Chapter 12. Kernel
Kernel version in RHEL 7.5
Red Hat Enterprise Linux 7.5 is distributed with the kernel version 3.10.0-862. (BZ#1801759)
Memory Protection Keys are now supported in later Intel processors
Memory Protection Keys provide a mechanism for enforcing page-based protections without requiring modifications of the page tables when an application changes protection domains. To determine whether your processor supports Memory Protection Keys, check for the pku flag in the /proc/cpuinfo file. Further documentation, including programming examples, is available in the /usr/share/doc/kernel-doc-*/Documentation/x86/protection-keys.txt file, which is provided by the kernel-doc package. (BZ#1272615)
EDAC support added for Pondicherry 2 memory controllers
Error Detection and Correction support has been added for Pondicherry 2 memory controllers used on machines based on the Intel Atom C3000-series processors. (BZ#1273769)
MBA is now supported
Memory Bandwidth Allocation (MBA) is an extension of the existing Cache QoS Enforcement (CQE) feature found in Broadwell servers. MBA is a feature of the Intel Resource Director Technology (RDT) that provides control over memory bandwidth for applications. With this update, MBA support is added. (BZ#1379551)
Swap optimizations enable fast block devices to be used as secondary memory
Previously, the swap subsystem was not performance-critical because the performance of rotating disks, especially in terms of latency, was orders of magnitude worse than the rest of the memory management subsystem. With the advent of fast SSD devices, the overhead of the swap subsystem has become significant. This update brings a series of performance optimizations that reduce this overhead. (BZ#1400689)
HID Wacom rebased to version 4.12
The HID Wacom kernel module packages have been upgraded to upstream version 4.12, which provides a number of bug fixes and enhancements over the previous version:
- The hid_wacom power supply code has been updated, fixing previously existing problems.
- Support has been added for the Bluetooth-based Intuos 2 Pro pen tablet.
- Bugs affecting the Intuos 2 Pro pen tablet and the Bamboo slate have been fixed. (BZ#1475409)
New livepatch functionality improves the latency and success rate of the kpatch-patch packages
With this update, the kpatch kernel live patching infrastructure has been upgraded to use the new upstream livepatch functionality for patching the kernel. This functionality improves the scheduling latency and success rate of the kpatch-patch hotfix packages. (BZ#1430637)
Persistent Kernel Module Upgrade (PKMU) supported
The kmod packages provide various programs for automatic loading, unloading, and management of kernel modules. Previously, kmod searched for modules only in the /lib/modules/<kernel version> directory. Consequently, users needed to perform additional actions, for example, run the /usr/sbin/weak-modules script to install symlinks, to make the modules loadable. With this update, kmod has been modified to search for modules anywhere in the file system. As a result, users can now install new modules to a separate directory, configure the kmod tools to look for modules there, and the modules will be available automatically for the new kernel. Users can also specify several directories for a kernel, or different directories for different kernels. The kernel version is specified with a regular expression. (BZ#1361857)
The Linux kernel now supports encrypted SMB 3 connections
Prior to introducing this feature, the kernel only supported unencrypted connections when using the Server Message Block (SMB) protocol. This update adds encryption support for SMB 3.0 and later protocol versions. As a result, users can mount SMB shares using encryption, if the server provides or requires this feature.
To mount a share using the encrypted SMB protocol, pass the seal mount option together with the vers mount option set to 3.0 or later to the mount command. For further details and an example, see the seal parameter description in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/mounting_an_smb_share#tab.frequently_used_mount_options. (BZ#1429710)
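The following POSIX shell script is an added example, not part of the release notes: it audits /proc/mounts-style lines and reports CIFS mounts that do not satisfy the combination described above (the seal option together with vers 3.0 or later). The server names and paths in the sample are constructed.

```shell
# Added example (not part of the Red Hat release notes): audit CIFS mounts for
# SMB 3 encryption. A mount counts as encrypted only when its options carry
# "seal" AND vers is 3.0 or later, the combination the text above requires.
# Hostnames and paths in the sample are constructed.

# Return 0 if a /proc/mounts option string (4th field) is seal + vers>=3.0.
cifs_opts_encrypted() {
    opts=",$1,"
    case "$opts" in *,seal,*) ;; *) return 1 ;; esac
    vers=$(printf '%s' "$opts" | sed -n 's/.*,vers=\([^,]*\),.*/\1/p')
    major="${vers%%.*}"                               # 3.0, 3.02 and 3.1.1 all give 3
    case "$major" in ''|*[!0-9]*) return 1 ;; esac   # vers missing or not numeric
    [ "$major" -ge 3 ]
}

# Read /proc/mounts-style lines on stdin, print every cifs mount that is not
# encrypted, and return how many were found (0 means all cifs mounts are sealed).
audit_cifs_mounts() {
    count=0
    while read -r src mnt fstype opts rest; do
        [ "$fstype" = cifs ] || continue
        if ! cifs_opts_encrypted "$opts"; then
            printf 'unencrypted SMB: %s on %s (%s)\n' "$src" "$mnt" "$opts"
            count=$((count + 1))
        fi
    done
    return "$count"
}

# Constructed sample in /proc/mounts format; on a live system run:
#   audit_cifs_mounts < /proc/mounts
SAMPLE_MOUNTS='//files.example.com/data /mnt/data cifs rw,relatime,vers=3.0,seal,cache=strict,username=app 0 0
//files.example.com/old /mnt/old cifs rw,relatime,vers=2.1,cache=strict,username=app 0 0
//files.example.com/legacy /mnt/legacy cifs rw,relatime,vers=1.0,seal,username=app 0 0
/dev/sda1 / xfs rw,relatime,attr2,inode64 0 0'

if printf '%s\n' "$SAMPLE_MOUNTS" | audit_cifs_mounts; then
    echo "all cifs mounts use SMB 3 encryption"
else
    echo "unencrypted cifs mounts found: $?"   # the sample yields 2
fi
```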
SME enabled on AMD Naples platforms
With this update, AMD Secure Memory Encryption (SME) is provided on systems based on AMD Naples platforms. The Advanced Encryption Standard (AES) engine can encrypt and decrypt dynamic random access memory (DRAM). SME, provided by the AES engine, is intended to protect machines against hardware-probing attacks. To activate SME, boot the system with the kernel parameter mem_encrypt=on. (BZ#1361287)
Support for the ie31200_edac driver
This enhancement adds support for the ie31200_edac driver to the consumer version of the Skylake and Kaby Lake CPU families. (BZ#1482253)
EDAC now supports GHES
This enhancement adds Error Detection and Correction (EDAC) support for using the Generic Hardware Error Source (GHES) provided by the BIOS. GHES is now used as the source for corrected and uncorrected memory errors instead of a hardware-specific driver. (BZ#1451916)
CUIR enhanced scope detection is now fully supported
Support for Control Unit Initiated Reconfiguration (CUIR) enables the Direct Access Storage Device (DASD) device driver to automatically take paths to DASDs offline for concurrent services. If other paths to the DASD are available, the DASD stays operational.
CUIR informs the DASD device driver when the paths are available again, and the device driver attempts to vary them back online.
In addition to the support for Linux instances running in Logical Partitioning (LPAR) mode, support for Linux instances on IBM z/VM systems has been added. (BZ#1494476)
kdump allows a vmcore collection without the root file system being mounted
In Red Hat Enterprise Linux 7.4, kdump required the root file system to be mounted, although this is not always necessary for the collection of a vmcore image file. Consequently, kdump failed to collect a vmcore file if the root device could not be mounted when the dump target was not on the root file system but, for example, on a USB device or on the network. With this enhancement, if the root device is not required for the dump, it is not mounted, and a vmcore file can still be collected. (BZ#1431974, BZ#1460652)
KASLR fully supported and enabled by default
Kernel address space layout randomization (KASLR), which was previously available as a Technology Preview, is fully supported in Red Hat Enterprise Linux 7.5 on the AMD64 and Intel 64 architectures. KASLR is a kernel feature that consists of two parts, kernel text KASLR and mm KASLR. These two parts work together to enhance the security of the Linux kernel.
The physical address and the virtual address of the kernel text itself are randomized separately. The physical address of the kernel can be anywhere under 64TB, while the virtual address of the kernel is restricted to the 1GB range [0xffffffff80000000, 0xffffffffc0000000].
The starting address of three mm sections (the direct mapping, vmalloc, and vmemmap sections) is randomized within a specific area. Previously, the starting addresses of these sections were fixed values.
KASLR can thus prevent malicious code from being inserted into the kernel and kernel execution from being redirected to it, if that code relies on knowing where symbols of interest are located in the kernel address space.
KASLR code is now compiled into the Linux kernel, and it is enabled by default. To disable it explicitly, add the nokaslr kernel option to the kernel command line. (BZ#1491226)
Intel® Omni-Path Architecture (OPA) Host Software
Intel® Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 7.5. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.
For installation instructions, see the Intel® Omni-Path Architecture documentation at https://www.intel.com/content/dam/support/us/en/documents/network-and-i-o/fabric-products/Intel_OP_Software_RHEL_7_5_RN_J98644.pdf. (BZ#1543995)
noreplace-paravirt has been removed from the kernel command line parameters
The noreplace-paravirt kernel command line parameter has been removed, because the parameter is no longer compatible with the patches that mitigate the Spectre and Meltdown vulnerabilities. Booting AMD64 and Intel 64 systems with noreplace-paravirt on the kernel command line causes repeated reboots of the operating system. (BZ#1538911)
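The following POSIX shell script is an added example, not part of the release notes: before rebooting into the 7.5 kernel it checks a kernel command line for the parameters discussed in this chapter (the removed noreplace-paravirt, the nokaslr option that disables KASLR, and mem_encrypt=on for SME). The sample command line is constructed; on a live system pass the contents of /proc/cmdline.

```shell
# Added example (not part of the Red Hat release notes): check a kernel command
# line for the 7.5-specific parameters discussed above before rebooting into the
# new kernel. Pass the contents of /proc/cmdline or of a grub "linux16" line;
# the sample below is constructed.

# Return 0 if the exact parameter (or key=value) is present on the command line.
cmdline_has() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# Print one line per check; return the number of issues found.
audit_cmdline() {
    cmdline="$1"
    issues=0
    if cmdline_has "$cmdline" noreplace-paravirt; then
        echo "ISSUE: noreplace-paravirt was removed in 7.5; the system will reboot repeatedly"
        issues=$((issues + 1))
    fi
    if cmdline_has "$cmdline" nokaslr; then
        echo "ISSUE: nokaslr disables KASLR, which is enabled by default"
        issues=$((issues + 1))
    else
        echo "ok: KASLR left enabled"
    fi
    if cmdline_has "$cmdline" mem_encrypt=on; then
        echo "ok: SME requested (takes effect only on AMD Naples hardware)"
    else
        echo "note: mem_encrypt=on not set, SME stays off"
    fi
    return "$issues"
}

# Constructed sample carrying the removed parameter.
# On a live system run: audit_cmdline "$(cat /proc/cmdline)"
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-3.10.0-862.el7.x86_64 root=/dev/mapper/rhel-root ro quiet noreplace-paravirt mem_encrypt=on'
audit_cmdline "$SAMPLE_CMDLINE"
echo "issues found: $?"   # the sample yields 1
```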
The new EFI memmap implementation is now available on SGI UV2+ systems
Prior to this update, the Extensible Firmware Interface (EFI) stable runtime services mapping across kexec reboot (memmap) implementation was not available on Silicon Graphics International (SGI) UV2 and later systems. This update adds support for EFI memmap. Additionally, this update also enables the use of Secure Boot with the kdump kernel. (BZ#1102454)
Mounting pNFS shares with flexible file layout is now fully supported
Flexible file layout on pNFS clients was first introduced in Red Hat Enterprise Linux 7.2 as a Technology Preview. With Red Hat Enterprise Linux 7.5, it is now fully supported.
pNFS flexible file layout enables advanced features such as non-disruptive file mobility and client-side mirroring, which provides enhanced usability in areas such as databases, big data, and virtualization. See https://datatracker.ietf.org/doc/draft-ietf-nfsv4-flex-files/ for detailed information about pNFS flexible file layout. (BZ#1349668)