New Features and Changes in UEK 8U1
The following new features, enhancements, and notable changes are introduced in UEK 8U1.
Kernel Version
UEK 8U1 is initially released with the 6.12.0-100.28.2 version of the kernel.
dmesg Hardening for Administrator Privileges
UEK 8U1 is built with the SECURITY_DMESG_RESTRICT flag enabled. Administrator privileges are now required to run the dmesg command when a system is running UEK 8U1.
This update hardens the system against unrestricted access to sensitive information about the system. Use the sudo command to gain administrator privileges when running dmesg.
If you urgently need to disable this restriction, you can run sudo sysctl kernel.dmesg_restrict=0 to temporarily disable the restriction. Or you can add the configuration entry in a system configuration file in the /etc/sysctl.d/ directory. The file name must end in .conf, because sysctl --system ignores other files in that directory:
    echo "kernel.dmesg_restrict = 0" | sudo tee /etc/sysctl.d/dmesg-restrict.conf
    sudo sysctl --system
Consider the security risk of disabling this restriction before doing so, and evaluate whether it might be better to resolve this requirement in another way.
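To audit for the override described above, the following added example (not from Oracle's documentation) lists every sysctl drop-in that sets kernel.dmesg_restrict and reports whether any of them sets it to 0. The function names and the sample directory are constructed for illustration, and /etc/sysctl.conf is not scanned.

```shell
#!/bin/sh
# Added example: find sysctl drop-ins that set kernel.dmesg_restrict.

# find_dmesg_overrides DIR...: print "file:value" for each *.conf file that
# sets the key. Files without the .conf suffix are skipped, as sysctl --system does.
find_dmesg_overrides() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            awk -v file="$f" '
                /^[ \t]*[#;]/ { next }            # skip comment lines
                {
                    line = $0
                    gsub(/[ \t]/, "", line)       # "key = value" -> "key=value"
                    sub(/^-/, "", line)           # a leading "-" only silences errors
                    n = split(line, kv, "=")
                    gsub("/", ".", kv[1])         # kernel/dmesg_restrict is the same key
                    if (n == 2 && kv[1] == "kernel.dmesg_restrict") print file ":" kv[2]
                }' "$f"
        done
    done
}

# weakened_dmesg DIR...: exit status 0 if any drop-in sets the value to 0.
weakened_dmesg() {
    find_dmesg_overrides "$@" | grep -q ':0$'
}

# Constructed sample: one effective drop-in and one file that is never loaded.
demo=$(mktemp -d)
printf 'kernel.dmesg_restrict = 0\n' > "$demo/99-dmesg.conf"
printf 'kernel.dmesg_restrict = 0\n' > "$demo/dmesg-restrict"
find_dmesg_overrides "$demo"
if weakened_dmesg "$demo"; then echo "dmesg restriction is overridden"; fi
rm -rf "$demo"
```

On a real host, pass the drop-in directories to the function, for example find_dmesg_overrides /etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d.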
Updated Drivers
Device drivers included in UEK 8U1 are aligned with the drivers in the upstream mainline Linux 6.12 kernel. A few notable updates are included where drivers include functionality or fixes available in later upstream kernel versions.
Many driver modules no longer track version information. Oracle works with vendors to align device drivers included in UEK 8U1 with the code available in upstream kernel versions.
Notable driver updates are presented in the following table:
| Driver Module | Driver Description | Aligned Kernel Version | Notable Updates |
|---|---|---|---|
| | Broadcom MegaRAID SAS Driver | 6.15 | Several fixes and improvements from 6.15 were backported in this release. Note that this driver includes a version string: 07.734.00.00-rc1 |
| | HPE MGA G200 SE Driver | 6.12 | Partner provided update for new iLO7 devices on HPE Gen12 servers. |
| | Broadcom MPI3 Storage Controller Device Driver | 6.15 | Several fixes and improvements from 6.15 were backported in this release. Note that this driver includes a version string: 8.13.0.5.50 |
| | Broadcom LSI MPT Fusion SAS 3.0 Device Driver | 6.15 | Several fixes and improvements from 6.15 were backported in this release. Note that this driver includes a version string: 52.100.00.00 |
Deprecated and Removed Features
The following features are deprecated, removed, or no longer supported in UEK 8U1:
Deprecated Features
- SHA-1 Algorithm
  The SHA-1 algorithm is deprecated in UEK 8U1 while in FIPS mode and will be removed in a future UEK release. The SHA-1 algorithm has been retired by the National Institute of Standards and Technology (NIST) because the SHA-1 hash algorithm is no longer considered secure. See Oracle Linux release notes for more details on SHA-1 usage and deprecation.
- Kernel modules moved to the kernel-uek-modules-deprecated package are now deprecated.
  These modules might be removed in a future release of UEK.
  See UEK 8 Module Deprecations (x86_64) and UEK 8 Module Deprecations (aarch64) for a detailed listing.
- cgroupsv1 is deprecated
  cgroupsv1 is deprecated in Oracle Linux 9 and is removed in Oracle Linux 10.
- XFS_SUPPORT_V4 is deprecated
  The V4 file system format contains known weaknesses in the on-disk format. Therefore, the option is deprecated in UEK 8U1 and will be removed in a future UEK release.
  You can check whether the file system is formatted to use V4 by running the xfs_db -r -c version <device> command.
  If the feature is enabled, you must back up data, reformat the device, and restore data.
- XFS_SUPPORT_ASCII_CI is deprecated
  The XFS ASCII case-insensitive name feature is deprecated in UEK 8U1 and will be removed in a future UEK release. The feature provided an option to format an XFS file system with the ascii-ci option enabled to disable case-sensitivity.
  You can check whether the feature is enabled by using the xfs_info command.
  If the feature is enabled, you must back up data, reformat the device with the option disabled, and restore data.
- CONFIG_SECURITY_SELINUX_DISABLE and CONFIG_SECURITY_WRITABLE_HOOKS options are disabled
  The option to disable SELinux at runtime by using the sysfs interface is removed in this UEK release.
  The preferred method of disabling SELinux is by using the selinux=0 boot parameter.
Removed Features
- Unrestricted access to the kernel ring buffer is removed.
  Unprivileged access to the kernel ring buffer through the dmesg command output is removed in this release. Use the sudo command to escalate to administrator privileges when running the dmesg command. See dmesg Hardening for Administrator Privileges.
- CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_DES option for 3DES/DES3 RPCSEC GSS encryption types is disabled
  The RPCSEC GSS encryption types DES and Triple-DES (3DES/DES3) are removed in this UEK release.
  These encryption types were deprecated by RFCs 6649 and 8429 because they're known to be insecure.
- CONFIG_NFS_V2 and CONFIG_NFSD_V2 options for NFSv2 client and server are disabled
  Support for NFSv2 clients and NFSv2 servers is removed in this UEK release.
  NFSv2 has long been replaced by NFSv3 and NFSv4, which offer improved functionality, performance, and security.
- CONFIG_NFS_DISABLE_UDP_SUPPORT option for NFSv3 over UDP is enabled
  Support for NFS version 3 over the UDP network protocol is removed in this UEK release.
  Modern NFS/RPC over TCP and RDMA implementations provide better performance than UDP, and provide reliable ordered delivery of data combined with congestion control.
  Note that NFSv4 is already not supported over UDP, for the same reasons.
- CONFIG_STAGING option is disabled
  The CONFIG_STAGING kernel configuration option is disabled in UEK 8U1. The kernel option made available drivers that don't necessarily meet the highest kernel quality level and which were available for test use. The option was deprecated in UEK R7 and is removed in UEK 8U1.
- CONFIG_IXGB option is disabled
  The CONFIG_IXGB option for Intel PRO/10GbE hardware is removed in this UEK release.
- crashkernel=auto removed
  The crashkernel=auto option was deprecated in UEK R7 and unsupported for Oracle Linux 9. The kernel option is removed in UEK 8U1. For more information about configuring the crashkernel setting on Oracle Linux, see Managing Kernels and System Boot on Oracle Linux.
- CONFIG_IP_NF_TARGET_CLUSTERIP option is disabled
  The CONFIG_IP_NF_TARGET_CLUSTERIP option that allowed you to build load-balancing clusters of network servers without a dedicated load-balancing router or switch is removed in favor of functionality already in Netfilter cluster match.
- CONFIG_EFI_VARS option disabled
  The CONFIG_EFI_VARS option that provided the efivars sysfs interface to configure UEFI variables is removed from this release of UEK. Replacement functionality has been present in the kernel since 2012. For more information, see https://www.kernel.org/doc/html/latest/filesystems/efivarfs.html.
- Firewire driver removed
  The CONFIG_FIREWIRE option is disabled in this UEK release.
- Several Network Scheduler Modules Removed
  The following network scheduler modules were deprecated in UEK R7 and are now removed in UEK 8U1:
  - cls_tcindex
  - cls_rsvp
  - sch_dsmark
  - sch_atm
  - sch_cbq
- resilient_rdmaip Module Removed
  The resilient_rdmaip module was deprecated in UEK R7 and is now removed.
- oracleasm Kernel Module Removed
  The oracleasm kernel module is removed in UEK 8U1. Note that this module continues to be supported in the UEK R5 and UEK R6 releases.
  Oracle ASMLib continues to be supported using io_uring interfaces. See Oracle Linux: Installing and Configuring Oracle ASMLIB v3 for more information.
- sundance Kernel Module Removed
  The DLink Sundance (ST201), sundance, driver is removed in UEK 8U1. The module was removed in the upstream kernel because it was unmaintained.
- cpu5_wdt Kernel Module Removed
  The cpu5_wdt watchdog driver is removed in UEK 8U1. The module was removed in the upstream kernel because it had several issues that were unresolved and lacked maintenance.
- i2c-amd756-s4882 and i2c-nforce2-s4985 Kernel Modules Removed
  The i2c-amd756-s4882 and i2c-nforce2-s4985 legacy muxing drivers are removed in UEK 8U1. The modules were removed in the upstream kernel because they're old and contain technically inaccurate code.
- CONFIG_CRYPTO_OFB and CONFIG_CRYPTO_CFB cryptographic modes
  The CFB (Cipher Feedback) mode (NIST SP800-38A) used for TPM2 cryptography and the OFB (Output Feedback) mode (NIST SP800-38A) used to turn a block cipher into a synchronous stream cipher are removed in UEK 8U1, to align with upstream changes.
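Before a host moves to UEK 8U1, several of the deprecations and removals listed above can be checked against its current state. The following added example (not Oracle tooling) scans /proc/mounts-format text for cgroups v1, NFSv2 and NFS over UDP mounts, the kernel command line for crashkernel=auto, and xfs_info output for ascii-ci=1. It also treats crc=0 in xfs_info output as the V4 format indicator, which goes beyond the xfs_db command named on this page; function names, finding labels and sample data are constructed.

```shell
#!/bin/sh
# Added example: flag settings that this page lists as deprecated or removed.

# audit_mounts FILE: FILE is in /proc/mounts format.
audit_mounts() {
    awk '
    $3 == "cgroup" { print "cgroup-v1 " $2 }      # v2 mounts have type cgroup2
    $3 == "nfs" {                                 # NFSv4 mounts have type nfs4
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            # Compare whole options so mountproto=udp is not read as proto=udp.
            if (opt[i] == "vers=2" || opt[i] == "nfsvers=2") print "nfs-v2 " $2
            if (opt[i] == "proto=udp" || opt[i] == "proto=udp6") print "nfs-udp " $2
        }
    }' "$1"
}

# audit_cmdline "STRING": STRING is the content of /proc/cmdline.
audit_cmdline() {
    printf '%s\n' "$1" | awk '
    { for (i = 1; i <= NF; i++) if ($i == "crashkernel=auto") print "crashkernel-auto" }'
}

# audit_xfs_info: reads xfs_info output on stdin.
audit_xfs_info() {
    awk '
    { for (i = 1; i <= NF; i++) {
        f = $i; sub(/,$/, "", f)                  # fields may carry a trailing comma
        if (f == "ascii-ci=1") print "xfs-ascii-ci"
        if (f == "crc=0") print "xfs-v4"          # V5 file systems report crc=1
    } }'
}

# Constructed sample input, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,memory 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid 0 0
filer:/a /mnt/a nfs rw,vers=3,proto=tcp,mountproto=udp 0 0
filer:/b /mnt/b nfs rw,vers=3,proto=udp,mountproto=udp 0 0
filer:/c /mnt/c nfs4 rw,vers=4.2,proto=tcp 0 0
EOF
audit_mounts "$sample"
audit_cmdline "ro crashkernel=auto quiet"
rm -f "$sample"
```

On a live system the inputs would be /proc/mounts, the content of /proc/cmdline, and the output of xfs_info for each XFS mount point.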