ClickCease Linux Kernel 6.7 Released with Various Security Improvements

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Linux Kernel 6.7 Released with Various Security Improvements

Rohan Timalsina

January 25, 2024 - TuxCare expert team

Linus Torvalds has announced the release of Linux kernel 6.7, featuring various improvements and new features. One major addition is the bcachefs file system, designed to compete with Btrfs and ZFS for modern features while maintaining the speed of EXT4 and XFS. This article aims to explore the security features and updates introduced in this new kernel series.

 

Security Features in Linux Kernel 6.7

 

Crypto Subsystem Updates

 

The Linux 6.7 kernel’s crypto subsystem updates involve routine changes and various crypto acceleration updates for different System-on-Chips (SoCs). Notably, the update reduces the role of insecure and obsolete crypto hashing algorithms. SHA1 support for signing kernel modules or importing X.509 certificates has been removed, with SHA256 or better algorithms recommended for these purposes. Additionally, MD4 and MD5 hashing and signatures in X.509 certificates have been eliminated due to security concerns.

 

Make hardening.config

 

Linux 6.7 introduces a new hardening configuration profile to help in building a security-hardened kernel with some sane defaults. The update includes a Kconfig fragment with basic hardening options that can be activated by running “make hardening.config.” Some of the hardening options include basic kernel memory permission enforcement, address space layout randomization, stack offset randomization on syscall entry, buffer length bounds checking, and various security tunables.

 

Landlock Access Controls

 

In Linux 6.7, Landlock, an unprivileged application sandboxing feature merged in Linux 5.13, has expanded its capabilities beyond file-system access controls to include initial support for networking. Implemented as a stackable Linux security module (LSM), Landlock now introduces access rights such as LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP. This update enables the restriction of TCP socket bind() and connect() system calls for specific ports.

 

PE Header Generation

 

The x86/boot changes for Linux kernel 6.7 include a significant rework to the PE header generation led by Ard Biesheuvel. The goal is to create a modern, 4K-aligned kernel image view for improved system security. This restructuring is enabled by the EFI stub boot flow no longer relying on executable and writable memory simultaneously. The new layout exposes the decompressor binary’s code and read-only data as a .text section and data/bss as a .data section, with 4K alignment and limited permissions. This is essential for compatibility with security measures on x86 PCs built for Windows.

 

Other New Features in Linux Kernel 6.7

 

This release also introduces support for NVIDIA’s GSP firmware in the Nouveau open-source graphics driver. Notable updates include enhancements to the Btrfs file system, networking improvements, and updates to file systems like EXT4, F2FS, and exFAT. The kernel brings support for new hardware, architectures, and AMD platforms, as well as security updates, such as AppArmor improvements.

 

Linux Kernel 4.14 Reached End of Life

 

The long-term supported (LTS) Linux 4.14 kernel series, initially released on November 12th, 2017, has officially reached its end of life after being maintained for over six years. Users still on this kernel version are advised to upgrade to newer long-term supported kernels like Linux 5.4 (supported until December 2025), Linux 5.10, Linux 5.15, Linux 6.1, or Linux 6.6 (all supported until December 2026).

 

Conclusion

 

Linux kernel 6.7 is available for download, with Linux kernel 6.8 expected to follow in mid-March 2024. With a short support span of a couple of months, it will soon be succeeded by Linux kernel 6.8.

A kernel is the core component of the Linux OS, making it crucial to secure it for overall system security. TuxCare offers KernelCare Enterprise that automatically applies all security updates and patches to the Linux kernel without having to reboot or schedule maintenance windows.

Learn more about live patching and explore how KernelCare live patching works.

 

The sources for this article can be found on Phoronix.

Summary
Linux Kernel 6.7 Released with Various Security Improvements
Article Name
Linux Kernel 6.7 Released with Various Security Improvements
Description
Discover the latest enhancements in Linux kernel 6.7, including improved security features and updates. Learn how to secure the Linux kernel.
Author
Publisher Name
TuxCare
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started

Mail

Join

4,500

Linux & Open Source
Professionals!

Subscribe to
our newsletter