New Features and Changes UEK 8

The following is a summary of the features, changes, and improvements that are introduced in UEK 8, relative to UEK R7:

• Linux 6.12 stable kernel base

  The 6.12 mainline kernel release that's used as the base kernel for UEK 8 includes many upstream kernel features and improvements over previous UEK releases and over RHCK on Oracle Linux 9.

• Kernel module packaging is updated

  Kernel modules are distributed in more atomic packages to reduce the attack surface on the kernel, to improve kernel module maintenance, and to also improve visibility of module deprecation. See Changes to UEK Content Distribution and Packaging for a complete view of kernel packaging in UEK 8.

• 64k Base Page Size on Arm

  In this release, a version of the kernel with a 64k base page size is available for Ampere Arm-based Compute shapes in Oracle Cloud Infrastructure only. The 64k base page size improves how Arm platforms process workloads with large, contiguous memory datasets. See (aarch64) 64k Base Page Size on Arm for more information.

• Other platform updates

  Several generic platform updates are included. See Generic Platform Updates. Some other Intel-specific platform updates are available, including security features such as Intel Software Guard Extensions and new hardware support for Intel Quick Assist Technology (QAT). See Intel Platform Updates.

• Completely Fair Scheduler (CFS) replaced by Earliest Eligible Virtual Deadline First (EEVDF)

  CFS is replaced by the EEVDF scheduler to improve scheduling behavior and to reduce configuration complexity. See EEVDF Scheduler Replaces CFS.

• Improved Memory Management

  Many memory management improvements appear in UEK 8, including several memory mapping optimizations, improvements to performance through the introductions of folio structures, and some enhancements to Huge Page handling. See Memory Management.

• File systems updates

  Support for the Btrfs and OCFS2 file systems is enabled in UEK 8. Significant enhancements are available for the Btrfs, XFS, and NFS file systems in this release. For more information about new file systems features that are introduced in UEK 8, see File Systems

• ASMLib v3 and io_uring

  Several io_uring enhancements are included in this release of UEK, which also supports ASMLib v3. ASMLib v3 uses io_uring for the Automatic Storage Management feature of the Oracle Database. See io_uring Enhancements and ASMLib v3.

• Networking updates

  Several general networking enhancements are included in UEK 8. See General Networking Enhancements.

• Security related updates

  Some other security related updates are included in this release of UEK, including some updates to the Random Number Generator help improve performance and security. See Random Number Generator Enhancements. The kernel TLS offload facility is enabled in UEK 8. See KTLS.

• Berkeley Packet Filter

  Several enhancements are available in the Berkeley Packet Filter (BPF) used for tracing, including a dedicated memory allocator, a new user ring buffer, and the use of resilient BPF Type Format (BTF) modules to use BTF for out-of-tree modules. See Berkeley Packet Filter (BPF) Enhancements.

• DTrace v2.0

  Dtrace v2.0 continues to be available in UEK 8 and leverages kernel tracing facilities such as eBPF. Detailed information about DTrace releases and other notable changes are available at Oracle Linux: DTrace Release Notes.

  .

The following table provides details about how UEK 8 content is distributed and packaged and includes information about package dependencies, and any other notable requirements.

rpm -q -l kernel-uek-modules-<ext>

rpm -q -f /lib/modules/$(uname -r)/<path to module>

sudo modprobe wl1251_sdio

modprobe: FATAL: Module wl1251_sdio not found in directory /lib/modules/6.12.0-0.20.20.el9uek.x86_64, 
ensure the following package is installed: kernel-uek-modules-wireless-6.12.0-0.20.20.el9uek.x86_64
      

For security hardening, we recommend that you remove any of the kernel-uek-modules-* packages that aren't required by the system. To remove packages:

1. Mark the core modules packages that you require on the system to prevent them from being removed. For example:

   sudo dnf mark install kernel-uek-core kernel-uek-modules

2. Remove the unused modules packages and the kernel-uek metapackage from the system:

   sudo dnf erase kernel-uek-modules-desktop kernel-uek

In addition to the standard build of UEK for Arm (aarch64), which sets a base 4k page size, a kernel-uek64k package that sets a 64k base page size is available for Ampere Arm-based Compute shapes in Oracle Cloud Infrastructure only. For use cases other than OCI, the kernel-uek64 package is available only as a technical preview. The kernel-uek64k package is available for Oracle Linux 9 and later.

