7 reasons why Ubuntu 22.04 LTS is the most secure release yet
Ubuntu 22.04 LTS, released in April, is the most secure version of Ubuntu to date.
Between its extensive security updates, new hardware support, and a wide range of other improvements, it far surpasses all previous versions in terms of security.
But how does it do this? And what makes this version different from the previous ones? Well, there are several reasons for this, and Canonical has highlighted all the relevant details in a new blog post.
Here, let me summarize it to help you learn more.
What makes Ubuntu 22.04 LTS secure?
With this release, it looks like the Ubuntu team has done a lot of work to ensure its long-term security and reliability. Although they’ve done this in countless ways over the years, I’ll highlight a few things, including:
- Improved support for hardware security measures
- Updated security packages
- Private home directories
- OpenSSL 3
- GCC 11
- nftables as default firewall backend
- Linux kernel improvements
1. Improved support for hardware security measures
As Intel, AMD, and ARM processors/SoCs begin to offer more security measures, it becomes increasingly important that the correct software is there to enable the use of these features.
Currently, there are three main hardware security measures supported by Ubuntu 22.04.
Intel’s Software Guard eXtensions (SGX) provide a secure, independent area to perform sensitive computations. For example, password processing should ideally take place here, as it ensures that no other application can access this data.
The next one is Secure Encrypted Virtualization (SEV) from AMD. This technology aims to prevent host operating systems from interfering with running virtual machines.
While not as relevant to desktop users as other technologies, consider that much of data center infrastructure relies on virtual machines for application containerization. Overall, these hardware-specific security measures should improve the protection of workstation and server users.
2. Linux Kernel Security Improvements
With each Ubuntu release, the Linux kernel gets an upgrade with many useful features and support.
But, this time, Canonical introduced kernel versions optimized for different platforms. For OEM-certified desktop devices, Linux Kernel 5.17 has been included.
And, for all desktop and server users, Linux Kernel 5.15 LTS will be the active one.
Beyond the new kernel versions, the blog post mentions some key kernel security enhancements:
- Support for core scheduling, which allows processes to control which threads will be scheduled on SMT siblings and can therefore allow them to protect sensitive information from leaking to other untrusted processes on the system.
- Kernel stack randomization provides a hardening measure to thwart attackers wishing to perform memory corruption attacks within the kernel.
- The BPF subsystem has also seen a number of security enhancements, including the restriction of its use to only privileged processes by default, as well as the inclusion of initial efforts to support signed BPF programs.
- The inclusion of the new Linux Landlock security module provides another application sandboxing mechanism to accompany more traditional methods through AppArmor or SELinux.
Collectively, all of these improvements make Ubuntu 22.04 LTS a safer option for developers, users, and system administrators.
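To see whether a given host actually has the BPF restriction, Landlock and kernel stack randomization from the list above in effect, a check along these lines can be used. It is an added example, not taken from the Canonical post; the function names and the optional ROOT prefix argument are assumptions made for illustration, while the `/proc` and `/sys` paths are the standard kernel interfaces.

```shell
#!/bin/sh
# Added example: report three of the kernel hardening features listed above.
# ROOT (first argument) prefixes /proc and /sys; leave it empty on a live system.

# Unprivileged BPF sysctl: 0 = allowed, 1 = disabled until reboot,
# 2 = disabled, but an administrator can change it again.
bpf_state() {
    f="$1/proc/sys/kernel/unprivileged_bpf_disabled"
    [ -r "$f" ] || { echo unknown; return; }
    case "$(cat "$f")" in
        0) echo unrestricted ;;
        1) echo privileged-only-locked ;;
        2) echo privileged-only ;;
        *) echo unknown ;;
    esac
}

# Landlock: securityfs lists the active LSMs, comma-separated.
landlock_state() {
    f="$1/sys/kernel/security/lsm"
    [ -r "$f" ] || { echo unknown; return; }
    case ",$(cat "$f")," in
        *,landlock,*) echo active ;;
        *)            echo inactive ;;
    esac
}

# Kernel stack offset randomization: a boot parameter overrides the
# build-time default (CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT).
kstack_state() {
    f="$1/proc/cmdline"
    [ -r "$f" ] || { echo unknown; return; }
    line=" $(cat "$f") "
    case "$line" in
        *" randomize_kstack_offset="*)
            val="${line##* randomize_kstack_offset=}"   # last occurrence wins
            echo "cmdline:${val%% *}" ;;
        *)  echo build-default ;;
    esac
}

kernel_hardening_report() {
    printf 'unprivileged BPF:     %s\n' "$(bpf_state "$1")"
    printf 'Landlock LSM:         %s\n' "$(landlock_state "$1")"
    printf 'kstack randomization: %s\n' "$(kstack_state "$1")"
}

kernel_hardening_report "${1:-}"
```

Core scheduling is not covered because it is requested per process rather than exposed as a system-wide setting.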
3. Updated security packages
Stepping back from technical security concepts, we come to a concept that every Ubuntu user should already be familiar with: packages. With each new Ubuntu release, most of the repositories’ packages are updated, bringing improved security and new features.
While this isn’t exactly new to Ubuntu 22.04, it does include many security-specific updates. Some examples of this include OpenSSL 3 and GCC 11.
4. OpenSSL 3
OpenSSL is the backbone of all secure communications.
OpenSSL 3 is particularly interesting as a major upgrade since many legacy algorithms have been deprecated and disabled by default, including MD2 and DES.
Therefore, unless you specifically want to use the less secure algorithms, you will get the best security by default.
5. GCC 11
GCC, on the other hand, is the compiler that many developers use to turn their code into programs that can be run on your computer.
It brings many improvements, but there is one in particular that greatly improves security. Significantly improved static analysis helps developers find software vulnerabilities faster, preventing vulnerable code from being released.
While this may not affect users directly, many developers use Ubuntu to develop their applications. Therefore, many programs you download, even on non-Ubuntu systems, should be more secure than ever.
6. Private home directories
As a traditionally desktop-focused distro, Ubuntu has often opted for convenience over security. However, as they push harder and harder for cloud adoption, that had to change.
Previously, anyone with access to the computer could open and view any user’s home directory. However, as you can imagine, this presented a lot of problems for non-desktop users. Therefore, the switch to private home directories was necessary.
While this may be slightly less practical for multi-user systems, it can be changed relatively easily. And the less technically savvy benefit from better security without having to do anything!
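On a multi-user system it is worth checking which home directories still carry the older, world-accessible permissions. The following audit is an added example, not part of the Canonical post; the function name `audit_homes` and its base-directory argument are assumptions, and it treats any permission bit for "other" as a finding (Ubuntu 22.04 creates new home directories with mode 0750).

```shell
#!/bin/sh
# Added example: list home directories that users outside the owner and
# group can still read or enter.

# audit_homes [BASE]
# Prints "<octal-mode> <path>" for every directory directly under BASE
# (default /home) with any permission bit set for "other".
# Returns 1 if at least one such directory was found, 0 otherwise.
audit_homes() {
    base="${1:-/home}"
    rc=0
    for dir in "$base"/*; do
        # Only real directories; skip files, symlinks and an unmatched glob.
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue
        mode=$(stat -c '%a' "$dir") || continue
        case "$mode" in
            *0) ;;                          # last octal digit 0: private
            *)  printf '%s %s\n' "$mode" "$dir"
                rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: two home directories, one with the old 0755 mode.
demo=$(mktemp -d)
mkdir -m 0755 "$demo/alice"
mkdir -m 0750 "$demo/bob"
audit_homes "$demo"                         # reports only .../alice
rm -rf "$demo"
```

A reported directory can be tightened with `chmod 750`; the default for newly created accounts is set by `DIR_MODE` in /etc/adduser.conf and `HOME_MODE` in /etc/login.defs.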
7. nftables as default firewall backend
For over 25 years, firewalls have been a key part of keeping your computer isolated from the wider Internet. Meanwhile, Linux distributions have generally used two different firewall solutions: iptables and xtables.
However, recently a different solution has entered the scene: nftables. Offering significant improvements in performance and flexibility, it allows network administrators to better protect your device.
Undoubtedly, many good upgrades have been made in Ubuntu 22.04 LTS. The release is not limited to user-experience improvements; it is also a significant leap in terms of security.
Of course, there is more to come, but the improvements mentioned above are good achievements!
For more technical details, you can consult the official Ubuntu blog post.