Linux Kernel 6.7 Released with Various Security Improvements
Linus Torvalds has announced the release of Linux kernel 6.7, featuring various improvements and new features. One major addition is the bcachefs file system, designed to compete with Btrfs and ZFS for modern features while maintaining the speed of EXT4 and XFS. This article aims to explore the security features and updates introduced in this new kernel series.
Security Features in Linux Kernel 6.7
Crypto Subsystem Updates
The Linux 6.7 crypto subsystem updates are mostly routine, with assorted crypto accelerator driver updates for different System-on-Chips (SoCs). The security-relevant change is the continued retirement of weak hash algorithms. SHA1 is no longer offered as an option for signing kernel modules or accepted when importing X.509 certificates, with SHA256 or better recommended instead, and MD4 and MD5 hashes and signatures have been dropped from X.509 certificate handling because both are broken. Anyone who signs out-of-tree modules with their own key should confirm that the build uses a SHA-2 family digest for module signatures (for example CONFIG_MODULE_SIG_SHA256) and that the signing certificate itself is not SHA1-signed.
Hardening Configuration Profile
Linux 6.7 also introduces a hardening configuration profile to help build a security-hardened kernel with sane defaults. It ships as a Kconfig fragment, kernel/configs/hardening.config, that is merged into the current .config by running "make hardening.config". The fragment enables options such as strict kernel memory permission enforcement, kernel address space layout randomization, stack offset randomization on syscall entry, compile-time and run-time buffer length bounds checking, and a number of allocator and data-structure integrity tunables. It is a starting point rather than an exhaustive hardened configuration, and some of its options (such as zeroing memory on allocation) carry a measurable performance cost, so the result is worth reviewing before it ships.
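The following program is an added example, not code from the article or from the kernel tree. It checks a kernel .config against a subset of the options that "make hardening.config" turns on, so that a running kernel (/boot/config-$(uname -r)) or a freshly generated .config can be audited. The option list is reproduced from memory of kernel/configs/hardening.config and is an assumption to compare against your own tree; the sample .config text is constructed for the demonstration. It matches whole lines, so an option that is absent, set to a different value, or recorded as "is not set" all count as missing.

```c
// Added example: audit a .config against a subset of hardening.config.
// The option list below is assumed (taken from memory); verify it against
// kernel/configs/hardening.config in your tree.
#include <stdio.h>
#include <string.h>

static const char *const hardening_lines[] = {
    "CONFIG_STRICT_KERNEL_RWX=y",
    "CONFIG_STRICT_MODULE_RWX=y",
    "CONFIG_RANDOMIZE_BASE=y",
    "CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y",
    "CONFIG_FORTIFY_SOURCE=y",
    "CONFIG_HARDENED_USERCOPY=y",
    "CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y",
    "CONFIG_SLAB_FREELIST_RANDOM=y",
    "CONFIG_SLAB_FREELIST_HARDENED=y",
    "# CONFIG_SLAB_MERGE_DEFAULT is not set",
    "CONFIG_UBSAN_BOUNDS=y",
    "CONFIG_BUG_ON_DATA_CORRUPTION=y",
};
#define N_HARDENING (sizeof hardening_lines / sizeof hardening_lines[0])

/* 1 if `line` (without a newline) occurs as a whole line in `config`. */
static int config_has_line(const char *config, const char *line)
{
    size_t n = strlen(line);
    for (const char *p = config; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len == n && memcmp(p, line, n) == 0)
            return 1;
        if (!nl)
            break;
        p = nl + 1;
    }
    return 0;
}

/* Number of hardening lines absent from `config`; each one is reported. */
static int missing_hardening(const char *config, FILE *report)
{
    int missing = 0;
    for (size_t i = 0; i < N_HARDENING; i++) {
        if (!config_has_line(config, hardening_lines[i])) {
            missing++;
            if (report)
                fprintf(report, "missing: %s\n", hardening_lines[i]);
        }
    }
    return missing;
}

/* Constructed sample .config: kstack offset randomization disabled, slab
 * merging left on, and CONFIG_UBSAN_BOUNDS not present at all. */
static const char sample_config[] =
    "CONFIG_STRICT_KERNEL_RWX=y\n"
    "CONFIG_STRICT_MODULE_RWX=y\n"
    "CONFIG_RANDOMIZE_BASE=y\n"
    "# CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is not set\n"
    "CONFIG_FORTIFY_SOURCE=y\n"
    "CONFIG_HARDENED_USERCOPY=y\n"
    "CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y\n"
    "CONFIG_SLAB_FREELIST_RANDOM=y\n"
    "CONFIG_SLAB_FREELIST_HARDENED=y\n"
    "CONFIG_SLAB_MERGE_DEFAULT=y\n"
    "CONFIG_BUG_ON_DATA_CORRUPTION=y\n";

static int sample_missing_count(void) { return missing_hardening(sample_config, NULL); }

/* Usage: ./check [/boot/config-$(uname -r)]; without an argument the sample is audited. */
int main(int argc, char **argv)
{
    static char buf[1 << 20];
    const char *cfg = sample_config;
    if (argc > 1) {
        FILE *f = fopen(argv[1], "r");
        if (!f) { perror(argv[1]); return 1; }
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = 0;
        fclose(f);
        cfg = buf;
    }
    int m = missing_hardening(cfg, stdout);
    printf("%d of %zu hardening options missing\n", m, N_HARDENING);
    return m ? 2 : 0;
}
```

A non-zero exit status makes the check usable as a gate in a kernel build pipeline; extend hardening_lines with the rest of the fragment once you have confirmed the list against the tree you build from.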
Landlock Access Controls
In Linux 6.7, Landlock, the unprivileged application sandboxing feature merged in Linux 5.13, expands beyond file-system access control with initial support for networking. Implemented as a stackable Linux security module (LSM), Landlock now defines the access rights LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP. Once a ruleset handles these rights, bind() and connect() on TCP sockets are denied by default and allowed only for the ports listed in the ruleset's rules. The new rule type is reported as Landlock ABI version 4, so a program should query the ABI version before relying on it; the kernel must have CONFIG_SECURITY_LANDLOCK enabled and "landlock" present in the LSM list. UDP and other protocols are not covered by this first version.
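The program below is an added example, not code from the article or from the kernel's own samples, showing the ABI-v4 sandbox described above: the calling process is restricted so that it can only connect() to TCP port 443 and bind() to TCP port 8080, after which every other TCP bind or connect fails with EACCES. It defines the Landlock constants and structures itself (mirroring the UAPI names) so that it builds on systems whose headers predate 6.7, and it degrades gracefully on kernels without Landlock network support. The port numbers are arbitrary choices for the demonstration.

```c
// Added example: Landlock TCP port restrictions (ABI v4, Linux 6.7).
// Constants and structs mirror include/uapi/linux/landlock.h so this
// builds on older headers; on kernels without support it skips, not fails.
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_landlock_create_ruleset     /* same numbers on every architecture */
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_NET_BIND_TCP           (1ULL << 0)   /* LANDLOCK_ACCESS_NET_BIND_TCP */
#define LL_NET_CONNECT_TCP        (1ULL << 1)   /* LANDLOCK_ACCESS_NET_CONNECT_TCP */
#define LL_RULE_NET_PORT          2             /* LANDLOCK_RULE_NET_PORT */

/* Mirrors struct landlock_ruleset_attr as of ABI v4; the kernel uses the
 * size argument to stay compatible with shorter or longer versions. */
struct ll_ruleset_attr { uint64_t handled_access_fs; uint64_t handled_access_net; };
struct ll_net_port_attr { uint64_t allowed_access; uint64_t port; };

/* Landlock ABI version, or -1 with errno set (ENOSYS/EOPNOTSUPP: unavailable). */
static int ll_abi_version(void)
{
    return (int)syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
}

/* TCP port rules arrived with ABI v4 (Linux 6.7). */
static int net_rules_supported(int abi) { return abi >= 4; }

/* 0: sandbox applied; 1: kernel lacks Landlock network support, nothing done;
 * -1: unexpected error (errno set). Once applied, every other TCP bind() and
 * connect() in this process fails with EACCES. */
static int sandbox_tcp(uint16_t connect_port, uint16_t bind_port)
{
    int abi = ll_abi_version();
    if (abi < 0)
        return (errno == ENOSYS || errno == EOPNOTSUPP) ? 1 : -1;
    if (!net_rules_supported(abi))
        return 1;

    struct ll_ruleset_attr attr = {
        .handled_access_fs = 0,                  /* leave file access untouched */
        .handled_access_net = LL_NET_BIND_TCP | LL_NET_CONNECT_TCP,
    };
    int fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (fd < 0)
        return -1;

    struct ll_net_port_attr allow_connect = { LL_NET_CONNECT_TCP, connect_port };
    struct ll_net_port_attr allow_bind = { LL_NET_BIND_TCP, bind_port };
    if (syscall(__NR_landlock_add_rule, fd, LL_RULE_NET_PORT, &allow_connect, 0) ||
        syscall(__NR_landlock_add_rule, fd, LL_RULE_NET_PORT, &allow_bind, 0) ||
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||  /* required before restrict_self */
        syscall(__NR_landlock_restrict_self, fd, 0)) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    close(fd);
    return 0;
}

/* Try bind() or connect() on 127.0.0.1:<port>; 0 on success, otherwise -errno. */
static int try_tcp(uint16_t port, int do_bind)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return -errno;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int rc = do_bind ? bind(s, (struct sockaddr *)&sa, sizeof sa)
                     : connect(s, (struct sockaddr *)&sa, sizeof sa);
    int err = rc ? -errno : 0;
    close(s);
    return err;
}

int main(void)
{
    int r = sandbox_tcp(443, 8080);
    if (r == 1) { puts("Landlock network rules unsupported here (need ABI v4)"); return 0; }
    if (r < 0)  { perror("sandbox_tcp"); return 1; }
    printf("connect :9    -> %d (expect -EACCES = %d)\n", try_tcp(9, 0), -EACCES);
    printf("bind    :9999 -> %d (expect -EACCES)\n", try_tcp(9999, 1));
    printf("bind    :8080 -> %d (0, or -EADDRINUSE if the port is busy)\n", try_tcp(8080, 1));
    return 0;
}
```

Two details matter in practice: PR_SET_NO_NEW_PRIVS must be set before landlock_restrict_self() or the call fails with EPERM, and the restriction is inherited by every child process, so it should be applied after the program has finished any legitimate setup connections. A process with a file-system-only ruleset from an older ABI is unaffected by the network rights, because only rights listed in handled_access_net are enforced.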
PE Header Generation
The x86/boot changes for Linux kernel 6.7 include a significant rework of the PE header generation, led by Ard Biesheuvel. The goal is a modern, 4K-aligned kernel image that firmware can map with proper memory permissions. The restructuring became possible because the EFI stub boot flow no longer needs memory that is writable and executable at the same time. The new layout exposes the decompressor's code and read-only data as a .text section and its data and bss as a .data section, each 4K aligned and carrying only the permissions it needs, so the image no longer has to be loaded as a single read-write-execute blob. This matters for compatibility with firmware on x86 PCs designed around Windows, which increasingly enforces strict memory protections on the EFI images it loads.
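To make the layout concrete, here is an added example, not code from the article or the kernel tree, that parses the section table of a PE32+ image in the way a reviewer might inspect a bzImage (which is a PE file from the firmware's point of view) and reports whether every section starts on a 4K boundary and whether any section is mapped both writable and executable. Field offsets follow the published PE32+ format. The two sample images are constructed in memory: one modelled on the layout the paragraph describes, one with a single RWX section at 512-byte alignment in the older style; the section names and addresses in them are illustrative choices, not values taken from a real kernel build.

```c
// Added example: check PE section alignment and W^X on an EFI image.
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCN_MEM_EXECUTE 0x20000000u   /* IMAGE_SCN_MEM_EXECUTE */
#define SCN_MEM_READ    0x40000000u   /* IMAGE_SCN_MEM_READ */
#define SCN_MEM_WRITE   0x80000000u   /* IMAGE_SCN_MEM_WRITE */
#define PAGE_4K         0x1000u
#define IMG_MAX         2048

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }

struct section { char name[9]; uint32_t vaddr, chars; };
struct pe_info { uint32_t section_align; int nsec; struct section sec[16]; };

/* Parse the MZ stub, PE signature, COFF header and section table; -1 if malformed. */
static int pe_parse(const uint8_t *img, size_t len, struct pe_info *out)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return -1;
    uint32_t pe = rd32(img + 0x3c);                       /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(img + pe, "PE\0\0", 4) != 0)
        return -1;
    const uint8_t *coff = img + pe + 4;                   /* 20-byte COFF header */
    out->nsec = rd16(coff + 2);
    uint16_t opt_size = rd16(coff + 16);
    const uint8_t *opt = coff + 20;
    if (opt_size < 40 || (size_t)(opt - img) + opt_size > len)
        return -1;
    out->section_align = rd32(opt + 32);                  /* PE32+ SectionAlignment */
    const uint8_t *tbl = opt + opt_size;                  /* 40-byte section entries */
    if (out->nsec > 16 || (size_t)(tbl - img) + (size_t)out->nsec * 40 > len)
        return -1;
    for (int i = 0; i < out->nsec; i++) {
        const uint8_t *e = tbl + i * 40;
        memcpy(out->sec[i].name, e, 8);
        out->sec[i].name[8] = 0;
        out->sec[i].vaddr = rd32(e + 12);
        out->sec[i].chars = rd32(e + 36);
    }
    return 0;
}

/* 1 if the image declares 4K section alignment, every section starts on a 4K
 * boundary, and no section is both writable and executable; 0 otherwise. */
static int pe_layout_ok(const uint8_t *img, size_t len)
{
    struct pe_info pi;
    if (pe_parse(img, len, &pi) < 0 || pi.section_align < PAGE_4K)
        return 0;
    for (int i = 0; i < pi.nsec; i++) {
        uint32_t c = pi.sec[i].chars;
        if (pi.sec[i].vaddr % PAGE_4K || ((c & SCN_MEM_WRITE) && (c & SCN_MEM_EXECUTE)))
            return 0;
    }
    return 1;
}

/* Build a minimal PE32+ image with the given sections (constructed sample data). */
static size_t build_image(uint8_t *buf, uint32_t align, int nsec, const char *const *names,
                          const uint32_t *vaddrs, const uint32_t *chars)
{
    const uint32_t pe = 0x80, opt_size = 240;             /* PE32+ optional header size */
    memset(buf, 0, IMG_MAX);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, pe);
    memcpy(buf + pe, "PE\0\0", 4);
    uint8_t *coff = buf + pe + 4, *opt = coff + 20;
    wr16(coff, 0x8664);                                   /* IMAGE_FILE_MACHINE_AMD64 */
    wr16(coff + 2, (uint16_t)nsec);
    wr16(coff + 16, (uint16_t)opt_size);
    wr16(opt, 0x20b);                                     /* PE32+ magic */
    wr32(opt + 32, align);
    wr32(opt + 36, 512);                                  /* FileAlignment */
    for (int i = 0; i < nsec; i++) {
        uint8_t *e = opt + opt_size + i * 40;
        memcpy(e, names[i], strlen(names[i]));            /* names are at most 8 bytes */
        wr32(e + 12, vaddrs[i]);
        wr32(e + 36, chars[i]);
    }
    return pe + 24 + opt_size + (size_t)nsec * 40;
}

/* Layout in the spirit of the 6.7 rework: R-X .text and RW- .data, 4K aligned. */
static int sample_modern_layout_ok(void)
{
    static const char *const names[] = { ".text", ".data" };
    static const uint32_t vaddrs[] = { 0x1000, 0x3000 };
    static const uint32_t chars[] = { SCN_MEM_READ | SCN_MEM_EXECUTE, SCN_MEM_READ | SCN_MEM_WRITE };
    uint8_t buf[IMG_MAX];
    return pe_layout_ok(buf, build_image(buf, 4096, 2, names, vaddrs, chars));
}

/* Older style: one RWX section at 512-byte alignment, which the check rejects. */
static int sample_legacy_layout_ok(void)
{
    static const char *const names[] = { ".setup" };
    static const uint32_t vaddrs[] = { 0x200 };
    static const uint32_t chars[] = { SCN_MEM_READ | SCN_MEM_WRITE | SCN_MEM_EXECUTE };
    uint8_t buf[IMG_MAX];
    return pe_layout_ok(buf, build_image(buf, 512, 1, names, vaddrs, chars));
}

int main(void)
{
    printf("modern layout ok: %d\nlegacy layout ok: %d\n",
           sample_modern_layout_ok(), sample_legacy_layout_ok());
    return 0;
}
```

To run the same check on a real image, read arch/x86/boot/bzImage into a buffer and pass it to pe_layout_ok(); the parser only needs the headers, so the first few kilobytes suffice.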
Other New Features in Linux Kernel 6.7
This release also introduces support for NVIDIA’s GSP firmware in the Nouveau open-source graphics driver. Notable updates include enhancements to the Btrfs file system, networking improvements, and updates to file systems like EXT4, F2FS, and exFAT. The kernel brings support for new hardware, architectures, and AMD platforms, as well as security updates, such as AppArmor improvements.
Linux Kernel 4.14 Reached End of Life
The long-term supported (LTS) Linux 4.14 kernel series, initially released on November 12th, 2017, has officially reached its end of life after being maintained for over six years. Users still on this kernel version are advised to upgrade to newer long-term supported kernels like Linux 5.4 (supported until December 2025), Linux 5.10, Linux 5.15, Linux 6.1, or Linux 6.6 (all supported until December 2026).
Linux kernel 6.7 is available for download, with Linux kernel 6.8 expected to follow in mid-March 2024. Because 6.7 is not a long-term support release, it will receive stable point releases only until shortly after 6.8 ships, so systems that track it need a plan to move on within a couple of months.
A kernel is the core component of the Linux OS, making it crucial to secure it for overall system security. TuxCare offers KernelCare Enterprise that automatically applies all security updates and patches to the Linux kernel without having to reboot or schedule maintenance windows.
The sources for this article can be found on Phoronix.