Yay for more kernel self-protection! (The article is a little hard to parse: the details on the security improvements read like it's been through several translations.) The primary take-away continues to be: you MUST design systems that update their kernels. (Note that the prerequisite for being able to update kernels is that all the code needed for your system MUST be upstream.)

As for security features I've been tracking in 4.6:
- KASLR on arm64 (though it requires the bootloader to supply entropy, via the /chosen/kaslr-seed device tree property)
- Kernel memory protection by default on ARMv7+
- Kernel memory protection by default on arm64
- Kernel memory protection mandatory on x86
- __ro_after_init markings for write-once data
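
As an added illustration (not part of the original post or of the kernel source): data marked `__ro_after_init` is written during boot, and once init finishes the kernel flips that section to read-only, so a later write faults instead of silently succeeding. The C program below reproduces the same write-once-then-lock pattern in user space with mmap/mprotect. `struct config` and its fields are made up for the example; the kernel-side declaration appears only in a comment.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/*
 * Kernel-side usage of the 4.6 marking (for comparison, not compiled here):
 *
 *     static int my_setting __ro_after_init;   // written only from __init code
 *
 * After init the .data..ro_after_init section is mapped read-only, so an
 * exploit that later gains a write primitive cannot flip my_setting.
 */

/* Hypothetical write-once data standing in for __ro_after_init variables. */
struct config {
    uint32_t max_conns;
    uint32_t flags;
};

static sigjmp_buf fault_env;

/* A write to the locked page raises SIGSEGV (SIGBUS on some systems); jump back out. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

/*
 * "Init phase": map one page writable, fill it in, then drop write permission.
 * This is the user-space analogue of the kernel marking the section read-only
 * at the end of boot. Returns NULL on failure.
 */
static struct config *config_init(void)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;

    struct config *c = p;
    c->max_conns = 1024;   /* the one legitimate write */
    c->flags = 0x1;

    if (mprotect(p, (size_t)page, PROT_READ) != 0) {
        munmap(p, (size_t)page);
        return NULL;
    }
    return c;
}

/*
 * "Post-init" tamper attempt, as an attacker with a write primitive would make.
 * Returns 1 if the write was blocked by the page protection, 0 if it went through.
 */
static int write_blocked(struct config *c)
{
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int blocked;
    if (sigsetjmp(fault_env, 1) == 0) {
        ((volatile struct config *)c)->max_conns = 0;   /* faults on the read-only page */
        blocked = 0;
    } else {
        blocked = 1;   /* landed here via the fault handler */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return blocked;
}
```

Running config_init() and then write_blocked() shows the tamper attempt faulting while max_conns keeps its init-time value of 1024; the kernel feature gives the same guarantee to its own write-once data without any runtime check in the code that uses it.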

For 4.7, I think it's likely we'll see:
- split of physical/virtual text base address randomization for x86 KASLR
- KASLR on MIPS
- LoadPin LSM to control kernel module and firmware origins

For 4.8, I'm hoping we'll see:
- randomization of base addresses for page tables, vmalloc, and other memory regions for x86 KASLR
- gcc plugin infrastructure
- per-build structure layout randomization

EXCLUSIVE: Linux kernel 4.6 comes out on Sunday with new security features. It's important to update your systems, says maintainer Greg Kroah Hartman. Read the interview: