TECHCINDIA | Be Updated Easily-All About Technology Articles.

"Linux 4.15" Released With Improved Meltdown, Spectre Patches

by: ANKIT SUDEGORA


The first new Linux kernel of 2018

Linus Torvalds released the first new Linux kernel of 2018 on Jan. 28, after the longest development cycle for a new Linux kernel in seven years.



On the Linux Kernel Mailing List (LKML), Torvalds explained, "The bulk of the 4.15 work is all the regular plodding 'boring' stuff. And I mean that in the best possible way. It may not be glamorous and get the headlines, but it's the bread and butter of kernel development, and is in many ways the really important stuff."

During a Linux kernel release cycle, Torvalds typically makes a release candidate available once a week, and most cycles run to six to eight release candidates. The Linux 4.15 kernel went through nine release candidates, which makes it the longest cycle since Linux 3.1 was released in 2011. The Linux 3.1 kernel was delayed in part by the 2011 compromise of the kernel.org development server.


As it turns out, the Linux 4.15 kernel delay was also due to security-related issues.


Among the highlights of the new Linux 4.15 kernel is the core reason for the kernel's delay, namely the Meltdown and Spectre CPU flaws, which first became public on January 3.

Linux developers had been quietly working since at least November 2017 on dealing with the Meltdown issue in particular, through an effort known as Page Table Isolation (PTI).


"This obviously was not a pleasant release cycle, with the whole meltdown/spectre thing coming in in the middle of the cycle and not really gelling with our normal release cycle," Torvalds wrote in his release announcement. "The extra two weeks were obviously mainly due to that whole timing issue."


The Meltdown flaw, identified as CVE-2017-5754, affects Intel CPUs, while Spectre, tracked as CVE-2017-5753 and CVE-2017-5715, impacts all modern processors. The issues also affect Microsoft Windows, which has had multiple stability problems related to its patch.

On January 28, Microsoft issued an emergency out-of-band Windows update that disables the patch for the CVE-2017-5715 (Spectre) issue, because the patch was triggering data loss and system reboots.


The Spectre issue is being mitigated in Linux 4.15 with the retpoline code that was originally developed by Google.

Retpoline helps prevent kernel-to-user data leaks by restricting how the CPU speculatively executes indirect branches: the kernel's indirect branches are compiled into a construct that speculation cannot follow to an attacker-chosen target.
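Whether PTI and retpoline are actually active on a given machine is something an administrator can check from user space: starting with Linux 4.15 the kernel reports each flaw's status under /sys/devices/system/cpu/vulnerabilities/, one file per flaw, each holding a single line such as "Mitigation: PTI", "Vulnerable" or "Not affected". The script below is an added example written for this article, not code from the kernel or from the original post; it assumes that sysfs layout and those status-line prefixes, and it falls back to a constructed sample directory so it also runs on systems without the interface.

```python
"""Summarise Meltdown/Spectre mitigation status as reported by the kernel.

Added example, not part of the original article. Assumes the sysfs directory
/sys/devices/system/cpu/vulnerabilities/ introduced in Linux 4.15, where each
file is one line beginning with "Mitigation:", "Vulnerable" or "Not affected".
"""
import os
import tempfile

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of what a 4.15 kernel with PTI and retpoline enabled
# might report; these lines are illustrative, not captured from a real host.
SAMPLE_SYSFS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
}


def classify(status_line):
    """Map one sysfs status line to a coarse category.

    "Vulnerable: ..." (e.g. a partial retpoline) still counts as vulnerable,
    because only the prefix is authoritative; the suffix is explanatory.
    """
    s = status_line.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_vulnerabilities(sysfs_dir=SYSFS_DIR):
    """Return {flaw_name: raw_status_line} for every file in sysfs_dir.

    Returns an empty dict when the directory is absent (pre-4.15 kernel,
    non-Linux host), so callers can tell "no data" from "all mitigated".
    """
    result = {}
    if not os.path.isdir(sysfs_dir):
        return result
    for name in sorted(os.listdir(sysfs_dir)):
        with open(os.path.join(sysfs_dir, name)) as f:
            result[name] = f.read().strip()
    return result


def summarize(statuses):
    """Return (sorted list of flaws still vulnerable, {flaw: category})."""
    classes = {name: classify(line) for name, line in statuses.items()}
    unmitigated = sorted(n for n, c in classes.items() if c == "vulnerable")
    return unmitigated, classes


def write_sample(sysfs_dir):
    """Materialise SAMPLE_SYSFS as files, mimicking the kernel's layout."""
    os.makedirs(sysfs_dir, exist_ok=True)
    for name, line in SAMPLE_SYSFS.items():
        with open(os.path.join(sysfs_dir, name), "w") as f:
            f.write(line)


def run_on_sample():
    """Exercise the reader against the constructed sample; used when the
    live sysfs interface is unavailable."""
    with tempfile.TemporaryDirectory() as d:
        write_sample(d)
        return summarize(read_vulnerabilities(d))


if __name__ == "__main__":
    statuses = read_vulnerabilities()
    source = SYSFS_DIR
    if not statuses:
        source = "constructed sample (live sysfs interface not present)"
        unmitigated, classes = run_on_sample()
    else:
        unmitigated, classes = summarize(statuses)
    print("source:", source)
    for name, cat in classes.items():
        print(f"  {name:12s} {cat}")
    print("unmitigated:", unmitigated or "none")
```

On a real 4.15 host the script reads the live files; anything that classifies as "vulnerable" (including a "Vulnerable: ..." line describing an incomplete retpoline build) is worth flagging in a fleet inventory, while an empty result means the kernel is too old to report at all rather than that it is safe.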


Torvalds also noted that there is still more work to be done to further protect users against Meltdown and Spectre. That said, he emphasized that Linux 4.15 is about more than just patches for CPU vulnerabilities.


"Anyway, while Spectre/Meltdown has obviously been the big news this release cycle, it's worth noting that we obviously had all the *normal* updates going on too," Torvalds wrote. "The work everywhere else didn't just magically stop, even if some developers have been distracted by CPU issues."


Among the new features that have landed in Linux 4.15 is support for expanded security capabilities in Intel and AMD CPUs. On AMD, Linux now supports the AMD Secure Encrypted Virtualization (SEV) capability. "SEV enables running encrypted virtual machines (VMs) in which the code and data of the guest VM are secured so that a decrypted version is available only within the VM itself," the code commit for the feature states.


On Intel CPUs, Linux now supports a feature called User-Mode Instruction Prevention (UMIP) that is intended to help limit the risk of privilege escalation. Ricardo Neri, Linux software engineer at Intel, explained in his Linux kernel commit message that UMIP is a security feature present in new Intel processors.


"If enabled, it prevents the execution of certain instructions if the Current Privilege Level (CPL) is greater than 0," Neri wrote. "If these instructions were executed while in CPL > 0, user space applications could have access to system-wide settings such as the global and local descriptor tables, the segment selectors to the current task state and the local descriptor table. Hiding these system resources reduces the tools available to craft privilege escalation attacks."
