Language Selection

English French German Italian Portuguese Spanish

About Tux Machines

Saturday, 20 Jan 18 - Tux Machines is a community-driven public service/news site which has been around for over a decade and primarily focuses on GNU/LinuxSubscribe now Syndicate content

Search This Site

Quick Roundup

Type Title Author Replies Last Postsort icon
Story Red Hat Corporate News Roy Schestowitz 20/01/2018 - 10:43am
Story Slack as a Snap Roy Schestowitz 20/01/2018 - 10:25am
Story Linux Foundation: Upcoming Free Webinars, ONAP, Hyperledger Roy Schestowitz 20/01/2018 - 9:37am
Story Linux Gaming For Older/Lower-End Graphics Cards In 2018 Roy Schestowitz 20/01/2018 - 9:31am
Story Red Hat Patch Warning Roy Schestowitz 20/01/2018 - 9:20am
Story Android Leftovers Rianne Schestowitz 20/01/2018 - 8:48am
Story Security: Updates, SOS Fund, IR, ME, and WPA Roy Schestowitz 19/01/2018 - 11:14pm
Story First Impressions: Asus Tinkerboard and Docker Roy Schestowitz 19/01/2018 - 10:51pm
Story today's howtos Roy Schestowitz 19/01/2018 - 8:18pm
Story PlayOnLinux For Easier Use Of Wine Mohd Sohail 19/01/2018 - 7:31pm

Linux Kernel: KPTI, SEV, CBS

Filed under
Linux
  • Experimental KPTI Support For x86 32-bit Linux

    For the Kernel Page Table Isolation (KPTI) support currently within the Linux kernel for addressing the Meltdown CPU vulnerability it's currently limited to 64-bit on the x86 side, but for the unfortunate souls still running x86 32-bit operating systems, SUSE is working on such support.

  • AMD Secure Encrypted Virtualization Is Ready To Roll With Linux 4.16

    With the Linux 4.16 kernel cycle that is expected to begin immediately following the Linux 4.15 kernel debut on Sunday, AMD's Secure Encrypted Virtualization (SEV) technology supported by their new EPYC processors will be mainline.

    Going back to the end of 2016 have been Linux patches for Secure Encrypted Virtualization while with Linux 4.16 it will finally be part of the mainline kernel and supported with KVM (Kernel-based Virtual Machine) virtualization.

  • Deadline scheduler part 2 — details and usage

    Linux’s deadline scheduler is a global early deadline first scheduler for sporadic tasks with constrained deadlines. These terms were defined in the first part of this series. In this installment, the details of the Linux deadline scheduler and how it can be used will be examined.

    The deadline scheduler prioritizes the tasks according to the task’s job deadline: the earliest absolute deadline first. For a system with M processors, the M earliest deadline jobs will be selected to run on the M processors.

    The Linux deadline scheduler also implements the constant bandwidth server (CBS) algorithm, which is a resource-reservation protocol. CBS is used to guarantee that each task will receive its full run time during every period. At every activation of a task, the CBS replenishes the task’s run time. As the job runs, it consumes that time; if the task runs out, it will be throttled and descheduled. In this case, the task will be able to run only after the next replenishment at the beginning of the next period. Therefore, CBS is used to both guarantee each task’s CPU time based on its timing requirements and to prevent a misbehaving task from running for more than its run time and causing problems to other jobs.

Graphics: Mesa and AMDGPU

Filed under
Graphics/Benchmarks
  • Mesa 17.3.3 Released With RADV & ANV Vulkan Driver Fixes

    Mesa 17.3.3 is now available as the latest point release for the Mesa 17.3 stable series.

    This bi-weekly point release to Mesa presents several RADV Vega/GFX9 fixes, various Intel ANV Vulkan driver fixes, a DRI3 fix, and random fixes to the OpenGL drivers like RadeonSI, Etnaviv, and even Swrast.

  • R600g "Soft" FP64 Shows Signs Of Life, Enabling Older GPUs To Have OpenGL 4 In 2018

    Most pre-GCN AMD graphics cards are still limited to OpenGL 3.3 support at this time due to not supporting FP64. Only the HD 5800/6900 series on R600g currently have real double-precision floating-point support working right now so at present they are on OpenGL 4.3 rather than 3.3, but those other generations may be catching up soon thanks to the "soft" FP64 code.

  • AMDGPU DC Gets More Raven Ridge Improvements, Audio Fixes

    Harry Wentland of AMD has sent out the latest batch of patches for the AMDGPU DC display code stack. Fortunately it lightens up the DRM driver by about six thousand lines thanks to removing some unused code.

    Besides gutting out a chunk of unused code, the DC code has a few audio fixes (no word yet on supporting newer audio formats with DC), fixes on driver unload, a "bunch" of continued Raven Ridge display updates, and various other code clean-ups.

  • AMDGPU Firmware Blobs Updated For Video Encode/Decode

    There are updated AMDGPU microcode/firmware files now available for recent Radeon GPUs.

    The updated firmware files now available via the main linux-firmware.git repository are centered around the video blocks: UVD video decoding, VCE video encode, and the new VCN video encode/decode block with Raven Ridge.

Games: DRAG, Geneshift, Balloonatics and More

Filed under
Gaming

Tumbleweed Update

Filed under
SUSE
  • Tumbleweed Rolls Forward with New versions of Mesa, Squid, Xen

    This week provided a pretty healthy amount of package updates for openSUSE’s rolling distribution Tumbleweed.

    There were three snapshots released since the last blog and some of the top packages highlighted this week are from Mesa, Squid, Xen and OpenSSH.

