Chapter 12. Kernel

Memory Protection Keys are now supported in later Intel processors

Memory Protection Keys provide a mechanism for enforcing page-based protections, but without requiring modifications of the page tables when an application changes protection domains. To determine if your processor supports Memory Protection Keys, check for the pku flag in the /proc/cpuinfo file. Further documentation including programming examples can be found in the /usr/share/doc/kernel-doc-*/Documentation/x86/protection-keys.txt file, which is provided by the kernel-doc package. (BZ#1272615)
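The following added example (not from the release notes or the kernel-doc file) shows the point made above: a page is tagged with a protection key, and write access is then revoked and restored by changing only the calling thread's key rights in the PKRU register, with no mprotect call and no page-table update. It assumes glibc 2.27 or later for the pkey_alloc, pkey_mprotect, pkey_set and pkey_free wrappers (RHEL 7's glibc lacks them, so there you would call the syscalls directly as the kernel documentation does), and it reports "unsupported" rather than failing where the CPU, kernel or hypervisor does not expose pku.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* 1 if cpuinfo text lists "pku" as a whole whitespace-delimited flag token. */
int cpuinfo_has_pku(const char *cpuinfo)
{
    const char *p = cpuinfo;
    while ((p = strstr(p, "pku")) != NULL) {
        int before = p == cpuinfo || p[-1] == ' ' || p[-1] == '\t';
        int after = p[3] == '\0' || p[3] == ' ' || p[3] == '\n' || p[3] == '\t';
        if (before && after) return 1;
        p += 3;
    }
    return 0;
}

enum { PKEY_DEMO_OK = 0, PKEY_DEMO_UNSUPPORTED = 1, PKEY_DEMO_FAILED = 2 };
static sigjmp_buf fault_jmp; static volatile sig_atomic_t faulted;
static void on_segv(int sig) { (void)sig; faulted = 1; siglongjmp(fault_jmp, 1); }
/* Tag a page with a key, revoke write access by changing only this thread's
 * key rights (PKRU; page tables untouched), confirm the write faults, restore. */
int pkey_demo(void)
{
    int key = pkey_alloc(0, 0);                 /* all access allowed for now */
    if (key < 0) return PKEY_DEMO_UNSUPPORTED;  /* no pku in CPU, kernel or VM */
    long pg = sysconf(_SC_PAGESIZE);
    volatile int *page = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED ||
        pkey_mprotect((void *)page, pg, PROT_READ | PROT_WRITE, key) != 0)
        return PKEY_DEMO_FAILED;
    *page = 42;                                 /* write while allowed */
    struct sigaction sa = { .sa_handler = on_segv }, old;
    sigaction(SIGSEGV, &sa, &old);
    faulted = 0;
    if (sigsetjmp(fault_jmp, 1) == 0) {
        pkey_set(key, PKEY_DISABLE_WRITE);       /* no mprotect, no TLB flush */
        *page = 43;                             /* must fault with SEGV_PKUERR */
    }
    pkey_set(key, 0);                           /* re-enable writes */
    sigaction(SIGSEGV, &old, NULL);
    int ok = faulted && *page == 42;            /* old value survived */
    munmap((void *)page, pg); pkey_free(key);
    return ok ? PKEY_DEMO_OK : PKEY_DEMO_FAILED;
}
```

Key rights live in a per-thread register, so a pkey_set call in one thread does not change what other threads of the same process may do with the page.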

EDAC support added for Pondicherry 2 memory controllers

Error Detection and Correction support has been added for Pondicherry 2 memory controllers used on machines based on the Intel Atom C3000-series processors. (BZ#1273769)

MBA is now supported

Memory Bandwidth Allocation (MBA) is an extension of the existing Cache QoS Enforcement (CQE) feature found in Broadwell servers. MBA is a feature of the Intel Resource Director Technology (RDT) that provides control over memory bandwidth for applications. With this update, the MBA support is added. (BZ#1379551)

Swap optimizations enable fast block devices to be used as secondary memory

Previously, the swap subsystem was not performance-critical because the performance of rotating disks, especially in terms of latency, was orders of magnitude worse than the rest of the memory management subsystem. With the advent of fast SSD devices, the overhead of the swap subsystem has become significant. This update brings a series of performance optimizations that reduce this overhead. (BZ#1400689)

HID Wacom rebased to version 4.12

The HID Wacom kernel module packages have been upgraded to upstream version 4.12, which provides a number of bug fixes and enhancements over the previous version:
  • The hid_wacom power supply code has been updated, fixing previously existing problems.
  • Support has been added for the Bluetooth-based Intuos 2 Pro pen tablet.
  • Bugs affecting the Intuos 2 Pro pen tablet and the Bamboo slate have been fixed. (BZ#1475409)

New livepatch functionality improves the latency and success rate of the kpatch-patch packages

With this update, the kpatch kernel live patching infrastructure has been upgraded to use the new upstream livepatch functionality for patching the kernel. This functionality improves the scheduling latency and success rate of the kpatch-patch hotfix packages. (BZ#1430637)

Persistent Kernel Module Upgrade (PKMU) supported

The kmod packages provide various programs for automatic loading, unloading, and management of kernel modules. Previously, kmod searched for modules only in the /lib/modules/<kernel version> directory. Consequently, users needed to perform additional actions, for example, run the /usr/sbin/weak-modules script to install symlinks, to make the modules loadable. With this update, kmod has been modified to search for modules anywhere in the file system. As a result, users can now install new modules into a separate directory, configure the kmod tools to look for modules there, and the modules become available automatically for the new kernel. Users can also specify several directories for one kernel, or different directories for different kernels. The kernel version is specified with a regular expression. (BZ#1361857)

The Linux kernel now supports encrypted SMB 3 connections

Prior to introducing this feature, the kernel only supported unencrypted connections when using the Server Message Block (SMB) protocol. This update adds encryption support for SMB 3.0 and later protocol versions. As a result, users can mount SMB shares using encryption, if the server provides or requires this feature.
To mount a share using the encrypted SMB protocol, pass the seal mount option together with the vers mount option set to 3.0 or later to the mount command. For further details and an example, see the seal parameter description in (BZ#1429710)

SME enabled on AMD Naples platforms

With this update, AMD Secure Memory Encryption (SME) is provided by systems based on AMD Naples platforms. The Advanced Encryption Standard (AES) engine has the ability to encrypt and decrypt dynamic random access memory (DRAM). SME, provided by the AES engine, is intended to protect machines against hardware-probing attacks. To activate SME, boot the system with the kernel parameter mem_encrypt=on. (BZ#1361287)

Support for the ie31200_edac driver

This enhancement adds support for the ie31200_edac driver to the consumer versions of the Skylake and Kaby Lake CPU families. (BZ#1482253)

EDAC now supports GHES

This enhancement adds Error Detection and Correction (EDAC) support for using the Generic Hardware Error Source (GHES) provided by BIOS. GHES is now used as a source for memory corrected and uncorrected errors instead of a hardware specific driver. (BZ#1451916)

CUIR enhanced scope detection is now fully supported

Support for Control Unit Initiated Reconfiguration (CUIR) enables the Direct Access Storage Device (DASD) device driver to automatically take paths to DASDs offline for concurrent services. If other paths to the DASD are available, the DASD stays operational.
CUIR informs the DASD device driver when the paths are available again, and the device driver attempts to vary them back online.
In addition to the support for Linux instances running in Logical Partitioning (LPAR) mode, support for Linux instances on IBM z/VM systems has been added. (BZ#1494476)

kdump allows a vmcore collection without the root file system being mounted

In Red Hat Enterprise Linux 7.4, kdump required the root file system to be mounted, although this is not always necessary for the collection of a vmcore image file. Consequently, kdump failed to collect a vmcore file if the root device could not be mounted, even when the dump target was not on the root file system but, for example, on a USB device or on the network. With this enhancement, if the root device is not required for the dump, it is not mounted, and a vmcore file can still be collected. (BZ#1431974, BZ#1460652)

KASLR fully supported and enabled by default

Kernel address space layout randomization (KASLR), which was previously available as a Technology Preview, is fully supported in Red Hat Enterprise Linux 7.5 on the AMD64 and Intel 64 architectures. KASLR is a kernel feature that contains two parts, kernel text KASLR and mm KASLR. These two parts work together to enhance the security of the Linux kernel.
The physical address and the virtual address of the kernel text are randomized independently of each other. The physical address of the kernel can be anywhere below 64 TB, while the virtual address is restricted to the 1 GB range [0xffffffff80000000, 0xffffffffc0000000].
The starting addresses of three mm sections (the direct mapping, the vmalloc area, and the vmemmap section) are randomized within a specific region. Previously, the starting addresses of these sections were fixed values.
KASLR can thus prevent injected malicious code from redirecting kernel execution if that code relies on knowing where symbols of interest are located in the kernel address space.
KASLR code is now compiled in the Linux kernel, and it is enabled by default. If you want to disable it explicitly, add the nokaslr kernel option to the kernel command line. (BZ#1491226)

Intel® Omni-Path Architecture (OPA) Host Software

Intel® Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 7.5. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.

noreplace-paravirt has been removed from the kernel command line parameters

The noreplace-paravirt kernel command line parameter has been removed, because the parameter is no longer compatible with the patches that mitigate the Spectre and Meltdown vulnerabilities. Booting AMD64 and Intel 64 systems with noreplace-paravirt on the kernel command line causes repeated reboots of the operating system. (BZ#1538911)

The new EFI memmap implementation is now available on SGI UV2+ systems

Prior to this update, the EFI memmap implementation, which keeps the Extensible Firmware Interface (EFI) runtime services mapping stable across a kexec reboot, was not available on Silicon Graphics International (SGI) UV2 and later systems. This update adds support for EFI memmap on these systems. Additionally, this update also enables the use of Secure Boot with the kdump kernel. (BZ#1102454)

Mounting pNFS shares with flexible file layout is now fully supported

Flexible file layout on pNFS clients was first introduced in Red Hat Enterprise Linux 7.2 as a Technology Preview. With Red Hat Enterprise Linux 7.5, it is now fully supported.
pNFS flexible file layout enables advanced features such as non-disruptive file mobility and client-side mirroring, which provides enhanced usability in areas such as databases, big data, and virtualization. See for detailed information about pNFS flexible file layout. (BZ#1349668)