Linux 5.6 kernel release

After two months of development Linus Torvalds presented the Linux 5.6 kernel release. Among the most notable changes: integration of the WireGuard VPN interface, support for USB4, time namespaces, the ability to implement TCP congestion control handlers in BPF, initial support for MultiPath TCP, elimination of the year 2038 problem from the kernel, the "bootconfig" mechanism and the ZoneFS file system.

The new version accepted 13702 fixes from 1810 developers; the patch size is 40 MB (the changes touched 11577 files, with 610012 lines of code added and 294828 lines removed). About 45% of all changes in 5.6 concern device drivers, approximately 15% relate to updating code specific to hardware architectures, 12% to the network stack, 4% to file systems and 3% to internal kernel subsystems.

The changes in detail:

  • Network subsystem
    • Added an implementation of the WireGuard VPN interface, which is built on modern cryptographic primitives (ChaCha20, Poly1305, Curve25519, BLAKE2s), is easy to use, free of unnecessary complexity, has proven itself in a number of large deployments and delivers very high performance (3.9 times the throughput of OpenVPN). WireGuard uses the concept of cryptokey routing, in which a private key is bound to each network interface and peers are bound by their public keys. The exchange of public keys to establish a connection is similar to SSH. The cryptographic primitives WireGuard needs were moved from the Zinc library into the regular Crypto API and included in kernel 5.5.
    • Integration has begun of the components needed to support MPTCP (MultiPath TCP), an extension of the TCP protocol that lets a single TCP connection deliver packets simultaneously over several routes through different network interfaces bound to different IP addresses. To network applications such an aggregated connection looks like a regular TCP connection, and all of the flow-splitting logic is handled by MPTCP. Multipath TCP can be used both to increase bandwidth and to increase reliability. For example, MPTCP can carry a smartphone's data over both its WiFi and 4G links, or reduce costs by connecting a server through several cheap links instead of one expensive one.
    • Added support for the sch_ets queuing discipline (Enhanced Transmission Selection, IEEE 802.1Qaz), which distributes bandwidth between different traffic classes. If the load on a given traffic class is below its allotted bandwidth, ETS lets other traffic classes use the available (unused) bandwidth. The sch_ets qdisc is configured like the PRIO discipline and uses traffic classes to define strict and shared bandwidth limits. ETS works as a combination of the PRIO and DRR disciplines: where strictly limited traffic classes exist PRIO is used, but when their queues are empty it behaves like DRR.
    • Added a new BPF program type, BPF_PROG_TYPE_STRUCT_OPS, which allows kernel function handlers to be implemented in BPF. At present this can already be used to implement TCP congestion control algorithms as BPF programs; as an example, a BPF program implementing the DCTCP algorithm was proposed.
    • Merged changes that move the ethtool interface from ioctl() to netlink. The new interface simplifies the addition of extensions, improves error handling, allows notifications to be sent on state changes, simplifies interaction between the kernel and user space, and reduces the number of named lists that must be kept synchronized.
    • Added an implementation of the FQ-PIE (Flow Queue PIE) network queue management algorithm, aimed at reducing the negative impact of intermediate packet buffering on edge network equipment (bufferbloat). FQ-PIE is highly effective when used in cable modem systems.
  • Disk Subsystem, I/O and File Systems
    • The Btrfs file system gained an asynchronous implementation of the DISCARD operation (notifying the drive of freed blocks whose contents no longer need to be physically stored). Initially, DISCARD operations were performed synchronously, which could cause performance degradation while waiting for the drive to complete the corresponding commands. The asynchronous implementation does not wait for the drive to complete the DISCARD and performs the operation in the background.
    • In XFS, code that used the old 32-bit time counters (the time_t type, replaced with time64_t) and thus suffered from the 2038 problem has been cleaned up. Fixed bugs and memory corruption that surfaced on 32-bit platforms. Redesigned the code for working with extended attributes.
    • The ext4 file system received performance optimizations related to inode lock handling on read and write operations. Improved overwrite performance in Direct I/O mode. To simplify diagnosing problems, the first and last error codes are stored in the superblock.
    • The F2FS file system gained the ability to store data in compressed form. For a single file or directory, compression can be enabled with "chattr +c file" or "chattr +c dir; touch dir/file". The "-o compress_extension=ext" mount option can be used to enable compression for an entire partition.
    • The ZoneFS file system has been merged into the kernel; it simplifies low-level work with zoned storage devices. Zoned storage refers to hard disk drives or NVMe SSDs whose storage space is divided into zones, groups of blocks or sectors to which data may only be appended sequentially, with the entire group of blocks being updated. ZoneFS was developed by Western Digital and maps each zone of the drive to a separate file that can be used to store data in raw mode without manipulation at the sector and block level, i.e. it lets applications use the file API instead of accessing the block device directly through ioctl.
    • NFS mounts partitions over UDP by default. Added support for the NFS 4.2 specification's ability to copy files directly between servers. A new mount option "softreval" allows cached attribute values to be used in the event of a server failure. For example, when this option is specified, after the server becomes unavailable it is still possible to traverse paths within the NFS partition and access information that has settled in the cache.
    • Optimized the performance of the fs-verity mechanism, which is used for integrity checking and authentication of individual files. Improved sequential read speed when using the Merkle hash tree. Optimized FS_IOC_ENABLE_VERITY when the data is not in the page cache (read-ahead of data pages is applied).
  • Virtualization and Security
    • The ability to disable the SELinux module at runtime has been deprecated, and unloading an already enabled SELinux will be prohibited in the future. To disable SELinux, pass the "selinux=0" parameter on the kernel command line.
    • Added support for time namespaces, which allow the state of the system clocks (CLOCK_REALTIME, CLOCK_MONOTONIC, CLOCK_BOOTTIME) to be bound to a container, let a container use its own time, and keep the CLOCK_MONOTONIC and CLOCK_BOOTTIME readings unchanged when the container is migrated to another host (time since boot, with or without the time spent in sleep mode).
    • The blocking pool of /dev/random has been removed. /dev/random now behaves like /dev/urandom in that it no longer blocks waiting for entropy once the pool has been initialized.
    • The mainline kernel now includes a driver that allows guests running under VirtualBox to mount directories exported by the host (VirtualBox Shared Folders).
    • The BPF subsystem received a set of patches (BPF dispatcher) which, when the Retpoline mechanism is used to protect against Spectre v2 attacks, make calling BPF programs more efficient when their associated events occur (for example, speeding up the invocation of XDP handlers when a network packet arrives).
    • Added a driver supporting the TEE (Trusted Execution Environment) built into AMD APUs.
  • Memory and system services
    • Support for global functions has been added to BPF. The work is part of an initiative to support libraries of functions that can be included in BPF programs. The next step will be support for dynamic extensions that allow global functions to be loaded, including replacing existing global functions while they are in use. The BPF subsystem also gained a batched variant of the map operations (maps are used to store persistent data).
    • Added the "cpu_cooling" device, which cools an overheated CPU by putting it into the idle state for short periods of time.
    • Added the openat2() system call, which offers a set of additional flags to restrict path resolution (prohibiting crossing of mount points, symbolic links, magic links (/proc/PID/fd) and "../" components).
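As an added example (not code from the article or from the kernel sources) of the path-resolution restrictions openat2() introduces, the following C program opens files relative to a directory descriptor with RESOLVE_BENEATH, RESOLVE_NO_SYMLINKS, RESOLVE_NO_XDEV and RESOLVE_NO_MAGICLINKS set, and shows that a symlink, a ".." escape and an absolute path are all refused; the open_how_compat struct and the open_confined() / demo_confined_open() names are this example's own, and the sandbox directory and files it creates are constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef SYS_openat2
#define SYS_openat2 437        /* openat2 number on x86_64 and in the generic syscall table */
#endif
/* Same layout as struct open_how in <linux/openat2.h>; redeclared so the file builds on older headers. */
struct open_how_compat { uint64_t flags, mode, resolve; };
#define RESOLVE_NO_XDEV       0x01 /* do not cross mount points */
#define RESOLVE_NO_MAGICLINKS 0x02 /* do not follow magic links such as /proc/PID/fd/N */
#define RESOLVE_NO_SYMLINKS   0x04 /* do not follow any symlink; the kernel answers ELOOP */
#define RESOLVE_BENEATH       0x08 /* no absolute paths, no ".." leaving dirfd; the kernel answers EXDEV */
/* Open path relative to dirfd with all four restrictions. Returns an fd (>= 0) or -errno. */
int open_confined(int dirfd, const char *path)
{
    struct open_how_compat how = { .flags = O_RDONLY | O_CLOEXEC, .mode = 0,
        .resolve = RESOLVE_BENEATH | RESOLVE_NO_SYMLINKS | RESOLVE_NO_XDEV | RESOLVE_NO_MAGICLINKS };
    long fd = syscall(SYS_openat2, dirfd, path, &how, sizeof(how));
    return fd < 0 ? -errno : (int)fd;
}
/* Builds a constructed sandbox directory holding one regular file and one symlink that points
   outside it, then exercises open_confined(). Returns 1 when every case behaves as documented,
   0 when openat2 is unavailable (pre-5.6 kernel or a seccomp filter), or a negative case number. */
int demo_confined_open(void)
{
    char root[] = "/tmp/openat2-demo-XXXXXX", ok[64], link[64];
    if (!mkdtemp(root)) return -1;
    snprintf(ok, sizeof ok, "%s/ok.txt", root);
    snprintf(link, sizeof link, "%s/escape", root);
    int f = open(ok, O_WRONLY | O_CREAT, 0600);
    if (f < 0 || symlink("/etc/hostname", link) < 0) return -2;  /* link target lies outside the sandbox */
    close(f);
    int dirfd = open(root, O_RDONLY | O_DIRECTORY), r = 1;
    if (dirfd < 0) return -3;
    int fd = open_confined(dirfd, "ok.txt");                       /* regular file inside: allowed */
    if (fd == -ENOSYS || fd == -EPERM) r = 0;
    else if (fd < 0) r = -4;
    else close(fd);
    if (r == 1 && open_confined(dirfd, "escape") != -ELOOP) r = -5;        /* symlink: refused */
    if (r == 1 && open_confined(dirfd, "../ok.txt") != -EXDEV) r = -6;     /* ".." out of dirfd: refused */
    if (r == 1 && open_confined(dirfd, "/etc/hostname") != -EXDEV) r = -7; /* absolute path: refused */
    close(dirfd); unlink(ok); unlink(link); rmdir(root);
    return r;
}
```

Note that the errno values differ by cause: a refused symlink yields ELOOP, while an escape past dirfd (via ".." or an absolute path) or a mount crossing yields EXDEV, so callers can report which policy was violated.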
    • For heterogeneous systems based on the big.LITTLE architecture, which combine powerful cores and less powerful energy-efficient cores in one chip, the utilization clamping (uclamp) mechanism that appeared in kernel 5.3 gained a uclamp_min parameter. The parameter ensures that the scheduler places the task on a CPU core with sufficient performance.
    • The kernel has been rid of the 2038 problem. The last remaining handlers that used the 32-bit (signed int) time_t type for the epoch time counter, which counts from 1970 and would overflow in 2038, have been replaced.
    • Continued improvements to the io_uring asynchronous I/O interface, which gained support for new operations: IORING_OP_FALLOCATE (reserving empty areas), IORING_OP_OPENAT, IORING_OP_OPENAT2 and IORING_OP_CLOSE (opening and closing files), IORING_OP_FILES_UPDATE (adding and removing files from the fast-access list), IORING_OP_STATX (requesting information about a file), IORING_OP_READ and IORING_OP_WRITE (simplified analogues of IORING_OP_READV and IORING_OP_WRITEV), IORING_OP_FADVISE and IORING_OP_MADVISE (asynchronous variants of the posix_fadvise and madvise calls), IORING_OP_SEND and IORING_OP_RECV (sending and receiving network data), and IORING_OP_EPOLL_CTL (performing operations on epoll file descriptors).
    • Added the pidfd_getfd() system call, which allows a process to retrieve the file descriptor of an open file from another process.
    • Implemented the "bootconfig" mechanism, which allows kernel parameters to be specified through a configuration file in addition to the command line. The bootconfig utility is provided for adding such files to the initramfs image. This feature can be used, for example, to set kprobes at boot time.
    • Redesigned the mechanism for waiting on reads and writes in unnamed pipes. The change speeds up tasks such as parallelized builds of large projects. However, the optimization can trigger a race condition in GNU make due to a bug in release 4.2.1 that is fixed in 4.3.
    • Added a PR_SET_IO_FLUSHER flag to prctl() that can be used to mark processes that free memory and therefore should not be throttled when the system is low on memory.
    • Based on the ION memory allocator used in Android, a dma-buf heaps subsystem has been implemented, which manages the allocation of DMA buffers for sharing memory areas among drivers, applications and various subsystems.
  • Hardware architectures
    • Added support for the E0PD extension, introduced in ARMv8.5, which provides protection against attacks based on speculative execution of instructions in the CPU. E0PD-based protection incurs less overhead than KPTI (Kernel Page Table Isolation).
    • For systems based on the ARMv8.5 architecture, support has been added for the RNG instruction, which provides access to a hardware random number generator. In the kernel, the RNG instruction is used to gather entropy when initializing the kernel-provided pseudo-random number generator.
    • Removed support for MPX (Memory Protection Extensions), added in kernel 3.19, which allowed pointers to be checked against the boundaries of memory areas. The technology never gained traction in compilers and has been removed from GCC.
    • For the RISC-V architecture, support has been implemented for the KASan (Kernel Address Sanitizer) debugging tool, which detects errors when working with memory.
  • Hardware support
    • Implemented support for the USB 4.0 specification, which is based on the Thunderbolt 3 protocol and provides throughput up to 40 Gb/s while maintaining backward compatibility with USB 2.0 and USB 3.2. Like Thunderbolt, the USB 4.0 interface allows multiple protocols to be tunneled over a single Type-C cable, including PCIe, DisplayPort and USB 3.x, as well as software implementations of protocols, for example for organizing network links between hosts. The implementation builds on the Thunderbolt driver already in the Linux kernel and adapts it to work with USB4-compatible hosts and devices. The changes also add support for Thunderbolt 3 devices to the software implementation of the Connection Manager, which is responsible for creating tunnels to connect multiple devices through a single connector.
    • The amdgpu driver gained initial support for the HDCP 2.x (High-bandwidth Digital Content Protection) copy protection technology. Added support for the AMD Pollock ASIC based on Raven 2. Implemented GPU reset for the Renoir and Navi families.
    • The DRM driver for Intel graphics gained DSI VDSC support for Ice Lake and Tiger Lake chips, an LMEM mmap (device-local memory) implementation, improved VBT (Video BIOS Table) parsing, and HDCP 2.2 support for Coffee Lake chips.
    • Work continued on unifying the amdkfd driver code (for discrete GPUs such as Fiji, Tonga, Polaris) with the amdgpu driver.
    • The k10temp driver has been redesigned to support the output of voltage and current parameters for AMD Zen CPUs, as well as extended information from temperature sensors used in Zen and Zen 2 CPUs.
    • The nouveau driver gained support for the verified firmware loading mode for NVIDIA GPUs based on the Turing microarchitecture (GeForce RTX 2000), which made it possible to enable 3D acceleration for these cards (requires the official firmware signed by NVIDIA). Added support for the TU10x graphics engine. Fixed issues with HD Audio.
    • Added support for data compression when transmitted via DisplayPort MST (Multi-Stream Transport).
    • Added a new driver, "ath11k", for Qualcomm wireless chips supporting 802.11ax. The driver is based on the mac80211 stack and supports access point, station and mesh modes.
    • Readings from the temperature sensors used in modern hard drives and SSDs are now exposed through sysfs.
    • Significant changes were made to the ALSA sound system to rid its code of the 2038 problem (avoiding the 32-bit time_t type in the snd_pcm_mmap_status and snd_pcm_mmap_control interfaces). Added support for the new audio codecs Qualcomm WCD9340/WCD9341, Realtek RT700, RT711, RT715, RT1308 and Ingenic JZ4770.
    • Added drivers for the LCD panels Logic PD 28, Jimax8729d MIPI-DSI, Ingenic JZ4770, Sony acx424AKP, Leadtek LTK500HD1829, Xinpeng XPP055C272, AUO B116XAK01, GiantPlus GPM940B0, BOE NV140FHM-N49, Satoz SAT050AT40H12R2 and Sharp LS020B1DD01D.
    • Added support for the ARM boards and platforms Amazon Echo Gen1 (OMAP3630-based), Samsung Galaxy S III mini (GT-I8190), Allwinner Emlid Neutis, Libre Computer ALL-H3-IT, PineH64 Model B, Libretech Amlogic GX PC, SolidRun Clearfog GTR (Armada), NXP Gateworks GW59xx, Tolino Shine 3 eBook Reader, Embedded Artists COM (i.MX7ULP), SolidRun Clearfog CX/ITX and HoneyComb (LX2160A), Google Coral Edge TPU (i.MX8MQ), Rockchip Radxa Dalang Carrier, Radxa Rock Pi N10, VMARC RK3399Pro SOM, ST Ericsson HREF520, Inforce 6640, SC7180 IDP, Atmel/Microchip AM9X60 (ARM926 SoC, Kizboxmini), ST stm32mp15, AM3703/AM3715/DM3725, ST Ericsson ab8505, Unisoc SC9863A and Qualcomm SC7180. Added support for the PCIe controller used in the Raspberry Pi 4.
Simultaneously, the Latin American Free Software Foundation released a fully free variant of kernel 5.6, linux-libre 5.6-gnu, cleaned of firmware elements and drivers that contain non-free components or code sections whose use is restricted by the manufacturer. The new release disables blob loading in the drivers for AMD TEE, ATH11K and Mediatek SCP. The blob cleanup code for the AMD PSP, amdgpu and nouveau drivers and subsystems has been updated.

Source: opennet.ru