Chapter 9. Technology Preview features


This part provides a list of all Technology Preview features available in Red Hat Enterprise Linux 10.

For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.

9.1. Identity Management

HSM support is available as a Technology Preview

Hardware Security Module (HSM) support is now available in Identity Management (IdM) as a Technology Preview. You can store your key pairs and certificates for your IdM CA and KRA on an HSM. This adds physical security to the private key material.

IdM relies on the networking features of the HSM to share the keys between machines to create replicas. The HSM provides additional security without visibly affecting most IPA operations. When using low-level tooling, the certificates and keys are handled differently, but this is seamless for most users.

Note

Migration of an existing CA or KRA to an HSM-based setup is not supported. You need to reinstall the CA or KRA with keys on the HSM.

You need the following:

  • A supported HSM
  • The HSM PKCS #11 library
  • An available slot, token, and the token password

To install a CA or KRA with keys stored on an HSM, you must specify the token name and the path to the PKCS #11 library. For example:

ipa-server-install -r EXAMPLE.TEST -U --setup-dns --allow-zone-overlap --no-forwarders -N --auto-reverse --random-serial-numbers --token-name=HSM-TOKEN --token-library-path=/opt/nfast/toolkits/pkcs11/libcknfast.so --setup-kra

Jira:RHELDOCS-17465[1]

IdM-to-IdM migration is available as a Technology Preview

IdM-to-IdM migration is available in Identity Management as a Technology Preview. You can use a new ipa-migrate command to migrate all IdM-specific data, such as SUDO rules, HBAC, DNA ranges, hosts, services, and more, to another IdM server. This can be useful, for example, when moving IdM from a development or staging environment into a production one or when migrating IdM data between two production servers.

Jira:RHELDOCS-18408[1]

9.2. Virtualization

AMD SEV, SEV-ES, and SEV-SNP for KVM virtual machines are available as Technology Preview

As a Technology Preview, RHEL provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the VM security.

In addition, the enhanced Encrypted State version of SEV (SEV-ES) is also provided as Technology Preview. SEV-ES encrypts all CPU register contents when a VM stops running. This prevents the host from modifying the VM’s CPU registers or reading any information from them.

RHEL also provides the Secure Nested Paging (SEV-SNP) feature as Technology Preview. SNP enhances SEV and SEV-ES by improving their memory integrity protection, which helps to prevent hypervisor-based attacks, such as data replay or memory re-mapping.

Note that:

  • SEV and SEV-ES work only on the 2nd generation of AMD EPYC CPUs (codenamed Rome) or later.
  • SEV-SNP works only on 4th generation AMD EPYC CPUs (codenamed Genoa) or later.

Also note that RHEL includes SEV, SEV-ES, and SEV-SNP encryption, but not the SEV, SEV-ES, and SEV-SNP security attestation and live migration.
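A host-side check of the availability described above, as an added example that is not part of the Red Hat release notes: it reads the sev, sev_es and sev_snp flags from /proc/cpuinfo and the kvm_amd module parameters of the same names, so a disabled variant can be told apart from a CPU generation that lacks it. The paths are those of a standard RHEL kernel; the optional ROOT argument is an assumption of this example, present only so the check can be run against a constructed copy of the tree.

```shell
#!/bin/sh
# Added example, not from the RHEL release notes: for each SEV variant,
# report whether the CPU advertises it and whether kvm_amd has it enabled.
# ROOT (default: empty, i.e. the live host) is prefixed to /proc and /sys so
# the function can also be exercised against a constructed directory tree.
sev_status() {
    root="${1:-}"
    # First "flags" line of /proc/cpuinfo; empty when the file is missing.
    flags=$(awk '/^flags/ {print; exit}' "$root/proc/cpuinfo" 2>/dev/null || true)
    params="$root/sys/module/kvm_amd/parameters"
    for feat in sev sev_es sev_snp; do
        # The cpuinfo flag and the kvm_amd parameter share the same name.
        cpu=no
        echo "$flags" | grep -qw "$feat" && cpu=yes
        kvm=unknown          # parameter absent: kvm_amd not loaded or too old
        if [ -r "$params/$feat" ]; then
            case "$(cat "$params/$feat")" in
                Y|1) kvm=enabled ;;
                *)   kvm=disabled ;;
            esac
        fi
        printf '%s cpu=%s kvm=%s\n' "$feat" "$cpu" "$kvm"
    done
}

# Exit 0 only when FEAT is both advertised by the CPU and enabled in kvm_amd,
# which is the condition for a guest to be able to use that variant.
sev_ready() {
    sev_status "$2" | grep -q "^$1 cpu=yes kvm=enabled$"
}

sev_status "$@"
```

On a host that reports kvm=disabled for a flag the CPU advertises, the variant is typically turned off in the kvm_amd module or in firmware rather than unsupported by the hardware.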

Jira:RHELDOCS-16800[1]

9.3. Containers

composefs filesystem is available as a Technology Preview

composefs is the default backend for container storage. The key technologies composefs uses are:

  • OverlayFS as the kernel interface
  • Enhanced Read-Only File System (EROFS) for a mountable metadata tree
  • The fs-verity feature (optional) from the lower filesystem

Key advantages of composefs:

  • Separation between metadata and data. composefs does not store any persistent data. The underlying metadata and data files are stored in a valid lower Linux filesystem such as ext4, xfs, btrfs, and so on.
  • Mounting multiple composefs instances with shared storage.
  • Data files are shared in the page cache to enable multiple container images to share their memory.
  • Support for fs-verity validation of the content files.

Jira:RHEL-52238

Pushing and pulling images compressed with zstd:chunked is available as a Technology Preview

The zstd:chunked compression is now available as a Technology Preview.

Jira:RHEL-32266


© 2024 Red Hat, Inc.