Language Selection

English French German Italian Portuguese Spanish

Kernel: Restricted DMA and AMD Work in Linux 5.11

Filed under
Linux

  • Restricted DMA

    A key component of system hardening is restricting access to memory; this extends to preventing the kernel itself from accessing or modifying much of the memory in the system most of the time. Memory that cannot be accessed cannot be read or changed by an attacker. On many systems, though, these restrictions do not apply to peripheral devices, which can happily use direct memory access (DMA) on most or all of the available memory. The recently posted restricted DMA patch set aims to reduce exposure to buggy or malicious device activity by tightening up control over the memory that DMA operations are allowed to access.
    DMA allows devices to directly read from or write to memory in the system; it is needed to get reasonable I/O performance from anything but the slowest devices. Normally, the kernel is in charge of DMA operations; device drivers allocate buffers and instruct devices to perform I/O on those buffers, and everything works as expected. If the driver or the hardware contains bugs, though, the potential exists for DMA transfers to overwrite unrelated memory, leading to corrupted systems and unhappy users. Malicious (or compromised) hardware can use DMA to compromise the system the hardware is attached to, making users unhappier still; examples of this type of attack have been posted over the years.

    One way to address this problem is to place an I/O memory-management unit (IOMMU) between devices and memory. The kernel programs the IOMMU to allow access to a specific region of memory; the IOMMU then keeps devices from straying outside of that region. Not all systems are equipped with an IOMMU, though; they are mostly limited to the larger processors found in desktop machines, data centers, and the like. Mobile systems usually lack an IOMMU.

  •  

  • A Fix Has Been Proposed For The Slower AMD Performance On Linux 5.11

    With the in-development Linux 5.11 kernel there are many great features and improvements especially for AMD users with some new drivers and other pleasant enhancements. But as I outlined back on Christmas day: Linux 5.11 Is Regressing Hard For AMD Performance With Schedutil. Fortunately, a fix is now en route to the Linux 5.11 kernel for fixing that performance regression affecting AMD Zen 2/3 desktops and servers. 

    As outlined in that original article after bisecting the sizable performance regressions and in follow-up tests, AMD hardware performing slower on Linux 5.11 came down to the CPU frequency invariance support introduced this cycle and is utilized by the "Schedutil" CPU frequency scaling governor. With Schedutil often being the default for AMD systems on newer versions of the Linux kernel, this regression on Linux 5.11 compared to prior kernel releases has been unfortunate. 

  • Linux 5.11 Is Now Looking Great For AMD Zen 2 / Zen 3 Performance - Phoronix

    Not only is the AMD "CPU frequency invariance regression" from that new support with the in-development Linux 5.11 kernel on course to address the performance shortcomings I outlined last month, but with the patched kernel for a number of workloads the performance is now ahead of where it was at with Linux 5.10.

More in Tux Machines

IBM/Red Hat: Kafka Monthly Digest, Red Hat Upselling, and Cockpit 239

  • Kafka Monthly Digest – February 2021

    This is the 37th edition of the Kafka Monthly Digest! In this edition, I’ll cover what happened in the Apache Kafka community in February 2021.

  • 5 ways Red Hat Insights can improve your sysadmin Life

    The way we do things is changing fast. This has become a necessity as our systems get more complex, our workloads evolve, and our deployments rapidly grow in size. Thanks to the innovations brought about by openness and collaboration, we can develop tools and services to cope with these quickly evolving times. For us to reap the benefits of these advancements, we should open ourselves to carefully exploring how various tools suit our requirements and fit into or change our norms. By doing so, we may simplify a lot of our mundane tasks, reduce overhead, and address the major pain points in our operations. Having worked as a sysadmin in the past, I've discovered many automation tools and services that have made my life easier. One of the most recent is Red Hat Insights. In this article, I share five ways this service that is included with your Red Hat Enterprise Linux (RHEL) subscription can improve your life as an admin.

  • Cockpit Project: Cockpit 239

    Cockpit is the modern Linux admin interface. We release regularly. Here are the release notes from Cockpit version 239.

LibreOffice 7.1.1 Community available for download

LibreOffice 7.1.1 Community, the first minor release of the LibreOffice 7.1 family, targeted at technology enthusiasts and power users, is available for download from https://www.libreoffice.org/download/. LibreOffice 7.1.1 includes over 90 bug fixes and improvements to document compatibility. For enterprise-class deployments, TDF strongly recommends the LibreOffice Enterprise family of applications from ecosystem partners, with long-term support options, professional assistance, custom features and Service Level Agreements: https://www.libreoffice.org/download/libreoffice-in-business/. LibreOffice Community and the LibreOffice Enterprise family of products are based on the LibreOffice Technology platform, the result of years of development efforts with the objective of providing a state of the art office suite not only for the desktop but also for mobile and the cloud. Products based on LibreOffice Technology are available for major desktop operating systems (Windows, macOS, Linux and Chrome OS), mobile platforms (Android and iOS) and the cloud. They may have a different name, according to each company brand strategy, but they share the same LibreOffice unique advantages, robustness and flexibility. Read more

croc Is A Tool For Resumable, Encrypted File And Folder Transfers Between Computers (Command Line)

croc is a free and open source command line tool for secure file transfers between computers. It uses relay-assisted peer-to-peer transactions and end-to-end encryption via password-authenticated key exchange. The program is written in Go and is available for Microsoft Windows, macOS, Linux and *BSD. The idea behind croc is being able to transfer files and folders between cross-platform computers securely, fast and easy. With support for resumable, peer-to-peer transfers. As a bonus feature, croc is also able to securely transfer a short text or URL directly. The data transfer is done using a relay, either using raw TCP sockets or websockets. When the sender and the receiver are on the same LAN, croc uses a local relay, otherwise a public relay is used. Thanks to this, croc can send files between computers in the same LAN, or over the Internet, without having port-forwarding enabled. The data going through the relay is encrypted using a PAKE-generated session key. For this, croc uses code phrases, a combination of three random words. By default, a code phrase can only be used once between two parties, so an attacker would have a chance of less than 1 in 4 billion to guess the code phrase correctly to steal the data. Read more

Linux distributions: All the talent and hard work that goes into building a good one

I regularly read the Linux Mint Blog, not only because it is useful to keep up with what is happening with the Linux Mint distribution but also because it occasionally gives very interesting insights into the development and maintenance of a Linux distribution in general, and the Linux Mint distribution(s) in particular. To be honest, I was disappointed some years ago when Clem (Clement Lefebvre) discontinued his Segfault blog, because it always contained good technical information and interesting insights. Read more