Linux 5.11 comes with improvements for Btrfs, support improvements for AMD, USB4 and more


After two months of development, Linus Torvalds announced a few days ago the release of version 5.11 of the Linux kernel. Among the most notable changes in this release are support for Intel SGX enclaves, a new mechanism to intercept system calls, a virtual auxiliary bus, fast filtering of system calls in seccomp, the end of maintenance for the ia64 architecture, and the ability to encapsulate SCTP in UDP.

The new version received 15480 fixes from 1991 developers, and the patch size is 72 MB (the changes affected 12090 files, with 868,025 lines of code added and 261,456 lines removed). Approximately 46% of all changes introduced in 5.11 are related to device drivers, approximately 16% to updating code specific to hardware architectures, 13% to the network stack, 3% to file systems and 4% to internal kernel subsystems.

Main news in Linux 5.11

In Linux 5.11, several mount options were added to Btrfs for use when recovering data from corrupted filesystems. Support for the previously deprecated "inode_cache" mount option was removed, and the code was prepared to support metadata and data blocks smaller than a page (PAGE_SIZE), as well as space allocation by zones.

In addition, a new mechanism based on prctl() has been added to intercept system calls. It allows an exception to be raised to user space when a specific system call is invoked, so that its execution can be emulated. Wine and Proton need this functionality to emulate Windows system calls, which is necessary for compatibility with games and programs that execute system calls directly without going through the Windows API (for example, to protect against unauthorized use).

For the RISC-V architecture, support has been added for the Contiguous Memory Allocator (CMA), which is optimized for allocating large contiguous memory areas by moving pages. RISC-V also gains tools to limit access to /dev/mem and accounting of interrupt processing time.

For 32-bit ARM systems, support has been added for the KASan (kernel address sanitizer) debugging tool, which detects errors in memory handling. For 64-bit ARM, the KASan implementation has been moved to use MTE (MemTag) tags.

Regarding virtualization and security, the seccomp() system call stands out: it has gained a fast response mode that very quickly determines whether a specific system call is allowed or denied based on a constant action bitmap attached to the process, without needing to run a BPF handler.

The kernel also integrates components for creating and managing enclaves based on Intel SGX (Software Guard eXtensions) technology, which allows applications to execute code in isolated, encrypted memory areas to which the rest of the system has restricted access.

For ARM64 systems, the ability to use MTE (MemTag, Memory Tagging Extension) tags for signal handler memory addresses was added. The use of MTE is enabled by specifying the SA_EXPOSE_TAGBITS option in sigaction() and makes it possible to verify that pointers are used correctly, blocking the exploitation of vulnerabilities.

Finally, on the driver side, support for Intel Maple Ridge, the first discrete USB4 host controller, stands out, as does support for AMD "Green Sardine" APUs (Ryzen 5000) and "Dimgrey Cavefish" GPUs (Navi 2), along with initial support for AMD Van Gogh APUs with Zen 2 cores and RDNA 2 (Navi 2) GPUs. Support was also added for the new Renoir APU IDs (based on Zen 2 CPU and Vega GPU).

The nouveau driver adds initial support for NVIDIA GPUs based on the "Ampere" microarchitecture (GA100, GeForce RTX 30xx), currently limited to video mode controls.
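The bitmap idea can be modelled in user space; the following is an added example, not kernel code and not from the original article. It emulates a classic-BPF seccomp filter for each syscall number with only the architecture and syscall number known, and records in a bitmap those that always end in an allow verdict. The names `is_const_allow` and `allow_bitmap`, the sample filter, its syscall numbers and the 32-entry table are constructed for illustration, and this model records only the allow verdict.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#define OFF(m) offsetof(struct seccomp_data, m)
#define LD(m) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(m))
#define JEQ(k, t, f) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, k, t, f)
#define RET(v) BPF_STMT(BPF_RET | BPF_K, v)

/* Constructed sample: syscalls 0 and 1 allowed for any arguments, 16 only
 * when args[1] == 0x5401; everything else, and any other arch, is killed. */
static const struct sock_filter sample[] = {
    LD(arch), JEQ(AUDIT_ARCH_X86_64, 1, 0), RET(SECCOMP_RET_KILL), /* 0-2 */
    LD(nr), JEQ(0, 4, 0), JEQ(1, 3, 0), JEQ(16, 0, 3),             /* 3-6 */
    LD(args[1]), JEQ(0x5401, 0, 1),                                /* 7-8 */
    RET(SECCOMP_RET_ALLOW), RET(SECCOMP_RET_KILL),                 /* 9-10 */
};

/* 1 if the filter reaches RET ALLOW reading only arch and nr, else 0. */
static int is_const_allow(const struct sock_filter *f, size_t len, uint32_t arch, uint32_t nr)
{
    uint32_t a = 0;                     /* BPF accumulator */
    for (size_t pc = 0; pc < len; pc++) {
        switch (f[pc].code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (f[pc].k != OFF(nr) && f[pc].k != OFF(arch)) return 0; /* reads args or IP */
            a = f[pc].k == OFF(nr) ? nr : arch; break;
        case BPF_RET | BPF_K: return f[pc].k == SECCOMP_RET_ALLOW;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += a == f[pc].k ? f[pc].jt : f[pc].jf; break;
        default: return 0;              /* instruction not modelled: do not cache */
        }
    }
    return 0;
}

/* Computed once at attach time; bit n set means syscall n skips the filter. */
static uint32_t allow_bitmap(const struct sock_filter *f, size_t len, uint32_t arch)
{
    uint32_t map = 0;
    for (uint32_t nr = 0; nr < 32; nr++)
        if (is_const_allow(f, len, arch, nr)) map |= 1u << nr;
    return map;
}

int main(void)
{
    printf("allow bitmap: 0x%08x\n", allow_bitmap(sample, sizeof(sample) / sizeof(sample[0]), AUDIT_ARCH_X86_64));
}
```

Syscall 16 stays off the fast path because its verdict depends on an argument, so a filter that inspects arguments for a hot syscall still pays the full BPF cost for it.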



  1.   ArtEze said

    I saw that they made a Valentine commit in the kernel and I was left with a face of, what?