
Linux 5.13 has been released on Sun, 27 June 2021

Summary: This release includes the Landlock security module, which aims to make it easier to sandbox applications; support for Clang Control Flow Integrity, which aborts execution upon detecting certain forms of undefined behaviour in indirect calls; support for randomising the kernel stack offset on each syscall; support for concurrent TLB flushing; preparatory Apple M1 support; support for upcoming AMD and Intel graphics chips; BPF support for calling kernel functions directly; a virtio sound driver for improved sound experience on virtualized guests; io_uring support for multi-shot poll mode; and a misc cgroup for miscellaneous resources. As always, there are many other features, new drivers, improvements and fixes.

1. Prominent features

1.1. Landlock security module

Landlock is a new Linux security module that allows applications to be sandboxed. The goal of Landlock is to make it possible to restrict ambient rights (e.g. global filesystem access) for a set of processes. Because Landlock is a stackable LSM, it makes it possible to create safe security sandboxes as new security layers on top of the existing system-wide access controls. This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviours in user-space applications. Landlock empowers any process, including unprivileged ones, to securely restrict itself. Once applied, a Landlock restriction is inherited by all descendants of the process (across fork and execve) and cannot be lifted; further restrictions can only stack on top of it.

Landlock is inspired by seccomp-bpf, but instead of filtering syscalls and their raw arguments, a Landlock rule can restrict the use of kernel objects like file hierarchies, according to the kernel's semantics. Landlock also takes inspiration from other OS sandbox mechanisms: XNU Sandbox, FreeBSD Capsicum and OpenBSD Pledge/Unveil.

In its current form, Landlock lacks some access-control features; this keeps the patch series minimal and eases review. It still addresses multiple use cases, especially in combination with seccomp-bpf: applications with built-in sandboxing, init systems, security sandbox tools and security-oriented APIs. The initial ABI (version 1) covers filesystem access rights only and is exposed through three new syscalls, landlock_create_ruleset(), landlock_add_rule() and landlock_restrict_self(). The kernel must be built with CONFIG_SECURITY_LANDLOCK=y and "landlock" must be present in the lsm= list, otherwise the syscalls fail with EOPNOTSUPP.

Recommended LWN article: Sandboxing with the Landlock security module

1.2. Support for Clang Control Flow Integrity

This release builds on last cycle's LTO work and allows arm64 kernels to be built with Clang's Control Flow Integrity (CONFIG_CFI_CLANG, which depends on CONFIG_LTO_CLANG). CFI checks at each indirect call that the target function has the expected type signature and aborts execution (or only warns, with CONFIG_CFI_PERMISSIVE) upon detecting a mismatch, a form of undefined behaviour that attackers can otherwise exploit to subvert the program's control flow. This feature has lived in Android kernels for almost 3 years. CFI support for x86 is still under development, but is pretty close.

Recommended LWN article: Control-flow integrity for the kernel

1.3. Support for randomising the stack address offset in each syscall

This release supports randomizing the kernel stack offset on each syscall entry, to make stack-based attacks that rely on a deterministic kernel stack layout harder. The feature is based on the original idea of PaX's RANDKSTACK feature, but uses a significantly different implementation.

The feature is guarded by a static branch, which avoids the overhead when it is disabled. It is off unless CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y, and can be toggled at boot with randomize_kstack_offset=on/off. As of this release it is supported on x86 and arm64.

1.4. Support for concurrent TLB flushing

Before this release, local and remote TLB flushes were not performed concurrently, which introduced unnecessary overhead: each INVLPG can take hundreds of cycles. This patch set allows TLB flushes to run concurrently: first request the remote CPUs to initiate the flush, then run it locally, and finally wait for the remote CPUs to finish their work. In testing this improved sysbench performance measurably, by a couple of percentage points, especially when TLB-heavy security mitigations (such as page-table isolation) are active.

1.5. Preparatory Apple M1 support

This kernel includes initial support for the Apple M1 platform. The Apple M1 is the processor used in all current-generation Apple Macintosh computers. Support for this platform is so far rudimentary, but it boots and can use a framebuffer and a serial console over a special USB cable.

