3 Technology Preview
The following items are available as technical previews in this release of Oracle Linux. Note that some items listed apply to Red Hat Compatible Kernel (RHCK) and might already be available in UEK.
KTLS
Oracle Linux 9 provides kernel Transport Layer Security (KTLS) as a technology preview.
The Linux Kernel TLS (KTLS) handles TLS records for the AES-GCM cipher. KTLS also provides the interface for offloading TLS record encryption to NICs that support this functionality.
OpenSSL 3.0 is able to use KTLS if the enable-ktls configuration option is used when compiling.
The updated gnutls packages can use KTLS for accelerating data transfer on encrypted channels. To enable KTLS, add the tls.ko kernel module using the modprobe command, and create a new configuration file /etc/crypto-policies/local.d/gnutls-ktls.txt for the system-wide cryptographic policies with the following content:
[global]
ktls = true
Note that gnutls doesn't permit you to update traffic keys through TLS KeyUpdate messages, which impacts the security of AES-GCM ciphersuites.
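The two gnutls steps above (load tls.ko, add the local.d drop-in) as a small script. This is an added example and not part of the Oracle Linux release notes; the directory argument of write_gnutls_ktls_policy is an assumption that lets the drop-in be written somewhere other than /etc for a dry run, and the final update-crypto-policies call is not spelled out in the notes but is how files in local.d are folded into the generated back-end configuration.

```shell
#!/bin/sh
# Added example, not from the Oracle Linux release notes: the KTLS steps for
# GnuTLS as shell functions.  The directory argument of
# write_gnutls_ktls_policy is an assumption so the drop-in can be written
# somewhere other than /etc for a dry run.

# Write the crypto-policies drop-in that enables KTLS for GnuTLS.
write_gnutls_ktls_policy() {
    dir="${1:-/etc/crypto-policies/local.d}"
    mkdir -p "$dir" || return 1
    printf '[global]\nktls = true\n' > "$dir/gnutls-ktls.txt"
}

# Succeed only if the tls kernel module is loaded (same data lsmod reads).
tls_module_loaded() {
    grep -q '^tls ' /proc/modules 2>/dev/null
}

# Full procedure, root required: load tls.ko, write the drop-in, then
# re-apply the current policy so the local.d file is picked up.  The notes
# do not spell out the regeneration step; re-running update-crypto-policies
# is how local.d files take effect.
enable_gnutls_ktls() {
    modprobe tls || return 1
    tls_module_loaded || return 1
    write_gnutls_ktls_policy /etc/crypto-policies/local.d || return 1
    update-crypto-policies --set "$(update-crypto-policies --show)"
}

# Usage (as root): sh enable-ktls.sh --apply
if [ "${1:-}" = "--apply" ]; then
    enable_gnutls_ktls
fi
```

Run without --apply the script only defines the functions, so write_gnutls_ktls_policy can be pointed at a scratch directory to inspect the drop-in before touching /etc. Remember the KeyUpdate caveat above when deciding whether AES-GCM suites are acceptable on a KTLS-enabled gnutls endpoint.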
SGX Available
Software Guard Extensions (SGX) from Intel® protects software code and data from disclosure and modification. The Linux kernel partially supports SGX v1 and SGX v1.5. Version 1 enables platforms that use the Flexible Launch Control mechanism to use SGX.
Note that SGX is supported in UEK.
DAX File System Available
In this release, the DAX file system is available as a Technology Preview for the ext4 and XFS file systems. DAX enables an application to directly map persistent memory into its address space. The system must have some form of persistent memory available to use DAX. Persistent memory can be in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs). In addition, a file system that supports DAX must be created on the NVDIMMs, and the file system must be mounted with the dax mount option. Then an mmap of a file on the DAX-mounted file system results in a direct mapping of storage into the application's address space.
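A practitioner relying on the direct mapping described above wants to confirm that the file really sits on a mount with the dax option before trusting that writes bypass the page cache. The following C program is an added example, not code from the Oracle Linux release notes: it parses /proc/mounts-format text to find the mount covering a path, checks its options for dax or dax=always (dax=never and dax=inode do not guarantee a direct mapping), and only then maps the file MAP_SHARED. The DAX_MOUNTS_SAMPLE text is constructed for illustration; the real run reads /proc/mounts.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/stat.h>

/* Constructed sample in /proc/mounts format (not from a real system). */
const char *const DAX_MOUNTS_SAMPLE =
    "/dev/pmem0 /mnt/pmem xfs rw,relatime,dax=always 0 0\n"
    "/dev/sda1 / xfs rw,relatime 0 0\n"
    "/dev/pmem1 /mnt/pmem2 ext4 rw,relatime,dax=never 0 0\n"
    "/dev/pmem2 /mnt/legacy ext4 rw,dax 0 0\n";

/* A mount options field enables DAX when it carries "dax" or "dax=always".
 * "dax=never" disables it and "dax=inode" only honours a per-inode flag, so
 * neither guarantees a direct mapping. */
int mount_opts_enable_dax(const char *opts)
{
    char buf[512];
    char *save = NULL, *tok;

    snprintf(buf, sizeof buf, "%s", opts);
    for (tok = strtok_r(buf, ",", &save); tok; tok = strtok_r(NULL, ",", &save))
        if (strcmp(tok, "dax") == 0 || strcmp(tok, "dax=always") == 0)
            return 1;
    return 0;
}

/* True when mp is "/" or a whole-path-component prefix of path. */
static int mountpoint_covers(const char *mp, const char *path)
{
    size_t n = strlen(mp);
    if (strcmp(mp, "/") == 0)
        return 1;
    return strncmp(path, mp, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* Find the longest mount point in mounts_text covering the absolute path.
 * Returns 1 if that mount enables DAX, 0 if not, -1 if no mount covers it. */
int path_is_on_dax_mount(const char *mounts_text, const char *path)
{
    char line[1024], mp[256], opts[512];
    size_t best = 0;
    int result = -1;
    const char *p = mounts_text;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;             /* truncate oversized lines */
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + (nl ? 1 : 0);
        if (sscanf(line, "%*s %255s %*s %511s", mp, opts) != 2)
            continue;
        if (mountpoint_covers(mp, path) && strlen(mp) >= best) {
            best = strlen(mp);
            result = mount_opts_enable_dax(opts);
        }
    }
    return result;
}

/* Check the real /proc/mounts, then map the file MAP_SHARED and touch the
 * first byte.  On a DAX mount the store goes to persistent memory without
 * the page cache; msync is still needed for durability unless MAP_SYNC is
 * used when creating the mapping. */
int main(int argc, char **argv)
{
    static char mounts[64 * 1024];
    struct stat st;
    FILE *f = NULL;
    size_t n;
    int fd, rc;
    char *map;

    if (argc != 2 || argv[1][0] != '/' || !(f = fopen("/proc/mounts", "r"))) {
        fprintf(stderr, "usage: %s /absolute/path/to/file\n", argv[0]);
        return 2;
    }
    n = fread(mounts, 1, sizeof mounts - 1, f);
    fclose(f);
    mounts[n] = '\0';
    rc = path_is_on_dax_mount(mounts, argv[1]);
    if (rc != 1) {
        fprintf(stderr, "%s: not on a DAX-enabled mount (rc=%d)\n", argv[1], rc);
        return 1;
    }
    fd = open(argv[1], O_RDWR);
    if (fd < 0 || fstat(fd, &st) < 0 || st.st_size == 0) {
        perror("open/fstat (file must exist and be non-empty)");
        return 1;
    }
    map = mmap(NULL, (size_t)st.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    map[0] = 'D';                              /* store lands in pmem directly */
    if (msync(map, (size_t)st.st_size, MS_SYNC) < 0)
        perror("msync");
    munmap(map, (size_t)st.st_size);
    close(fd);
    printf("%s is directly mapped from persistent memory\n", argv[1]);
    return 0;
}
```

The mount-point check matches whole path components, so a file under /mnt/pmemfoo is not mistaken for one under /mnt/pmem; when several entries cover a path the longest (most specific) mount point wins, which is what the kernel resolves too. Note that /proc/mounts escapes spaces in mount points as \040, which this parser does not decode.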
SEV and SEV-ES
The Secure Encrypted Virtualization (SEV) feature is provided for AMD EPYC host machines that use the KVM hypervisor. It encrypts a virtual machine's memory and protects the VM from access by the host.
SEV's enhanced Encrypted State version (SEV-ES) encrypts all CPU register contents when a VM stops running, thus preventing the host from modifying the VM's CPU registers or reading any information from them.
Note that SEV is supported in UEK.
WireGuard
WireGuard is a VPN solution that has improved security features and is easily configurable.
Note that WireGuard is fully supported in UEK. See Oracle Linux: Configuring Virtual Private Networks for more information on using WireGuard on Oracle Linux.