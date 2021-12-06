Language Selection

LWN's Kernel Coverage Today

Thursday 7th of April 2022
Linux
  • Problems emerge for a unified /dev/random /dev/urandom [LWN.net]

    In mid-February, we reported on the plan to unite the two kernel devices that provide random numbers; /dev/urandom was to effectively just be another way to access the random numbers provided by /dev/random. That change made it as far as the mainline during the Linux 5.18 merge window, but it was quickly reverted when problems were found. It may be possible to do that unification someday, but, for now, there are environments that need their random numbers early on—without entropy or the "Linus jitter dance" being available on the platform.

    A bunch of changes for the kernel random-number generator (RNG) were merged by Linus Torvalds on March 21. Those changes included unifying the two RNG devices, because it was hoped that no mainstream platforms would lack a source of unpredictable data that would allow the RNG pool to initialize in short order at boot time. For several years now, the jitter dance has used CPU execution time jitter to initialize the pool in less than a second; it uses the differences in code-execution speed of repetitive operations due to unpredictability in modern CPUs, from caches, branch prediction, and the like. But some systems lack jitter and have no other source of unpredictable data. That leads to the boot process hanging waiting for the RNG pool to initialize.

  • Pointer tagging for x86 systems [LWN.net]

    Pointers are a fact of life for developers working in numerous languages. It is often convenient to be able to associate a small amount — a few bits at most — of ancillary information with a pointer. This can often be done within the pointer value itself with some careful masking and shifting. CPU manufacturers have been adding ways to support the addition of this sort of "tag" to pointers; the most recent may be AMD's "upper address ignore" (UAI) feature, support for which was recently posted by Bharata B Rao. This feature has an uncertain future in Linux, though, as the result of a fundamental design decision.

    On a 64-bit system, a pointer is, naturally, 64 bits wide. But the CPU does not actually need all of those bits to dereference an address stored in a pointer. There are no systems (yet) that require — or can provide — all of the memory that can be addressed by 64 bits, meaning that there are ranges of address space that do not map to physical memory. Normally, user-space addresses start at (or near) zero and increase from there; that means that the highest-order bits will be zero even with the largest possible addresses. As a result, it can be possible to use those high-order bits to store other types of information.

    There are numerous use cases for stashing metadata into those unused bits. Memory allocators could use that space to track different memory pools, for example, or for garbage collection. Database management systems have their own uses for that space. Applications can implement this sort of tagging now, but it must be done with care; an address with extra bits set is no longer a valid pointer, so that metadata must be masked out before dereferencing that pointer or passing it into code that does not understand the tagging scheme. That is error-prone and may slow down the application.

  • 5.18 Merge window, part 1 [LWN.net]

    As of this writing, 4,127 non-merge changesets have found their way into the mainline repository for the 5.18 development cycle. That may seem like a relatively slow start to the merge window, but there are a lot of changes packed into those commits. Read on for a summary of the most significant changes to land in the first half of the 5.18 merge window.

  • A way out for a.out [LWN.net]

    The a.out executable format dates back to the earliest days of Linux — and before. It has not been used in any serious way for decades, but support still exists in the Linux kernel and has resisted all attempts at its removal. Back in January, Borislav Petkov tried yet again to delete support for this format, leading to another extended discussion. There is one difference this time around, though: the effort to get rid of a.out support might just succeed.

    The a.out format dates back to the first edition of Unix. When MINIX came along, it naturally used that format for its executable files; that, in turn, led to a.out being used in Linux as well. It is a simple format, and its implementation on Linux was even simpler; among other things, every Linux shared library had to be centrally assigned its own portion of the address space, since libraries could not be relocated at run time. Still, Linux used a.out for some time, until support for the newfangled ELF format was first added to the 0.99.13 development kernel in 1993.

