In development for more than one year has been the ability to create secret memory areas on Linux that would be visible only to the owning process and is not mapped for other processes or the kernel page tables. That "memfd_secret" system call has finally materialized in Linux-Next and looking like it could be ready for mainline.

The ability to randomize the kernel stack offset at each system call looks like it will land for the upcoming Linux 5.13 cycle. This optional feature makes it much more difficult to carry out stack-based attacks on the Linux kernel.

Besides Linux kernel developers still working to optimize code due to Retpolines overhead three years after Spectre rocked the ecosystem, another area kernel developers have still been actively working on is core scheduling for controlling the behavior of what software can share CPU resources or run on the sibling thread of a CPU core. That core scheduling work is finally closer to the mainline Linux kernel.

Security researcher and Microsoft engineer Mickaël Salaün is proposing unprivileged chroot support for the Linux kernel.

Last summer the GRUB bootloader was impacted by "BootHole" with security issues hitting its UEFI Secure Boot support while today a new round of vulnerabilities were made public.

On Monday the crypto subsystem updates were sent in to the Linux 5.12 kernel by crypto maintainer Herbert Xu.

Security researchers out of the University of Birmingham have crafted another attack against Intel Software Guard Extensions (SGX) when having physical motherboard access and using their "VoltPillager" hardware device they assembled for about $30 USD.

Google engineers are proposing a new framework called "Know, Prevent, Fix" in dealing with open-source security vulnerabilities.

Coming out in early 2020 were patches by an Amazon engineer to implement flushing the L1 data cache on context switching in the name of security given the various data sampling vulnerabilities. That work so far has been rejected from the mainline kernel but today was updated and makes it harder to enable and thus moving forward could stand chances to finally see the opt-in functionality merged to mainline.

Google engineers continue working on the Linux kernel around "Restricted DMA" for helping to protect systems that lack DMA access control for hardware without an IOMMU.

With it recently being noticed that the Linux AES-NI XTS performance regressed big time from the return trampolines "Retpolines" enacted nearly three years ago as a defense against Spectre, here are some benchmarks looking at the performance cost involved to this day using Retpolines and the impact on the XTS encryption/decryption performance measured by cryptsetup that is used for setting up encrypted disks under Linux.

It turns out the Intel/AMD AES-NI implementation of XTS regressed hard from the Retpolines functionality merged nearly three years ago for mitigating Spectre... But now the crypto performance with the AES-NI XTS implementation is set to recover from that regression with a huge improvement thanks to a new set of patches.

The Linux 5.11 kernel cycle continues to prove to be very exciting. The latest are SECCOMP filters for this secure computing mode yielding a nice speed-up.

Assuming Linus Torvalds has no last minute objections, the long-in-development Intel SGX support will be merged into the mainline Linux kernel.

A proposal and set of patches have been sent out around the Linux kernel's Page Table Isolation (PTI/KPTI) implementation to defer switching from the user page-table to kernel page-table until later in the kernel entry sequence. There are possible performance benefits and code improvements that would stem from this change.

Upstream Linux kernel developers are looking at changing some of their Spectre mitigation defaults around what's applied to SECCOMP threads by default in part due to the performance hit as well as other reasons.

Building off a set of "request for comments" patches from September, a set of patches were sent out on Sunday for providing brute force attack mitigation around the fork system call.

One week past the Linux 5.9 official debut, Linux 5.9.1 is now available. Making this initial point release a bit more noteworthy is including the fixes for the "Bleeding Tooth" Bluetooth vulnerability made public this week.

A new kernel feature sent in today for the Linux 5.10 merge window is static calls, which can be helpful in cases where Retpolines (return trampolines) are currently used as part of protections against speculative execution vulnerabilities like Spectre.

For a while now Oracle engineers and others have been working on Trenchboot as a means of secure launch/boot support when paired with the likes of Intel TXT and AMD SKINIT for trusted execution and configuring each piece of the software boot chain for trusted/secure handling. The latest kernel patches have been sent out for review for secure launching of the kernel.

The kernel support for Nitro Enclaves landed this week in char-misc-next ahead of the Linux 5.10 cycle kicking off next month.

Security researchers from Amsterdam have publicly detailed "BlindSide" as a new speculative execution attack vector for both Intel and AMD processors.

When it comes to kernel address space isolation (ASI) and other yet-to-be-merged security features around fending off speculative execution attacks, there are multiple concurrent efforts by many of the public cloud providers and other hyperscalers. A Google engineer at this week's Linux Plumbers Conference has called for more collaboration in this area to ideally provide a unified solution.

At this week's Linux Plumbers Conference there were DigitalOcean engineers providing an update on their CoreScheduling work in the era of vulnerabilities affecting Hyper Threading. Oracle meanwhile presented today at LPC2020 on their Kernel Address Space Isolation (ASI) functionality for dealing with Hyper Threading data leakage in a different manner, but the performance costs are still being evaluated.

Security researchers from Graz University of Technology and CISPA Helmholtz are out with their latest findings on CPU speculative execution vulnerabilities, namely taking another look at L1TF/Foreshadow. Their findings are bad news not only for Intel but potentially other CPU vendors as well.

A major vulnerability in the GRUB2 boot-loader has been made public today that compromises its UEFI SecureBoot capabilities.

A patch queued up into the driver core tree ahead of the upcoming Linux 5.9 kernel will allow further restricting access to DebugFS.

Intel open-source developer Kristen Carlson Accardi continues work on Function Granular Kernel Address Space Layout Randomization (FGKASLR) as a big improvement over traditional KASLR address space layout randomization.

Approaching the two year anniversary next month of the L1TF / Foreshadow vulnerability, a Google engineer has proposed allowing the default mitigation state to be controlled via a Kconfig build-time option.

Version 0.8 of the Linux Kernel Runtime Guard (LKRG) has been released for further enhancing the runtime security provided by this out-of-tree kernel code plus other general improvements.