The Linux Kernel TLS (KTLS) handles TLS records for the AES-GCM cipher. KTLS also provides the interface for offloading TLS record encryption to NICs that support this functionality.

OpenSSL 3.0 is able to use KTLS if the enable-ktls configuration option is used during compiling.

The updated gnutls packages can use KTLS for accelerating data transfer on encrypted channels. To enable KTLS, add the tls.ko kernel module using the modprobe command, and create a new configuration file /etc/crypto-policies/local.d/gnutls-ktls.txt for the system-wide cryptographic policies with the following content:

[global]
ktls = true

Note that gnutls doesn't permit you to update traffic keys through TLS KeyUpdate messages, which impacts the security of AES-GCM ciphersuites.

The socket API for TuneD maps one-to-one with the D-Bus API and provides an alternative communication method for cases where D-Bus isn't available. With the socket API, you can control the TuneD daemon to optimize the performance, and change the values of various tuning parameters. The socket API is disabled by default. You can enable it in the tuned-main.conf file.

The gpsd-minimal package is available as a technical preview. gpsd is a service daemon that mediates access to a GPS sensor connected to the host computer by serial or USB interface, making its data on the location, course, and velocity of the sensor available to be queried on TCP port 2947 of the host computer.

WireGuard is a VPN solution that has improved security features and is easily configurable.

Note that WireGuard is fully supported in UEK. See Oracle Linux: Configuring Virtual Private Networks for more information on using WireGuard on Oracle Linux.

The systemd-resolved service provides name resolution to local applications. Its components include a caching and validating DNS stub resolver, a Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder.

The hsr kernel module is included with RHCK to provide the following protocols as a technology preview:

• Parallel Redundancy Protocol (PRP)

• High-availability Seamless Redundancy (HSR)

In RHCK, complete IPsec encapsulation can be offloaded to a Network Interface Controller (NIC) to reduce workload. This functionality is offered as a technology preview.

Oracle Linux provides modem drivers in RHCK with limited functionality as a technology preview:

• Qualcomm MHI WWAM MBIM - Telit FN990Axx

• Intel IPC over Shared Memory (IOSM) - Intel XMM 7360 LTE Advanced

• Mediatek t7xx (WWAN) - Fibocom FM350GL

• Intel IPC over Shared Memory (IOSM) - Fibocom L860GL modem

Segment Routing over IPv6 (SRv6) is available as a technology preview in RHCK. SRv6 can improve traffic flows in edge computing and provides a mechanism to program network slicing and resource reservation.

Software Guard Extensions (SGX) from Intel® protects software code and data from disclosure and modification. The Linux kernel partially supports SGX v1 and SGX v1.5. Version 1 enables platofmrs by using the Flexible Launch Control mechanism to use the SGX technology.

Note that SGX is supported in UEK.

The driver is an Intel® CPU integrated accelerator and shares a work queue with process address space ID (pasid) submission and shared virtual memory (SVM).

Soft-iWARP (siw) is an Internet Wide-area RDMA Protocol (iWARP) software kernel driver. The driver implements the iWARP protocol suite over the TCP/IP network stack. The suite is implemented in software. Therefore, it doesn't require an RDMA hardware. The protocol suite enables a system with a standard Ethernet adapter to connect to an iWARP adapter or to another system that already has siw installed.

In this release, the DAX file system is available as a Technology Preview for the ext4 and XFS file systems. DAX enables an application to directly map persistent memory into its address space. The system must have some form of persistent memory available to use DAX. Persistent memory can be in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs). In addition, a file system that supports DAX must be created on the NVDIMMs; the file system must be mounted with the dax mount option. Then, an mmap of a file on the DAX mounted file system results in a direct mapping of storage into the application's address space.

The NVMe-oF Discovery Service features are defined in the NVMexpress.org Technical Proposals (TP) 8013 and 8014. To preview these features, install the nvme-cli 2.0 package and attach the host to an NVMe-oF target device that implements TP-8013 or TP-8014. For more information about TP-8013 and TP-8014, see the NVM Express 2.0 Ratified TPs from the https://nvmexpress.org/developers/nvme-specification/ website.

Note that NVMe-oF is supported in UEK.

The nvme-stas package, which is a Central Discovery Controller (CDC) client for Linux, handles the following functionalities:

• Asynchronous Event Notifications (AEN)

• Automated NVMe subsystem connection controls

• Error handling and reporting

• Automatic (zeroconf) and Manual configuration.

This package consists of two daemons, Storage Appliance Finder (stafd) and Storage Appliance Connector (stacd).

Non-Volatile Memory Express (NVMe) TP 8006, which is an in-band authentication for NVMe over Fabrics (NVMe-oF), is available as for technology preview. The NVMe Technical Proposal 8006 defines the DH-HMAC-CHAP in-band authentication protocol for NVMe-oF. For more information, see the dhchap-secret and dhchap-ctrl-secret option descriptions in the nvme-connect(1) manual page.

in-Band Authentication is fully available in UEK R7U2.

Although available, the io_uring asynchronous I/O interface is disabled by default. To enable the feature, set the kernel.io_uring_disabled variable to any one of the following values when running the sysctl command:

• 0: All processes can create io_uring instances as usual.

• 1: Creating io_uring is disabled for unprivileged processes. With this setting, the io_uring_setup fails with the -EPERM error. It only successfully completes if the calling process is privileged by the CAP_SYS_ADMIN capability. However, existing io_uring instances can still be used.

• 2 (default): Creating io_uring creation is disabled for all processes. With this setting, the io_uring_setup always fails with -EPERM. However, existing io_uring instances can still be used.

To use this feature, an updated version of the SELinux policy to enable the mmap system call on anonymous inodes is also required.

Note that io_uring support has been available in UEK from UEK R6U3.

jmc-core is a library that provides core APIs for Java Development Kit (JDK) Mission Control, including APIs for:

• Parsing and writing Java Flight Recording files

• Discovering Java Virtual Machines (JVMs) through the Java Discovery Protocol (JDP)

The owasp-java-encoder package provides a collection of high-performance low-overhead contextual encoders for Java.

The packages are available in the Oracle Linux 9 CodeReady Builder repository, which is unsupported, and which you must explicitly enable.

Nested KVM virtualization is provided as a technology preview for KVM virtual machines (VMs) running on Oracle Linux 9.

The Secure Encrypted Virtualization (SEV) feature is provided for AMD EPYC host machines that use the KVM hypervisor. It encrypts a virtual machine's memory and protects the VM from access by the host.

SEV's enhanced Encrypted State version (SEV-ES) encrypts all CPU register contents when a VM stops running, thus preventing the host from modifying the VM's CPU registers or reading any information from them.

Note that SEV is supported in UEK.

You can create KVM virtual machines on systems running on the Arm (aarch64) platforms using RHCK as a technical preview.

KVM is supported on aarch64 in UEK.

With the updated RHCK, Oracle Linux confidential virtual machines (VMs) can be deployed on Microsoft Azure. Through the availability of Unified Kernel Images (UKIs), you can boot encrypted confidential VM images on that cloud environment. The UKI is available as a kernel-uki-virt package in Oracle Linux 9 repositories.

Note that the Oracle Linux UKI can only be used in a UEFI boot configuration.

This functionality isn't yet available for UEK.