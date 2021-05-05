Kernel: Patatt, Coreboot, Bootlin, and Latest Linux 5.14 Changes
After UMN Debacle, Patatt Aims To Provide Cryptographic Attestation For Patches
Linux kernel developer Konstantin Ryabitsev has been working on Patatt as a cryptographic-based patch attestation system. While started a while ago, there is renewed interest in such patch attestation following the University of Minnesota "hypocrite commit" debacle.
Patatt allows for optionally adding end-to-end cryptographic attestation to patches and its design is based on the DKIM email signature standard. Patatt can be used for signing code patches in workflows involving email patch submission, such as is the case for the Linux kernel development.
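To make the DKIM model concrete, here is an added example (not Patatt's own code; the header layout is an illustrative approximation of Patatt's format, and the sender address, subject and patch body are constructed) that signs an emailed patch the DKIM way: a body hash over the canonicalised patch (so a mailer rewriting line endings does not invalidate it) and an Ed25519 signature over the selected headers plus that hash.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// bodyHash is DKIM's bh=: sha256 over the "simple"-canonicalised body (CRLF endings, trailing blank lines dropped).
func bodyHash(body string) string {
	s := strings.TrimRight(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	h := sha256.Sum256([]byte(strings.ReplaceAll(s, "\n", "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(h[:])
}

// signedData is what b= covers: the h= headers plus this header with an empty b=, as in DKIM.
func signedData(from, subject, bh string) []byte {
	return []byte("from:" + from + "\r\nsubject:" + subject + "\r\n" +
		"x-developer-signature:v=1; a=ed25519-sha256; h=from:subject; bh=" + bh + "; b=")
}

// SignPatch returns the attestation header value (layout is illustrative, not Patatt's exact format).
func SignPatch(priv ed25519.PrivateKey, from, subject, body string) string {
	bh := bodyHash(body)
	sig := ed25519.Sign(priv, signedData(from, subject, bh))
	return "v=1; a=ed25519-sha256; h=from:subject; bh=" + bh + "; b=" +
		base64.StdEncoding.EncodeToString(sig)
}

// VerifyPatch fails if the body (bh mismatch) or any covered header was altered in transit.
func VerifyPatch(pub ed25519.PublicKey, from, subject, body, header string) bool {
	f := map[string]string{}
	for _, kv := range strings.Split(header, ";") {
		if p := strings.SplitN(strings.TrimSpace(kv), "=", 2); len(p) == 2 {
			f[p[0]] = p[1]
		}
	}
	sig, err := base64.StdEncoding.DecodeString(f["b"])
	return err == nil && f["bh"] == bodyHash(body) &&
		ed25519.Verify(pub, signedData(from, subject, f["bh"]), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed developer key
	hdr := SignPatch(priv, "dev@example.com", "[PATCH] f: bump x", "-int x = 1;\n+int x = 2;\n")
	fmt.Println(VerifyPatch(pub, "dev@example.com", "[PATCH] f: bump x", "-int x = 1;\n+int x = 2;\n", hdr)) // true
}
```

A maintainer's tooling would fetch the developer's public key from a trusted keyring rather than from the email itself; the signature only proves possession of that key.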
Hardware assisted root of trust mechanism and coreboot internals
I started working for 9elements in October 2020 and my first assignment was to get Intel CBnT working on the OCP Deltalake using coreboot firmware. Intel Converged Bootguard and TXT is a hardware assisted method to set up a root of trust. In this blog post I will discuss some of the changes needed in coreboot to get this working. Setting CBnT up properly was definitely a challenge, but the work did not stop there. So while Intel CBnT provides a method to verify or measure the initial start-up code, it is not enough. You want to trust the code you run from start, the reset vector, to end, typically a bootloader. CBnT only takes care of the start. You have to make sure that each software component trusts the assets it uses and the next program it loads. This concept is called a chain of trust. Now in 2021 I have an assignment that involves supporting the older Intel Bootguard technology. Since Bootguard is very similar to CBnT, I'll also touch on that.
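The chain-of-trust idea in the post, as an added example that is not coreboot's or 9elements' code: a hardware-anchored root digest (the role CBnT/Bootguard plays for the initial boot block) verifies the first stage, and every stage's measured image includes the digest it expects of the stage it loads next, so forging that expectation is caught one link earlier. Stage names and image bytes are constructed.

```go
package main

import "crypto/sha256"
import "fmt"

// Stage is one boot component; NextHash is the digest it expects of the image it loads next.
type Stage struct {
	Name     string
	Code     []byte
	NextHash [32]byte // zero for the final stage
}

// digest measures code AND the embedded expectation, so a forged expectation changes this stage's digest.
func digest(s Stage) [32]byte {
	return sha256.Sum256(append(append([]byte{}, s.Code...), s.NextHash[:]...))
}

// Link builds the chain back to front so each digest covers its successor's; returns chain and root digest.
func Link(names []string, images [][]byte) ([]Stage, [32]byte) {
	chain := make([]Stage, len(images))
	var next [32]byte
	for i := len(images) - 1; i >= 0; i-- {
		chain[i] = Stage{Name: names[i], Code: images[i], NextHash: next}
		next = digest(chain[i])
	}
	return chain, next
}

// Boot checks stage 0 against the root digest, then lets each stage verify the next before running it.
func Boot(rootHash [32]byte, chain []Stage) ([]string, error) {
	var ran []string
	expected := rootHash
	for _, st := range chain {
		if digest(st) != expected {
			return ran, fmt.Errorf("%s: digest mismatch, halting boot", st.Name)
		}
		ran = append(ran, st.Name)
		expected = st.NextHash
	}
	return ran, nil
}

func main() {
	chain, root := Link([]string{"bootblock", "romstage", "payload"},
		[][]byte{[]byte("bb"), []byte("rs"), []byte("pl")}) // constructed images
	chain[2].Code = []byte("modified payload")
	fmt.Println(Boot(root, chain)) // [bootblock romstage] payload: digest mismatch, halting boot
}
```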
Bootlin “Buildroot system development” course updated to Buildroot 2021.02
Bootlin has been offering for several years a Buildroot system development course, which allows engineers interested in learning and understanding the Buildroot embedded Linux build system to get up to speed very quickly.
In preparation for our public Buildroot system development course next week, we updated our training materials, both slides and labs to Buildroot 2021.02, which is the latest stable Buildroot release as of today, and is also a Long Term Support release.
Linux 5.14 To Feature Enhanced Support For MikroTik 10G/25G NIC - Phoronix
The Linux 5.14 kernel this summer will feature improved support for a new MikroTik 10G/25G NIC.
This network card already works with the Linux kernel's existing Atheros atl1c network driver, but for the 5.14 cycle that driver is being extended to better support the capabilities of this MikroTik NIC. Details on the NIC itself are light, as it seemingly has not launched yet.
Two pull requests so far have made it into "net-next" ahead of the Linux 5.14 cycle for improving this MikroTik 10G/25G NIC. First up is the initial support so the MikroTik NIC with the atl1c driver can enjoy a higher link speed, RX checksum offload, improved TX performance, and other improvements.
Is Gentoo Linux an anachronism?
When I started visiting the Gentoo Linux discussion forums in 2007 there were at least three pages of posts daily, if not more. These days there is usually one page. I’m sure the number of Gentoo Linux users has dropped significantly since then. Interest in the distribution has certainly decreased since its heyday: Google Trends – gentoo linux. I don’t think the drop in interest is limited to individuals either. Articles such as ‘Flying Circus Internet Operations GmbH – Migrating a Hosting Infrastructure from Gentoo to NixOS‘ lead me to suspect that some companies have switched to other distributions over the years. NASDAQ’s use of ‘a modified version of Gentoo Linux’ was publicised in 2011 (How Linux Mastered Wall Street) but I do not know if it still uses the distribution and, in any case, that is only a single significant entity. I personally have never come across another user (corporation or individual) of Gentoo Linux, although I do know several companies and individuals using distributions such as Ubuntu and Fedora. Gentoo Linux is certainly not for everyone. In recent years the user base seems to have settled down to a smaller number of people, primarily consisting of enthusiasts who appreciate its advanced features and are prepared to put in the extra effort and time required to create and maintain a working installation. I’m sure it also still has a place in some specialised commercial applications, but I have my doubts its deployment comes anywhere near that of the major distributions such as Ubuntu, Red Hat, Fedora, etc. If I were only interested in using an OS that enabled me to perform typical personal and professional tasks, I wouldn’t be using Gentoo Linux. Some people touted Gentoo Linux’s configurability as giving it a speed advantage over binary distributions but, having correctly installed and used Gentoo Linux and various other distributions on the same hardware, I cannot say I noticed an improvement in performance. [...] 
I personally would now only consider installing Gentoo Linux on a machine with at least 16 GB RAM and a CPU with at least four cores and a speed of circa 3 GHz or more. Additionally, although I have been a user of KDE in Gentoo Linux all these years, I would probably switch from KDE to a simpler, less resource-hungry and less feature-rich (some might say less ‘bloated’!) desktop environment such as LXQt in new installations of Gentoo Linux. One thing that has improved a lot since I started using Gentoo Linux over a decade ago is the package manager Portage, at least in terms of dependency resolution and blockage handling. I used to have to do a lot more work to resolve problems during package upgrades; ‘merging world’ (upgrading installed packages) is generally a lot less troublesome than it used to be ten years ago. Portage is a lot slower than it used to be, but that’s because it does a lot more than it used to do. I used to have to use revdep-rebuild – a utility to resolve reverse dependencies and rebuild affected packages – frequently, but not any more. Building software from source code takes time, though, so plenty of RAM and a fast CPU are important for installing packages, however good the package manager itself.
