Coming out in early 2020 were patches by an Amazon engineer to implement flushing the L1 data cache on context switching in the name of security given the various data sampling vulnerabilities. That work has so far been rejected from the mainline kernel, but it was updated today to make the option harder to enable, which could improve the odds of the opt-in functionality finally being merged to mainline.
Google engineers continue working on the Linux kernel around "Restricted DMA" for helping to protect systems that lack DMA access control for hardware without an IOMMU.
It was recently noticed that Linux AES-NI XTS performance regressed significantly from the return trampolines ("Retpolines") enacted nearly three years ago as a defense against Spectre. Here are some benchmarks looking at the performance cost of Retpolines to this day and their impact on XTS encryption/decryption performance as measured by cryptsetup, the tool used for setting up encrypted disks under Linux.
It turns out the Intel/AMD AES-NI implementation of XTS regressed hard from the Retpolines functionality merged nearly three years ago for mitigating Spectre. But now the crypto performance of the AES-NI XTS implementation is set to recover from that regression with a huge improvement thanks to a new set of patches.
The Linux 5.11 kernel cycle continues to prove to be very exciting. The latest is a nice speed-up for SECCOMP filters in this secure computing mode.
Assuming Linus Torvalds has no last minute objections, the long-in-development Intel SGX support will be merged into the mainline Linux kernel.
A proposal and set of patches have been sent out around the Linux kernel's Page Table Isolation (PTI/KPTI) implementation to defer switching from the user page-table to kernel page-table until later in the kernel entry sequence. There are possible performance benefits and code improvements that would stem from this change.
Upstream Linux kernel developers are looking at changing some of their Spectre mitigation defaults around what's applied to SECCOMP threads by default in part due to the performance hit as well as other reasons.
Building off a set of "request for comments" patches from September, a set of patches were sent out on Sunday for providing brute force attack mitigation around the fork system call.
One week past the Linux 5.9 official debut, Linux 5.9.1 is now available. Making this initial point release a bit more noteworthy is that it includes the fixes for the "Bleeding Tooth" Bluetooth vulnerability made public this week.
A new kernel feature sent in today for the Linux 5.10 merge window is static calls, which can be helpful in cases where Retpolines (return trampolines) are currently used as part of protections against speculative execution vulnerabilities like Spectre.
For a while now Oracle engineers and others have been working on Trenchboot as a means of secure launch/boot support when paired with the likes of Intel TXT and AMD SKINIT for trusted execution and configuring each piece of the software boot chain for trusted/secure handling. The latest kernel patches have been sent out for review for secure launching of the kernel.
The kernel support for Nitro Enclaves landed this week in char-misc-next ahead of the Linux 5.10 cycle kicking off next month.
Security researchers from Amsterdam have publicly detailed "BlindSide" as a new speculative execution attack vector for both Intel and AMD processors.
When it comes to kernel address space isolation (ASI) and other yet-to-be-merged security features around fending off speculative execution attacks, there are multiple concurrent efforts by many of the public cloud providers and other hyperscalers. A Google engineer at this week's Linux Plumbers Conference has called for more collaboration in this area to ideally provide a unified solution.
At this week's Linux Plumbers Conference, DigitalOcean engineers provided an update on their CoreScheduling work in the era of vulnerabilities affecting Hyper Threading. Oracle meanwhile presented today at LPC2020 on their Kernel Address Space Isolation (ASI) functionality, which deals with Hyper Threading data leakage in a different manner, but the performance costs are still being evaluated.
Security researchers from Graz University of Technology and CISPA Helmholtz are out with their latest findings on CPU speculative execution vulnerabilities, namely taking another look at L1TF/Foreshadow. Their findings are bad news not only for Intel but potentially other CPU vendors as well.
A major vulnerability in the GRUB2 boot-loader has been made public today that compromises its UEFI SecureBoot capabilities.
A patch queued up into the driver core tree ahead of the upcoming Linux 5.9 kernel will allow further restricting access to DebugFS.
Intel open-source developer Kristen Carlson Accardi continues work on Function Granular Kernel Address Space Layout Randomization (FGKASLR) as a big improvement over traditional KASLR address space layout randomization.
Approaching the two-year anniversary next month of the L1TF / Foreshadow vulnerability, a Google engineer has proposed allowing the default mitigation state to be controlled via a Kconfig build-time option.
Version 0.8 of the Linux Kernel Runtime Guard (LKRG) has been released for further enhancing the runtime security provided by this out-of-tree kernel code plus other general improvements.
This weekend we reported on how injecting ACPI tables could lead to bypassing Linux's lockdown / UEFI Secure Boot protections and let attackers load unsigned kernel modules. That earlier issue was found on a patched version of the Ubuntu 18.04 LTS kernel while now a similar attack vector has been discovered on the mainline Linux kernel.
There are some urgent fixes pending for the x86/x86_64 speculative execution handling in the Linux kernel following a Google security engineer discovering these issues, including one fix that addresses a situation that unfairly impacted AMD CPUs.
Security Enhanced Linux is seeing some nice optimizations with the in-development Linux 5.8 kernel.
For those very concerned about CPU data sampling vulnerabilities, the Linux 5.8 kernel comes with the ability to flush the L1 data cache on each context switch. That's good for security, but will hurt the system performance with all the excess L1 cache flushing.
As a result of at least "a few AArch64 platforms" lacking firmware support for mitigating Spectre Variant Two, Google engineers are evaluating the possibility of Retpolines for the 64-bit Arm architecture.
The Linux kernel patches that have been spearheaded by Amazon AWS engineers to optionally flush the L1 data cache on each context switch have now been queued in the x86/mm branch ahead of the upcoming Linux 5.8 kernel cycle.
Thunderspy is a class of seven vulnerabilities found within Intel's Thunderbolt 3 hardware, and the researchers have found nine realistic scenarios for exploiting these Thunderbolt issues across platforms.
The latest Linux kernel security work being pursued by Thomas Gleixner is tightening up access to the kernel's per-CPU translation lookaside buffer (TLB) state.
171 Linux Security news articles published on Phoronix.