2020-04-08

Kernel: UEFI, LWN on Linux (Paywall Lapse) and BPF

Linux
  • Why you want a Linux bootloader even on UEFI systems

    So while you can directly load Linux through UEFI with the kernel's EFISTUB support (also), the result is not up to the standards that people want and expect from a Linux boot environment, at least on servers. It might be okay for a Linux machine with a single disk where the user will only ever boot the most recent kernel or the second most recent one (in case the most recent one doesn't work), and if that doesn't work they'll boot from some alternate Linux live media or recovery media.

  • Avoiding retpolines with static calls

    January 2018 was a sad time in the kernel community. The Meltdown and Spectre vulnerabilities had finally been disclosed, and the required workarounds hurt kernel performance in a number of ways. One of those workarounds — retpolines — continues to cause pain, with developers going out of their way to avoid indirect calls, since they must now be implemented with retpolines. In some cases, though, there may be a way to avoid retpolines and regain much of the lost performance; after a long gestation period, the "static calls" mechanism may finally be nearing the point where it can be merged upstream.
    Indirect calls happen when the address of a function to be called is not known at compile time; instead, that address is stored in a pointer variable and used at run time. These indirect calls, as it turns out, are readily exploited by speculative-execution attacks. Retpolines defeat these attacks by turning an indirect call into a rather more complex (and expensive) code sequence that cannot be executed speculatively.

    Retpolines solved the problem, but they also slow down the kernel, so developers have been keenly interested in finding ways to avoid them. A number of approaches have been tried, a few of which were covered here in late 2018. While some of those techniques have been merged, static calls have remained outside of the mainline. They have recently returned in the form of this patch set posted by Peter Zijlstra; it contains the work of others as well, in particular Josh Poimboeuf, who posted the original static-call implementation.

    An indirect call works from a location in writable memory where the destination of the jump can be found. Changing the destination of the call is a matter of storing a new address in that location. Static calls, instead, use a location in executable memory containing a jump instruction that points to the target function. Actually executing a static call requires "calling" to this special location, which will immediately jump to the real target. The static-call location is, in other words, a classic code trampoline. Since both jumps are direct — the target address is found directly in the executable code itself — no retpolines are needed and execution is fast.

  • Per-system-call kernel-stack offset randomization

    In recent years, the kernel has (finally) upped its game when it comes to hardening. It is rather harder to compromise a running kernel than it used to be. But "rather harder" is relative: attackers still manage to find ways to exploit kernel bugs. One piece of information that can be helpful to attackers is the location of the kernel stack; this patch set from Kees Cook and Elena Reshetova may soon make that information harder to come by and nearly useless in any case.
    The kernel stack will always be an attractive target. It typically contains no end of useful information that can be used, for example, to find the location of other kernel data structures. If it can be written to, it can be used for return-oriented programming attacks. Many exploits seen in the wild (Cook mentioned this video4linux exploit as an example) depend on locating the kernel stack as part of the sequence of steps to take over a running system.

    In current kernels, the kernel stack is allocated from the vmalloc() area at process creation time. Among other things, this approach makes the location of any given process's kernel stack hard to guess, since it depends on the state of the memory allocator at the time of its creation. Once the stack has been allocated, though, its location remains fixed for as long as the process runs. So if an attacker can figure out where the kernel stack for a target process is, that information can be used for as long as that process lives.

    As it turns out, there are a number of ways for an attacker to do that. Despite extensive cleanup work, there are still numerous kernel messages that will expose addresses of data structures, including the stack, in the kernel log. There are also attacks using ptrace() and cache timing that can be used to locate the stack. So the protection offered by an uncertain stack location is not as strong as one might like it to be.
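    A user-space model of the idea behind the Cook/Reshetova patch set, added here as an illustration and not code from the patch set or the kernel: the stack base never moves, but a random amount of stack is consumed on every "entry" before the handler runs, so the handler's frame (and anything an attacker learned about its address last time) lands somewhere different each call. It assumes gcc or clang, a downward-growing stack, and uses a toy mask and rand() as stand-ins for the kernel's own offset source.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Only the low bits are randomised, as in the kernel; 0x3ff is an assumed toy mask. */
#define KSTACK_OFFSET_MASK 0x3ff

/* Stand-in for a syscall handler: returns the address of one of its own
 * locals, i.e. the "where is the stack right now" fact an attacker wants. */
__attribute__((noinline)) uintptr_t handler(void)
{
    volatile char probe[64];
    probe[0] = 0;
    return (uintptr_t)&probe[0];
}

/* Model of syscall entry: burn `offset` bytes of stack before dispatching,
 * so the handler's frame moves even though the stack base is unchanged. */
__attribute__((noinline)) uintptr_t enter_with_offset(size_t offset)
{
    volatile char *pad = __builtin_alloca(offset + 1);
    pad[0] = 0;                     /* keep the allocation alive */
    return handler();
}

/* Fresh offset per entry. rand() is a placeholder for the kernel's cheap
 * per-CPU source and must not be read as a secure generator. */
size_t random_kstack_offset(void)
{
    return (size_t)rand() & KSTACK_OFFSET_MASK;
}

/* How far the handler's local moved for a given offset, relative to offset 0. */
uintptr_t stack_shift(size_t offset)
{
    uintptr_t base = enter_with_offset(0);
    uintptr_t moved = enter_with_offset(offset);
    return base - moved;            /* positive on a downward-growing stack */
}

int main(void)
{
    srand((unsigned)time(NULL));
    for (int i = 0; i < 5; i++) {
        size_t off = random_kstack_offset();
        printf("offset %4zu -> handler local shifted by %lu bytes\n",
               off, (unsigned long)stack_shift(off));
    }
    return 0;
}
```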

  • Some 5.6 kernel development statistics

    When the 5.6 kernel was released on March 29, 12,665 non-merge changesets had been accepted from 1,712 developers, making this a fairly typical development cycle in a number of ways. As per longstanding LWN tradition, what follows is a look at where those changesets came from and who supported the work that created them. This may have been an ordinary cycle, but there are still a couple of differences worth noting.
    As Linus Torvalds pointed out in the release announcement, the current coronavirus pandemic does not appear to have seriously affected kernel development — so far. One should not, though, lose track of the fact that the 5.6 merge window closed in early February, well before the impact of this disaster was broadly felt outside of China. Most of the work merged for 5.6 was done even earlier, of course. Given the delays involved in getting work into the mainline, the full effect may not be felt until the 5.8 cycle.

    It goes without saying that we hope those effects are minimal, and that the people in our community (and beyond) come through this experience as well as possible.

    Of the developers working on 5.6, 214 were first-time contributors. Many projects would be delighted to have that many new contributors in a nine-week period, but that is low for the kernel — the lowest since 3.11, which featured 203 first-time contributors and was released in September 2013.

  • eBPF - Rethinking the Linux Kernel

    Thomas Graf talks about how companies like Facebook and Google use BPF to patch 0-day exploits, how BPF will change the way features are added to the kernel forever, and how BPF is introducing a new type of application deployment method for the Linux kernel.

Fedora: Disruptive Technologies, Management, GNOME Shell, Testing and PHP 8.0 as Software Collection

  • Investing in Disruptive Technologies

    Previous articles have highlighted some of the challenges in attempting to develop disruptive technologies and products in a traditional corporate environment – basically it doesn’t work.

  • Fedora program update 2020-15

    Here’s your report of what has happened in Fedora this week. The Final freeze is underway and the Go/No-Go meeting is Thursday! I have weekly office hours in #fedora-meeting-1. Drop by if you have any questions or comments about the schedule, Changes, elections, or anything else.

  • Using Fedora to quickly implement REST API with JavaScript

    Fedora Workstation uses GNOME Shell by default, which was mainly written in JavaScript. JavaScript is famous as a language for front-end development, but this time we'll show its usage for the back-end. We'll implement a new API using the following technologies: JavaScript, Express and Fedora Workstation. A web browser is used to call the service (e.g. Firefox from the default Fedora Workstation distribution).

  • Contribute at the Fedora Test Week for Kernel 5.6

    The kernel team is working on final integration for kernel 5.6. This version was just recently released, and will arrive soon in Fedora. As a result, the Fedora kernel and QA teams have organized a test week from Monday, April 13, 2020 through Monday, April 20, 2020. Refer to the wiki page for links to the test images you’ll need to participate. Read below for details.

  • Contribute at the Kernel and IoT edition Fedora test days

    Fedora test days are events where anyone can help make sure changes in Fedora work well in an upcoming release. Fedora community members often participate, and the public is welcome at these events. If you've never contributed to Fedora before, this is a perfect way to get started. There are two test days in the upcoming week. The first, running from Monday 13 April through Monday 20 April, tests kernel 5.6. On Wednesday April 15, the test day focuses on Fedora 32 IoT Edition. Come and test with us to make the upcoming Fedora 32 even better. Read more below on how to do it.

  • Kamil Páral: Stay informed about QA events

    Hello, this is a reminder that you can easily stay informed about important upcoming QA events and help with testing Fedora, especially now during the Fedora 32 development period. The first obvious option for existing Fedora contributors is to subscribe to the test-announce mailing list. We announce all our QA meetings, test days, composes nominated for testing and other important information there.

  • Remi Collet: PHP 8.0 as Software Collection

    Version 8.0.0-alpha1 will be released soon. It is still in development and will soon enter the stabilization phase for the developers, and the test phase for the users. RPMs of this upcoming version of PHP 8.0 are available in the remi repository for Fedora 31, 32 and Enterprise Linux 7, 8 (RHEL, CentOS, ...) in a fresh new Software Collection (php80) allowing its installation beside the system version. As I strongly believe in the SCL potential to provide a simple way to allow installation of various versions simultaneously, and as I think it is useful to offer this feature to allow developers to test their applications, to allow sysadmins to prepare a migration or simply to use this version for some specific application, I decided to create this new SCL.

  • Sci-fi space station building and management sim 'Meeple Station' has released

    The full release comes with quite a lot of new toys to play with too. There's now a complete story mode that allows you to discover the history behind the mysterious Meeple race, a full tutorial, a Hyperdrive to travel between randomly generated systems, a revamped combat system, a new events system and a lot more.

  • The amusing and unique FPS 'Shotgun Farmers' has a fun Easter event going on

    Shotgun Farmers, a first-person shooter where your bullets dig into the ground to grow new guns, has a super fun Easter event going on where you all have a great big 'Carrocket Launcher'. This is a limited-time event that will be available until April 24. Not only that, there's a new outfit to unlock too with the 'BUN BUN', which is only unlockable during this Easter event. So if collecting is your thing, you might want to get playing. My own FOMO is rising right now, I will admit. What's wonderful about Shotgun Farmers though, is that all cosmetics are entirely free to earn when you play (there are no micro-transactions here).

  • A QQGameHall storm

    Mar 31 2020, 11:13:38: I get a message from Frank in the #curl IRC channel over on Freenode. I'm always "hanging out" on IRC and Frank is a long time friend and fellow frequent IRCer in that channel. This time, Frank informs me that the curl web site is acting up: "I'm getting 403s for some mailing list archive pages. They go away when I reload" That's weird and unexpected. An important detail here is that the curl web site is "CDNed" by Fastly. This means that every visitor of the web site is actually going to one of Fastly's servers and in most cases they get cached content from those servers, and only infrequently do these servers come back to my "origin" server and ask for an updated file to send out to a web site visitor. [...] What we know about this. Friends on Twitter and googling for this name informs us that this is a "game launcher" done by Tencent. I've tried to contact them via Twitter (as I have no means of contacting them otherwise that seems even remotely likely to work). I have not checked what these user-agents POST, because I didn't log that. I suspect it was just a zero byte POST. The URL they post to is the CA cert bundle file we provide on the curl CA extract web page. The one we convert from the Mozilla version into a PEM for users of the world to enjoy. (Someone seems to enjoy this maybe just a little too much.) The user-agents seemed to come (mostly) from China which seems to add up. Also, the look of the graph when it goes up and down could indicate an eastern time zone. This program uses libcurl. Harry in the #curl channel found files in Virus Total and had a look. It is, I think, therefore highly likely that this "storm" is caused by an application using curl! My theory: this is some sort of service that was deployed, or an upgrade shipped, that wants to get an updated CA store and they get that from our site with this request. Either they get it far too often or maybe there are just a very large amount of them or similar.

    I cannot understand why they issue a POST though. If they would just have done a GET I would never have noticed and they would've fetched perfectly fine cached versions from the CDN... Feel free to speculate further!

  • Mozilla VR Blog: Unity WebXR Exporter Update

    We are happy to release an updated version of our Unity Exporter. It now supports WebXR, the new cross browser API for VR and AR on the web. Unity is a great tool for building cross platform experiences, and this plugin expands the list of available targets. Take your existing VR app to the web and reach new users easily across desktop and mobile headsets. It also has support for running in a traditional browser outside of a VR headset which you can use to progressively add VR functionality to your games or apps.

Android Leftovers