The 64k page size kernel is a useful option for Ampere (Arm-based) platforms that process workloads with large, contiguous memory datasets, and can achieve better performance for some types of memory and CPU intensive operations.

The 4k page size kernel is useful for smaller environments, where minimizing physical system memory usage is a priority.

Note that the 4k page size kernel and 64k page size kernel don't differ in user experience as the user space is the same.

After a system is installed with kernel-uek64k switching to a 4k kernel page size is unsupported.

Some generic platform updates are available in UEK 8. Updates include:

• Split-lock detection for operations on memory that spans two cache lines, such as misaligned memory access. See also https://docs.kernel.org/arch/x86/buslock.html

• Shadow Stacks for user space, using x86's Control-flow Enforcement Technology (CET) to provide protection against return oriented programming attacks. This implementation works by maintaining a secondary stack using a special memory type that has protections against modification. See also https://docs.kernel.org/arch/x86/shstk.html.

• Call depth tracking is implemented to improve performance in the Retbleed security vulnerability mitigation code.

• x86 CPU bringup is updated so that secondary CPU cores are booted in parallel to improve kernel boot times on high core count systems.

• 32-bit emulation on x86_64 kernels with the ia32_emulation command-line parameter. When set to true, you can load 32-bit programs and run 32-bit system calls.

Some upstream Intel platform updates are included in UEK 8. Notable items include:

• Intel Software Guard Extensions (SGX2), a hardware-based implementation of Enclave Dynamic Memory Management (EDMM), is an enhanced version of a security technology that can protect sensitive data and code by isolating them in private memory regions called enclaves. SGX2 introduces new features such as dynamic memory management, so that enclaves can resize and manage their memory during runtime. This update is important for applications with dynamic workloads or larger memory requirements, that require a more scalable architecture. SGX2 provides robust confidentiality and integrity for sensitive workloads in both on-premises and cloud environments. See https://www.intel.com/content/www/us/en/support/articles/000058764/software/intel-security-products.html.

• Flexible Return and Event Delivery (FRED) userspace interrupts. See also https://docs.kernel.org/arch/x86/x86_64/fred.html.

• In-Field scan to help test CPU health by detecting problems that aren't caught by parity or ECC checks. See also https://docs.kernel.org/arch/x86/ifs.html.

• Quick Assist Technology (QAT) functionality is updated to support 4th Gen Intel Xeon processors.

• Linear address masking (LAM_U57 mode) to change the checking that's applied to 64-bit linear addresses, so that software can use untranslated address bits to store metadata. LAM_U57 can use 6 bits of metadata in bits 62 to 57.

Earliest Eligible Virtual Deadline First (EEVDF) is a new kernel scheduler that replaces the Completely Fair Scheduler (CFS). EEVDF provides a better scheduling policy for the kernel and reduces configuration complexity and improves scheduling behavior.

Several important memory management updates are available in UEK 8 with upstream changes that are included from v5.15 to v6.12.

• The folios data structure replaces struct page to provide better abstraction for the management of pages. Folios is a new data structure that represents one or more pages of memory. The new structure reduces type confusion and memory overhead.
• Huge Pages are improved with several useful updates, including:
  • Update to handle hugeTLB faults when using per-VMA locking. Memory management operations like page faults and memory mapping can be handled in a more fine-grained and efficient manner reducing contention and improving concurrency.
  • Multi-size THP for anonymous memory, which enables allocation of folios larger than the base page size but smaller than PMD size.
  • Split underused THPs, and improve THP=always policy. These changes improve overprovisioning of THPs in sparsely accessed memory areas.
  • MADV_DONTNEED madvise() flag works on hugetlb pages and can be useful for unmapping and freeing of private mapped hugetlb pages.
  • MADV_COLLAPSE madvise() flag collapses pages into a transparent huge page.
• Continued improvements to memory control groups code, memcg, to decouple v1 fields in the code from the v2 code base.
• A new sysfs interface, /proc/sys/vm/enable_soft_offline, is available so that you can disable the automatic soft-offlining of pages. This feature can be useful to manage page offlining from user space.

