Kernel: Linux Plumbers Conference, LWN, and Phoronix
Linux Plumbers Conference: BOFs Call for Proposals Now Open
We have formally opened the CfP for Birds of a Feather. Select the BOFs track when submitting a BOF here.
Short subjects: Realtime, Futexes, and ntfs3
Even in the dog days of (northern-hemisphere) summer, the kernel community is a busy place. There are many developments that show up on your editor's radar, but which, for whatever reason, do not find their way into a full-length feature article. The time has come to catch up with a few of those topics; read on for updates on the realtime patch set, the effort to reinvent futexes, and the ntfs3 filesystem.
A firewall for device drivers
Device drivers, along with the hardware they control, have long been considered to be a trusted part of the system. This faith has been under assault for some time, though, and it fails entirely in some situations, including virtual machines that do not trust the host system they are running under. The recently covered virtio-hardening work is one response to this situation, but that only addresses a small portion of the drivers built into a typical kernel. What is to be done about the rest? The driver-filter patch from Kuppuswamy Sathyanarayanan demonstrates one possible approach: disable them altogether.
Virtual machines typically have direct access to little or no physical hardware; instead, they interact with the world by way of emulated devices provided by the host. That puts the host in a position of power, since it is in total control over how those virtual devices work. If a driver has not been written with the idea that the devices it manages could be hostile, chances are good that said driver can be exploited to compromise the guest and exfiltrate data — even when the guest is running with encrypted memory that is normally inaccessible to the host.
The virtio work hardens a handful of virtio drivers to prevent them from misbehaving if the host decides to not play by the rules. Getting there was a lot of work (which still has not reached the point of being merged), and there is a decidedly non-zero chance that vulnerabilities remain. Even if the virtio work is perfect, though, the kernel contains thousands of other drivers, most of which have not received anything close to the same amount of attention; few of them can be expected to be sufficiently robust to stand up to a malicious device. If the host can convince a guest to load the driver for such a device, the security game may well be over.
Linux Pipe Code Again Sees Patch To Restore Buggy/Improper User-Space Behavior - Phoronix
It was just last month that the Linux kernel saw a pipe code change to address a user-space regression, in keeping with the kernel's policy of not breaking user-space even when that non-kernel code is in the wrong. A similar kernel regression fix was merged today.
Last month's issue concerned the EPOLL interface being misused by some Android libraries, such as Realm; a kernel change at the end of 2019 ended up breaking those libraries. After several kernel releases with that change breaking some user-space Android applications, and after the upstream library had since corrected its usage, Linus Torvalds changed the kernel behavior so as not to break any old user-space out there still misusing the interface. Linus Torvalds has long enforced the policy that kernel changes must not break existing user-space behavior, even at times when user-space is misusing interfaces.
Intel AMX Patches For The Kernel Posted A 10th Time, But To Miss Out On Linux 5.15 - Phoronix
Going back to June of last year, Intel has been working on bringing up Advanced Matrix Extensions (AMX), which will debut with next-gen Xeon "Sapphire Rapids" processors as a new programming paradigm. Over the past year they have published patches for the Linux kernel and for the open-source toolchains GCC and LLVM Clang. One year later, the AMX kernel patches are up to their tenth revision but will miss the imminent Linux 5.15 merge window.
Intel open-source engineers have been working on a set of more than two dozen patches around AMX handling for the Linux kernel. Among the kernel work involved is that a new system call is needed for applications to actually request feature access to Advanced Matrix Extensions, handling for applications without AMX permissions, and other changes.
Emmanuele Bassi: Publishing your documentation
The main function of library-web, the tool that published the API reference of the various GNOME libraries, was to take release archives and put their contents in a location that would be visible to a web server. In 2006, this was the apex of automation, of course. These days? Not so much. Since library-web is going the way of the Dodo, and we do have better ways to automate the build and publishing of files with GitLab, how do we replace library-web in 2021? The answer is, unsurprisingly: continuous integration pipelines. I will assume that you’re already building—and testing—your library using GitLab’s CI; if you aren’t, then you have bigger problems than just publishing your API. Also: Private Flatpak installations in Builder
Turing Pi V2 mini-ITX cluster board takes four Raspberry Pi CM4 or NVIDIA Jetson SoMs
The Turing Pi V2 is a mini-ITX cluster board that builds on the Turing Pi mini-ITX cluster board taking up to 7 Raspberry Pi Compute Modules introduced in 2019, but instead supports up to four Raspberry Pi CM4 (Compute Modules 4) or NVIDIA Jetson Nano/TX2 NX/Xavier NX SO-DIMM system-on-modules. The Turing Pi 2 board is equipped with two Mini PCIe sockets, two Gigabit Ethernet ports, two SATA III ports, four USB 3.0 ports, a 40-pin GPIO header, and a 24-pin ATX connector for power.
OpenEmbedded Dunfell updated rebuild
Yesterday I discovered that the problem has been fixed "upstream", at the OpenEmbedded git repository, Dunfell branch. So, I downloaded the latest, put the updated layers into my "dunfell" project, and have commenced a rebuild. [...] The current release of EasyOS has Xorg server 1.19.7, very old, to fix working with the framebuffer in the initrd. However, I have decided that is not important, and have reverted to 1.20.8. Note that EasyOS does not use systemd; that 'systemd-boot' does nothing, it is just a dependency requirement of some packages. And, for the record, EasyOS does not have 'avahi', 'pam', 'polkit', or 'pulseaudio' either. For now, staying with 'alsa' only for audio.
6 Must-Have Open-Source Tools to Secure Your Linux Server
Over the years, I have come across, too many times to count, blogs that claim Linux is impenetrable by attackers. While it is true that GNU/Linux operating systems for desktops and servers come with a lot of security checks in place to mitigate attacks, protection is not “enabled by default”. This is because your cybersecurity ultimately depends on the tools you have employed to sniff out vulnerabilities, viruses, and malware, and to prevent malicious attacks. In today’s article, we turn our attention to system administrators and security enthusiasts who need to ensure the confidentiality of the data on network servers and local setups. What’s even cooler about these apps is that they are open-source and 100% free!
