In association with heise online

Architecture

The Linux kernel now supports the 64-bit ARM instruction set (see 1, 2, 3, 4 and others). The code for this instruction set, officially known as AArch64, has largely been developed by ARM staff and has been placed in a separate arch/arm64/ directory in the kernel source, as a number of kernel developers suggested when the code was first presented. This keeps it apart from the code for 32-bit ARM processors, just as 32- and 64-bit x86 support was kept apart until the two were merged a few years ago. Some developers questioned whether the separation was the best approach; Linus Torvalds is one of them, as a comment in the release email for the first pre-release version of Linux 3.7 shows.

Linux 3.7 saw multi-platform support merged. It allows the creation of a kernel image able to run on a range of different 32-bit ARM platforms. In 3.7, this kernel image supports Highbank, Mvebu, Picoxcell, Socfpga and Vexpress. Code from further platforms will be converted for subsequent kernel versions, with the goal of having a kernel image able to run on many different ARM platforms, just as is normal in the x86 world.

Security

The Linux kernel now supports the processor security feature SMAP (supervisor mode access prevention) (1, 2, 3 and others). Intel is planning to introduce this feature in its Haswell processors, which are set to succeed the current Ivy Bridge generation in the first half of 2013. With SMAP enabled, the CPU raises a fault whenever code running in supervisor mode, i.e. the kernel, reads or writes a page that belongs to user space, unless the kernel has explicitly and briefly lifted the restriction with the new STAC/CLAC instructions; Linux wraps these around its copy_to_user()/copy_from_user() style accessors, so only the code paths that are meant to touch user memory may do so. This closes a common exploitation shortcut: attackers exploiting a kernel bug such as a corrupted or uninitialised pointer would point the kernel at data they had prepared in their own user-space memory and have it read or written with kernel privileges, in order to escalate their own privileges. SMAP complements SMEP, which Ivy Bridge already offers and which stops the kernel from executing user-space code; SMAP covers data accesses. Whether a processor supports the feature can be seen from the "smap" flag in /proc/cpuinfo, and the new "nosmap" kernel parameter switches it off. Details of this feature can be found from page 408 of Intel's Architecture Instruction Set Extensions Programming Reference PDF, in a posting on the grsecurity forum, and in an LWN.net article.

Virtualisation

In conjunction with development versions of the Xen 4.3 hypervisor, Linux can now host virtual machines that use the hardware virtualisation extensions offered by some of the latest ARM cores (1, 2 and others). KVM support for these ARM virtualisation features is still a work in progress. The main git pull requests for the Linux KVM code and for Xen support discuss other significant changes in the virtualisation field.

Performance Monitoring

The tracing infrastructure has gained perf-kvm, an analysis tool that can be used to establish why, and how often, a KVM guest hands control back to the host system ("VM exit"). This is just one of many enhancements to the tracing code. There is also a new system-wide tracing tool, perf-trace, whose initial functionality its developers compare to that of the "venerable" strace. The new tool, however, is built on the kernel's perf infrastructure, which should allow it to offer a broader range of functions.

Infrastructure

Linux 3.7 can sign kernel modules and verify those signatures, and therefore the integrity and origin of the modules, before loading them (1, 2, 3, 4, 5, 6, 7). Some enterprise distributions have had similar features for a while – for example, to ensure that the modules in use on a system being troubleshot really come from the distribution kernel. Developers have been working on integrating the functionality into Linux because some distributions want to load only signed kernel modules when booted with UEFI Secure Boot – this is now possible with the integrated code. The signature is appended to the module file at build time by scripts/sign-file and is checked against the keys compiled into the kernel. What happens to a module that carries no valid signature depends on the configuration: with CONFIG_MODULE_SIG_FORCE (or the module.sig_enforce boot parameter) it is refused, otherwise it is loaded and the kernel is marked as tainted.
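To make the appended-signature format concrete, here is an added example (not the kernel's or the distributions' code) that builds the trailer Linux 3.7 expects at the end of a signed .ko and parses it back in the same order, with the same bounds checks, as kernel/module_signing.c applies before the key is even consulted. The enum values for RSA, X.509 and the digest algorithms are taken from the 3.7 headers and are assumptions here; the sample module body, signer name, key id and the all-zero signature are constructed placeholders, and no RSA verification is performed.

```python
import hashlib
import struct

# Trailer layout of a signed module in Linux 3.7 (the information block comes last):
#   [ module ][ signer name ][ key id ][ signature ][ struct module_signature ][ magic ]
MODULE_SIG_STRING = b"~Module signature appended~\n"
# struct module_signature: u8 algo, hash, id_type, signer_len, key_id_len, __pad[3]; __be32 sig_len
MODULE_SIGNATURE = struct.Struct(">BBBBB3xI")

# Enum values assumed from the 3.7 headers (enum pkey_algo / pkey_id_type / pkey_hash_algo).
PKEY_ALGO_RSA = 1
PKEY_ID_X509 = 1
PKEY_HASH = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}


def append_signature(module, signer, key_id, signature,
                     algo=PKEY_ALGO_RSA, hash_algo=4, id_type=PKEY_ID_X509):
    """Produce the on-disk form scripts/sign-file writes. The RSA signature itself is
    supplied by the caller; this example does not compute one."""
    if len(signer) > 255 or len(key_id) > 255:
        raise ValueError("signer name and key id are u8-sized length fields")
    info = MODULE_SIGNATURE.pack(algo, hash_algo, id_type,
                                 len(signer), len(key_id), len(signature))
    return module + signer + key_id + signature + info + MODULE_SIG_STRING


def split_signed_module(blob):
    """Parse from the end, in the kernel's order, rejecting anything whose declared
    lengths do not fit inside the file. Returns the fields plus the digest that the
    signature would have to cover."""
    if not blob.endswith(MODULE_SIG_STRING):
        raise ValueError("no module signature appended")
    modlen = len(blob) - len(MODULE_SIG_STRING)
    if modlen <= MODULE_SIGNATURE.size:
        raise ValueError("too short to hold struct module_signature")
    modlen -= MODULE_SIGNATURE.size
    algo, hash_algo, id_type, signer_len, key_id_len, sig_len = \
        MODULE_SIGNATURE.unpack_from(blob, modlen)
    if sig_len >= modlen:
        raise ValueError("declared signature length exceeds file")
    modlen -= sig_len
    if signer_len + key_id_len >= modlen:
        raise ValueError("declared signer/key id lengths exceed file")
    modlen -= signer_len + key_id_len
    # 3.7 only knows RSA signatures over X.509 key identifiers.
    if algo != PKEY_ALGO_RSA or id_type != PKEY_ID_X509:
        raise ValueError("unsupported public-key algorithm or key identifier type")
    if hash_algo not in PKEY_HASH:
        raise ValueError("unsupported digest algorithm %d" % hash_algo)
    module = blob[:modlen]
    signer_end = modlen + signer_len
    key_id_end = signer_end + key_id_len
    return {
        "module": module,
        "signer": blob[modlen:signer_end],
        "key_id": blob[signer_end:key_id_end],
        "signature": blob[key_id_end:key_id_end + sig_len],
        "hash": PKEY_HASH[hash_algo],
        # The value the RSA signature must match once it has been decoded with the
        # key selected by (signer, key_id); the signature covers the bare module only.
        "digest": hashlib.new(PKEY_HASH[hash_algo], module).hexdigest(),
    }


def is_well_formed(blob):
    """True if the trailer passes the structural checks above (signature not verified)."""
    try:
        split_signed_module(blob)
        return True
    except ValueError:
        return False


# Constructed sample input: a stand-in for an ELF module and a placeholder signature.
SAMPLE_MODULE = b"\x7fELF constructed stand-in for a .ko, not a real module\n"
SAMPLE_SIGNER = b"Build time autogenerated kernel key"
SAMPLE_KEY_ID = bytes.fromhex("1122334455667788")
SAMPLE_SIGNATURE = b"\x00" * 256      # where a 2048-bit RSA signature would go


def demo():
    signed = append_signature(SAMPLE_MODULE, SAMPLE_SIGNER, SAMPLE_KEY_ID, SAMPLE_SIGNATURE)
    return split_signed_module(signed)


if __name__ == "__main__":
    parts = demo()
    print("signer:", parts["signer"].decode(), "key id:", parts["key_id"].hex())
    print("%s digest the signature must cover: %s" % (parts["hash"], parts["digest"]))
    print("unsigned file accepted?", is_well_formed(SAMPLE_MODULE))
```

Because every length lives in the trailer, the checks run strictly from the end of the file inwards; a module that merely ends with the magic string but whose lengths point outside the file is rejected before any cryptography happens, which is also why the magic alone proves nothing about a module's origin.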

Eric W. Biederman integrated a large patch series that improves support for user namespaces, which allow the user and group IDs inside a container to be kept strictly separate from those of the host: a process that is root inside the namespace is backed by an unprivileged ID outside it (1, 2, 3, 4). The changes build on the "user namespace enhancements" that Biederman contributed to Linux 3.5, which he described at the time as a course correction for user namespaces. Biederman is preparing additional patches for 3.8 that should wrap up the major reconstruction of the namespace code; the new infrastructure will then be complete and will allow an unprivileged user to simply set up and use such a namespace without root privileges.
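The separation of IDs described above is expressed through the /proc/<pid>/uid_map and gid_map files, each line of which reads "first ID inside the namespace, first ID on the host, number of IDs". The following is an added example, not kernel code, that reproduces the translation the kernel performs in both directions together with the consistency rules it applies when such a map is written (no overlapping ranges, a limit of five extents in kernels of this era, no wrap-around of the 32-bit ID space). The overflow ID 65534 is the default value of /proc/sys/kernel/overflowuid and is assumed unchanged; the sample map is constructed.

```python
# Translation behind /proc/<pid>/uid_map and gid_map. Each line of the map reads:
#   <first ID inside the namespace> <first ID on the host> <number of IDs>
OVERFLOW_ID = 65534      # default /proc/sys/kernel/overflowuid, assumed unchanged
MAX_EXTENTS = 5          # UID_GID_MAP_MAX_EXTENTS in kernels of this era (raised later)
ID_SPACE = 2 ** 32       # IDs are 32-bit on the kernel side


def parse_id_map(text):
    """Parse uid_map/gid_map text into (inner, outer, count) triples, applying the
    rules the kernel enforces when the map is written."""
    extents = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("expected three fields: %r" % line)
        inner, outer, count = (int(f) for f in fields)
        if count <= 0 or inner < 0 or outer < 0:
            raise ValueError("invalid extent: %r" % line)
        if inner + count > ID_SPACE or outer + count > ID_SPACE:
            raise ValueError("extent wraps the 32-bit ID space: %r" % line)
        for i, o, c in extents:
            # Both the namespace-side and the host-side ranges must be disjoint.
            if inner < i + c and i < inner + count:
                raise ValueError("namespace-side ranges overlap: %r" % line)
            if outer < o + c and o < outer + count:
                raise ValueError("host-side ranges overlap: %r" % line)
        extents.append((inner, outer, count))
    if len(extents) > MAX_EXTENTS:
        raise ValueError("more than %d extents" % MAX_EXTENTS)
    return extents


def to_namespace(extents, host_id):
    """What a process inside the namespace sees for a host ID (kernel: from_kuid).
    Host IDs the map does not cover collapse to the overflow ID, i.e. 'nobody'."""
    for inner, outer, count in extents:
        if outer <= host_id < outer + count:
            return inner + (host_id - outer)
    return OVERFLOW_ID


def to_host(extents, ns_id):
    """Which host ID a namespace-local ID stands for (kernel: make_kuid). Returns None
    for IDs the namespace cannot mint; setuid() or chown() to such an ID fails."""
    for inner, outer, count in extents:
        if inner <= ns_id < inner + count:
            return outer + (ns_id - inner)
    return None


def is_valid_map(text):
    """True if the kernel would accept this map (structural rules only)."""
    try:
        parse_id_map(text)
        return True
    except ValueError:
        return False


# Constructed sample: root inside the container is host uid 1000; the rest of the
# container's users are backed by a block of host IDs starting at 100000.
SAMPLE_UID_MAP = "0 1000 1\n1 100000 65535\n"

if __name__ == "__main__":
    m = parse_id_map(SAMPLE_UID_MAP)
    print("container root is host uid", to_host(m, 0))
    print("host root appears inside the container as uid", to_namespace(m, 0))
    print("container uid 65536 maps to host uid", to_host(m, 65536))
```

The two directions are deliberately asymmetric: a host ID with no mapping is still visible inside the namespace, but only as the overflow ID, whereas a namespace-local ID with no mapping cannot be turned into a host ID at all. That asymmetry is what keeps a "root" inside the container from ever standing for host uid 0 unless the map says so.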

Storage

The MD software RAID code of Linux 3.7 can now use discard to inform the devices in a RAID array of newly deallocated storage areas, which is relevant for SSDs and for thin provisioning (1, 2, 3, 4, 5). The libata subsystem supports "Aggressive SATA device sleep", a power-saving mechanism specified in the AHCI 1.3.1 Technical Proposal that can reduce the power consumption of systems with SATA disks. The block layer now offers the "WRITE SAME" command, which allows a single block of data to be transmitted once and then written to a whole range of blocks. This provides an easy and efficient way to perform tasks such as initialising RAIDs or overwriting entire storage devices.

Next: Summary, Outlook, Statistics

Permalink: http://h-online.com/-1759862