Linux 6.6 arrives with Shadow Stack, FS improvements, optimizations and more


Linux is a largely free kernel modelled on the Unix kernel, and one of the best-known examples of free and open source software.

Recently Linus Torvalds, creator and maintainer of the Linux kernel, announced the release of version 6.6, after exhausting all excuses to delay it. This new version brings several new features and improvements, particularly in security, hardware support and performance. One of the most notable additions in Linux 6.6 is the EEVDF scheduler, which replaces the CFS scheduler.

Among the main features of Linux 6.6 is the implementation of Intel Shadow Stack (which, despite its name, also benefits certain AMD chips), a hardware security technology that protects applications against return-oriented programming (ROP) attacks on Intel Tiger Lake processors and later.

Main news in Linux 6.6

This new version of Linux 6.6 adds additional configuration options for workqueues to improve processor cache reuse on large systems with multiple last-level (L3) caches. The kernel also includes a utility, tools/workqueue/wq_dump.py, to inspect the current workqueue configuration.

Another notable change is support for numeric values in the /sys/devices/system/cpu/smt/control setting, which determines the number of threads available per CPU core (previously only "on" and "off" were accepted, to enable or disable simultaneous multithreading). The new feature can be used on some PowerPC processors that support SMT hotplug to selectively enable SMT on specific cores at runtime.
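To show how a tool would consume the new numeric form of this setting, here is an added C example (not from the article or the kernel tree) that reads /sys/devices/system/cpu/smt/control, classifies its value, and offers a writer for the administrator side. Beyond the "on"/"off" and numeric forms mentioned above, it also recognises "forceoff", "notsupported" and "notimplemented", the other values documented in Documentation/ABI/testing/sysfs-devices-system-cpu; the struct, enum and function names are this example's own.

```c
/* Added example, not from the article or the kernel tree: read and classify
 * the /sys/devices/system/cpu/smt/control value, including the numeric
 * "N threads per core" form introduced in 6.6. The states "forceoff",
 * "notsupported" and "notimplemented" are the other values documented in
 * Documentation/ABI/testing/sysfs-devices-system-cpu; the struct, enum and
 * function names below are this example's own. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SMT_CONTROL_PATH "/sys/devices/system/cpu/smt/control"

enum smt_state {
    SMT_ON,          /* all hardware threads enabled */
    SMT_OFF,         /* one thread per core */
    SMT_THREADS,     /* N threads per core (6.6 numeric form) */
    SMT_FORCEOFF,    /* disabled and cannot be changed */
    SMT_UNSUPPORTED, /* "notsupported" or "notimplemented" */
    SMT_UNKNOWN      /* value not recognised by this parser */
};

struct smt_control {
    enum smt_state state;
    int threads; /* meaningful only when state == SMT_THREADS */
};

/* Classify one value as read from smt/control; a trailing newline is ignored. */
struct smt_control smt_parse_control(const char *raw)
{
    struct smt_control c = { SMT_UNKNOWN, 0 };
    char buf[32];
    size_t n = strcspn(raw, "\r\n");

    if (n >= sizeof buf)
        return c;
    memcpy(buf, raw, n);
    buf[n] = '\0';

    if (strcmp(buf, "on") == 0) {
        c.state = SMT_ON;
    } else if (strcmp(buf, "off") == 0) {
        c.state = SMT_OFF;
    } else if (strcmp(buf, "forceoff") == 0) {
        c.state = SMT_FORCEOFF;
    } else if (strcmp(buf, "notsupported") == 0 || strcmp(buf, "notimplemented") == 0) {
        c.state = SMT_UNSUPPORTED;
    } else if (isdigit((unsigned char)buf[0])) {
        /* Numeric form: accept only a plain positive decimal integer. */
        char *end;
        long v = strtol(buf, &end, 10);
        if (*end == '\0' && v > 0 && v <= INT_MAX) {
            c.state = SMT_THREADS;
            c.threads = (int)v;
        }
    }
    return c;
}

/* Read the live value. Returns 0 on success, -errno on failure. */
int smt_read_control(struct smt_control *out)
{
    char line[64];
    FILE *f = fopen(SMT_CONTROL_PATH, "r");

    if (!f)
        return -errno;
    if (!fgets(line, sizeof line, f)) {
        fclose(f);
        return -EIO;
    }
    fclose(f);
    *out = smt_parse_control(line);
    return 0;
}

/* Write a new value ("on", "off" or a thread count such as "2"). Needs root and
 * an architecture that implements SMT hotplug; returns 0 or -errno. */
int smt_write_control(const char *value)
{
    FILE *f = fopen(SMT_CONTROL_PATH, "w");
    int rc = 0;

    if (!f)
        return -errno;
    if (fputs(value, f) == EOF)
        rc = -EIO;
    if (fclose(f) != 0 && rc == 0) /* the write is flushed here */
        rc = -errno;
    return rc;
}

int main(void)
{
    struct smt_control c;
    int rc = smt_read_control(&c);

    if (rc < 0) {
        printf("%s: %s\n", SMT_CONTROL_PATH, strerror(-rc));
        return 1;
    }
    if (c.state == SMT_THREADS)
        printf("SMT partially enabled: %d threads per core\n", c.threads);
    else
        printf("SMT state code: %d\n", (int)c.state);
    return 0;
}
```

The parser deliberately rejects "0", negative numbers and values with trailing characters rather than guessing, so a monitoring script built on it reports an unexpected kernel value instead of silently treating it as a thread count.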

On the file system side, Linux 6.6 brings improvements to zoned device support and compression in F2FS, support for shared mmaps in non-cached mode for FUSE, fixes for netfilter and BPF, numerous fixes for the AMDGPU driver, regression fixes for MIDI 2.0 support and better Intel RAPL power management.

Linux 6.6 also adds a just-in-time (JIT) BPF compiler for the PA-RISC architecture, SMT hotplug support for the PowerPC architecture, a new mount API flag that prevents a mount from sharing an in-memory superblock with other mounts, support for SEV-SNP and TDX guests under Hyper-V, and initial support for network operations in the io_uring subsystem. Support for defragmenting IPv4 and IPv6 packets, as well as the ability to filter fragmented packets, has been added to the BPF subsystem. A new hook, update_socket_protocol, was added to BPF to allow BPF programs to change the requested protocol for new sockets.

Besides that, information has been added to the /proc/pid/smaps file to diagnose the effectiveness of the mechanism for merging identical memory pages (KSM, Kernel Samepage Merging).

The Frontswap API has been removed. It allowed swap to be placed in memory that cannot be addressed directly and that provides no information about how much free space is available. This API was used only by zswap, so it was decided to implement the functionality directly in zswap, eliminating an unnecessary layer.

XFS has been prepared for online checking and repair with the fsck utility, that is, without unmounting the file system. Additionally, XFS can now use large folios in the page cache, and related optimizations were added that significantly improve performance for some workload types.

The tmpfs file system has gained support for extended user attributes (user xattrs), direct I/O, and user and group quotas. Directory offsets were made stable, which resolved issues with exporting tmpfs over NFS.

In addition to this, an implementation of the Shadow Stack mechanism was added, which blocks the operation of many exploits by using the hardware capabilities of Intel processors to protect against overwriting a function's return address in the event of a stack buffer overflow.

The essence of the protection is that when control passes to a function, the processor stores the return address not only on the normal stack but also on a separate "shadow" stack, which cannot be modified directly. Before the function returns, the return address is popped from the shadow stack and compared with the return address on the main stack. Mismatched addresses raise an exception, blocking situations where an exploit managed to overwrite an address on the main stack. The hardware shadow stack is only supported in 64-bit builds; software emulation is used in 32-bit builds.
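The following C program is an added example, not code from the article or the kernel. It models the call/return comparison just described with two arrays (a writable "main" stack and a "shadow" stack that only the modelled call and return touch), so the mismatch path can be exercised on any machine, and it adds the check a defender would run on a real 6.6 system: querying arch_prctl(ARCH_SHSTK_STATUS) to see whether the shadow stack is active for the current thread, and parsing the "x86_Thread_features:" line that 6.6 exposes in /proc/pid/status. The ARCH_SHSTK_* constants match the x86 UAPI header (asm/prctl.h); the function names (model_call, model_ret, shstk_active, status_has_shstk) and the sample status text are this example's own.

```c
/* Added example, not from the article or the kernel tree: a model of the
 * shadow-stack return check, plus a live status query on x86_64 Linux 6.6+.
 * ARCH_SHSTK_STATUS / ARCH_SHSTK_SHSTK are the UAPI values from asm/prctl.h;
 * everything else (names, sample data) is constructed for this example. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#define ARCH_SHSTK_STATUS 0x5005
#define ARCH_SHSTK_SHSTK  (1ULL << 0)

/* --- Model of the mechanism: every call records the return address twice. */
#define DEPTH 16
static uintptr_t mstack[DEPTH]; /* "main" stack: writable by ordinary code   */
static uintptr_t sstack[DEPTH]; /* "shadow" stack: touched only by call/ret */
static int msp, ssp;

/* CALL: push the return address on both stacks. Returns 0, or -1 on overflow. */
int model_call(uintptr_t ret_addr)
{
    if (msp >= DEPTH)
        return -1;
    mstack[msp++] = ret_addr;
    sstack[ssp++] = ret_addr;
    return 0;
}

/* Stand-in for a memory-safety bug that clobbers the saved return address. */
void model_corrupt_top(uintptr_t value)
{
    if (msp > 0)
        mstack[msp - 1] = value;
}

/* RET: pop both copies and compare. Returns the address to resume at, or 0
 * when the copies disagree (hardware raises a control-protection fault). */
uintptr_t model_ret(void)
{
    if (msp == 0 || ssp == 0)
        return 0;
    uintptr_t from_main = mstack[--msp];
    uintptr_t from_shadow = sstack[--ssp];
    return from_main == from_shadow ? from_shadow : 0;
}

/* --- Live check. 1 = shadow stack active for this thread, 0 = not active,
 * -1 = the kernel, CPU or architecture does not provide the interface. */
int shstk_active(void)
{
#ifdef SYS_arch_prctl
    long syscall(long number, ...); /* glibc prototype, for strict -std modes */
    unsigned long long features = 0;
    if (syscall(SYS_arch_prctl, ARCH_SHSTK_STATUS, &features) != 0)
        return -1; /* EINVAL/ENOSYS: older kernel or no CPU support */
    return (features & ARCH_SHSTK_SHSTK) ? 1 : 0;
#else
    return -1;
#endif
}

/* Parse the "x86_Thread_features:" line from /proc/<pid>/status text.
 * Returns 1 if "shstk" is listed, 0 if the line is absent or lacks it. */
int status_has_shstk(const char *status_text)
{
    const char *key = "x86_Thread_features:";
    const char *p = strstr(status_text, key);
    char line[256];

    if (!p)
        return 0;
    const char *eol = strchr(p, '\n');
    size_t len = eol ? (size_t)(eol - p) : strlen(p);
    if (len >= sizeof line)
        len = sizeof line - 1;
    memcpy(line, p, len);
    line[len] = '\0';
    for (char *tok = strtok(line + strlen(key), " \t"); tok; tok = strtok(NULL, " \t"))
        if (strcmp(tok, "shstk") == 0)
            return 1;
    return 0;
}

int main(void)
{
    model_call(0x401000);
    model_corrupt_top(0x4141414141414141ULL); /* constructed overwrite value */
    printf("model: ret -> %#lx (0 = mismatch detected)\n", (unsigned long)model_ret());
    printf("live:  shadow stack active = %d\n", shstk_active());
    return 0;
}
```

On a machine without the feature, shstk_active() returns -1 rather than 0, so the caller can distinguish "protection off" from "interface unavailable"; note that a process only shows shstk as active when both the CPU and kernel support it and the binary's loader enabled it, so the /proc status line is the quickest way to audit a running service.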

Other changes that stand out in this release:

  • Added initial support for ARM SME (Scalable Matrix Extension) instructions.
  • The capabilities of the perf utility have been expanded.
  • Added a new character device interface (/dev/vfio/devices/vfioX) to the VFIO subsystem for managing VFIO devices, allowing the user to open a device file directly without going through the legacy /dev/vfio/$groupID group interface.
  • The NFS server no longer supports legacy Kerberos encryption types that use the DES and 3DES algorithms.
  • The implementation of the AF_XDP (eXpress Data Path) address family has been extended to work with packets stored in multiple buffers.
  • Programs that use AF_XDP sockets can now receive and transmit packets from multiple buffers at once.
  • The experimental development flag was removed from the ksmbd module, which provides a kernel-level implementation of a file server based on the SMB3 protocol.
  • Added support for combining read operations ("compound read" requests).

Finally, if you want to learn more, you can find the details at the following link.

