Linux Security News Archives
Linux 5.6 Crypto Code Brings The New AMD TEE Driver

Herbert Xu sent in all of the crypto subsystem changes on Tuesday for the in-development Linux 5.6 kernel. Of most interest to us in this crypto work is the AMD Trusted Execution Environment (TEE) driver.

28 January 2020 - Trusted Execution - 5 Comments
Google's Kernel Runtime Security Instrumentation (KRSI) Is Something To Look Forward To In 2020

Back in September, Google posted an initial "request for comments" on some kernel work they are doing with Kernel Runtime Security Instrumentation (KRSI), which provides eBPF-powered security helpers, ultimately for creating dynamic MAC and audit policies. Just before Christmas the first official version of this new eBPF-based instrumentation was sent out, and it is being prepared for deployment within Google.

31 December 2019 - Linux KRSI - 17 Comments
Kernel Address Space Isolation Is Still Being Explored For Better Security

IBM developers and others continue exploring the potential for address space isolation in the Linux kernel to reduce the risk of leaking sensitive data in attacks like L1 Terminal Fault (L1TF), MDS, and other vulnerabilities. This does, however, increase the complexity of the kernel code, and the performance hit is still to be evaluated.

2 November 2019 - Address Space Isolation - 1 Comment
Landlock Revved An 11th Time For Unprivileged Yet Powerful Security Sandboxes

We first wrote about the Landlock Linux security module in 2016 with its aspirations for offering powerful security sandboxing abilities. Landlock has seen revisions every few months and this week marks the 11th time the patches have been volleyed for this interesting sandboxing Linux Security Module (LSM).

30 October 2019 - Landlock LSM - 1 Comment
Linux "Lockdown" Patches Hit Their 40th Revision

The long-running Linux "Lockdown" patches were sent out again overnight for the 40th time, but it remains to be seen if these security-oriented patches will be pulled in for the upcoming Linux 5.4 cycle.

20 August 2019 - Linux Lockdown v40 - 3 Comments
CVE-2019-1125 "SWAPGS" Is The Newest Spectre Vulnerability

CVE-2019-1125, also referred to as the "SWAPGS" vulnerability, was made public today as a new variant of Spectre V1 affecting Windows and Linux on Intel (and, according to mixed information, AMD - though the current Linux kernel patches at least seem to only apply to Intel) x86_64 processors.

6 August 2019 - CVE-2019-1125 - 27 Comments
Linux Kernel "LOCKDOWN" Ported To Being An LSM, Still Undergoing Review

It didn't make it for the Linux 5.2 kernel and now it's up to its 33rd revision on the Linux kernel mailing list... The "lockdown" patches for locking down access to various kernel hardware features have been reworked and are now a Linux Security Module (LSM), as they still try to get enough endorsements to be mainlined.

23 June 2019 - Linux LOCKDOWN LSM - 3 Comments
ZombieLoad Mitigation Costs For Intel Haswell Xeon, Plus Overall Mitigation Impact

With tests over the past week following the disclosure of the Microarchitectural Data Sampling (MDS) vulnerabilities, also known as "Zombieload", we've looked at the MDS mitigation costs (and now the overall Spectre/Meltdown/L1TF/MDS impact) for desktop CPUs, servers, and some laptop hardware. I've also begun doing some tests on older hardware, as some Phoronix readers were curious how badly aging Intel Haswell CPUs are affected.

23 May 2019 - Haswell Xeon - 8 Comments
MDS / Zombieload Mitigations Come At A Real Cost, Even If Keeping Hyper Threading On

The default Linux mitigations for the new Microarchitectural Data Sampling (MDS) vulnerabilities (also known as "Zombieload") do incur a measurable performance cost out-of-the-box in various workloads. That's even with the default behavior where SMT / Hyper Threading remains on, while it becomes increasingly apparent that HT must be off if you want to fully protect your system.

16 May 2019 - Microarchitectural Data Sampling - 57 Comments
In 2019, Most Linux Distributions Still Aren't Restricting Dmesg Access

Going back to the late Linux 2.6 kernel days there has been the CONFIG_DMESG_RESTRICT (for the past number of years renamed to CONFIG_SECURITY_DMESG_RESTRICT) Kconfig option to restrict access to dmesg in the name of security, preventing unprivileged users from accessing this system log. While it's been brought up from time to time, Linux distributions are still generally allowing any user access to dmesg even though it may contain information that could help bad actors exploit the system.

20 April 2019 - Dmesg To All - 103 Comments
Improved Spectre/Meltdown Switches Might Finally Come To The Linux Kernel

By the time the next Linux kernel is released it will have been roughly a year and a half since the Spectre and Meltdown CPU speculative execution vulnerabilities went public and the mitigations started appearing within the kernel. Now upstream developers are finally discussing again how to improve the switches / tunable knobs for easily configuring these performance-degrading mitigations.

6 April 2019 - CPU Speculation Vulnerabilities - 32 Comments

135 Linux Security news articles published on Phoronix.