Linux Security News Archives
Linux Kernel "LOCKDOWN" Ported To Being An LSM, Still Undergoing Review

It didn't make it for the Linux 5.2 kernel and now it's up to its 33rd revision on the Linux kernel mailing list... The "lockdown" patches for locking down access to various kernel hardware features have now been reworked into a Linux Security Module (LSM) as they still try to gather enough endorsements to be mainlined.

23 June 2019 - Linux LOCKDOWN LSM - 3 Comments
ZombieLoad Mitigation Costs For Intel Haswell Xeon, Plus Overall Mitigation Impact

With tests over the past week following the disclosure of the Microarchitectural Data Sampling (MDS) vulnerabilities, also known as "Zombieload", we've looked at the MDS mitigation costs (and now the overall Spectre/Meltdown/L1TF/MDS impact) for desktop CPUs, servers, and some laptop hardware. I've also begun running some tests on older hardware, since some Phoronix readers are curious how much aging Intel Haswell CPUs are affected.

23 May 2019 - Haswell Xeon - 8 Comments
MDS / Zombieload Mitigations Come At A Real Cost, Even If Keeping Hyper Threading On

The default Linux mitigations for the new Microarchitectural Data Sampling (MDS) vulnerabilities (also known as "Zombieload") do incur a measurable performance cost out-of-the-box in various workloads. That's even with the default behavior where SMT / Hyper Threading remains on, while it becomes increasingly apparent that HT must be off if you want to fully protect your system.

16 May 2019 - Microarchitectural Data Sampling - 57 Comments
In 2019, Most Linux Distributions Still Aren't Restricting Dmesg Access

Going back to the late Linux 2.6 kernel days there has been the CONFIG_DMESG_RESTRICT Kconfig option (renamed CONFIG_SECURITY_DMESG_RESTRICT for the past number of years) to restrict access to dmesg in the name of security, preventing unprivileged users from reading this system log. While it's been brought up from time to time, Linux distributions still generally allow any user access to dmesg even though it may contain information that could help bad actors exploit the system.

20 April 2019 - Dmesg To All - 103 Comments
Improved Spectre/Meltdown Switches Might Finally Come To The Linux Kernel

By the time the next Linux kernel is released it will have been roughly a year and a half since the Spectre and Meltdown CPU speculative execution vulnerabilities went public and the mitigations started appearing within the kernel. Upstream developers are now finally discussing again how to improve the switches / tunable knobs for easily configuring these performance-degrading mitigations.

6 April 2019 - CPU Speculation Vulnerabilities - 32 Comments
Linux Kernel Getting New Option So SSBD Isn't Over-Protective - Helping Performance

The Linux kernel's Speculative Store Bypass Disable (SSBD) handling for Spectre Variant 4 protection includes support for processes opting into force-disabling speculation via a prctl() interface. Currently, when speculation is disabled, that state is carried through to new processes started via the execve() system call. A new bit will allow clearing that state when a new program is started by a process otherwise relying upon PR_SPEC_DISABLE, which will help performance in such cases.

31 January 2019 - PR_SPEC_DISABLE_NOEXEC - 1 Comment
OPTPOLINES - Formerly Relpolines, Lower Overhead To Retpolines For Spectre Mitigation

It's been nearly one year to the day since the Spectre and Meltdown vulnerabilities were made public. While the security vulnerabilities were quickly buttoned up in the Linux space, kernel developers continue working to offset the performance overhead introduced by these mitigations. They made a lot of overhead reductions in 2018, while some patch-sets are still pending to further improve the experience. One of these patch-sets was known as "Relpolines" but has now been updated and morphed into what is being called Optpolines.

31 December 2018 - Optpolines - 1 Comment
WireGuard Is Now Available On Apple iOS

While WireGuard didn't make it into the mainline kernel for Linux 4.20, if you are using an Apple tablet or phone, there is now an app that allows you to use WireGuard on iOS.

6 November 2018 - WireGuard + iOS - 12 Comments
STACKLEAK Plug-In Being Reattempted For Inclusion In Linux 4.20

The STACKLEAK GCC plug-in, ported to the mainline code-base from the Linux GrSecurity patch-set, was originally attempted for the Linux 4.19 kernel but not merged that cycle. That plug-in is now trying to get into the Linux 4.20 (or perhaps relabeled as 5.0) kernel.

24 October 2018 - STACKLEAK - 1 Comment
RELPOLINES: A New Spectre V2 Approach To Lower Overhead Of Retpolines

Nadav Amit of VMware has announced their (currently experimental) work on "dynamic indirect call promotion", which they have dubbed "RELPOLINES" -- not to be confused with the traditional Retpolines ("return trampolines"), one of the Spectre Variant Two software-based mitigation approaches. Relpolines are designed to have lower overhead than Retpolines.

18 October 2018 - RELPOLINES - 4 Comments
Spectre V2 "Lite" App-To-App Protection Mode Readying For The Linux Kernel

We are approaching one year since the Spectre and Meltdown CPU vulnerabilities shocked the industry, and while no new CPU speculative execution vulnerabilities have been made public recently, the Linux kernel developers continue improving upon the Spectre/Meltdown software-based mitigation techniques to help offset the incurred performance costs on current generation hardware.

17 October 2018 - Application To Application - 6 Comments

119 Linux Security news articles published on Phoronix.