    There was a time when the crazier people among us manually converted our Slackware systems from a.out to ELF in order to be able to try it out and gain the benefits before distributions were updated. They still bear the scars from that time. Not that your editor would ever admit to knowing anybody who would have engaged in any such activity.

    ELF has been the standard executable format for Linux on most architectures since 1995. One might think that would have provided enough time for any users of a.out binaries to grudgingly move on to ELF; its adoption can probably be judged to not be a passing fad at this point. But, in the real world, surprises lurk.

  • Systemd discusses its kernel-version needs

    A query regarding the possibility of dropping support for older kernels in systemd led to some discussion on the systemd-devel mailing list recently. As might be guessed, exactly which kernel would be the minimum supported, what kernel features systemd is using, and when those kernel features became available, were all part of that conversation. A component like systemd that is closely tied to the kernel, and the interfaces different versions provide, has a number of different factors to consider when making a decision of this sort.

    Zbigniew Jędrzejewski-Szmek started things off by asking if changing the minimum required kernel version for systemd to 4.4 would cause problems for anyone. He said that if it did, "please substantiate why you are running new systemd with such old kernels". Currently, systemd minimally requires Linux 3.15 or later, as noted in its README file.

Advice for data centers looking to change operating systems

Which OS a data center uses can vary, but the majority of platforms are based on or have compatibility with Linux. Linux is well known for its incredible flexibility and versatility, largely thanks to its open source nature and highly active global community. Because anyone can use Linux freely, developers around the world have built custom configurations suited to almost any purpose. Linux's modular nature also makes it a natural fit for the cloud -- easy to scale and match the pace of potentially rapid data center growth. Some of the biggest cloud platforms in the world are based on hardened versions of Linux, including AWS, Google Cloud Platform and Microsoft Azure. Many of today's existing data center OSes are compatible with Linux, but each OS often has a specific purpose. For example, Kubernetes provides a way to configure Docker containers into clusters of interacting services. It automatically accounts for resource density replication and service grouping and intelligently schedules these factors. Photon, on the other hand, operates as a minimal Linux container host with a focus on quick booting on VMware platforms.

Games: Steam Deck Milestone and More

  • 2100 Games On The Steam Deck, with Metro 2033 Redux and Resonance of Fate as Verified - Boiling Steam

    A rather slow week again after the 2000 games milestone on the Steam Deck. There are now 2100 games (1997 at the time of writing) working on the Steam Deck – in two categories as usual...

  • Steam Deck gets a small update to fix Downloads, adds Triggers for Keyboard | GamingOnLinux

    Here we go again Steam Deck fans, another upgrading ready and waiting to be downloaded. This time though, it's a pretty small one with only a few changes. All welcome changes though of course. Some users noticed recently that downloading on the Steam Deck might cause the Steam Client to freeze. Obviously a pretty major problem and one thankfully Valve has solved quite quickly since the last update.

  • Valve marks the first month of the Steam Deck | GamingOnLinux

    Valve has released a news post going over some of the changes and improvements of the Steam Deck over the first month since the initial release. There's a lot that's been going on, with updates releasing rather regularly. Most of it, we've already gone over in articles you can follow on the Steam Deck tag and videos on the GamingOnLinux YouTube Channel. Some of what's mentioned includes jumping over 2,000 Verified and Playable titles, which is a nice healthy number for such a new system. There's quite a lot of issues there though, they know this, and so the feedback system was introduced to see how different the experience is compared with Deck Verified and what players actually see.

Security Leftovers

  • Red Hat gets RHEL 8.2 certified for high level US government security

    Linux slinger Red Hat has achieved Common Criteria certification for Red Hat Enterprise Linux 8.2. This means it is cleared as a platform suitable for US users with critical workloads in classified and sensitive deployments, including national security agencies, finance and healthcare organizations.

