• United States
Unix Dweeb

Linux kernel 4.18: Better security, leaner code

News Analysis
Aug 30, 20186 mins
LinuxOpen Source

The latest version of the Linux kernel cleans out nearly 100K lines of code, adds file encryption and the Berkeley Packet Filter, plus makes a nod to gamers and mobile devices.

The recent release of Linux kernel 4.18 followed closely by the releases of 4.18.1, 4.18.2, 4.18.3, 4.18.4, and 4.18.5 brings some important changes to the Linux landscape along with a boatload of tweaks, fixes, and improvements.

While many of the more significant changes might knock the socks off developers who have been aiming at these advancements for quite some time, the bulk of them are likely to go unnoticed by the broad expanse of Linux users. Here we take a look at some of the things this new kernel brings to our systems that might just make your something-to-get-a-little-excited-about list.

Code Cleanup

For one thing, the 4.18 kernel has brought about the surprising removal of nearly 100,000 lines of outdated code. That’s a lot of code! Does this mean that any of your favorite features may have been ripped out? That is not very likely. This code cleanup does means that a lot of code deadwood has been carefully expunged from the kernel along with one significant chunk. As a result, the new kernel should take up less memory, run a little more efficiently and be less vulnerable to attacks that might have taken advantage of the neglected sections of older code. This change also leaves the remaining code somewhat cleaner and easier to manage.

Losing its Lustre

The one significant chunk of the code shrinkage mentioned above refers to the removal of the Lustre file system which has been in the kernel, though not fully integrated, for roughly five years. It was removed because it hasn’t been moving forward at a sufficient pace to maintain it in the kernel. As premature or incomplete code, Lustre, which is a distributed file system used in cluster computing, may well be reintroduced into a later release after its developers have taken the time to get this feature into better shape, ready to be reattached to the kernel tree. (Lustre is a mashup of the words Linux and cluster.)

Introducing BPFILTER

Another exciting feature is BPFILTER. (The name derives from Berkeley Packet Filter.) While starting out as a packet-filtering facility for other tools (e.g., tcpdump), BPFILTER is poised in 4.18 to eventually replace both iptables and nftables. It also extends the capabilities of Linux in several areas – network security, load balancing and performance monitoring – without impacting performance. In essence, BPFILTER represents something of a foundational shift for both networking and security.

In what is expected to be a very easy transition from the earlier technology BPFILTER will provide easy ways to translate iptables rules into its own rule format. It also provides flexibility with respect to where filtering rules are applied — maybe on the network interface itself — and ways to modernize and revitalize the network stack.

Speck file-system encryption

FSCRYPT, which operates at the file system level rather than at the block device level, in 4.18 supports Speck128/Speck256 encryption algorithms. This change makes Speck an option for file system encryption, although it has met with some controversy because it was developed at the National Security Agency (NSA) and that organization may not have shared all aspects of its design. While some may opt not to use it, it does provide what seems to be the only encryption option for low-end Android devices and, thus, has an important role to play.

Faster, better graphics

The 4.18 kernel provides improved open-source graphics drivers. The AMDGPU (open-source graphics driver for the latest AMD Radeon graphics cards) driver has incorporated code for the future Vega 20 GPU graphics card along with support for the Vega M hardware — the Radeon graphics found within Intel Kabylake-G processors. There are also improvements in Hyper-V support for both Vega M and Nvidia Volta GV100 hardware. These changes promise to provide some super-fast pixel pushing.

Sound-chip enhancements

Significant sound chip improvements are included in 4.18. These include improved support for select Creative Labs CA0132 devices, audio on the HP Spectre x360 laptop, and a slate of Realtek chips and MediaTek controllers

Steam Controller driver

Gamers will especially appreciate the reverse engineered Steam Controller driver that allows a device to work as a normal HID (human interface or input device) right out of the box. Users will not have to separately install a Steam client or controller driver.

This allows a game pad to work as a virtual mouse, touchpad, or keypad over a USB or a wireless connection without affecting the use of the official Steam controller.

Performance improvements

Restartable sequences, a mechanism for lockless concurrency control in user space, is included in the new kernel. RSEQ system calls allow for faster user-space operations and have shown improvements in select micro-benchmarks. It also provides some important improvements in the kernel’s scheduler code. These changes should yield significantly better overall system performance.

Another improvement that Linux 4.18 provides is improved support for dual-lane transfer in USB 3.2, speeding up data transfers with USB devices for hosts and devices using Type-C cables.

Linux kernel 4.18 also provides a new kernel polling interface for asynchronous IO that can poll a set of file descriptors to determine which can perform I/O without blocking. This change also implies better performance.

This new kernel also provides a TCP zero-copy receive API along with support for high-performance AF XDP sockets that promises to enhance performance while saving CPU cycles and memory bandwidth.

No Y2K in 2038

The new kernel also introduces significant progress toward warding off the long-recognized 2038 Problem. If you’re old enough, you might remember the Y2K aka Millenium bug that had many people worried near the end of 1999. They feared that systems and applications using two-digit years in their date fields would, on the stroke of midnight on December 31, suddenly decide that it was 1900 all over again and crash. Because of the unusual way that Unix systems store dates (number of seconds since the Unix Epoch), a similar problem won’t hit those systems until Jan.19, 2038. The 4.18 kernel’s timespec structure work will help ensure that 32-bit systems will not fall apart when the clock strikes 03:14:07 on that date (or tries to).

Some other changes in 4.18:

  • FUSE file systems, which make it possible to implement a fully functional file system in user space, can now be mounted by unprivileged users.
  • ARM Spectre mitigation fixes have been provided for 32-bit ARM devices.
  • Support for Qualcomm Snapdragon 845 (fast mobile processor) — a system on a chip used by many high-end mobile devices — is now available.
  • Complete Raspberry Pi 3B and 3B+ support has been provided.
  • Power management updates to help performance on both servers and PCs are included.
  • Native Thunderbolt support on Dell hardware is added.

Details of the changes can be browsed on the merge list on kernelnewbies.

The 4.18 Linux kernel is bringing lots of welcome changes for performance, security, and functionality to our Linux systems. And maybe now we can stop worrying so much about what’s going to happen in 2038.

Unix Dweeb

Sandra Henry-Stocker has been administering Unix systems for more than 30 years. She describes herself as "USL" (Unix as a second language) but remembers enough English to write books and buy groceries. She lives in the mountains in Virginia where, when not working with or writing about Unix, she's chasing the bears away from her bird feeders.

The opinions expressed in this blog are those of Sandra Henry-Stocker and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author