Kernel: LWN Article (Outside Paywall Today) and Remembering the LAN (Way Before Wireguard)

Filed under
Linux
  • process_madvise(), pidfd capabilities, and the revenge of the PIDs

    Once upon a time, there were few ways for one process to operate upon another after its creation; sending signals and ptrace() were about it. In recent years, interest in providing ways for processes to control others has been on the increase, and the kernel's process-management API has been expanded accordingly. Along these lines, the process_madvise() system call has been proposed as a way for one process to influence how memory management is done in another. There is a new process_madvise() series which is interesting in its own right, but this series has also raised a couple of questions about how process management should be improved in general.
    The existing madvise() system call allows a process to make suggestions to the kernel about how its address space should be managed. The 5.4 kernel saw a couple of new types of advice that could be provided with madvise(): MADV_COLD and MADV_PAGEOUT. The former requests that the kernel place the indicated range of pages onto the inactive list, essentially saying that they have not been used in a long time. Those pages will thus be among the first considered for reclaim if the kernel needs memory for other purposes. MADV_PAGEOUT, instead, is a stronger statement that the indicated pages are no longer needed; it will cause them to be reclaimed immediately.

    These new requests are useful for processes that know what their future access patterns will be. But it seems that in certain environments — Android, in particular — processes lack that knowledge, but the management system does know when certain memory ranges are no longer needed. The bulk of a process's address space could be marked as MADV_COLD when that process is moved out of the foreground, for example. In such settings, letting one process call madvise() on behalf of another helps the system as a whole make the best use of its memory resources. That is the purpose behind the process_madvise() proposal.

  • KRSI and proprietary BPF programs

    The "kernel runtime security instrumentation" (or KRSI) patch set enables the attachment of BPF programs to every security hook in the kernel; LWN covered this work in December. That article focused on ABI issues, but it deferred another potential problem to our 2020 predictions: the possibility that vendors could start shipping proprietary BPF programs for use with frameworks like KRSI. Other developers did pick up on the possibility that KRSI could be abused this way, though, leading to a discussion on whether KRSI should continue to allow the loading of BPF programs that do not carry a GPL-compatible license.
    It may be surprising to some that the kernel, while allowing BPF programs to declare their license, is entirely happy to load programs that have a proprietary license. This behavior, though, is consistent with how the kernel handles loadable modules: any module can be loaded, but modules without a GPL-compatible license will not have access to many kernel symbols (any that are exported with EXPORT_SYMBOL_GPL()). BPF programs interact with the kernel through special "helper functions", each of which must be explicitly exported; these, too, can have a "GPL only" marking on them. In current kernels, about 25% of the defined helpers are restricted to GPL-licensed code.

  • Scheduling for the Android display pipeline

    The default CPU-frequency governor used by Android is schedutil, which relies on the CPU utilization of the runnable tasks to select the frequency of the CPU they execute on: the higher the utilization, the higher the frequency of the CPU when they are runnable. This governor fits so well with the needs of mobile Android devices that, in Android, it also takes care of the SCHED_RT tasks, which are normally run at the maximum frequency in mainline Linux kernels.

    Schedutil chooses the lowest frequency sufficient not to overload the system, based on the measurement of the system utilization. This solution works well when tasks are independent and are able to run in parallel. But, whenever there is a dependency — tasks that are blocked on the completion of others — the single-task utilization accounting mechanism is no longer sufficient to define the requirements of the whole task set.

    For example, in the scenario shown below, schedutil sees that RenderThread only requires 50% of a CPU's capacity, so it sets the CPU frequency to 50% of the maximum. But RenderThread cannot run until the UI thread has done its work — the two tasks cannot run in parallel — so it misses its deadline.

  • Control-flow integrity for the kernel

    Control-flow integrity (CFI) is a technique used to reduce the ability to redirect the execution of a program's code in attacker-specified ways. The Clang compiler has some features that can assist in maintaining control-flow integrity, which have been applied to the Android kernel. Kees Cook gave a talk about CFI for the Linux kernel at the recently concluded linux.conf.au in Gold Coast, Australia.

    Cook said that he thinks about CFI as a way to reduce the attack, or exploit, surface of the kernel. Most compromises of the kernel involve an attacker gaining execution control, typically using some kind of write flaw to change system memory. These write flaws come in many flavors, generally with some restrictions (e.g. can only write a single zero or only a set of fixed byte values), but in the worst case, they can be a "write anything anywhere at any time" flaw. The latter, thankfully, is relatively rare.

  • Remembering the LAN

    We can have the LAN-like experience of the 90's back again, and we can add the best parts of the 21st century internet. A safe small space of people we trust, where we can program away from the prying eyes of the multi-billion-person internet. Where the outright villainous will be kept at bay by good identity services and good crypto.

    The broader concept of virtualizing networks has existed forever: the Virtual Private Network. New protocols make VPNs better than before; WireGuard is pioneering easy and efficient tunneling between peers. Marry the VPN to identity, and make it work anywhere, and you can have a virtual 90s-style LAN made up of all your 21st century devices. Let the internet be the dumb pipe, let your endpoints determine who they will talk to based on the person at the other end.
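The process_madvise() item above describes the MADV_COLD and MADV_PAGEOUT advice added in 5.4. The following added example (written for this page, not code from LWN or from the kernel series discussed) applies both to the calling process's own anonymous mapping and measures page residency with mincore() before and after; the region size and fill byte are constructed, and the fallback advice numbers are only used when the libc headers are too old to define them.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Fallbacks for older libc headers; these are the Linux 5.4+ advice codes. */
#ifndef MADV_COLD
#define MADV_COLD 20
#endif
#ifndef MADV_PAGEOUT
#define MADV_PAGEOUT 21
#endif
#define DEMO_PAGES 16 /* constructed size of the test region, in pages */

/* Count resident pages in [addr, addr+len) with mincore(); -1 on error. */
long resident_pages(void *addr, size_t len)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE), n = (len + pg - 1) / pg;
    unsigned char *vec = malloc(n);
    long count = 0;
    if (vec == NULL || mincore(addr, len, vec) != 0) { free(vec); return -1; }
    for (size_t i = 0; i < n; i++)
        count += vec[i] & 1;          /* bit 0 set: page is in core */
    free(vec);
    return count;
}

/* Map DEMO_PAGES anonymous pages, touch them so they are resident, then give
 * the kernel the advice. *before/*after receive the resident counts around
 * madvise(). Returns 1 on success, 0 if this kernel predates the advice
 * (EINVAL), -1 on any other failure. */
int advise_and_count(int advice, long *before, long *after)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE), len = pg * DEMO_PAGES;
    unsigned char *buf = mmap(NULL, len, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return -1;
    for (size_t i = 0; i < len; i += pg)
        buf[i] = 0xAB;                /* write faults every page in */
    *before = resident_pages(buf, len);
    int rc = madvise(buf, len, advice), err = errno;
    *after = rc == 0 ? resident_pages(buf, len) : -1;
    munmap(buf, len);
    if (rc != 0)
        return err == EINVAL ? 0 : -1;
    return (*before < 0 || *after < 0) ? -1 : 1;
}

int main(void)
{
    long b, a;
    int rc = advise_and_count(MADV_COLD, &b, &a);
    printf("MADV_COLD: rc=%d resident before=%ld after=%ld\n", rc, b, a);
    rc = advise_and_count(MADV_PAGEOUT, &b, &a);
    printf("MADV_PAGEOUT: rc=%d resident before=%ld after=%ld\n", rc, b, a);
    return 0;
}
```

MADV_COLD only moves the pages to the inactive list, so the resident count is unchanged; MADV_PAGEOUT drops anonymous pages from residency only when the system has swap to reclaim them into, otherwise they stay in core.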

Linux Kernel 5.6 Source Tree Includes WireGuard VPN

  • Linux Kernel 5.6 Source Tree Includes WireGuard VPN

    The lean-coded, fast, modern, and secure WireGuard VPN protocol has made it into the Linux kernel as Linus Torvalds merged it into his source tree for version 5.6.

    The wait is closely coming to an end, with the next Linux kernel expected to be released in just a few months, considering that the latest refresh occurred on January 26.

    [...]

    Jason Donenfeld himself was excited about this step and shared that he tried to stay awake to see it happen, "refreshing Linus' git repo on my phone until I was dreaming."

    "I look forward to start refining some of rougher areas of WireGuard now," announced the original author and developer of the project.

    Torvalds is a supporter of the WireGuard project. When Donenfeld made the pull request in 2018 to have it integrated into the Linux kernel, Torvalds expressed hope that the merge would happen soon.

WireGuard VPN protocol will ship with Linux kernel 5.6

  • WireGuard VPN protocol will ship with Linux kernel 5.6

    The WireGuard VPN protocol will be included into the next Linux kernel as Linus Torvalds has merged it into his source tree for version 5.6.

    There is no set date for Linux kernel releases and being as version 5.5 was released this month, the next version will likely be released in a few months time.

    The addition of WireGuard in the next Linux kernel also does not come as a surprise, as the code had already been merged into Dave Miller's repository back in December. However, the code was only recently pulled into Torvalds' source tree.

WireGuard is Now in Linus! WireGuard is Merged with Linux 5.3

  • WireGuard is Now in Linus! WireGuard is Merged with Linux 5.3 Kernel!

    WireGuard is now in Linus' tree: recently, the WireGuard founder said that he was going to merge WireGuard into the mainline Linux kernel 5.6. Yesterday (29-Jan-2020), Linus Torvalds announced that WireGuard and Linux kernel 5.6 will be merged! You can find this message on his blog.

    [...]

    WireGuard is a simple open-source application that provides Virtual Private Network techniques to create a secure point-to-point connection!

    Many VPN providers are adopting the WireGuard technique to provide the most secure VPN service!

Ubuntu 20.04 LTS Adds WireGuard Support

  • Ubuntu 20.04 LTS Adds WireGuard Support

    While WireGuard was merged into Linux 5.6, the Ubuntu 20.04 LTS release is currently tracking Linux 5.4 and for the April release is likely to be shipping with Linux 5.5 as the 5.6 release will be cutting it too close. But Ubuntu 20.04's kernel has now back-ported WireGuard.

    There has been talk in recent weeks of shipping Ubuntu 20.04 LTS with WireGuard support, and indeed, with Ubuntu's latest kernel in the Focal repository, the WireGuard module is back-ported for this secure VPN tunnel.

Linus Torvalds Pulls WireGuard VPN into Linux 5.6 Kernel Source

  • Linus Torvalds Pulls WireGuard VPN into Linux 5.6 Kernel Source Tree
  • Linus Torvalds pulled WireGuard VPN into the 5.6 kernel source tree

    Yesterday, Linux creator Linus Torvalds merged David Miller's net-next into his source tree for the Linux 5.6 kernel. This merger added plenty of new network-related drivers and features to the upcoming 5.6 kernel, with No.1 on the list being simply "Add WireGuard."

    As previously reported, WireGuard was pulled into net-next in December—so its inclusion into Linus' 5.6 source tree isn't exactly a surprise. It does represent clearing another potential hurdle for the project; there is undoubtedly more refinement work to be done before the kernel is finalized, but with Linus having pulled it in-tree, the likelihood that it will disappear between now and 5.6's final release (expected sometime in May or early June) is vanishingly small.

Isolated clients with Wireguard

VPNs will change forever with the arrival of WireGuard

  • VPNs will change forever with the arrival of WireGuard into Linux

    After years of development, WireGuard, a revolutionary approach to Virtual Private Networks (VPN), was finally fast-tracked to the Linux kernel. Now, at long last, WireGuard is in Linus Torvalds' code tree. That means WireGuard should appear in the Linux kernel 5.6 release. This may be as early as April 2020.

    This has the potential to change everything about VPNs -- not just in Linux, but in the entire VPN world. That's because essentially all VPN services run off Linux servers. Some VPN services, such as StrongVPN and Mullvad VPN, have already seen the writing on the wall and are moving their software stacks to WireGuard.

What is WireGuard? Why Linux Users Going Crazy Over it?

  • What is WireGuard? Why Linux Users Going Crazy Over it?

    WireGuard is an easy-to-configure, fast, and secure open source VPN that utilizes state-of-the-art cryptography. Its aim is to provide a faster, simpler and leaner general purpose VPN that can be easily deployed on anything from low-end devices like the Raspberry Pi to high-end servers.

    Most of the other solutions like IPsec and OpenVPN were developed decades ago. Security researcher and kernel developer Jason Donenfeld realized that they were slow and difficult to configure and manage properly.

    This made him create a new open source VPN protocol and solution which is faster, more secure, and easier to deploy and manage.

    WireGuard was originally developed for Linux but it is now available for Windows, macOS, BSD, iOS and Android. It is still under heavy development.

WireGuard will make your VPN connection much faster

  • WireGuard will make your VPN connection much faster — here's how

    VPN services may soon be a lot faster, thanks to a promising protocol called WireGuard that is now being incorporated into the mainstream Linux kernel.

    Linux isn't used much on the desktop, at least not obviously. But it's what underpins both Android and Chrome OS, and it powers most of the web's servers, including nearly all of Google's servers and those of many of the best VPN services.

    And WireGuard is smaller, simpler and faster than either OpenVPN or IKEv2/IPsec, the prevalent VPN protocols used by commercial VPN services like ExpressVPN, NordVPN and Private Internet Access. Yet only a few services, including Mullvad, IVPN, NordVPN and StrongVPN, offer WireGuard as an option.

More in Tux Machines

Kernel and Graphics: Linux Stuff and GPUs

  • Facebook/Meta Tackling Transparent Page Placement For Tiered-Memory Linux Systems - Phoronix

    Back during the Linux 5.15 cycle Intel contributed an improvement for tiered memory systems where less used memory pages could be demoted to slower tiers of memory storage. But once demoted, that kernel infrastructure didn't have a means of promoting those demoted pages back to the faster memory tiers should they become hot again, though now Facebook/Meta engineers have been working on such functionality.

    Prior to the Linux 5.15 kernel, the memory reclaim process when system RAM was under memory pressure was simply to toss out cold pages. However, with Linux 5.15 came the ability to shift those cold pages to any slower memory tiers, in particular on modern and forthcoming servers with Optane DC persistent memory or CXL-enabled memory, etc. Therefore the pages are still accessible if needed but not occupying precious system DRAM if they aren't being used, avoiding just flushing them out or swapping to disk.

  • Linux 5.17 To Boast Latency Optimization For AF_UNIX Sockets - Phoronix

    Net-next has been queuing a number of enticing performance optimizations ahead of the Linux 5.17 merge window kicking off around the start of the new year. Covered already was a big TCP optimization and a big improvement for csum_partial() that is used in the network code for checksum computation. The latest optimization is improving the AF_UNIX code path for those using AF_UNIX sockets for local inter-process communication.

    A new patch series was queued up on Friday in net-next for improving the AF_UNIX code. That patch series by Kuniyuki Iwashima of Amazon Japan is ultimately about replacing AF_UNIX sockets' single big lock with per-hash locks. The series replaces the AF_UNIX big lock and also, as part of the series, has a speed-up to the autobind behavior.

  • Nvidia Pascal GPU, DX12 and VKD3D: Slideshow time! - Boiling Steam

    So Horizon Zero Dawn had a sale recently on Fanatical, and I thought… OK I’ll grab it! It’s time. I first installed it on my workstation that only has a GTX1060 3GB GPU – not a workhorse but a decent card nonetheless for low-to-medium end gaming. I knew very well that Horizon Zero Dawn is a DX12 game and that Pascal architecture (Nvidia 10xx basically) and earlier versions do not play very well with DX12 games running through vkd3d-proton, the DX12 to Vulkan translation layer. Still, I could imagine getting somewhere around 30 FPS on low-to-medium settings, and use FSR if necessary to get to better framerates. Nothing prepared me for the performance I was about to experience.

Linux 5.16-rc3

So rc3 is usually a bit larger than rc2 just because people had some
time to start finding things.

So too this time, although it's not like this is a particularly big
rc3. Possibly partly due to the past week having been Thanksgiving
week here in the US. But the size is well within the normal range, so
if that's a factor, it's not been a big one.

The diff for rc3 is mostly drivers, although part of that is just
because of the removal of a left-over MIPS Netlogic driver which makes
the stats look a bit wonky, and is over a third of the whole diff just
in itself.

If you ignore that part, the statistics look a bit more normal, but
drivers still dominate (network drivers, sound and gpu are the big
ones, but there is noise all over). Other than that there's once again
a fair amount of selftest (mostly networking), along with core
networking, some arch updates - the bulk of it from a single arm64
uaccess patch, although that's mostly because it's all pretty small -
and random other changes.

Full shortlog below.

Please test,

             Linus
Also: Linux 5.16-rc3 Released With Alder Lake ITMT Fix, Other Driver Fixes - Phoronix

Audiocasts/Shows: Endless OS 4.0.0, GIMP, BSD, KDE, and Elementary

today's howtos

  1. How to install FreeOffice 2021 on Ubuntu 20.04 Linux

    One of the best free alternatives to Microsoft Office is FreeOffice, developed by a German software company, SoftMaker. Recently, they have upgraded their Office suite to version 21, and here we learn the steps to install the FreeOffice 2021 version on Ubuntu 20.04 Linux using the command terminal. This free office suite is a part of the commercial one from the same developers, known as SoftMaker Office 21 (also available for Linux). Of course, the premium version will have more features, but that doesn’t mean the free version, FreeOffice 2021, fails to fulfill all daily office document (MS Word alternative) related requirements. It offers a Microsoft Office ribbon-like interface and three modules: TextMaker 21 to create documents, PlanMaker 21 to create sheets (Excel alternative), and Presentations 21 for making slides like MS PowerPoint.

  2. Pin Custom Folders to Left Panel ‘Files’ Icon Context Menu in Ubuntu 20.04 | UbuntuHandbook

    In Windows 10, users may right-click on the ‘File Explorer’ icon on the panel to access pinned folders (e.g., Desktop, Downloads and Documents) quickly. Ubuntu first implemented this feature in Ubuntu 21.10, though it seems not to be working properly due to a bug. Ubuntu 20.04 users may manually add the context (right-click) menu options so they can right-click on the ‘Files’ icon to open favorite folders quickly.

  3. How To Install Perl on AlmaLinux 8 - idroot

    In this tutorial, we will show you how to install Perl on AlmaLinux 8. For those of you who didn’t know, Perl (Practical Extraction and Reporting Language) is a general-purpose programming language originally developed for text manipulation and now used for a wide range of tasks including system administration, web development, network programming, GUI development, and more. The major features of Perl are that it is easy to use, supports object-oriented and procedural programming, and has built-in support for processing text. The most impressive feature of Perl is that it supports a large collection of third-party modules. This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account; if not, you may need to add ‘sudo’ to the commands to get root privileges. I will show you the step-by-step installation of the Perl programming language on AlmaLinux 8. You can follow the same instructions for Rocky Linux.

  4. How to play Total War: WARHAMMER on Linux

    Total War: Warhammer is a turn-based real-time tactics video game developed by Creative Assembly and published by Sega. It takes place in the War Hammer 40K universe. Here’s how you can play it on your Linux PC.

  5. How to install Funkin' Vs. Camellia on a Chromebook

    Today we are looking at how to install Funkin' Vs. Camellia on a Chromebook. Please follow the video/audio guide as a tutorial where we explain the process step by step and use the commands below.