Adds mostly better logging and the possibility for upgrades.^[1]

Lockdep (short for Lock Dependency) is a debugging tool built into the Linux kernel. It's designed to detect potential deadlocks that could occur due to inconsistent lock ordering. If Lockdep detects a circular dependency in lock acquisition order, it reports this as a potential deadlock situation.

source for the big brain^[2]

Partial Write, also call tearing.

Having the data in a buffer, not feeding the data char-per-char. Sitting at an address in memory.

Atomic writes refer to the ability of a system call to write a contiguous block of data to a file without interruption. "Cannot be divided" ^[3]

/dev/sda is a block device, meaning a device controlled by block. the block subsystem take care of the talking between the device and the code (often FS code)

PS block device's block size cannot be bigger than page size (normally 4K)^[4]

AMD ONLY uses function like those included by SEV . As the host cannot be trusted SVSM is a pipe between Firmware and guest VM that bypass host.^[5][6]

Fast Collaborative Processor Performance Control is a driver that permits optimization of the frequency on a per core basis to get more perf from the same amount of power. ^[7]

Fine Indirect Branch Tracking is an hardware enhanced version of CFI.

Works with Intel CPU and is called Branch Target Identification (BTI) for ARM64^[10]

Enabled by default in 6.2^[11]

Using smart compiler (LLVM) the kernel can be compiled with a smart way(jump table) to confirmed that a function is going/returning to a valid address and not to an infected program.^[12]

Data Access MONitor (DAMON) is a data access monitoring framework for DRAM^[26]

Ex. of userspace implementation GitHub - awslabs/damo: DAMON user-space tool

KMSAN is a dynamic error detector aimed at finding uses of uninitialized values. It is based on compiler instrumentation (CLANG only) KMSAN is not intended for production use.^[27]

Also called perf_events, it can instrument CPU performance counters, tracepoints, kprobes, and uprobes (dynamic tracing). It is capable of lightweight profiling.

Performance counters are CPU hardware registers that count hardware events such as instructions executed, cache-misses suffered, or branches mispredicted. They form a basis for profiling applications to trace dynamic control flow and identify hotspots. perf provides rich generalized abstractions over hardware specific capabilities. Among others, it provides per task, per CPU and per-workload counters, sampling on top of these and source code event annotation.^[28]

DRM is the in between GPU driver and program like X that ensure no process block another from accessing the GPU. also standardize communications with the GPU. ^[29]

AMD's code to enable their GPU to: general-purpose computing on graphics processing units (GPGPU), high performance computing (HPC), heterogeneous computing. It offers several programming models: HIP (GPU-kernel-based programming), OpenMP (directive-based programming), and OpenCL.

Works with the #AMDKFD driver

AMD Kernel Fusion Driver is the driver to make #ROCm and opencl work.

in other words, kernel driver for computing on GPU.

GPU #Direct Rendering Manager (DRM) & MESA driver for some Arm ^[30]

SYSFS is a pseudo FS made to expose infos and config of linux subsystem and FS. /sys ^[31]

different mounts can expose the same file or directory with different ownership. help when you want to use your home dir on multiple computer of manage a FS that doesn't have permission (like fat & exFAT) with multiple user.^[32]

The "vDSO" (virtual dynamic shared object) is a small shared library that the kernel automatically maps into the address space of all user-space applications. There are some system calls the kernel provides that user-space code ends up using frequently, to the point that such calls can dominate overall performance. TLDR, Kernel mode take more perf to run than exposing lib to all app. ^[33]

User namespaces isolate security-related identifiers and attributes, in particular, user IDs and group IDs. User namespaces can be nested; that is, each user namespace except the _initial ("root")_^[34]

Relocated VFS

Non-uniform memory access (NUMA) is a computer memory design used in multiprocessing, where the memory access time depends on the memory location relative to the processor. Under NUMA, a processor can access its own local memory faster than non-local memory.

IN LINUX, Linux divides the system’s hardware resources into multiple software abstractions called “nodes”. Linux maps the nodes onto the physical cells of the hardware platform, abstracting away some of the details for some architectures. As with physical cells, software nodes may contain 0 or more CPUs, memory and/or IO buses. And, again, memory accesses to memory on “closer” nodes–nodes that map to closer cells–will generally experience faster access times and higher effective bandwidth than accesses to more remote cells.

TLDR: Linux will bundle resources that are closer(faster) together to enhance performance.^[35]

The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem or network access) for a set of processes. added 5.13^[36]

Some applications may need to read or write data to multiple buffers, which are separated in memory. Although this can be done easily enough with multiple calls to read and write, it is inefficient because there is overhead associated with each kernel call. Instead, many platforms provide special high-speed primitives to perform these _scatter-gather_ operations in a single kernel call.^[37]

x86 Page Attribute Table (PAT) allows for setting the memory attribute at the page level granularity.

WB|Write-back

UC|Uncached

WC|Write-combined -> Take multiple small write to mem to burst it later to storage.