Support for several essential on-chip devices (USB, PCIe, IOMMU, NVMe) is work in progress but was not ready in time for this release.

A very detailed description of what works is in the commit messages and on the AsahiLinux wiki.

1.6. Support for upcoming AMD and Intel graphics chips

This release includes initial support for upcoming Intel and AMD chips, such as Intel Alder Lake-S and AMD Aldebaran.

1.7. BPF support for calling kernel functions directly

This release allows BPF programs to call kernel functions directly (initially so that BPF TCP congestion control implementations can reuse existing kernel helpers such as tcp_slow_start() and tcp_reno_cong_avoid() instead of reimplementing them). The set of callable functions is an allow list maintained per program type by the kernel, and the verifier checks the call's arguments against the functions' BTF type information.

Recommended LWN article: Calling kernel functions from BPF

1.8. A virtio sound driver for improved sound experience on virtualized guests

This release adds the driver side of the virtio sound device specification.

The driver supports PCM playback and capture substreams, and jack and channel-map controls. A message-based transport is used to write/read PCM frames to/from the device.

OpenSynergy's proprietary implementation was used as the device side during development.

1.9. io_uring support for multi-shot poll mode

Support for multi-shot poll. This allows arming a poll request for a given event mask and then having it trigger multiple times. The default behaviour for io_uring IORING_OP_POLL_ADD has been one-shot: one SQE issued results in one CQE filled (when the event triggers) and termination of the poll request after that. With multi-shot (the IORING_POLL_ADD_MULTI flag), one POLL_ADD generates a CQE every time the event triggers. Each such CQE carries IORING_CQE_F_MORE while the poll remains armed; a CQE without that flag (for example after an error or an explicit removal) signals that the request has terminated and no further completions will follow.

1.10. Add misc cgroup

This implements generic support for misc resources, which can be controlled simply by counting and limiting the number of resource instances: there are X of these on the system and this cgroup subtree can have up to Y of them. The controller exposes misc.capacity (root cgroup only), misc.current and misc.max.

The first user is the address-space IDs (ASIDs) used for virtual machine memory encryption with AMD SEV and SEV-ES, exposed as the sev and sev_es resources. Expected future usages are similar: niche hardware features with concrete resource limits and simple usage models.

2. Core (various)

3. File systems

4. Memory management

5. Block layer

6. Tracing, perf and BPF

7. Virtualization

8. Security

9. Networking

10. Architectures

10.1. ARM

10.2. X86

10.3. MIPS

10.4. POWERPC

10.5. RISCV

10.6. S390

10.7. IA64

10.8. XTENSA

11. Drivers

11.1. Graphics

11.2. Power Management

11.3. Storage

11.4. Drivers in the Staging area

11.5. Networking

11.6. Audio

11.7. Tablets, touch screens, keyboards, mouses

11.8. TV tuners, webcams, video capturers

11.9. Universal Serial Bus

11.10. Serial Peripheral Interface (SPI)

11.11. Watchdog

11.12. Serial

11.13. CPU Frequency scaling

11.14. Voltage, current regulators, power capping, power supply

11.15. Real Time Clock (RTC)

11.16. Pin Controllers (pinctrl)

11.17. Multi Media Card (MMC)

11.18. Memory Technology Devices (MTD)

11.19. Industrial I/O (iio)

11.20. Multi Function Devices (MFD)

11.21. Pulse-Width Modulation (PWM)

11.22. Inter-Integrated Circuit (I2C + I3C)

11.23. Hardware monitoring (hwmon)

11.24. General Purpose I/O (gpio)

11.25. Leds

11.26. DMA engines

11.27. Cryptography hardware acceleration

11.28. PCI

11.29. Remote Processors

11.30. Clock

11.31. PHY ("physical layer" framework)

11.32. Various

12. List of Pull Requests

13. Other news sites

KernelNewbies: Linux_5.13 (last edited 2021-09-04 00:37:47 by diegocalleja)