• Memory Mapping optimizations:

  • Maple Tree replaced Red-Black Trees (RB Trees) for managing virtual memory areas (VMAs) for better performance with faster lookups, inserts, and deletes.
  • Introduced a mechanism to name anonymous VMAs for improved debugging and profiling.
  • Per-VMA mmap locking to improve concurrency and reduce contention in multithreaded applications with many VMAs.
  • Introduction of the ptdesc data structure to optimize management of page tables by decoupling page metadata from the page data structure.

The following file systems features and enhancements are introduced in UEK 8:

Several important updates are available in UEK 8 for the Berkeley Packet Filter (BPF), including:

• Introduction of a dedicated BPF memory allocator is added to improve the reliability of allocations made within BPF programs, which can run in a wide variety of contexts.

• Addition of a new user ring buffer BPF map type for asynchronous message passing and faster data transfer between a BPF program and user space.

• BPF programs can now call kernel functions from a loadable module, can access and store task_struct objects, and can use absolute time values.

• Friendlier helper functions, such as bpf_trace_vprintk, and also destructive helpers such as crash_kexec, are included.

• BPF programs can attach filter functions to kfuncs. The filter can limit the contexts from which the kfunc can be invoked.

• Resilient BPF Type Format (BTF) information for modules is included so that out-of-tree modules can define BTF that works for the lifetime of a UEK release.

• BPF trampoline is now available for aarch64 platforms to provide faster BPF tracing program execution using Fentry and Fexit programs.

• BPF hooks:

  • To see and filter complete packets.

  • To change the requested protocol for a new socket, primarily to transparently cause programs requesting TCP connections to use multipath TCP instead.

io_uring is a system call interface to manage storage device asynchronous I/O operations. Several features and improvements are provided in the implementation that's available in UEK 8 and some of these might have been backported to previous UEK releases. Updates include many optimizations for security and performance. Significant new features and changes include:

• io_uring now supports sending and receiving T10 Protection Information along with the data buffer.

• Operations for getsockopt(), setsockopt(), bind(), listen() and waitid().

• Mechanism to omit system calls with IORING_SETUP_SQPOLL at setup time. A call to io_uring_enter() starts a kernel thread that occasionally polls the submission queue and automatically submits any requests found there.

• Batch request for recv() calls and for reads().

• IORING_OP_SENDZC to perform Zero-copy writes.

• Several Ring code optimizations:

  • Rings and submission queue can be in user space memory, such as huge pages.

  • One ring is now able to signal another to speed up message requests.

  • Ring related work can be deferred until an application asks for it.

• io_uring improvements in buffered writes, in XFS.

• io_uring optimization in XFS and Ext4 can handle multiple direct-I/O writes to a file in parallel.

• Absolute timeouts, along with the relative timeouts that were already available, are now possible.

ASMLib is a library for the Automatic Storage Management feature of the Oracle Database. ASMLib v3 takes advantage of the io_uring features included in the kernel to deliver high performance. UEK 8 is tested and fully supported with Oracle ASMLib v3.

Note that with this update, the oracleasm kernel module is no longer included, as Oracle ASMLib v3 no longer requires this module to work.

ASMLIB release 3.1 leverages the protection information passthrough enhancements added to io_uring in UEK 8. Through this interface CRC checksums can be attached to each I/O, providing an additional layer of protection against data corruption.

To use this feature, ASM disks must be provisioned on storage hardware which implements T10 Protection Information (SCSI controller with DIX support or NVMe).