WT|Write-through

UC-|Uncached Minus^[38]

Input–output memory management unit (IOMMU) is a memory management unit (MMU) connecting a direct-memory-access–capable (DMA-capable) I/O bus to the main memory. Like a traditional MMU, which translates CPU-visible virtual addresses to physical addresses, the IOMMU maps device-visible virtual addresses (also called device addresses or memory mapped I/O addresses in this context) to physical addresses. ^[39]

An operating system used the Device Tree to discover the topology of the hardware at runtime, and thereby support a majority of available hardware without hard coded information. DT is often in the firmware on a board. ^[40]

Kernel page-table isolation fixes these leaks(Meltdown) by separating user-space and kernel-space page tables entirely. ^[41]

plug into kernel code that allows userspace to inject bpf program to run part of the code, the first implementation was a TCP congestion program but it is now a little bit everywhere. ^[42]

StackLeak is a subsystem made to add more security to kernel memory management. it helps protect against Stack depth overflow (CWE-674), Uninitialized Vars (CWE-457) and Info exposure (CWE-200). VERY SIMPLIFIED the wa y they do it is by making sure that the memory is always clear to a special "poison" value at the end of each syscall and on all uninitialized values.

https://youtu.be/5wIniiWSgUc?si=BdbvjGuuuQrXAGl6&t=233

SCHED_EXT

The generic CPU vulnerabilities support reports the various vulnerabilities and whether the running system/CPU is affected by the vulnerabilities and if so the mitigation status. This is conveniently exposed under _/sys/devices/system/cpu/vulnerabilities_ across x86/x86_64, ARM, AArch64, and other architectures. added riscV and loongarch in 6.12^[43]

added in 3.14, enables address space randomization for the Linux kernel image by randomizing where the kernel code is placed at boot time. ^[44]

A split lock is any atomic operation whose operand crosses two (CPU)cache lines. Since the operand spans two cache lines and the operation must be atomic, the system locks the bus while the CPU accesses the two cache lines.

A bus lock is acquired through either split locked access to writeback (WB) memory or any locked access to non-WB memory. This is typically 1000x of cycles slower than an atomic operation within a cache line. It also disrupts performance on other cores and brings the whole system to its knees.^[45]

Subsystem to manage errors with PCI devices and ECC memory

System management mode is an execution mode in x86 processors that can only be entered via an #System management interrupt (SMI). called Ring -2 or "Black box" as this code is not possible to debug/see while executed. ^[46]

System management interrupts are high priority unmaskable hardware interrupts which cause the CPU to immediately suspend all other activities, including the operating system, and go into a special execution mode called #System Management Mode (SMM). Once the system is in SMM, the interrupt is handled by firmware code. ^[46]

Subsystem that allows to passthrough HW to KVM or also allow data sockets #VirtIO Vsock

Vsock are data socket meant to replace network socket with better perf, by bypassing iptables, netfilter... all the network stuff that wouldn't be needed in a Host(Hypervisor)-guess context^[47]

Integrity Policy Enforcement (IPE) relies on immutable security properties of the system component and is engineered for fixed-function systems like network firewall devices, IoT platforms, etc, that are only ever running certain application-targeted code. TLDR only execute what is immutable to remove the possibility of foreign code breaking you system. ^[48]

RPMB is a several year old specification for having a portion of memory be more secure and accessed via a hidden security key. The RPMB block in eMMC can be used for matters like storing DRM protection keys, OEM security keys, and other information that can't -- for whatever legal or security reasons -- can't be stored via normal storage. RPMB aims to be tamper resistant and requires authentication for reads/writes. ^[49]

Code used to decompress the kernel at boot time ^[50]

Arm confidential computing side adds support for booting an ARM64 kernel as a protected guest under Android's Protected KVM "pKVM" hypervisor. History Android was always a fragmented mess but turns out the kernel and hypervisor world of android was even worst, every model had a different kernel and may have a hypervisor without any standard. There was some initiatives that were created to fix that, GKI Generic Kernel Image to standardize what a kernel for android should be and how a vendor can add to it. pKVM is the logical extension of that issue, we need to standardize the Hypervisor so lets add one. now there are security implications read >> ^{[52] [51]}

removed in 2.6.39 (2011) for finer-grained locking.

BKL was a kernel wide lock, in other words only one thread was able to operate in kernel space.^[53]

The shadow stack itself is a second, separate stack that "shadows" the program call stack. When needed, the shadow stack and main stack will compare each other, showing if an attack was attempted. Guarded Control Stack (GCS) is a type of Shadow Stack.^[54]

The main goal of virtio-mem is to allow for dynamic resizing of virtual machine memory. virtio-mem provides a flexible, cross-architecture memory hot(un)plug solution that avoids many limitations imposed by existing technologies, architectures, and interfaces: paravirtualized memory hot(un)plug.^[55]

Merged back at the start of the Linux 6.8 merge window were the VFS mount API updates that introduce two new system calls: statmount() and listmount() for reading more detailed information about file-system mounts. ^[56]

Rapid Virtualization Indexing (RVI) for AMD.

Extended Page Table (EPT) For Intel.

Stage-2 page-tables For ARM.

basicaly:

Non VM mem handling: process → Page table/TLB → Physical mem

VM mem handling: process → Page table/TLB(Guest) → Page table/TLB(Host) → Physical mem

The first solution to help that was:

Shadow page tables translate guest virtual addresses directly to host physical addresses. Each VM has a separate shadow page table and the hypervisor is in charge of managing them. While shadow page tables are faster than double translation, they are still expensive compared to not running in a virtual machine: every time a guest updates its page tables, it requires the hypervisor to also manage changes in the shadow tables.

Using a special extension the VM is able to directly translate guest to physical mem.

^[57]

The Time Stamp Counter (TSC) is a 64-bit register present on all x86 processors since the Pentium. It counts the number of CPU cycles since its reset. The instruction RDTSC returns the TSC in EDX:EAX.^[58]

Process ID, number unique to a process. at least inside of the same:

PID namespaces isolate the process ID number space, meaning that processes in different PID namespaces can have the same PID. PID namespaces allow containers to provide functionality such assuspending/resuming the set of processes in the container and migrating the container to a new host while the processes inside the container maintain the same PIDs.^[59]

The sysctl value that govern the max number of PID. was global before 6.14 but now Namespace specific.

Since Linux 5.1, pidfds have more or less allowed one to refer to a process using a file descriptor, making it possible to eliminate a set of race conditions and ambiguities.^[60]

all moved to Mem Management

BPF

^[8], ^[9], ^[13] to ^[25]