracle meanwhile presented today at LPC2020 on their Kernel Address Space Isolation (ASI) functionality for dealing with Hyper Threading data leakage in a different manner, but the performance costs are still being evaluated.

Security researchers from Graz University of Technology and CISPA Helmholtz are out with their latest findings on CPU speculative execution vulnerabilities, namely taking another look at L1TF/Foreshadow. Their findings are bad news not only for Intel but potentially other CPU vendors as well.

A major vulnerability in the GRUB2 boot-loader has been made public today that compromises its UEFI SecureBoot capabilities.

A patch queued up into the driver core tree ahead of the upcoming Linux 5.9 kernel will allow further restricting access to DebugFS.

Intel open-source developer Kristen Carlson Accardi continues work on Function Granular Kernel Address Space Layout Randomization (FGKASLR) as a big improvement over traditional KASLR address space layout randomization.

Approaching the two year anniversary next month of the L1TF / Foreshadow vulnerability, a Google engineer has proposed allowing the default mitigation state to be controlled via a Kconfig build-time option.

Version 0.8 of the Linux Kernel Runtime Guard (LKRG) has been released for further enhancing the runtime security provided by this out-of-tree kernel code plus other general improvements.

This weekend we reported on how injecting ACPI tables could lead to bypassing Linux's lockdown / UEFI Secure Boot protections and let attackers load unsigned kernel modules. That earlier issue was found on a patched version of the Ubuntu 18.04 LTS kernel while now a similar attack vector has been discovered on the mainline Linux kernel.

There are some urgent fixes pending for the x86/x86_64 speculative execution handling for the Linux kernel following a Google security engineer discovering these issues, including one of the fixes address a situation that unfairly impacted AMD CPUs.

Security Enhanced Linux is seeing some nice optimizations with the in-development Linux 5.8 kernel.

For those very concerned about CPU data sampling vulnerabilities, the Linux 5.8 kernel comes with the ability to flush the L1 data cache on each context switch. That's good for security, but will hurt the system performance with all the excess L1 cache flushing.

As a result of at least "a few AArch64 platforms" lacking firmware support for mitigating Spectre Variant Two, Google engineers are evaluating the possibility of Retpolines for the 64-bit Arm architecture.

The Linux kernel patches that have been spearheaded by Amazon AWS engineers to optionally flush the L1 data cache on each context switch have now been queued in the x86/mm branch ahead of the upcoming Linux 5.8 kernel cycle.

Thunderspy is a class of seven vulnerabilities found within Intel's Thunderbolt 3 hardware and the researchers having found nine realistic scenarios for exploiting these Thunderbolt issues across platforms.

The latest Linux kernel security work being pursued by Thomas Gleixner is tightening up access around the kernel's per-CPU TLB state access for the translation lookaside buffer.

Patches have been revised for allowing Linux to support kernel stack base address offset randomization for each system call.

A new patch series sent out just under one month ago was providing opt-in L1 data cache flushing on context switching. That work has now been revived again and now with documentation added it's clear that this work is being done in response to a recent CVE being made public.

A few months back when we last looked at the performance impact of having SELinux enabled there was a hit but not too bad for most workloads. But we'll need to take another look soon as with the Linux 5.7 kernel are some performance improvements and more for SELinux.

Earlier this month there was the proposal by a Linux kernel engineer for Amazon to flush the L1 data cache on context switches as another safeguard against the ever increasing CPU vulnerabilities.

Going back to over a year ago were discussions by Oracle engineers and others about a secure launch boot protocol for the Linux kernel to in turn tie into the Trenchboot open-source project working on various system integrity features. We are now finally seeing new patches out of Oracle for wiring more Trenchboot support into the Linux kernel.

It turns out the Point-to-Point Protocol Daemon (PPPD) used for dial-up models, DSL, and other point-to-point network setups on Linux has been bugged for the past seventeen years with a buffer overflow vulnerability that could lead to remote code execution at the system level.

While there are many new features in the forthcoming Linux 5.6 kernel, the ongoing Address Space Isolation support is not one of them.

Fuzzing is an important means of finding unintended/invalid behavior within software and now there exists a fuzzer for providing Spectre-type vulnerabilities.

Herbert Xu sent in all of the crypto subsystem changes on Tuesday for the in-development Linux 5.6 kernel. Interesting us the most out of this crypto work is the AMD Trusted Execution Environment (TEE) driver.