See Oracle Linux: Installing and Configuring Oracle ASMLIB v3.

UEK 8 includes Remote Direct Memory Access (RDMA) features that are provided in the upstream kernel, with the addition of Ksplice and DTrace functionality. RDMA enables direct memory access between two systems that are connected by an InfiniBand or RoCE network. RDMA facilitates high-throughput and low-latency networking in clusters.

Oracle RDMA packages are available in the following ULN channels and yum repositories:

• Oracle Linux 10

  • ULN channel: ol10_x86_64_RDMA

  • Oracle Linux yum server repository: ol10_RDMA

• Oracle Linux 9

  • ULN channel: ol9_x86_64_RDMA

  • Oracle Linux yum server repository: ol9_RDMA

See Upgrading Oracle RDMA Packages on Oracle Linux if you're upgrading a system that has the oracle-rdma-release or oracle-rdma-release-guest package installed.

Some general networking enhancements are available in UEK 8 with upstream changes that are included from v5.15 to v6.12.

• BIG TCP, which uses bigger TSO/GRO packet sizes for IPv6 traffic, is included to improve the performance when sending large IPv6 TCP packets on data-center networks. Note that this feature isn't enabled by default because it can affect eBPF programs that might assume the TCP header immediately follows the IPv6 header. BIG TCP is enabled by setting the gro_ipv6_max_size and gso_ipv6_max_size on a link device.

• A new socket option SO_RESERVE_MEM is available to provide a mechanism for users to reserve a certain amount of memory for the socket. With this socket option set, the networking stack spends less cycles doing forward alloc and reclaim, which can lead to better system performance, with the cost of an amount of preallocated and irreclaimable memory, even under memory pressure.

• The fair queuing packet scheduler has gained several performance improvements, including a 5% throughput increase in intensive TCP Request/Response (TCP_RR) workload, and 13% increase for UDP packets without a pacing rate set on the socket.

• Several core networking data structures are reorganized for better cache efficiency that can result in TCP performance improvement in where the are many concurrent connections.

KTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. KTLS was enabled in UEK R7U3 for TLS encrypted connections for NFS. KTLS continues to be available in UEK 8.

RPC-With-TLS is enabled in the Linux NFS server and client. This update provides a standards-based peer authentication mechanism over an encrypted connection using TLS. The TLS Record protocol is handled entirely by kTLS.

Note that both the server and client systems must run UEK R7U3 or later, or must be running a kernel and user space client that supports RFC 9289, to use this functionality. The user space package, ktls-utils, is also required and must be installed on both the client and server systems. Also ensure that you have installed the most recent version of the nfs-utils package or that you have done a full system update.

RPC-With-TLS is contributed upstream by Oracle and is described in RFC 9289.

Some enhancements to the Random Number Generator (RNG) are available in UEK 8 with upstream changes that are included from v5.15 to v6.12. Most notably, RNG has switched from the SHA1 hash algorithm to the faster and more secure BLAKE2s algorithm.

Also, the getrandom() system call is now implemented in the kernel's virtual dynamic shared object (vDSO) area. This implementation improves performance when obtaining random number data by removing the need to switch from a user space context into the kernel context.

The following KVM and virtualization changes are included in this release of UEK 8:

• Two-Dimensional Paging (TDP) MMU support is added to significantly improve page fault performance on many-VCPU VMs. This functionality is enabled by default.

• The UEK 8 kernel configuration for VCPUs is increased to a theoretical limit of 4096. Note that the actual VCPU limit is use case specific and dependent on many factors including system and QEMU configuration.

Device drivers included in UEK 8 are aligned with the drivers in the upstream mainline Linux 6.12 kernel. A few notable updates are included where drivers include functionality or fixes available in later upstream kernel versions.

Many driver modules no longer track version information. Oracle works with vendors to align device drivers included in UEK 8 with the code available in upstream kernel versions.

Notable driver updates are presented in the following table:

The following features are deprecated, removed, or no longer supported in UEK 8: