LWN Kernel Articles: Popcorn, Authenticated Btrfs and XFS
Popcorn Linux pops up on linux-kernel
The end of April saw the posting of a complex patch set called "Popcorn Linux distributed thread execution". It is the first appearance on the kernel mailing lists of an academic project (naturally called Popcorn Linux) that has been underway since 2013 or so. This project has, among other goals, the objective of turning a tightly networked set of computers into something that looks like a single system — a sort of NUMA machine with even larger than usual inter-node costs. The posted code, which is a portion of the larger project, is focused on process migration and memory sharing across machines. It is an interesting proof of concept, but one should not expect to see it merged in anything close to its current form.
Each node in a Popcorn system is a separate Linux host sitting on the network. Popcorn itself is started by loading a kernel module that is charged with connecting the larger system together. The module reads a list of IP addresses (IPv4 only) directly from a file (/etc/popcorn/nodes by default). Each machine will make a TCP connection to every node listed ahead of itself in this file, then wait for an incoming connection from every node listed afterward. Thereafter, each node is known by an integer ID which is simply its position in the nodes file.
There is a hard-coded maximum of 62 nodes. No sort of authentication is done for incoming node connections, which might seem like a bit of a security issue; indeed, the patch set warns against running Popcorn on machines connected to the Internet. There does not seem to be any provision for nodes going up or down or being absent entirely. Comments in the patch set say that the TCP-based communication system "is intended for Popcorn testing and development purposes only", suggesting that, someday, somebody will get around to implementing something better.
Authenticated Btrfs
Developers who are concerned about system integrity often put a fair amount of effort into ensuring that data stored on disk cannot be tampered with without being detected. Technologies like dm-verity and fs-verity are attempts to solve this problem, as is the recently covered integrity policy enforcement security module. More Recently, Johannes Thumshirn has posted a patch series adding filesystem-level authentication to Btrfs; it promises to provide integrity with a surprisingly small amount of code.
Integrity-verification code at the filesystem or storage level generally works by calculating (and storing) checksums of each block of data. When it comes time to read that data, the checksum is calculated anew and compared to the stored value; if the two match, one can be confident that the data has not been modified (or corrupted by the hardware) since the checksum was calculated. If there is reason to believe that the stored checksum is what the creator of the data intended, then the data, too, should be as intended.
Solutions like dm-verity and fs-verity work by storing checksums apart from the data; fs-verity, for example, places the checksum data in a hidden area past the end of the file. The developers of more modern filesystems, though, have generally taken the idea that storage devices are untrustworthy (if not downright malicious) to heart; as a result, they design the ability to calculate, store, and compare checksums into the filesystem from the beginning. Btrfs is one such filesystem; as can be seen from the on-disk format documentation, most structures on disk have a checksum built into them. Checksums for file data is stored in a separate tree. So much of the needed infrastructure is already there.
Checksums in Btrfs, though, were primarily intended to catch corruption caused by storage hardware. The thing about hardware is that, while it can be creative indeed in finding new ways to mangle data, it's generally not clever enough to adjust checksums to match. Attackers tend to be a bit more thorough. So the fact that a block of data stored in a Btrfs filesystem matches the stored checksum does not, by itself, give much assurance that the data has not been messed with in a deliberate way.
To gain that assurance, Btrfs needs to use a checksum that cannot readily be altered by an attacker. Btrfs already supports a number of checksum algorithms, but none of them have that property. So the key to adding the needed sort of authentication to Btrfs is to add another checksum algorithm with the needed assurance. Thumshirn chose to add an HMAC checksum based on SHA-256.
Atomic extent swapping for XFS
Normally, files exist in a filesystem to keep data contained within them separated; seeing data exchanged directly between files is often a sign of filesystem corruption. There are, however, use cases where it is desirable to be able to perform a controlled swap of data between a pair of files. Darrick Wong has recently posted a patch set implementing this feature for the XFS filesystem, but also making it available in a general way.
As it happens, XFS has had a data-swapping capability for some time: the rigorously undocumented XFS_IOC_SWAPEXT ioctl() command will exchange extents of data in two files. This feature exists for one purpose in particular: defragmentation of filesystems. The xfs_fsr utility does its job by scanning a filesystem for the most highly fragmented files — those that are split up into the largest number of extents. It then creates a new file with a single extent large enough to hold one of the fragmented files and copies the data over. The final step is an XFS_IOC_SWAPEXT operation to atomically replace the old file's data blocks with the new, defragmented version.
It seems, however, that there are other interested users out there. Application developers would like a way to replace some or all of the contents of a file in an atomic and safe way — one which preferably does not leave the file corrupted if the system goes down partway through. Currently such tasks must be handled by creating a temporary file, populating it, and renaming it over the original; this works, but it is a multi-step affair that is hard to get right.
Cockpit Project: Cockpit 219
Logs can now be filtered by keywords and free text. Keywords include units, time constraints, priority, and arbitrary journal fields. Dropdowns adjust the query string — so there’s no need to remember the most common journal keywords. Also, copying and pasting this query string across machines allows administrators to have a precise filtered view of logs. A pause button has been included next to the filters, to pause the streaming of logs. When toggled, it changes to a resume button, letting you quickly switch back to a stream of incoming journal entries.
mesa 20.1.0-rc3
Hi all, I'd like to announce the third release candidate for the 20.1 branch, Mesa 20.1.0-rc3. As always, please test it and report any issues you may find to https://gitlab.freedesktop.org/mesa/mesa/issues/new And to help us track issues and merge requests relevant to this branch, please add them to the 20.1.0 release milestone: https://gitlab.freedesktop.org/mesa/mesa/milestones/14 There's a good amount of fixes here, but there are still open issues that we'll need to close before the final release, which is currently planned for the 27th. The next release candidate is scheduled for 7 days from now, on 2020-05-20. EricAlso: Mesa 20.1-RC3 Released With Another Week Worth Of Fixes Plus Intel Rocket Lake Support
ZDNet, Linux and Huawei can prove to be quite an explosive mix
When American tech journalists see the words "vulnerability" and "Huawei" in close proximity these days, they tend to get over-excited and, as a result, produce copy that goes quite wonky. A classic example of this was seen this week when the site, ZDNet, one of the tech powerhouses, reported on a patch submitted to the Linux kernel project by someone who called Huawei Kernel Self Protection. The patch was found to have some trivial flaws by the maker of the Grsecurity kernel patch, Brad Spengler – a man who loves publicity and knows that picking a hole in a patch put out by someone who was seemingly associated with Huawei would generate interest among the US press. He was right. But it's a pity that ZDNet did not take some time to check its facts, with its security writer Catalin Cimpanu theorising that this patch had "sparked interest in the Linux community as (sic) could signal Huawei's wish to possibly contribute to the official kernel". Cimpanu has a history of screwing up when it comes to Linux. Huawei has been a contributor to the Linux kernel for quite a few years now. As one commenter on the US news aggregation site Slashdot pointed out, in 2017, Huawei was 15th in the list for top companies contributing to the Linux kernel, 4.8– 4.13, and third (after Intel and Google) in in the list of companies bringing in the most new developers. Again, there are numerous people in numerous companies who make contributions to the Linux kernel on their own time; all patches are scrutinised by Linux creator Linus Torvalds, or one of his trusted lieutenants, before they are finally merged. Hence, the excitement over some flaws in a patch is not really understandable.
