Canonical kernel engineer Juerg Haefliger has shared an update on Ubuntu support for the Lenovo ThinkPad X13s (Gen 1) laptop. The 13-inch Lenovo ThinkPad X13s is an ARM laptop powered by a Qualcomm Snapdragon 8cx (Gen 3) processor with an Adreno 690 GPU, 16 GB RAM, a 256 GB SSD, and a claimed ~28 hour battery life. It comes preloaded with Windows 11 Pro for ARM by default. Last year a quasi-official (albeit experimental) Ubuntu 23.10 install image was released for this device, spearheaded by Juerg and the engineering effort he’d made to support it. The ISO was made available to download from the […]
Media Progress is a new GNOME Shell extension that adds a real-time progress bar to the MPRIS notification/sound control doohickey that shows in the notification area. This extension doesn’t do anything else bar (heh) that, but as simple enhancements go it’s a nifty one. More than a mere indicator, the progress bar the extension adds is interactive and seekable. Click anywhere in the progress bar to jump to that position (which is handy if listening to something long, like a podcast or audiobook). As of writing the Media Progress extension supports GNOME 46. To use it you will need to be […]
With 12 years of support, Landscape 24.04 LTS adds snap and repository management controls to a modernised systems management web portal and API.
Screenshot of the new Landscape Dashboard
London, 30 April 2024.
Today Canonical announced the availability of Landscape’s first LTS release. Landscape 24.04 LTS features a new versioned API, a new web portal with accessibility and performance in mind, and intuitive controls for software distribution. Landscape 24.04 LTS comprises Landscape Server and Landscape Client. With a modernised backend and web portal in place, engineering teams can work efficiently, focusing on patches and new features.
Predictable release cadence and 12 years of support for LTS versions
Building on Canonical’s commitment to reliability, Landscape releases going forward will align with Ubuntu LTS and interim releases for predictable security coverage, feature patches, and bug fixes.
Landscape Server 24.04 can be installed on Ubuntu 22.04 LTS and Ubuntu 24.04 LTS releases with Ubuntu Pro. Landscape Server 24.04 is compatible with the previous four Ubuntu LTS releases (Ubuntu 16.04 LTS onwards), and will manage future Ubuntu releases including Ubuntu 26.04 LTS.
Like Ubuntu 24.04 LTS, this Landscape release gets a 12 year commitment for security maintenance and support. Landscape 24.04 LTS will get five years of bug fixes and incremental feature patches until August 2029. Ubuntu Pro subscribers can continue using Landscape 24.04 LTS after these 5 years for a total of 12 years, with the Legacy Support add-on.
A new web portal built with Canonical’s Vanilla Framework
Vanilla Framework provides consistent and uniform design patterns across Canonical’s products. Landscape joins MAAS, LXD UI, and others with a responsive React JS driven user interface. This web portal is built using a new versioned API serving JSON data. This API enhancement ensures seamless integration for developers, offering a forward-looking assurance that applications developed with a particular API version will remain robust and reliable, regardless of future updates to Landscape and its accompanying API endpoints.
The Monitoring feature from the legacy Landscape web portal has not yet been migrated to Landscape 24.04 LTS. Monitoring will arrive as an incremental patch for Landscape 24.04 LTS with a modern charting library, a monitoring API, and companion documentation.
Lastly, the web portal provides a significant improvement in Lighthouse scores for Accessibility. The dashboard’s accessibility scores as measured by Lighthouse improved from 70% to 95%. Landscape 24.04 LTS has a web portal which is accessible to users with deficiencies in colour vision, complete colour blindness, and other visual impairments.
Save terabytes in storage and bandwidth with point-in-time repository snapshots
An overview of the repository management experience in the new Landscape web portal.
Landscape’s new web portal includes an intuitive point-and-click repository mirroring experience, and the repository snapshot service is available as a source when mirroring repositories. In late 2023, Canonical became the first Linux provider to integrate a repository snapshot service with Microsoft Azure’s update mechanisms. Landscape 24.04 LTS brings this simplified and safe deployment practice capability on-premises, and to mixed and hybrid cloud environments.
Benefits of Landscape’s repository snapshot service include predictable updates, consistency across deployments, and simplified repository mirroring, providing improved resilience and security for Ubuntu workloads.
Beyond the conveniences afforded to system administrators, the repository snapshots implementation also saves over 100 terabytes of disk space and network throughput, for organisations making complete repository mirrors every week. Canonical’s on-demand repository snapshot capability extends back to February 2023 for non-ESM (Expanded Security Maintenance) repositories. This innovation frees storage and network resources, because scheduled mirroring and archival of these mirrors becomes unnecessary.
Snap management for Ubuntu and Ubuntu Core
Beyond managing Ubuntu interim and LTS releases, Landscape 24.04 LTS also manages Ubuntu Core, Canonical’s snap based, immutable and strictly-confined operating system. A strictly confined Landscape Client snap package provides snap package management, remote script execution, monitoring and inventory capabilities to Ubuntu, for anyone interested in consuming the latest Landscape Client as a snap package.
Snap management capabilities also exist in the Landscape Client Debian package, available in the Main repository for Ubuntu 24.04 LTS, and in ppa:landscape/self-hosted-24.04 for previous versions of Ubuntu.
Distribution of updated snap revisions is controlled through the Snap Store, which organisations can self-host as a snap store proxy, or as a brand store if there is a need to distribute proprietary non-public snaps within the organisation. Snap management in Landscape 24.04 LTS can add, remove, update, and pause updates from Snap Store, snap store proxy, and brand stores.
Landscape has historically provided fine grained management of Debian packages installed through the apt package manager. With Landscape 24.04 LTS, similar management capabilities arrive for snap packages, with consideration for revisions and channels, which are specific to the snap ecosystem. By default, snap packages self-update through transactional over-the-air updates, and have the ability to rollback automatically if the upgrade fails. Organisations and individuals interested in uniformity across machines can pin revisions of a snap to machines, and ensure consistency between machines that must be uniformly configured.
Canonical, the publisher of Ubuntu, provides open source security, support and services. Our portfolio covers critical systems, from the smallest devices to the largest clouds, from the kernel to containers, from databases to AI. With customers that include top tech brands, emerging startups, governments and home users, Canonical delivers trusted open source for everyone.
Canonical recently announced the release of Ubuntu 24.04 LTS, codenamed “Noble Numbat”. This update underscores Ubuntu’s ongoing commitment to enhancing performance and security, focusing on optimizing developer productivity. The latest version features an optimized Linux kernel 6.8 and significant system management upgrades as detailed in the release notes. In this blog post, we highlight the key features and improvements that Ubuntu 24.04 LTS brings to the table, specifically tailored for users of Microsoft/Azure.
Unified marketplace offering
Ubuntu 24.04 LTS introduces a consolidated Azure Marketplace experience. Easily find the official Ubuntu images created by Canonical and endorsed by Microsoft for Azure, all under a single offering: ubuntu-24_04-lts. This simplification aids your search and selection process, helping you choose the right image for your needs and ensuring optimal compatibility and performance. [Explore the Ubuntu 24.04 images on the Azure Marketplace].
Optimized for Azure
Ubuntu 24.04 LTS is finely tuned to enhance performance on Azure infrastructure, ensuring that the Ubuntu images are fully compatible and support the latest cloud features as they are released. This optimization boosts system efficiency, speed, and reliability. Integration with Azure Guest Patching and the Update Management Center facilitates streamlined and continuous system updates, thereby reinforcing the overall security and stability of Ubuntu deployments.
Enhanced developer toolchains
.NET 8 is fully compatible with Ubuntu 24.04 LTS from launch, being directly available through the official Ubuntu feeds. This synchronization with the .NET release cadence ensures developers have immediate access to the latest features and updates. Additionally, .NET 8 introduces streamlined package management and new Ubuntu container images, boosting development flexibility and deployment efficiency. (Read more in Microsoft’s blog post.)
The commitment to developer productivity also extends to other popular programming languages, including TCK-certified Java versions and the latest Rust toolchains, enhancing support and smoothing the development experience.
Confidential Computing
Ubuntu continues to lead in confidential computing with support for Confidential VMs, including capabilities for confidential AI. This is facilitated by utilizing advanced hardware security extensions such as AMD’s 4th Gen EPYC processors with SEV-SNP and NVIDIA H100 Tensor Core GPUs. These features help safeguard data at runtime from system vulnerabilities and unauthorized access, making them particularly suitable for AI training and inference involving sensitive information.
Windows Subsystem for Linux (WSL)
Ubuntu 24.04 LTS enhances its WSL integration using the same installer technology as Ubuntu Server. This update includes support for cloud-init, standardizing developer environments across installations and ensuring consistent and streamlined workflows.
Wrapping up
As we explore the capabilities of Ubuntu 24.04 LTS, Microsoft/Azure users will experience an integration that is tailored to current technological needs and equipped for upcoming developments. This version is supported for up to 12 years, providing a stable and reliable foundation that enterprises and developers can rely on for long-term projects and innovation.
Arriving alongside the main Ubuntu 24.04 LTS release are new versions of the official Ubuntu flavours, including Kubuntu, Xubuntu, and Ubuntu Cinnamon. What follows is a concise, top-level overview of the key new features and changes in some of the most popular Ubuntu flavours, plus the relevant download links to snag an ISO should you be tempted into trying a few flavours first-hand. Unless otherwise noted, all flavours share the same foundational footprint as the main release, e.g., Linux kernel, graphics drivers, tooling, etc. But some features, like the Flutter-based OS installer and the snap-centric App Center, aren’t used in […]
Among the many new features in Ubuntu 24.04 LTS is the ability to access your Microsoft OneDrive files through the Nautilus file manager. No 3rd-party app downloads, no dodgy scripts to run, and no paid plans to cough up for because this nifty feature is part of GNOME 46 (and available in any Linux distribution using it, not just the latest Ubuntu LTS). OneDrive file access works the same way as the (long-standing and popular) Google Drive integration: a Gvfs backend authorised through GNOME Online Accounts (via the Settings app), and then surfaced as an entry in the Nautilus sidebar. […]
After 6 frenzied months of development the final stable Ubuntu 24.04 LTS release has arrived and is available for download. Ubuntu 24.04 LTS (codenamed ‘Noble Numbat’) includes a rich array of new features ranging from an enhanced desktop installer and the latest GNOME desktop to gaming improvements and a new Linux kernel. As a long-term support release Ubuntu 24.04 LTS gets 5 years of select app updates, security fixes, kernel upgrades, and other buffs, and a further 5 years of extended security coverage via Ubuntu Pro. Plus, enterprise customers can buy an additional 2 years of coverage to make […]
Canonical’s 10th Long Term Supported release sets a new standard in performance engineering, enterprise security and developer experience.
London, 25 April 2024.
Today Canonical announced the release of Ubuntu 24.04 LTS, codenamed “Noble Numbat”, available to download and install from https://ubuntu.com/download.
Ubuntu 24.04 LTS builds on the advancements of the last three interim releases as well as the contributions of open source developers from around the world to ensure a secure, optimised and forward looking platform.
“Ubuntu 24.04 LTS takes a bold step into performance engineering and confidential computing to deliver an enterprise-grade innovation platform, supported for at least 12 years”, said Mark Shuttleworth, CEO of Canonical. “For developers we are delighted to announce TCK certified Java, an LTS for .NET and the latest Rust toolchain.”
Performance engineering tools pre-enabled and pre-loaded
Canonical is dedicated to raising the bar for quality and performance across the entire Ubuntu ecosystem.
Ubuntu 24.04 LTS delivers the latest Linux 6.8 kernel with improved syscall performance, nested KVM support on ppc64el, and access to the newly landed bcachefs filesystem. In addition to upstream improvements, Ubuntu 24.04 LTS has merged low-latency kernel features into the default kernel, reducing kernel task scheduling delays.
Ubuntu 24.04 LTS also enables frame pointers by default on all 64-bit architectures so that performance engineers have ready access to accurate and complete flame graphs as they profile their systems for troubleshooting and optimisation.
“Frame pointers allow more complete CPU profiling and off-CPU profiling. The performance wins that these can provide far outweigh the comparatively tiny loss in performance. Ubuntu enabling frame pointers by default will be a huge win for performance engineering and the default developer experience”, said Brendan Gregg, Computer Performance Expert and Fellow at Intel. Tracing with bpftrace is now standard in Ubuntu 24.04 LTS, alongside pre-existing profiling tools to provide site reliability engineers with immediate access to essential resources.
Integrated workload accelerators bring additional performance improvements. Canonical and Intel worked together to integrate Intel® QuickAssist Technology (Intel® QAT) for the first time ever in an LTS. Intel QAT enables users to accelerate encryption and compression in order to reduce CPU utilisation and improve networking and storage application performance on 4th Gen and newer Intel Xeon Scalable processors.
“Ubuntu is a natural fit to enable the most advanced Intel features. Canonical and Intel have a shared philosophy of enabling performance and security at scale across platforms”, said Mark Skarpness, Vice President and General Manager of System Software Engineering at Intel.
Increased developer productivity with LTS toolchains
Ubuntu 24.04 LTS includes Python 3.12, Ruby 3.2, PHP 8.3 and Go 1.22 with additional focus dedicated to the developer experience for .NET, Java and Rust.
With the introduction of .NET 8, Ubuntu is taking a significant step forward in supporting the .NET community. .NET 8 will be fully supported on Ubuntu 24.04 LTS and 22.04 LTS for the entire lifecycle of both releases, enabling developers to upgrade their applications to newer .NET versions prior to upgrading their Ubuntu release. This .NET support has also been extended to the IBM System Z platform.
“We are pleased about the release of Canonical Ubuntu 24.04 LTS and the increased performance, developer productivity, and security that it provides our joint customers,” said Jeremy Winter, Corporate Vice President, Azure Cloud Native. “Ubuntu is an endorsed Linux distro on Microsoft Azure, and an important component for many of Microsoft’s technologies, including .NET, Windows Subsystem for Linux, Azure Kubernetes Service, and Azure confidential computing. Microsoft and Canonical have a close engineering relationship spanning everything from update infrastructure in Azure to developer tooling, notably .NET 8 which is part of the Noble Numbat release from day one. We look forward to continuing our strong collaboration with Canonical to enhance developer productivity and provide a robust experience for Ubuntu on Azure.”
For Java developers, OpenJDK 21 is the default in Ubuntu 24.04 LTS while maintaining support for versions 17, 11, and 8. OpenJDK 17 and 21 are also TCK certified, which means they adhere to Java standards and ensure interoperability with other Java platforms. A special FIPS-compliant OpenJDK 11 package is also available for Ubuntu Pro users.
Ubuntu 24.04 LTS ships with Rust 1.75 and a simpler Rust toolchain snap framework. This will support the increasing use of Rust in key Ubuntu packages, like the kernel and Firefox, and enables future Rust versions to be delivered to developers on 24.04 LTS in years to come.
New management tools for Ubuntu Desktop and WSL
For the first time in an LTS, Ubuntu Desktop now uses the same installer technology as Ubuntu Server. This means that desktop administrators can now use image customisation tools like autoinstall and cloud-init to create tailored experiences for their developers. The user interface has also received a makeover, with a modern design built in Flutter.
For those managing mixed Windows and Ubuntu environments, the Active Directory Group Policy client available via Ubuntu Pro now supports enterprise proxy configuration, privilege management and remote script execution.
Canonical continues to invest in Ubuntu on Windows Subsystem for Linux (WSL) as a first class platform for developers and data scientists. Starting with Ubuntu 24.04 LTS, Ubuntu on WSL now supports cloud-init to enable image customisation and standardisation across developer estates.
Confidential computing on the cloud and private data centres
Confidential computing secures data at runtime from vulnerabilities within the host privileged system software, including the hypervisor. It also protects data against unauthorised access by infrastructure administrators. Today, Ubuntu offers the most extensive portfolio of confidential virtual machines, available across Microsoft Azure, Google Cloud, and Amazon Web Services.
Ubuntu is also the first and only Linux distribution to support confidential GPUs on the public cloud, starting with a preview on Microsoft Azure. Building on the silicon innovation of NVIDIA H100 Tensor Core GPUs and AMD 4th Gen EPYC processors with SEV-SNP, Ubuntu confidential VMs are ideal to perform AI training and inference tasks on sensitive data.
Ubuntu also supports confidential computing in private data centres. Thanks to a strategic collaboration between Intel and Canonical, Ubuntu now seamlessly supports Intel® Trust Domain Extensions (Intel® TDX) on both the host and guest sides, starting with an Intel-optimised Ubuntu 23.10 build. With no changes required to the application layer, VM isolation with Intel TDX greatly simplifies the porting and migration of existing workloads to a confidential computing environment.
12 years of support with new Ubuntu Pro add-on
To meet the needs of Canonical’s enterprise customers, Ubuntu 24.04 LTS gets a 12 year commitment for security maintenance and support. As with other long term supported releases, Noble Numbat will get five years of free security maintenance on the main Ubuntu repository. Ubuntu Pro extends that commitment to 10 years on both the main and universe repositories. Ubuntu Pro subscribers can purchase an extra two years with the Legacy Support add-on.
The 12 year commitment also applies to earlier Ubuntu releases, starting with 14.04 LTS. The LTS expansion offers benefits for individuals and organisations who want to gain even more stability while building on top of Ubuntu’s wide array of open source software libraries.
Canonical, the publisher of Ubuntu, provides open source security, support and services. Our portfolio covers critical systems, from the smallest devices to the largest clouds, from the kernel to containers, from databases to AI. With customers that include top tech brands, emerging startups, governments and home users, Canonical delivers trusted open source for everyone.
20 years in the making. Ubuntu 24.04 LTS brings together the latest advancements from the Linux ecosystem into a release that is built to empower open source developers and deliver innovation for the next 12 years.
The road to Noble Numbat has proven to be an exciting journey through successively ambitious interim releases, experimenting with new approaches to security (and tackling last minute CVEs), evolving our core desktop apps, and continuing our commitment to performance and compatibility across a wide array of hardware supported by the brand new Linux 6.8 kernel.
Whilst each LTS is a significant milestone, it’s never the final destination. We look forward to extending and expanding on what we’ve delivered today both within the lifecycle of Ubuntu 24.04 LTS and in future releases, always considering how we can live up to our mission, and the values of Ubuntu Desktop.
Let’s get into the details.
Rethinking provisioning
Addressing the fundamental issue of “how do I get Ubuntu on this machine?” is still one of our biggest priorities. Whilst today Ubuntu ships pre-installed on millions of desktops, laptops and workstations around the world thanks to our partnerships with OEMs like Dell, HP and Lenovo, more than ten times as many users install the operating system themselves each year. Here’s what we’re adding to simplify Ubuntu installations.
Unifying the stack
Over the last few interim releases we have aligned the underlying tech stack of the desktop installer to use the same Subiquity back end as Ubuntu server, creating a consistent codebase across both platforms to deliver feature parity and easier maintainability. This is complemented by a brand new front end built in Flutter which has been iterated on significantly over the past year to improve access to accessibility options, increase clarity on the user experience and deliver a polished and improved experience.
Additional encryption options
As part of this migration we’ve brought ZFS guided install back as a filesystem option and added support for ZFS encryption. We’ve also added improved guidance for dual-boot setups, particularly in relation to BitLocker. One major request from users has been support for hardware-backed full disk encryption and it makes its first appearance in an experimental form in Ubuntu 24.04 LTS. This implementation has certain limitations at launch which restrict its use to those devices that only require a generic kernel with no third party drivers or kernel modules, and does not currently support firmware upgrades. We intend to extend the hardware compatibility of this feature over time within the lifecycle of this release, with support for NVIDIA drivers as our first priority.
Integrated autoinstall
One of the most exciting new additions is the surfacing of autoinstall support in the graphical installer. Users or enterprises who want to create a customised, repeatable, automated installation flow can now provide the address of a local or remote autoinstall.yaml file and let Subiquity take over from there.
Check out this getting started tutorial to see how easy it is to automate user-creation, install additional apps and configure your filesystem in a format you can use across multiple machines.
This brings us a number of steps closer to the long term goal of zero touch provisioning, and we plan to add additional support for SSO authentication to access protected autoinstall files in a corporate environment at a later date.
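The tutorial linked above covers the same three tasks (user creation, extra packages, filesystem layout). As an added example, not the tutorial's file nor anything from the Subiquity project, the script below generates an autoinstall.yaml of the kind the graphical installer can fetch from a local or remote address. The identity password is stored as a SHA-512 crypt hash (autoinstall expects the hash, never plaintext), OpenSSH is installed with password login disabled and a single authorised key, and the guided LVM layout is selected. The `user-data` section is ordinary cloud-init, the same format the post says Ubuntu on WSL now consumes, and is applied to the installed system on first boot. Hostname, user name, public key and package list are placeholders; the file carries both the `#cloud-config` header and the `autoinstall:` key so it is accepted whether it is delivered as NoCloud user-data or fetched directly by the installer.

```shell
#!/bin/sh
# Added example (not from the Ubuntu blog post or Subiquity): generate an
# autoinstall.yaml with a hashed password, key-only SSH and a guided LVM layout.
# All identity values below are placeholders supplied by the caller.
set -eu

# SHA-512 crypt hash, so the YAML (which travels over the network and is
# readable in the installer environment) never contains the plaintext.
hash_password() {
  openssl passwd -6 "$1"
}

# write_autoinstall OUTFILE HOSTNAME USERNAME PASSWORD "ssh-ed25519 AAAA..."
write_autoinstall() {
  out=$1 host=$2 user=$3 pass=$4 pubkey=$5
  cat > "$out" <<EOF
#cloud-config
autoinstall:
  version: 1
  locale: en_GB.UTF-8
  keyboard:
    layout: gb
  identity:
    hostname: $host
    username: $user
    password: "$(hash_password "$pass")"
  ssh:
    install-server: true
    allow-pw: false
    authorized-keys:
      - "$pubkey"
  storage:
    layout:
      name: lvm
  packages:
    - git
    - build-essential
  # Plain cloud-init, run on first boot of the installed system.
  user-data:
    package_update: true
    timezone: Europe/London
EOF
}

# Returns 0 if the plaintext password leaked into the file (it must not).
contains_plaintext() {
  grep -q -- "$2" "$1"
}

# Demo with constructed values; a real key would replace the placeholder.
demo_autoinstall() {
  tmp=$(mktemp -d)
  write_autoinstall "$tmp/autoinstall.yaml" dev-01 deploy 'CorrectHorseBattery' \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyNotReal deploy@example'
  cat "$tmp/autoinstall.yaml"
  rm -rf "$tmp"
}
```

Serve the generated file over HTTP on the install network and give its URL to the installer, or place it alongside the ISO as NoCloud user-data. If `openssl` is unavailable, `mkpasswd -m sha-512` (from the whois package) produces the same hash format.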
New core apps
The new features don’t stop once you’ve installed Ubuntu Desktop. The new App Center (also Flutter-based) is another notable highlight, bringing a modern, more performant look to app discovery with clearer categories and application management functionality. Since its initial launch, the App Center now includes a new ratings service that allows users to vote on the quality of their apps and view an aggregated score from other users. These scores, combined with the other rich metadata available from the Snap Store, will make it easier for us to deliver additional discovery mechanisms such as top charts, most popular or recently updated.
While the App Center defaults to a snap-centric view to enable us to deliver these usability features, you can still use it to find and install deb packages via the search toggles.
As part of the new App Center development we’ve split out firmware updates into their own dedicated app. This not only allows a richer experience managing firmware but also improves performance since the old Ubuntu Software application would need to remain permanently running in the background to check for new firmware on previous releases.
GNEW GNOME
Ubuntu Desktop 24.04 LTS continues our commitment to shipping the latest and greatest GNOME with version 46. This release delivers a host of performance and usability improvements including file manager search and performance, expandable notifications and consolidated settings options for easier access.
As usual, Ubuntu builds on the excellent foundation provided by GNOME with a number of extensions and additions. The colour picker allows users to tailor their desktop highlights to their taste, triple buffering improves performance on Intel and Raspberry Pi graphics drivers and the addition of the Tiling Assistant extension enables quarter screen tiling support for better workspace management.
Consistent networking across desktop and server with Netplan 1.0
In Ubuntu 23.10 we included Netplan as the default tool to configure networking on desktop, unifying the stack across server and cloud where Netplan has been the default since 2016. This change enables administrators to consistently configure their Ubuntu estate regardless of platform. With the recent release of Netplan 1.0, all platforms also benefit from new features around wireless compatibility and usability improvements such as netplan status --diff.
It is important to note that Netplan does not replace NetworkManager and will not impact workflows that prefer the previous configuration methods. NetworkManager has bidirectional integration with Netplan, meaning changes made in either configuration are updated and reflected in both.
You can read more about this bidirectionality in Lukas’ previous blog. To find out what’s new in Netplan 1.0, check out his recent announcement.
Comprehensive GPO support with Active Directory
Ubuntu Desktop is highly prevalent in engineering and data science teams across enterprise, academic and federal institutions around the globe, whilst Windows remains the corporate OS of choice for other departments. Canonical’s Landscape is highly effective at monitoring, managing and reporting on the compliance of Ubuntu instances across desktop, server and cloud; however, desktop IT administrators are often looking for solutions that help them manage mixed Ubuntu and Windows devices.
On-premise Active Directory has been the preferred management tool for Windows administrators for many years, and still represents the majority share of organisations. User authentication against Active Directory on Linux has been standard for some time via the System Security Services Daemon (SSSD); however, in Ubuntu 22.04 LTS we introduced additional support for Group Policy Objects (GPOs), allowing further compliance configuration. Over the course of our interim releases this GPO support has been expanded to cover the majority of device and user policies requested by Active Directory administrators, including:
Privilege management and removal of local admins
Remote scripts execution
Managing apparmor profiles
Configuring network shares
Configuring proxy settings
Certificate autoenrollment
These come in addition to the pre-existing policies available on Ubuntu 22.04 LTS, delivering a best-in-class solution for administrators looking to empower their developers with Ubuntu Desktop.
Going forward, our attention is now turning to support third party cloud-based identity providers following a proof of concept implementation of Azure Active Directory enrollment in Ubuntu 23.04. We are currently in the process of expanding on the functionality delivered in that release as part of a new implementation and look forward to talking more about that in the near future.
Finally, for those developers who remain on Windows due to internal policy requirements, we are continuing to invest in enterprise tooling for Ubuntu on Windows Subsystem for Linux (WSL). Ubuntu 24.04 LTS supports cloud-init instance initialisation, enabling administrators to seed custom config files on their developer’s machines to create standardised Ubuntu environments. This is a more robust solution than existing import/export workflows and represents the first step toward future management and compliance tooling.
Secure software management in Ubuntu Desktop 24.04 LTS
Underneath the hood, Ubuntu 24.04 LTS also includes a number of security improvements for those developing and distributing software within the Ubuntu ecosystem. In Ubuntu 23.10 we landed a new version of software-properties that changed the way Personal Package Archives (PPAs) are managed on Ubuntu.
PPAs are a critical tool for development, testing and customisation, enabling users to install software from outside the official Ubuntu archives. This allows for a great deal of software freedom but also carries security risk: packages from a PPA install with the same privileges as any other package, and the PPA’s signing key becomes an authority your system trusts. In Ubuntu 24.04 LTS, PPAs are now distributed as deb822-formatted .sources files with their signing key embedded directly in the file’s Signed-By field. This establishes a 1:1 relationship between key and repository: APT will not accept a key added for one PPA as authentication for any other repository, and removing a repository also removes its key. In addition, APT now requires repositories to be signed using stronger public key algorithms.
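As an added example (not part of the Ubuntu blog post or the apt project), the script below builds a miniature /etc/apt tree with three constructed source definitions: a deb822 stanza that embeds its key in Signed-By, a deb822 stanza that omits Signed-By, and a legacy one-line .list entry whose key was dropped into trusted.gpg.d. It then audits the tree. A stanza without Signed-By and every keyring file under trusted.gpg.d count as findings, because those keys authenticate any repository rather than the one they were added for. A Signed-By that names a keyring path rather than an inline key is still scoped to its stanza, so the audit accepts both forms. PPA URIs and the key body are placeholders; point the audit function at /etc/apt to run it for real.

```shell
#!/bin/sh
# Added example, not from the Ubuntu release notes or apt: audit APT source
# definitions for key-to-repository binding. Sample files are constructed;
# the repository names and the armoured key body are placeholders.
set -eu

# Create a fake /etc/apt tree under $1 with one good and two bad definitions.
make_sample_apt_tree() {
  root=$1
  mkdir -p "$root/sources.list.d" "$root/trusted.gpg.d"

  # Good: deb822 stanza, key embedded in Signed-By (body shortened here).
  # A blank line inside a multi-line deb822 value is written as " .".
  cat > "$root/sources.list.d/example-ppa.sources" <<'EOF'
Types: deb
URIs: https://ppa.launchpadcontent.net/example/ppa/ubuntu/
Suites: noble
Components: main
Signed-By:
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 .
 Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=
 -----END PGP PUBLIC KEY BLOCK-----
EOF

  # Bad: deb822 stanza with no Signed-By, so apt falls back to the global keyring.
  cat > "$root/sources.list.d/unbound.sources" <<'EOF'
Types: deb
URIs: https://example.invalid/apt/
Suites: noble
Components: main
EOF

  # Bad: legacy one-line entry; its key can only live in the global keyring.
  echo 'deb https://example.invalid/legacy/ noble main' \
    > "$root/sources.list.d/legacy.list"
  : > "$root/trusted.gpg.d/legacy.gpg"
}

# Print one finding per line on stderr and the total count on stdout.
audit_apt_tree() {
  root=$1
  count=0
  for f in "$root"/sources.list.d/*.sources; do
    [ -e "$f" ] || continue
    # Paragraph mode (RS=""): each blank-line separated stanza is one record,
    # and newlines separate fields, so "Signed-By:" is a field when present.
    unbound=$(awk 'BEGIN { RS = "" }
      { f = 0; for (i = 1; i <= NF; i++) if ($i == "Signed-By:") f = 1; if (!f) n++ }
      END { print n + 0 }' "$f")
    if [ "$unbound" -gt 0 ]; then
      echo "UNBOUND  $f: $unbound stanza(s) without Signed-By" >&2
      count=$((count + unbound))
    fi
  done
  for f in "$root"/sources.list.d/*.list; do
    [ -e "$f" ] || continue
    echo "LEGACY   $f: one-line format cannot bind a key to this repository" >&2
    count=$((count + 1))
  done
  for k in "$root"/trusted.gpg.d/*; do
    [ -e "$k" ] || continue
    echo "GLOBAL   $k: trusted for every configured repository" >&2
    count=$((count + 1))
  done
  echo "$count"
}

# Demo against the constructed tree; returns the finding count (3 here).
demo_audit() {
  tmp=$(mktemp -d)
  make_sample_apt_tree "$tmp"
  audit_apt_tree "$tmp"
  rm -rf "$tmp"
}
```

On a real system run `audit_apt_tree /etc/apt`; a clean 24.04 install with PPAs added through add-apt-repository should report zero findings, while keys imported with the deprecated `apt-key add` show up under trusted.gpg.d.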
Unprivileged user namespace restrictions
Another significant security enhancement is the restriction of unprivileged user namespaces. These are a widely used feature of the Linux kernel that provide additional security isolation for applications that construct their own sandboxes, such as browsers, which then use that namespace to execute untrusted web content. So far so good; however, the ability to create unprivileged user namespaces exposes additional attack surface within the Linux kernel and has been a step in a significant number of exploits. In Ubuntu 24.04 LTS, AppArmor is now used to selectively control access to unprivileged user namespaces on a per-application basis, so that only applications with a legitimate need can use this functionality.
You can read more about this change as well as a range of other security enhancements to the latest Ubuntu release in the security team’s deep dive.
Improved proposed pocket
The proposed pocket is used as a staging area for software updates prior to their release to the wider Ubuntu user base. In the past this pocket has been an all-or-nothing experience, with users who opt in to updates from proposed needing to take all updates that were available. As a result the chance of introducing system instability was significantly increased, disincentivising those who wanted to provide testing support for specific features in advance of their wider availability.
In Ubuntu 24.04 LTS we have lowered the default apt priority of updates in “proposed” to allow users to specify exactly which packages they want to install and which they want to remain stable. This change is designed to increase the confidence of users who want to test specific features ahead of their general release.
Building the future, together
This brings us to the end of this deep dive into the motivations and decisions behind just some of the features of the latest Long Term Supported release of Ubuntu Desktop. It has been a challenging and exciting experience to see each of these building blocks come together over the last three interim releases. With Ubuntu Desktop 24.04 LTS our goal has been to build a platform ready to stand the test of time, and the foundation for your next, great open source project.
As always, the story continues. Thank you for joining us.
We’re excited about the upcoming Ubuntu 24.04 LTS release, Noble Numbat. Like all Ubuntu releases, Ubuntu 24.04 LTS comes with 5 years of free security maintenance for the main repository. Support can be expanded for an extra 5 years, and to include the universe repository, via Ubuntu Pro. Organisations looking to keep their systems secure without needing a major upgrade can also get the Legacy Support add-on to expand that support beyond the 10 years. Combined with the enhanced security coverage provided by Ubuntu Pro and Legacy Support, Ubuntu 24.04 LTS provides a secure foundation on which to develop and deploy your applications and services in an increasingly risky environment. In this blog post, we will look at some of the enhancements and security features included in Noble Numbat, building on those available in Ubuntu 22.04 LTS.
Unprivileged user namespace restrictions
Unprivileged user namespaces are a widely used feature of the Linux kernel, providing additional security isolation for applications, and are often employed as part of a sandbox environment. They allow an application to gain additional permissions within a constrained environment, so that a more trusted part of an application can use these additional permissions to create a more constrained sandbox in which less trusted parts are then executed. A common use case is the sandboxing employed by modern web browsers, where the (trusted) application itself sets up the sandbox in which it executes the untrusted web content. However, by providing these additional permissions, unprivileged user namespaces also expose additional attack surfaces within the Linux kernel. There has been a long history of (ab)use of unprivileged user namespaces to exploit various kernel vulnerabilities. The most recent interim release of Ubuntu, 23.10, introduced the ability to restrict the use of unprivileged user namespaces to only those applications which legitimately require such access. In Ubuntu 24.04 LTS, this feature has been improved both to cover additional applications, within Ubuntu and from third parties, and to provide better default semantics. In Ubuntu 24.04 LTS, creating an unprivileged user namespace is allowed for all applications, but access to any additional permissions within the namespace is denied. This allows more applications to handle the default restriction gracefully whilst still protecting against the abuse of user namespaces to gain access to additional attack surfaces within the Linux kernel.
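The per-application control described here (and in the Desktop deep dive above) is expressed as AppArmor policy, so the practical question for an administrator is which profiles on the system grant user namespace access. The script below is an added example, not code from the post or from the AppArmor project: it scans profile text for the `profile NAME ATTACHMENT [flags=(...)] {` header and for `userns` rules, and separates profiles that grant namespaces while otherwise leaving the application unconfined from profiles that grant them alongside real confinement. The three sample profiles follow the shape of the ones Ubuntu 24.04 ships under /etc/apparmor.d/ for such applications, but the names and paths are placeholders.

```python
"""Audit AppArmor profiles for applications allowed to create user namespaces."""
from __future__ import annotations

import re
from pathlib import Path

# Constructed sample profiles (placeholder names and paths, not shipped files).
SAMPLE_PROFILES = {
    # Grants namespace creation but otherwise leaves the program unconfined.
    "example-browser": """\
abi <abi/4.0>,
include <tunables/global>

profile example-browser /opt/example/browser flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/example-browser>
}
""",
    # Grants namespace creation inside a real, enforced profile.
    "example-sandbox": """\
abi <abi/4.0>,
include <tunables/global>

profile example-sandbox /usr/bin/example-sandbox {
  include <abstractions/base>
  userns,
  /usr/bin/example-sandbox mr,
  include if exists <local/example-sandbox>
}
""",
    # Confined, with no user namespace access at all.
    "example-tool": """\
abi <abi/4.0>,
include <tunables/global>

profile example-tool /usr/bin/example-tool {
  network inet stream,
  /usr/bin/example-tool mr,
  include if exists <local/example-tool>
}
""",
}

PROFILE_HEADER = re.compile(
    r"^\s*profile\s+(?P<name>\S+)\s+(?P<attach>\S+)"
    r"(?:\s+flags=\((?P<flags>[^)]*)\))?\s*\{",
    re.MULTILINE,
)
# Matches allow rules such as "userns," or "userns create,"; a "deny userns,"
# line or a commented-out rule does not start with the keyword and is ignored.
USERNS_RULE = re.compile(r"^\s*userns\b[^,]*,", re.MULTILINE)


def audit_profile(text: str) -> dict:
    """Summarise one profile file: who it attaches to, its flags and whether
    it grants user namespace creation."""
    header = PROFILE_HEADER.search(text)
    if header is None:
        raise ValueError("no 'profile NAME ATTACHMENT {' header found")
    flags = [f.strip() for f in (header.group("flags") or "").split(",") if f.strip()]
    grants_userns = USERNS_RULE.search(text) is not None
    return {
        "name": header.group("name"),
        "attachment": header.group("attach"),
        "flags": flags,
        "grants_userns": grants_userns,
        # unconfined + userns: namespaces are permitted but nothing else is mediated
        "userns_without_confinement": grants_userns and "unconfined" in flags,
    }


def audit_profiles(profiles: dict[str, str]) -> list[dict]:
    """Audit a mapping of file name -> profile text, skipping files that use
    the old header-less '/path {' style or are not profiles at all."""
    results = []
    for fname, text in profiles.items():
        try:
            results.append(dict(file=fname, **audit_profile(text)))
        except ValueError:
            continue
    return results


def load_system_profiles(directory: str = "/etc/apparmor.d") -> dict[str, str]:
    """Read the top-level profile files (abstractions/ and tunables/ are skipped)."""
    return {p.name: p.read_text(errors="replace")
            for p in sorted(Path(directory).iterdir()) if p.is_file()}


if __name__ == "__main__":
    try:
        profiles = load_system_profiles()
    except OSError:
        profiles = SAMPLE_PROFILES
    for entry in audit_profiles(profiles):
        if entry["grants_userns"]:
            mode = "unconfined" if entry["userns_without_confinement"] else "confined"
            print(f"{entry['file']}: {entry['attachment']} may create user namespaces ({mode})")
```

The distinction the report draws is the one that matters for least privilege: a `flags=(unconfined)` profile with a `userns,` rule restores the pre-23.10 behaviour for that one binary, whereas a `userns,` rule inside an enforced profile keeps the rest of the application's access mediated.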
Binary hardening
Modern toolchains and compilers have gained many enhancements to be able to create binaries that include various defensive mechanisms. These include the ability to detect and avoid various possible buffer overflow conditions as well as the ability to take advantage of modern processor features like branch protection for additional defence against code reuse attacks.
The GNU C library, used as the cornerstone of many applications on Ubuntu, provides runtime detection of, and protection against, certain types of buffer overflow cases, as well as certain dangerous string handling operations via the use of the _FORTIFY_SOURCE macro. FORTIFY_SOURCE can be specified at various levels providing increasing security features, ranging from 0 to 3. Modern Ubuntu releases have all used FORTIFY_SOURCE=2 which provided a solid foundation by including checks on string handling functions like sprintf(), strcpy() and others to detect possible buffer overflows, as well as format-string vulnerabilities via the %n format specifier in various cases. Ubuntu 24.04 LTS enables additional security features by increasing this to FORTIFY_SOURCE=3. Level three greatly enhances the detection of possible dangerous use of a number of other common memory management functions including memmove(), memcpy(), snprintf(), vsnprintf(), strtok() and strncat(). This feature is enabled by default in the gcc compiler within Ubuntu 24.04 LTS, so that all packages in the Ubuntu archive which are compiled with gcc, or any applications compiled with gcc on Ubuntu 24.04 LTS also receive this additional protection.
The Armv8-M hardware architecture (provided by the “arm64” software architecture on Ubuntu) provides hardware-enforced pointer authentication and branch target identification. Pointer authentication provides the ability to detect malicious stack buffer modifications which aim to redirect pointers stored on the stack to attacker controlled locations, whilst branch target identification is used to track certain indirect branch instructions and the possible locations which they can target. By tracking such valid locations, the processor can detect possible malicious jump-oriented programming attacks which aim to use existing indirect branches to jump to other gadgets within the code. The gcc compiler supports these features via the -mbranch-protection option. In Ubuntu 24.04 LTS, the dpkg package now enables -mbranch-protection=standard, so that all packages within the Ubuntu archive enable support for these hardware features where available.
AppArmor 4
The aforementioned unprivileged user namespace restrictions are all backed by the AppArmor mandatory access control system. AppArmor allows a system administrator to implement the principle of least authority by defining which resources an application should be granted access to and denying all others. AppArmor consists of a userspace package, which is used to define the security profiles for applications and the system, as well as the AppArmor Linux Security Module within the Linux kernel which provides enforcement of the policies. Ubuntu 24.04 LTS includes the latest AppArmor 4.0 release, providing support for many new features, such as specifying allowed network addresses and ports within the security policy (rather than just high level protocols) or various conditionals to allow more complex policy to be expressed. An exciting new development provided by AppArmor 4 in Ubuntu 24.04 LTS is the ability to defer access control decisions to a trusted userspace program. This allows for quite advanced decision making to be implemented, by taking into account the greater context available within userspace or to even interact with the user / system administrator in a real-time fashion. For example, the experimental snapd prompting feature takes advantage of this work to allow users to exercise direct control over which files a snap can access within their home directory. Finally, within the kernel, AppArmor has gained the ability to mediate access to user namespaces as well as the io_uring subsystem, both of which have historically provided additional kernel attack surfaces to malicious applications.
Disabling of old TLS versions
The use of cryptography for private communications is the backbone of the modern internet. The Transport Layer Security protocol has provided confidentiality and integrity to internet communications since it was first standardised in 1999 with TLS 1.0. This protocol has undergone various revisions since that time to introduce additional security features and avoid various security issues inherent in the earlier versions of this standard. Given the wide range of TLS versions and options supported by each, modern internet systems will use a process of auto-negotiation to select an appropriate combination of protocol version and parameters when establishing a secure communications link. In Ubuntu 24.04 LTS, TLS 1.0, 1.1 and DTLS 1.0 are all forcefully disabled (for any applications that use the underlying openssl or gnutls libraries) to ensure that users are not exposed to possible TLS downgrade attacks which could expose their sensitive information.
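Because the distribution now refuses TLS 1.0/1.1 in openssl and gnutls, the useful check on the client side is what a given application actually offers in its ClientHello, since that decides whether any downgrade below TLS 1.2 is even possible. The parser below is an added example, not code from the post or from OpenSSL: it decodes the record and handshake headers, walks past the random, session id, cipher suites and compression methods, and reads the supported_versions extension (RFC 8446) when present. The ClientHello messages it inspects are constructed by the helper in the same block, with zeroed random bytes and filler cipher suites rather than a real capture.

```python
"""Inspect which protocol versions a TLS ClientHello can negotiate."""
import struct

TLS_VERSION_NAMES = {
    0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
    0x0303: "TLSv1.2", 0x0304: "TLSv1.3",
}
EXT_SUPPORTED_VERSIONS = 43   # RFC 8446 section 4.2.1
MINIMUM_ACCEPTABLE = 0x0303   # TLS 1.2, the floor Ubuntu 24.04 enforces


def tls_name(version: int) -> str:
    return TLS_VERSION_NAMES.get(version, f"0x{version:04x}")


def build_client_hello(legacy_version: int, supported_versions=None) -> bytes:
    """Constructed ClientHello record for the demo (RFC 8446 section 4.1.2).
    The random and cipher suite list are filler, not a captured handshake."""
    body = struct.pack("!H", legacy_version)
    body += bytes(32)                                # random (zeroed for the demo)
    body += b"\x00"                                  # empty legacy_session_id
    suites = b"\x13\x01\xc0\x2f"                     # two filler cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                              # compression_methods: null only
    if supported_versions:
        vlist = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = bytes([len(vlist)]) + vlist
        exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext)) + ext
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return the versions a ClientHello could end up negotiating."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    (legacy_version,) = struct.unpack("!H", body[:2])
    pos = 2 + 32                                                # skip random
    pos += 1 + body[pos]                                        # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]        # cipher_suites
    pos += 1 + body[pos]                                        # compression_methods
    offered = []
    if pos < len(body):                                         # extensions are optional
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = data[0]
                offered = [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, n, 2)]
    if offered:
        # TLS 1.3 style: the list is authoritative; anything below 1.2 is a problem.
        allows_legacy = any(v < MINIMUM_ACCEPTABLE for v in offered)
    else:
        # Pre-1.3 style: the server may pick any version up to legacy_version, so
        # only the server's own floor keeps TLS 1.0/1.1 out of the handshake.
        allows_legacy = True
    return {
        "legacy_version": tls_name(legacy_version),
        "supported_versions": [tls_name(v) for v in offered],
        "explicit_versions": bool(offered),
        "allows_legacy": allows_legacy,
    }


if __name__ == "__main__":
    for label, hello in (
        ("modern client", build_client_hello(0x0303, [0x0304, 0x0303])),
        ("legacy client", build_client_hello(0x0301)),
    ):
        print(label, parse_client_hello(hello))
```

The `allows_legacy` field is deliberately pessimistic for a hello without supported_versions: such a client has not stated a floor, so whether TLS 1.0 or 1.1 gets negotiated is entirely up to the server, which is exactly the gap the library-level change in 24.04 closes.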
Upstream Kernel Security Features
Linux kernel v5.15 was used as the basis for the Linux kernel in the previous Ubuntu 22.04 LTS release. This provided a number of kernel security features including core scheduling, kernel stack randomisation and unprivileged BPF restrictions to name a few. Since that time, the upstream Linux kernel community has been busy adding additional kernel security features. Ubuntu 24.04 LTS includes the v6.8 Linux kernel which provides the following additional security features:
Intel shadow stack support
Modern Intel CPUs support an additional hardware feature aimed at preventing certain types of return-oriented programming (ROP) and other attacks that rely on maliciously corrupting the call stack. A shadow stack is a hardware-enforced copy of the return addresses on the stack that cannot be directly modified by the running program. When the processor returns from a function call, the return address from the stack is compared against the value from the shadow stack; if the two differ, the process is terminated to prevent a possible ROP attack. Whilst compiler support for this feature has been enabled for userspace packages since Ubuntu 19.10, it could not be used until it was also supported by the kernel and the C library. Ubuntu 24.04 LTS includes this additional support for shadow stacks, allowing the feature to be enabled when desired by setting the GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK environment variable.
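Setting the tunable is only half the story: a practitioner wants to confirm that the hardware and kernel support user-mode shadow stacks and that the feature is actually active (and locked) for a given process. The script below is an added example, not code from the post or from glibc: it checks /proc/cpuinfo for the `user_shstk` flag the kernel exposes when both CPU and kernel support are present, and parses the `x86_Thread_features` and `x86_Thread_features_locked` lines that the 6.x kernel adds to /proc/PID/status. The status and cpuinfo excerpts used as samples are constructed, not captured from a real machine.

```python
"""Check whether user-space shadow stacks are active for a process."""
from pathlib import Path

# Constructed excerpts of /proc/<pid>/status and /proc/cpuinfo (not real captures).
STATUS_SHSTK_ON = ("Name:\tdemo\nPid:\t4242\n"
                   "x86_Thread_features:\tshstk \n"
                   "x86_Thread_features_locked:\tshstk \n")
STATUS_SHSTK_OFF = ("Name:\tdemo\nPid:\t4243\n"
                    "x86_Thread_features:\t\n"
                    "x86_Thread_features_locked:\t\n")
STATUS_NO_FIELD = "Name:\tdemo\nPid:\t4244\n"        # older kernel: line absent
CPUINFO_WITH_SHSTK = "flags\t\t: fpu vme de pse user_shstk ibt\n"
CPUINFO_WITHOUT_SHSTK = "flags\t\t: fpu vme de pse\n"


def parse_thread_features(status_text: str) -> dict:
    """Read the x86 thread feature lines from /proc/<pid>/status text.
    'reported' is False when the kernel does not emit the field at all."""
    result = {"reported": False, "features": set(), "locked": set()}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key == "x86_Thread_features":
            result["reported"] = True
            result["features"] = set(value.split())
        elif key == "x86_Thread_features_locked":
            result["locked"] = set(value.split())
    return result


def shadow_stack_active(status_text: str) -> bool:
    return "shstk" in parse_thread_features(status_text)["features"]


def cpu_supports_user_shstk(cpuinfo_text: str) -> bool:
    """True when the kernel advertises user-mode shadow stack support."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return "user_shstk" in line.partition(":")[2].split()
    return False


def report(pid: str = "self") -> dict:
    """Live report for a process (Linux only); run under
    GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK to see the feature switch on."""
    status = Path(f"/proc/{pid}/status").read_text()
    cpuinfo = Path("/proc/cpuinfo").read_text()
    feats = parse_thread_features(status)
    return {
        "cpu_and_kernel_support": cpu_supports_user_shstk(cpuinfo),
        "kernel_reports_features": feats["reported"],
        "shstk_active": "shstk" in feats["features"],
        "shstk_locked": "shstk" in feats["locked"],
    }


if __name__ == "__main__":
    try:
        print(report())
    except OSError:
        print("no /proc on this system; sample:", parse_thread_features(STATUS_SHSTK_ON))
```

Note that `report("self")` describes the Python interpreter, which is only useful if the interpreter itself was started with the tunable; pass another process id to inspect a service that was.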
Secure virtualisation with AMD SEV-SNP and Intel TDX
Confidential computing represents a fundamental departure from the traditional threat model, where vulnerabilities in the complex codebase of privileged system software like the operating system, hypervisor, and firmware pose ongoing risks to the confidentiality and integrity of both code and data. Likewise, unauthorised access by a malicious cloud administrator could jeopardise the security of your virtual machine (VM) and its environment. Building on the innovation of Trusted Execution Environments at the silicon level, Ubuntu Confidential VMs aim to restore your control over the security assurances of your VMs.
For the x86 architecture, both AMD and Intel processors provide hardware features (named AMD SEV SNP and Intel TDX respectively) to support running virtual machines with memory encryption and integrity protection. They ensure that the data contained within the virtual machine is inaccessible to the hypervisor and hence the infrastructure operator. Support for using these features as a guest virtual machine was introduced in the upstream Linux kernel version 5.19.
Thanks to Ubuntu Confidential VMs, a user can make use of compute resources provided by a third party whilst maintaining the integrity and confidentiality of their data through the use of memory encryption and other features. On the public cloud, Ubuntu offers the widest portfolio of confidential VMs. These build on the innovation of both the hardware features, with offerings available across Microsoft Azure, Google Cloud and Amazon AWS.
For enterprise customers seeking to harness confidential computing within their private data centres, a fully enabled software stack is essential. This stack encompasses both the guest side (kernel and OVMF) and the host side (kernel-KVM, QEMU, and Libvirt). Currently, the host-side patches are not yet upstream. To address this, Canonical and Intel have forged a strategic collaboration to empower Ubuntu customers with an Intel-optimised TDX Ubuntu build. This offering includes all necessary guest and host patches, even those not yet merged upstream, starting with Ubuntu 23.10 and extending into 24.04 and beyond. The complete TDX software stack is accessible through this github repository.
This collaborative effort enables our customers to promptly leverage the security assurances of Intel TDX. It also serves to narrow the gap between silicon innovation and software readiness, a gap that grows as Intel continues to push the boundaries of hardware innovation with 5th Gen Intel Xeon scalable processors and beyond.
Strict compile-time bounds checking
Similar to the hardening of binaries within the libraries and applications distributed in Ubuntu, the Linux kernel itself gained enhanced support for detecting possible buffer overflows at compile time via improved bounds checking of the memcpy() family of functions. Within the kernel, the FORTIFY_SOURCE macro enables various checks in memory management functions like memcpy() and memset() by checking that the size of the destination object is large enough to hold the specified amount of memory, aborting the compilation if it is not. This helps to catch various trivial memory management issues, but previously was not able to properly handle more complex cases such as when an object was embedded within a larger object. This is quite a common pattern within the kernel, and so the changes introduced in the upstream 5.18 kernel version to enumerate and fix various such cases greatly improve this feature. Now the compiler is able to detect and enforce stricter checks when performing memory operations on sub-objects to ensure that other object members are not inadvertently overwritten, avoiding an entire class of possible buffer overflow vulnerabilities within the kernel.
Wrapping up
Overall, the vast range of security improvements that have gone into Ubuntu 24.04 LTS greatly improve on the strong foundation provided by previous Ubuntu releases, making it the most secure release to date. Additional features within the kernel and userspace, and across the distribution as a whole, combine to address entire vulnerability classes and attack surfaces. With up to 12 years of support, Ubuntu 24.04 LTS provides the best and most secure foundation to develop and deploy Linux services and applications. Expanded Security Maintenance, kernel livepatching and additional services are all provided to Ubuntu Pro subscribers to enhance the security of their Ubuntu deployments.
Anyone making the upgrade to Ubuntu 24.04 LTS from the previous LTS, Ubuntu 22.04, is in for a treat because the amount of improvements on offer is vast. In addition to the new features in Ubuntu 24.04 those upgrading from the previous LTS will also discover, experience and benefit from the myriad of features added in the Ubuntu 22.10, 23.04, and 23.10 releases. Those upgrading from the previous LTS will find 2 years worth of changes on offer in Ubuntu 24.04 — Which amounts to a LOT! In this post I run through 20 of the biggest changes Ubuntu 24.04 LTS […]
Among the many new features in Ubuntu 24.04 LTS is out-of-the-box support for HEIF/HEIC images. Anyone using Ubuntu 24.04 won’t have to manually install any extra packages to be able to see HEIF/HEIC thumbnails previews in the Nautilus file manager or open HEIF/HEIC files in the default Eye of GNOME image viewer app. While HEIF (which stands for High Efficiency Image File Format) isn’t a super common web image format it is widely used on smartphones. Both Apple iPhone & newer Samsung devices save to the format for photos taken using the stock camera apps. Which makes this small change […]
The Ubuntu 24.04 beta is now available to download — one week later than originally planned! Ubuntu 24.04 will become the next long-term support release (LTS) and this beta will provide developers, testers, and enthusiasts time to try it out, track down bugs, and road test its new features. Beta releases are not intended for everyday use (i.e. you’re not supposed to install it as your main OS or on machines you rely on) but, that said, many folks do. The Noble development cycle hasn’t been without its dramas and hiccups. Devs undertook the largest library transition in Ubuntu’s history (to mitigate […]
A new version of Power Profiles Daemon in Ubuntu 24.04 offers power efficiency improvements for laptop users, but those with modern AMD devices may see the biggest gains. Release notes for the power-profiles-daemon package uploaded to Ubuntu 24.04 this week state that it is now “battery-state aware” and that “some drivers use a more power efficient state when using the balanced profile on battery”. While the power profiles daemon is low-level it enables the Power Mode options shown in the Quick Settings menu: “balanced” (default), “power saver”, and on systems where it’s supported by drivers “performance” — this update tweaks […]
If you were hoping to help test the upcoming release of Ubuntu 24.04 by way of the official beta that was due for release this week, I’ve some bad news: it’s been delayed. However, I reckon you may have expected this. Ubuntu 24.04 beta was scheduled for release on April 4, giving developers, testers, and enthusiasts several weeks to test the new features, find and report issues, check compatibility with and performance on real-world hardware, and all of that hyper-useful stuff. But then a major security issue was announced: an (obfuscated) backdoor was discovered in recent versions of xz compression […]
Ubuntu 24.04 is switching its default webcam app from Cheese to Snapshot, a modern GTK4/libadwaita camera tool that’s part of the GNOME Core Apps set. Cheese has been part of Ubuntu’s default software lineup since 2010, having first been added in the Ubuntu 9.10 Netbook Remix owing to the rise of diminutive, underpowered laptops that included dark, dire 0.3MP webcams (webcams weren’t super common in cheap laptops prior to this). Indeed, once upon a time people (hi 👋) made heavy use of Cheese for their instant messaging profile pics, and the app included integrated plugins to upload what we’d now […]
Gamers can look forward to more epic top-tier titles working out-of-the-box in Ubuntu 24.04 LTS, which is due for release in late April. Following a user suggestion Ubuntu developers have massively increased the distro’s virtual memory mapping limit. This small change should have a big impact on gaming as titles previously reported to crash or exhibit performance issues on Ubuntu due to its vm_max_map_count value being too low will now work. Games like Hogwarts Legacy, Payday 2, Counter-Strike 2, DayZ, and Star Citizen are among those likely to benefit from the value bump as Ubuntu gamers have complained that several […]
App Center, Ubuntu’s Flutter-based replacement for the Ubuntu Software app, has picked up a redesigned app icon in the latest Ubuntu 24.04 daily builds. This isn’t the first icon change that the App Center has received in recent months. An updated build of the software installation frontend rolled out a few months back, and it unintentionally swapped the full-colour, 3D Yaru icon for a flat, 2D, solid orange icon with transparent elements. While a subsequent update fixed the issue some users say they still see the ‘wrong icon’. Now the App Center icon has changed again — though this time […]
Esteemed adherents of the arts rejoice, as the official Ubuntu 24.04 wallpaper has finally been unveiled! As you no-doubt know, every new Ubuntu release comes with its own unique desktop background and the upcoming release of Ubuntu 24.04 LTS “Noble Numbat” doesn’t abdicate the responsibility. Indeed, the Ubuntu 24.04 default wallpaper tacks firmly traditional, heeding the formula established in 2017: rich purple gradient, elegant geometric/polygonal edge detailing, and the official mascot image royally positioned in the center: As well as the “colour” default you see pictured above a darker variant is included for those who prefer nocturnal vibes (i.e., […]