Preparatory patches: github.com/NVIDIA/open-...

Full Kbuild support: github.com/NVIDIA/open-...

#grsecurity compatibility: github.com/NVIDIA/open-...

Today, Mathias Krause of our team has submitted patches for the NVIDIA open gpu kernel modules that implement full Kbuild support, paving the way for CFI, KASAN/UBSAN, and our many compiler plugins.

Running AI workloads with NVIDIA GPUs no longer means weakening kernel security.

Links below 👇️

Our 6.18 #grsecurity LTS release, to be supported through at least the end of 2028, is now available!

Just sent out our year end wrap-up mail to customers. It's a bit bigger than usual, so grab yourself some Swiss Miss and enjoy!

If you didn't receive it, but should have, just reach out and we'll make sure you're on the list.

Happy holidays!

6.18 has been selected as the next #grsecurity stable kernel version, to be supported through the end of 2028, one year longer than the upstream LTS EOL date of Dec 2027.

Quick reminder that our 6.8 short-term stable kernel goes EOL at the end of this month. Some stats: over the period of a year, it included over 1500 security/stability-relevant backports.

Nice demo: tested a vulnerable Ubuntu 22.04 system for glibc CVE-2025-4802 using Solar Designer's PoC adapted to Ubuntu (replace any occurrence of "myhostname" with "mdns4_minimal"). Even an old #grsecurity 5.4.96 kernel from February 8 2021 prevented exploitation

It's now available!

We expect our 6.13 #grsecurity beta to be available within the next two weeks.

AMD: Microcode Signature Verification Vulnerability ### Summary Google Security Team has identified a security vulnerability in some AMD Zen-based CPUs. This vulnerability allows an adversary with local administrator privileges (ring 0 from outside...

github.com/google/secur...

Our 6.12 #grsecurity beta is now available to beta testers for testing

Slides for Pawel's H2HC presentation this month on the TLB are now available on grsecurity.net/papers
If you've never heard of "paging-structure caches" before, check it out!

We need to post a correction to yesterday's eBPF performance numbers:
Mathias Krause wasn't happy with just a 30x speedup and took a look at one final bottleneck that was bothering him.
The speedup over vanilla is now 747x 🤯 (5.27s vs 1h5m40s)

Testcase fixes were sent upstream by Mathias Krause here: lore.kernel.org/bpf/20241104...

If you're curious, we also fixed the failing vanilla testcases, without which the speedup would have appeared even larger than 30x. Every grsecurity option really means every single one, including RAP, PRIVATE_KSTACKS, KERNEXEC, UDEREF, AUTOSLAB, KERNSEAL, etc.

Performance isn't the enemy of security: we care about both. Today's patches finish off a set of security/performance improvements to eBPF. Below we show a ~30x speedup vs vanilla in running the eBPF selftests with every single #grsecurity option enabled!

Johannes Wikner has published a detailed walkthrough of the first cross-process Spectre exploit against a real target, an attack he developed in part during his internship with us last year.
Check it out here: grsecurity.net/cross_proces...

A new version of paxctld (1.2.6) is now available for download!