New Features and Changes in UEK 8U2
The following new features, enhancements, and notable changes are introduced in UEK 8.
Kernel Version
UEK 8U2 is initially released with version 6.12.0-200.74.27 of the kernel.
FIPS 140-3 Kernel Module Implementation
A new FIPS 140 standalone kernel module is available as part of an effort to redesign and shrink the FIPS 140-3 cryptographic module boundary by encapsulating a stable kernel crypto API within a standalone fips140.ko kernel module.
This change helps to provide separation between the cryptographic module and the rest of the kernel, so FIPS certification can be targeted to the cryptographic module used by the kernel. This implementation means that the cryptographic module boundary doesn't change each time the kernel is compiled, and provides greater confidence in the certification.
The new implementation embeds the fips140.ko module and its HMAC digest within the vmlinux kernel image after compilation. The HMAC is checked when the module is loaded, using the HMAC algorithm from within fips140.ko itself. The module and its digest are loaded into memory alongside the rest of the kernel by the boot loader when FIPS mode is enabled. These cryptographic components can easily be extracted from the kernel image for verification purposes.
This change is transparent and you continue to enable FIPS mode in the same way as before.
XFS Online Repair
XFS online file system repair is supported with UEK 8U2 and later. In this release, the experimental tag is removed from the tooling.
You can use this feature to check and repair XFS filesystems while they remain mounted and fully operational. XFS online repair can reduce downtime and improve maintainability for mission-critical and large-scale deployments.
XFS online file system repair is achieved using the xfs_scrub utility, which can detect and correct metadata corruption without requiring unmounting or disrupting active workloads. You can run xfs_scrub to systematically verify file system metadata such as inodes, directories, and allocation groups. When inconsistencies are detected, the tool provides options to perform targeted repairs while online.
To use this feature, ensure the system is running UEK 8 or later, and the latest XFS user-space tools.
See the xfs_scrub(8) manual page. See also https://docs.kernel.org/filesystems/xfs/xfs-online-fsck-design.html.
Memory Allocation Profiling
Memory allocation profiling is available in UEK 8U2. This feature tracks memory allocation to help when reviewing where memory is used and when tracking down memory leaks. The feature uses code tagging to track where memory was allocated, when allocated memory is freed, the number of allocations, and the amount of memory still in use.
The option is disabled by default but can be enabled at boot by using the boot parameter:
sysctl.vm.mem_profiling=1
You access runtime information for memory allocation profiling in /proc/allocinfo.
See https://docs.kernel.org/mm/allocation-profiling.html for more information. Note that the compressed option for memory allocation profiling isn't available in UEK 8U2.
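The snapshot format of /proc/allocinfo, as documented at the link above, is a version line, a "#" column header, and then one "<bytes in use> <live allocations> <file>:<line> func:<name>" line per call site. The following is an added C example, not part of these release notes, that parses constructed sample lines in that layout and picks out the call site holding the most live memory, which is the first thing to look at when hunting a leak; the sample values, including drivers/example/leaky.c, are made up.

```c
#include <stdlib.h>
#include <string.h>

/* One call site as reported by /proc/allocinfo. */
struct alloc_tag {
    unsigned long long bytes;   /* memory currently in use, allocated at this site */
    unsigned long long calls;   /* allocations at this site not yet freed */
    char site[128];             /* rest of the line: "<file>:<line> func:<name>" */
};

/* Parses one line in the documented "<bytes> <calls> <tag info>" layout. Returns 1 for a
 * data line, 0 for the version line, the "#" column header, or anything else unparsable. */
int parse_allocinfo_line(const char *line, struct alloc_tag *out)
{
    char *end;
    if (line == NULL || *line == '#') return 0;
    out->bytes = strtoull(line, &end, 10);
    if (end == line) return 0;              /* "allocinfo - version: 1.0" stops here */
    const char *p = end;
    out->calls = strtoull(p, &end, 10);
    if (end == p) return 0;
    while (*end == ' ' || *end == '\t') end++;
    size_t n = strcspn(end, "\n");
    if (n == 0 || n >= sizeof out->site) return 0;
    memcpy(out->site, end, n);
    out->site[n] = '\0';
    return 1;
}

/* Scans a snapshot and copies the site holding the most live memory into *best.
 * Returns that line's index, or -1 if no data line parsed. */
int largest_live_tag(const char *const *lines, int nlines, struct alloc_tag *best)
{
    struct alloc_tag cur;
    int best_idx = -1;
    for (int i = 0; i < nlines; i++)
        if (parse_allocinfo_line(lines[i], &cur) && (best_idx < 0 || cur.bytes > best->bytes)) {
            *best = cur;
            best_idx = i;
        }
    return best_idx;
}

/* Constructed snapshot in the /proc/allocinfo layout; not captured from a real system. */
const char *const sample_allocinfo[] = {
    "allocinfo - version: 1.0",
    "#     <size>  <calls> <tag info>",
    "         0        0 kernel/workqueue.c:3456 func:alloc_workqueue",
    "    655360     1280 drivers/example/leaky.c:42 func:leaky_alloc",
    "      4096        1 fs/kernfs/dir.c:615 func:__kernfs_new_node",
};
```

On a live system the same two functions can be fed the lines of /proc/allocinfo read with getline(); the site string is kept verbatim so module names or other trailing fields pass through unchanged.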
Lightweight Guard Pages
This release introduces lightweight guard pages which provide a way to mark regions of virtual memory so that they trigger segmentation faults (SIGSEGV) when accessed. This feature is important for thread stacks and userland memory allocators. The mechanism is designed to remove any memory overhead, by using guard markers rather than creating or splitting Virtual Memory Areas (VMAs).
Before lightweight guard pages, similar functionality was achieved by using mmap(.., PROT_NONE), which incurred memory overhead. As processes and threads scale up using this method, overhead increases. Additionally, memory that's mapped in this way remains unavailable for allocation to user processes. By using lightweight guard pages, the overhead is avoided and significant memory gains are achieved.
The update uses new madvise() commands:
- MADV_GUARD_INSTALL installs guard markers and removes existing mappings in the range. Installation applies to anonymous memory only, and isn't allowed for special, huge, or locked (mlock'ed) VMAs.
- MADV_GUARD_REMOVE removes only the guard markers, keeping any normal mappings untouched.
Guarded ranges persist over MADV_DONTNEED or MADV_FREE (guaranteed protection until removed), but are cleared with process teardown or explicit unmapping.
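The following added C example, not from the release notes, exercises the two commands described above: it installs a guard on the middle of three anonymous pages, confirms that touching it raises SIGSEGV, checks that MADV_DONTNEED leaves the guard in place, and then removes it. The MADV_GUARD_INSTALL (102) and MADV_GUARD_REMOVE (103) values are taken from the upstream uapi header for libc headers that predate them; on a kernel without the feature, madvise fails with EINVAL and the function reports -2.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <sys/mman.h>
#include <unistd.h>
#ifndef MADV_GUARD_INSTALL   /* values from the upstream uapi header, for older libc headers */
#define MADV_GUARD_INSTALL 102
#define MADV_GUARD_REMOVE 103
#endif
static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Returns 1 if reading *p raised SIGSEGV, 0 if the read succeeded. */
static int read_faults(volatile char *p)
{
    struct sigaction sa = { 0 }, old;
    int faulted = 1;
    sa.sa_handler = on_segv;
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0) { (void)*p; faulted = 0; }
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

/* Maps three anonymous pages and turns the middle one into a guard. Returns 1 if the
 * guard faults on access, survives MADV_DONTNEED and is gone after MADV_GUARD_REMOVE;
 * 0 if not; -2 if this kernel lacks guard-page madvise (EINVAL); -1 on other errors. */
int guard_page_demo(void)
{
    long page = sysconf(_SC_PAGESIZE);
    char *base = mmap(NULL, 3 * page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return -1;
    char *guard = base + page;
    int rc;
    if (madvise(guard, page, MADV_GUARD_INSTALL) != 0) {
        rc = (errno == EINVAL) ? -2 : -1;
    } else {
        int f_guard = read_faults(guard);          /* guard marker delivers SIGSEGV */
        int f_neigh = read_faults(base);           /* neighbouring page stays usable */
        madvise(base, 3 * page, MADV_DONTNEED);    /* must leave the guard in place */
        int f_dontneed = read_faults(guard);
        rc = madvise(guard, page, MADV_GUARD_REMOVE) != 0 ? -1
           : (f_guard && !f_neigh && f_dontneed && !read_faults(guard));
    }
    munmap(base, 3 * page);
    return rc;
}

int main(void) { return guard_page_demo() == 1 ? 0 : 1; }
```

The exit status is 0 only when the guard behaved as the release notes describe; a thread-stack or allocator implementation would place the guard at the end of each stack or arena in exactly this way, without the PROT_NONE mapping that used to cost a separate VMA.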
AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP)
AMD Secure Encrypted Virtualization (SEV) and AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) are key components in AMD's confidential computing technology. SEV is a hardware-based feature that encrypts the memory of virtual machines running on AMD EPYC processors, to protect the data of the VM from unauthorized access by the hypervisor host, even if the hypervisor host is compromised. SEV uses a dedicated encryption key for each VM, managed by the processor. SEV must be enabled in both the guest OS and the KVM hypervisor host to work.
On Oracle Linux 9 and Oracle Linux 10, UEK 8U2 includes guest and hypervisor support for SEV-SNP, which helps to prevent malicious hypervisor-based attacks such as data replay and memory remapping, among other vectors such as side channel attacks. SEV-SNP is available on AMD E4 based servers or later (Milan). This functionality requires the latest edk2-ovmf and qemu package versions.
Confidential computing using SEV-SNP is a technical preview feature when used outside of Oracle Cloud Infrastructure (OCI).
Intel Trust Domain Extensions (TDX)
Intel Trust Domain Extensions (TDX) is Intel's confidential computing technology used to provide Trusted Execution Environments. TDX is used to deploy virtual workloads in trust domains (TDs) to provide hardware-based isolation by managing and encrypting memory to maintain integrity and confidentiality of CPU states within TDs.
On Oracle Linux 9 and Oracle Linux 10, UEK 8U2 includes guest and hypervisor support for TDX.
See https://www.intel.com/content/www/us/en/developer/tools/trust-domain-extensions/overview.html for more information.
Confidential computing using TDX is a technical preview feature when used outside of OCI.
CIFS Client Can Create Special Files Including Symbolic Links in SMB Shares
The Common Internet File System (CIFS) client can create symbolic links (symlinks) that are recognized by Server Message Block (SMB), Network File System (NFS) and Windows Subsystem for Linux (WSL). Use the symlink=default|none|native|unix|mfsymlinks|sfu|nfs|wsl mount option to disallow creating symlinks or to select the type of symlinks that the client creates.
The client can also create other special files, including character devices, block devices, pipes, and sockets. These files are created as NFS or WSL reparse points by using the reparse=default|none|nfs|wsl mount option. To create native Windows sockets used by Windows applications on NTFS, use the nativesocket mount option.
Updated Drivers
Device drivers included in UEK 8U2 are aligned with the drivers in the upstream mainline Linux 6.12 kernel. A few notable updates are included where drivers include functionality or fixes available in later upstream kernel versions.
Many driver modules no longer track version information. Oracle works with vendors to align device drivers included in UEK 8U2 with the code available in upstream kernel versions.
Notable driver updates are presented in the following table:
| Driver Module | Driver Description | Aligned Kernel Version | Notable Updates |
|---|---|---|---|
| | AMD HSMP Platform Interface Driver | 6.18 | Updates from 6.18 were backported to this release. Primarily updates for AMD EPYC Zen6. |
| | Intel Ethernet Connection XL710 Network Driver | 6.12 | Added mdd-auto-reset-vf option. |
| | Intel Data Streaming Accelerator and In-Memory Analytics Accelerator Common Driver | - | Bug fix for accel-config enable-wq. |
| | Intel 10 Gigabit PCI Express Network Driver | - | Driver update for Intel E610 Series of network devices. |
| | Broadcom Emulex Fibre Channel HBA Driver | - | Driver update for Broadcom Emulex LPe37000/LPe38000 Series 32Gb/64Gb Fibre Channel Adapters (rev 11). Driver versioned at 14.4.0.12. |
| | NVIDIA 5th Generation Network Adapters (NVIDIA ConnectX series) Core Driver | 6.16 | Several fixes and improvements from 6.16 were backported in this release. |
Deprecated and Removed Features
The following features are deprecated, removed, or no longer supported in UEK 8:
Deprecated Features
- SHA-1, SHA-224, and SHA3-224 Algorithms
  The SHA-1, SHA-224, and SHA3-224 algorithms are deprecated in UEK 8 while in FIPS mode and will be removed in a future UEK release. These algorithms have been retired by the National Institute of Standards and Technology (NIST) because they're no longer considered secure. See the Oracle Linux release notes for more details on SHA-1 usage and deprecation.
- ECB Algorithm
  The ECB algorithm is deprecated in UEK 8U2 while in FIPS mode and will be removed in a future UEK release.
- 112-bit strength RSA2048 and ffdhe2048(dh) Algorithms
  112-bit strength RSA2048 and ffdhe2048(dh) algorithms are deprecated in UEK 8 while in FIPS mode and will be removed in a future UEK release.
- Kernel modules moved to the kernel-uek-modules-deprecated package are now deprecated
  These modules might be removed in a future release of UEK. See UEK 8 Module Deprecations (x86_64) and UEK 8 Module Deprecations (aarch64) for a detailed listing.
- cgroups v1 is deprecated
  cgroups v1 is deprecated in Oracle Linux 9 and is removed in Oracle Linux 10.
- XFS_SUPPORT_V4 is deprecated
  The V4 file system format contains known weaknesses in the on-disk format. Therefore, the option is deprecated in UEK 8U2 and will be removed in a future UEK release. You can check whether the file system is formatted to use V4 by running the xfs_db -r -c version <device> command. If the feature is enabled, you must back up data, reformat the device, and restore data.
- XFS_SUPPORT_ASCII_CI is deprecated
  The XFS ASCII case-insensitive name feature is deprecated in UEK 8 and will be removed in a future UEK release. The feature provided an option to format an XFS file system with the ascii-ci option enabled to disable case sensitivity. You can check whether the feature is enabled by using the xfs_info command. If the feature is enabled, you must back up data, reformat the device with the option disabled, and restore data.
- CONFIG_SECURITY_SELINUX_DISABLE and CONFIG_SECURITY_WRITABLE_HOOKS options are disabled
  The option to disable SELinux at runtime by using the sysfs interface is removed in this UEK release. The preferred method of disabling SELinux is by using the selinux=0 boot parameter.
- NLM file locking with NFSv3 is deprecated
  NLM file locking with NFSv3 is deprecated and might be removed in a future release. NLM file locking isn't available in NFSv4.
Removed Features
- Unrestricted access to the kernel ring buffer is removed
  Unprivileged access to the kernel ring buffer through the dmesg command output is removed in this release. Use the sudo command to escalate to administrator privileges when running the dmesg command.
- CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_DES option for 3DES/DES3 RPCSEC GSS encryption types is disabled
  The RPCSEC GSS encryption types DES and Triple-DES (3DES/DES3) are removed in this UEK release. These encryption types were deprecated by RFCs 6649 and 8429 because they're known to be insecure.
- CONFIG_NFS_V2 and CONFIG_NFSD_V2 options for NFSv2 client and server are disabled
  Support for NFSv2 clients and NFSv2 servers is removed in this UEK release. NFSv2 has long been replaced by NFSv3 and NFSv4, which offer improved functionality, performance, and security.
- CONFIG_NFS_DISABLE_UDP_SUPPORT option for NFSv3 over UDP is enabled
  Support for NFS version 3 over the UDP network protocol is removed in this UEK release. Modern NFS/RPC over TCP and RDMA implementations provide better performance than UDP, and provide reliable ordered delivery of data combined with congestion control. Note that NFSv4 is already not supported over UDP, for the same reasons.
- CONFIG_STAGING option is disabled
  The CONFIG_STAGING kernel configuration option is disabled in UEK 8U2. The kernel option made available drivers that don't necessarily meet the highest kernel quality level and which were available for test use. The option was deprecated in UEK R7 and is removed in UEK 8.
- CONFIG_IXGB option is disabled
  The CONFIG_IXGB option for Intel PRO/10GbE hardware is removed in this UEK release.
- crashkernel=auto removed
  The crashkernel=auto option was deprecated in UEK R7 and unsupported for Oracle Linux 9. The kernel option is removed in UEK 8. For more information about configuring the crashkernel setting on Oracle Linux, see Managing Kernels and System Boot on Oracle Linux.
- CONFIG_IP_NF_TARGET_CLUSTERIP option is disabled
  The CONFIG_IP_NF_TARGET_CLUSTERIP option, which allowed you to build load-balancing clusters of network servers without a dedicated load-balancing router or switch, is removed in favor of functionality already in the Netfilter cluster match.
- CONFIG_EFI_VARS option disabled
  The CONFIG_EFI_VARS option that provided the efivars sysfs interface to configure UEFI variables is removed from this release of UEK. Replacement functionality has been present in the kernel since 2012. For more information, see https://www.kernel.org/doc/html/latest/filesystems/efivarfs.html.
- Firewire driver removed
  The CONFIG_FIREWIRE option is disabled in this UEK release.
- Several Network Scheduler Modules Removed
  The following network scheduler modules were deprecated in UEK R7 and are now removed in UEK 8U2:
  - cls_tcindex
  - cls_rsvp
  - sch_dsmark
  - sch_atm
  - sch_cbq
- resilient_rdmaip Module Removed
  The resilient_rdmaip module was deprecated in UEK R7 and is now removed.
- oracleasm Kernel Module Removed
  The oracleasm kernel module is removed in UEK 8. Note that this module continues to be supported in the UEK R5 and UEK R6 releases. Oracle ASMLib continues to be supported using io_uring interfaces. See Oracle Linux: Installing and Configuring Oracle ASMLIB v3 for more information.
- sundance Kernel Module Removed
  The DLink Sundance (ST201) driver, sundance, is removed in UEK 8. The module was removed in the upstream kernel because it was unmaintained.
- cpu5_wdt Kernel Module Removed
  The cpu5_wdt watchdog driver is removed in UEK 8. The module was removed in the upstream kernel because it had several unresolved issues and lacked maintenance.
- i2c-amd756-s4882 and i2c-nforce2-s4985 Kernel Modules Removed
  The i2c-amd756-s4882 and i2c-nforce2-s4985 legacy muxing drivers are removed in UEK 8U2. The modules were removed in the upstream kernel because they're old and contain technically inaccurate code.
- CONFIG_CRYPTO_OFB and CONFIG_CRYPTO_CFB cryptographic modes
  The CFB (Cipher Feedback) mode (NIST SP800-38A), used for TPM2 cryptography, and the OFB (Output Feedback) mode (NIST SP800-38A), used to turn a block cipher into a synchronous stream cipher, are removed in UEK 8U2 to align with upstream changes.