Linux 4.17 provides protection against the processor vulnerability Spectre v4 aka Speculative Store Bypass (SSB), but on most systems it is inactive, because it needs microcode updates which Intel still has to release.
Spectre v4 protection, kernel-side TLS decryption, HDCP support and graphics drivers for new AMD and Intel GPUs are some of the highlights of Linux 4.17. In addition, idle AMD and Intel processors use less power.
Linus Torvalds released Linux kernel 4.17 on the night of June 1st. Like every new version of Linux’s main development line, the newest brings well over ten thousand changes. Some add new features, others improve existing ones. The most important changes in short form:
- The kernel can now take care of the hard work of decrypting a TLS (Transport Layer Security) protected data transfer.
- With 4.17, idle AMD and Intel processors are expected to consume less power.
- The kernel developers have again fine-tuned the protection against the Spectre v1 and v2 processor vulnerabilities; the technology introduced against Meltdown now has less overhead on legacy systems. In addition, a countermeasure against Spectre v4, the vulnerability that became known in May, made it into the kernel.
- Intel’s graphics driver now supports HDCP and supports recently introduced mobile processors. AMD’s graphics driver received many important detail improvements.
- XFS has learned an optimization that Ext4 has mastered for a long time. The latter file system is no longer so easily tripped up by manipulated file systems.
- The kernel developers once again significantly improved hardware support by including dozens of new drivers and improving many existing ones.
- For some Thinkpad notebooks, it is now easier to configure at which level the firmware should start charging the battery and at which it should stop. This can reduce charge cycles and increase battery life.
- The version jump to Linux 5.0 that Linus Torvalds occasionally jokes about did not happen; but the change could come soon.
- Thanks mainly to a spring cleaning of the architecture support, the kernel sources shrank with the new version; this has happened only for the third time in the history of modern Linux development.
- Changes to extend Secure Boot support were loudly rejected. They may nevertheless get in, with less fanfare, in Linux 4.18, which is expected to appear on 6 or 13 August.
The following paragraphs and article pages provide details about these and many other innovations.
Kernel Decrypts TLS Data Stream
The kernel can now take care of decrypting a TLS (Transport Layer Security) protected data transfer. This is achieved by extending the kernel TLS (KTLS) support integrated with Linux 4.13. Through the latter, Linux learned three quarters of a year ago to encrypt data sent over a TLS connection itself; now follows the counterpart, through which KTLS can decrypt directly on reception.
In both cases, handling in the kernel promises to improve the performance of HTTPS and other transmission protocols using TLS. For example, KTLS allows the kernel to process the data more efficiently because it ideally needs to shuffle it around in memory less often; it can also make better use of crypto accelerators. These advantages allow KTLS to increase data throughput, reduce system load and reduce latency.
As with the transmit path, KTLS only takes care of the symmetric decryption when receiving; the kernel still leaves the more complex and error-prone connection setup, including the asymmetric cryptography used there, to userspace libraries such as OpenSSL. Further background on the whole can be found in the commentary of a merge request for 4.17, with which the TLS-Rx support and its documentation flowed into Linux.
Idle Optimization For AMD And Intel CPUs
There have been a number of changes to the idle handling in Linux, which make some systems with Intel CPUs up to ten percent more efficient (see, among other things, 1, 2). The whole thing, however, mainly affects servers with several dozen processor cores. The optimizations arose after researchers at the TU Dresden had shown in an article in 2017 that Intel’s processors, when idle, sometimes wake up briefly and unnecessarily instead of continuing to sleep. In cooperation with the responsible kernel developers from Intel they were able to solve the problem, as TU Dresden proudly announces. For applications with short sleep cycles, this should also reduce latency; this also increases performance a bit.
Systems with AMD’s current processors should also run a bit more economically with 4.17. This is due to a small change to the code that puts the processor to sleep when idle. On AMD CPUs, the kernel so far used the MWAIT instruction, which only puts AMD’s current processors into sleep state C1; now the kernel uses cpuidle or HALT, through which Ryzen, Epyc & Co. also enter deeper and therefore more efficient sleep states.
Spectre v4 protection, HDCP support, new video drivers
Protection From Spectre 1 & 2 And Meltdown
The new kernel includes some enhancements to the protection against the Spectre v1 and v2 processor vulnerabilities that became known in early January (among others 1, 2, 3). The system call code has also been cleaned up to secure system calls against speculative code execution attacks (including 1, 2, 3, see also “Rewiring x86 system-call dispatch” on LWN.net).
In addition, there was an optimization to improve the performance of PTI (Page Table Isolation), the Meltdown countermeasure integrated in 4.15, on mostly older processors that do not support PCID (Process Context Identifiers). On those, the kernel can now mark some memory pages as global, reducing the overhead of the protection technology and thus speeding up the system.
Countermeasures For Spectre 4
In addition, Linux received some measures against the vulnerability Spectre v4 aka Speculative Store Bypass (SSB), which became known in mid-May. Shortly after these mechanisms were introduced, the changes also flowed into Stable and Longterm kernels such as 4.9.102, 4.14.42 and 4.16.11, which appeared less than 24 hours after the vulnerability became public.
In all of these Linux versions, the Spectre v4 countermeasures can work in different modes, which can be selected via the spec_store_bypass_disable= kernel parameter. At present, however, the protection is inactive on many systems because it relies on new CPU functions that are retrofitted via microcode updates, but Intel has not yet distributed the new microcodes freely.
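Whether the SSB protection is actually active on a given machine can be read from sysfs, which 4.17 and the patched Stable kernels export alongside the other vulnerability entries; the script below is an added example (not from the article or the kernel sources) that classifies that entry and reports which spec_store_bypass_disable= mode was requested at boot. The file paths are parameters so the functions can be run against constructed input; the strings in the case statement are the status texts the kernel prints.

```shell
#!/bin/sh
# Added example: classify the Spectre v4 / SSB mitigation state of a Linux
# system from the kernel's own sysfs entry and from the boot command line.
# Both paths are parameters so the functions can be exercised on test files.

# ssb_status [sysfs_file]
# Prints: unsupported | not-affected | vulnerable | mitigated-global |
#         mitigated-prctl | mitigated-prctl-seccomp | unknown
# Exit: 0 when mitigated or not affected, 1 when vulnerable, 2 when unclear.
ssb_status() {
    vuln_file="${1:-/sys/devices/system/cpu/vulnerabilities/spec_store_bypass}"
    if [ ! -r "$vuln_file" ]; then
        # Kernels without the SSB patches do not create this entry at all
        echo "unsupported"
        return 2
    fi
    status=$(cat "$vuln_file")
    case "$status" in
        "Not affected")  echo "not-affected"; return 0 ;;
        # "Vulnerable" is what a 4.17 kernel shows on a CPU whose microcode
        # lacks the new control bits: the code is there, the protection is not.
        "Vulnerable")    echo "vulnerable"; return 1 ;;
        "Mitigation: Speculative Store Bypass disabled via prctl and seccomp")
                         echo "mitigated-prctl-seccomp"; return 0 ;;
        "Mitigation: Speculative Store Bypass disabled via prctl")
                         echo "mitigated-prctl"; return 0 ;;
        "Mitigation: Speculative Store Bypass disabled")
                         echo "mitigated-global"; return 0 ;;
        *)               echo "unknown"; return 2 ;;
    esac
}

# ssb_boot_mode [cmdline_file]
# Prints the requested mode (on, off, auto, prctl, seccomp); "auto" when the
# parameter is absent, since that is the kernel's default.
ssb_boot_mode() {
    cmdline_file="${1:-/proc/cmdline}"
    if [ ! -r "$cmdline_file" ]; then
        echo "unknown"
        return 2
    fi
    # Last occurrence wins, matching how the kernel parses repeated parameters
    mode=$(tr ' ' '\n' < "$cmdline_file" \
           | sed -n 's/^spec_store_bypass_disable=//p' | tail -n 1)
    echo "${mode:-auto}"
}

# Report the live system when run directly (harmless on non-Linux hosts)
printf 'sysfs status : %s\n' "$(ssb_status || true)"
printf 'boot mode    : %s\n' "$(ssb_boot_mode || true)"
```

A fleet check only needs the exit status of ssb_status: 1 flags hosts where the microcode has not arrived yet.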
HDCP Support In The Intel Driver
The i915 driver for Intel’s graphics chips now supports HDCP (High-bandwidth Digital Content Protection) (including 1, 2, 3, 4, 5, 6). Google developers contributed the code: ChromeOS already uses it to play high-definition videos, which some video players only allow if the hardware and operating system implement this copy protection.
Intel’s driver now also supports the graphics cores of Cannon Lake processors, which Intel recently began selling as part of the Core i-8000 series; in 4.16 the support was still incomplete, so it only became active there when the parameter i915.alpha_support=1 was specified. For now, that parameter is still needed for the brand-new and rudimentary support for the Icelake GPU, which Intel is expected to launch within the next year.
Driver For AMD GPUs Improves
The extensive DC (Display Core) code that AMD integrated with Linux 4.15 is now also activated automatically for older graphics chips when you create a new kernel configuration. This extension, which is important for HDMI 2.0 and for audio output via HDMI and DisplayPort, thus reaches more users, which improves the out-of-the-box support for AMD graphics processors sold in recent years. In addition, the amdgpu driver now supports Vega12 chips, which AMD apparently intends to launch in the coming weeks or months.
Thanks to enhancements to the amdkfd driver, AMD’s ROCm GPU computing solution can now also be used with Hawaii, Tonga, Polaris and Fiji GPUs for GPGPU (General Purpose Computing on Graphics Processing Units). Comparable changes to support AMD’s current high-end GPUs of the Vega series should follow in 4.18.