  • Ubuntu plocate security review
  • VMware Releases Security Updates | CISA

    VMware has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

  • Protecting Against the Spring4Shell Vulnerability | eSecurityPlanet

    Spring4Shell (CVE-2022-22965) is a remote code execution (RCE) vulnerability that affects Spring Core, a comprehensive framework for Java-based enterprise applications. Spring4Shell gets its name from the Log4Shell vulnerability, one of the most critical zero-day threats ever, which affected a Java software component called Log4j and allowed hackers to take control of web servers and networks. Spring4Shell is a critical vulnerability for web applications and cloud services. Any RCE is a serious threat, and GitHub is already full of POCs (proofs of concept) that disclose the exploit publicly, so cybercriminals can’t miss it.

  • Secure your Edge Solutions with Red Hat and ZettaSet

    Modern environments, especially edge computing and 5G, are complex, highly distributed, highly multi-tenant. Such environments push enterprise data close to the edge and create numerous exposure points and attack surfaces that did not exist in legacy monolithic deployments. In the previous article, we outlined five security considerations for edge deployments. The key component that will be addressed in this post is data. Let’s walk through how Red Hat OpenShift and Zettaset XCrypt for OpenShift customers can take advantage of a platform for microservices deployments with the granular and high performance data protection and management capabilities that modern architectures require.

gzip-1.12 released

Thanks to Paul Eggert and Lasse Collin for all the work
on fixing the exploitable zgrep bug, and to Paul for
handling most of the other changes.

Here are the compressed sources:
  https://ftp.gnu.org/gnu/gzip/gzip-1.12.tar.gz   (1.3MB)
  https://ftp.gnu.org/gnu/gzip/gzip-1.12.tar.xz   (808KB)

Here are the GPG detached signatures[*]:
  https://ftp.gnu.org/gnu/gzip/gzip-1.12.tar.gz.sig
  https://ftp.gnu.org/gnu/gzip/gzip-1.12.tar.xz.sig

Use a mirror for higher download bandwidth:
  https://www.gnu.org/order/ftp.html

Here are the SHA1 and SHA256 checksums:

91fa501ada319c4dc8f796208440d45a3f48ed13  gzip-1.12.tar.gz
W0+xTTgxTgny/IocUQ581UCj6g4+ubBCAEa4LDv0EIU  gzip-1.12.tar.gz
318107297587818c8f1e1fbb55962f4b2897bc0b  gzip-1.12.tar.xz
zl4D5Rn2N+H4FAEazjXE+HszwLur7sNbr1+9NHnpGVY  gzip-1.12.tar.xz

The SHA256 checksum is base64 encoded, instead of the
hexadecimal encoding that most checksum tools default to.

[*] Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify gzip-1.12.tar.gz.sig

If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to update
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key jim@meyering.net

  gpg --recv-keys 7FD9FCCB000BEEEE

  wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=gzip&download=1' | gpg --import -

This release was bootstrapped with the following tools:
  Autoconf 2.71
  Automake 1.16d
  Gnulib v0.1-5194-g58c597d13b

NEWS

* Noteworthy changes in release 1.12 (2022-04-07) [stable]

** Changes in behavior

  'gzip -l' no longer misreports file lengths 4 GiB and larger.
  Previously, 'gzip -l' output the 32-bit value stored in the gzip
  header even though that is the uncompressed length modulo 2**32.
  Now, 'gzip -l' calculates the uncompressed length by decompressing
  the data and counting the resulting bytes.  Although this can take
  much more time, nowadays the correctness pros seem to outweigh the
  performance cons.

  'zless' is no longer installed on platforms lacking 'less'.

** Bug fixes

  zgrep applied to a crafted file name with two or more newlines
  can no longer overwrite an arbitrary, attacker-selected file.
  [bug introduced in gzip-1.3.10]

  zgrep now names input file on error instead of mislabeling it as
  "(standard input)", if grep supports the GNU -H and --label options.

  'zdiff -C 5' no longer misbehaves by treating '5' as a file name.
  [bug present since the beginning]

  Configure-time options like --program-prefix now work.
Read more