    The Mesa update from version 17.2.6 to 17.3.2 in snapshot 20180116 provided multiple fixes in the RADV Vulkan driver and improvements of the GLSL shader cache. The Linux Kernel provides some fixes for the security vulnerabilities of Meltdown in version 4.14.13 and added a prevent buffer overrun on memory hotplug during migration for KVM with s390. The snapshot had many more package updates like openssh 7.6p1, which tightened configuration access rights. A critical fix when updating Flatpak packages live was made with the gnome-software version 3.26.4 update. File systems package btrfsprogs 4.14.1 provided cleanups and some refactoring while wireshark 2.4.4 made some fixes for dissector crashes. Xen 4.10.0_10 added a few patches. Rounding out the snapshot, ModemManager 1.6.12 fixed connection state machine when built against libqmi and blacklisted a few devices to include some Pycom devices.

  • openSUSE Tumbleweed Rolls To Mesa 17.3, Linux 4.14.13

    OpenSUSE has continued rolling in the new year with several key package updates in January.

    Exciting us a lot is that openSUSE Tumbleweed has migrated from Mesa 17.2 to now Mesa 17.3. Mesa 17.3.2 is the version currently in openSUSE's rolling-release.

Compact Quark-based embedded computer sells for $120

Filed under
Linux

Advantech’s “UBC-222” is an embedded computer that runs Yocto Linux on an Intel Quark X1000 with up to 1GB DDR3, dual 10/100 LAN ports, and a mini-PCIe socket with LTE-ready SIM slot.

Read more

Press Coverage About Wine 3.0

Filed under
Microsoft
Software
  • Windows apps on Linux: Wine 3.0 is out now with Direct3D 10, 11 support

    Wine 3.0 is now available to help you run Windows applications and games on Linux, macOS, and BSD systems.

    Wine -- or 'Wine is Not an Emulator' -- is a compatibility layer that implements the Windows API on top of Unix and Linux, to help you run Windows apps when needed.

    Currently, about 25,000 applications are compatible with Wine, with the most popular all being games, including Final Fantasy XI, Team Fortress 2, EVE, and StarCraft.

  • Wine 3.0 is here to run Windows software on your Linux box

    When people make the switch from Windows to Linux, they often experiment with Wine. If you aren’t familiar, it is a compatibility layer that can sometimes get Windows software to run on Linux and BSD. I say "sometimes" because it isn’t a flawless experience. In fact, it can be quite frustrating to use. I suggest using native Linux software as an alternative, but understandably, that isn’t always possible.

    If you depend on Wine, or want to start trying it out, I am happy to say that version 3.0 is finally available. It is quite the significant update too, as it features over 6,000 changes!

  • Have three WINEs this weekend, because WINE 3.0 has landed

    Version 3.0 of Wine Is Not an Emulator – aka WINE – has arrived, and offers all sorts of new emulation-on-Android possibilities.

    WINE lets users run Windows applications on Linux, MacOS, Solaris, and FreeBSD, plus other POSIX-compliant operating system. To do so it “translates Windows API calls into POSIX calls on-the-fly”, an arrangement its developers rate as more efficient than virtualization while “allowing you to cleanly integrate Windows applications into your desktop.”

  • Wine 3.0 Released To Run Windows Apps On Linux Efficiently — Download It Here

    Just recently, we told you that the support for Linux distros in VirtualBox is about to get a lot better with the release of Linux kernel 4.16. But, what if you wish to run Windows apps on your host Linux system? For that, Wine has got your back.

Top 6 open source desktop email clients

Filed under
OSS

Mobile and web technologies still haven't made the desktop obsolete, and despite some regular claims to the contrary, desktop clients don't seem to be going away anytime soon.

And with good reason. For many, the preference for a native application (and corresponding native performance), easy offline use, a vast array of plugins, and meeting security needs will long outweigh pressures to switch to a webmail email client. Whether you're sticking with a desktop email client because of a corporate mandate or just personal preference, there are still many great options to choose from. And just because you may be stuck on Windows doesn't mean Outlook is your only option; many open source clients are cross-platform.

Read more

The 5 Best Linux Distributions for Development

Filed under
Linux

When considering Linux, there are so many variables to take into account. What package manager do you wish to use? Do you prefer a modern or old-standard desktop interface? Is ease of use your priority? How flexible do you want your distribution? What task will the distribution serve?

It is that last question which should often be considered first. Is the distribution going to work as a desktop or a server? Will you be doing network or system audits? Or will you be developing? If you’ve spent much time considering Linux, you know that for every task there are several well-suited distributions. This certainly holds true for developers. Even though Linux, by design, is an ideal platform for developers, there are certain distributions that rise above the rest, to serve as great operating systems to serve developers.

Read more

Meltdown and Spectre Linux Kernel Status - Update

Filed under
Linux
Security

I keep getting a lot of private emails about my previous post previous post about the latest status of the Linux kernel patches to resolve both the Meltdown and Spectre issues.

These questions all seem to break down into two different categories, “What is the state of the Spectre kernel patches?”, and “Is my machine vunlerable?”

Read more

today's leftovers

Filed under
Misc

OSS: Jio, VMware Openwashing, and Testing Jobs

Filed under
OSS
  • Jio is committed to use open source technology: Akash Ambani

    Speaking at the India Digital Open Summit 2018, Akash Ambani, Director of Reliance Jio Infocomm, said that open source is very important for his company.

    “The year 2017 was the tipping point for AR and VR globally. In India, AR and VR are in the initial stages of adoption but at Jio, we believe it will grow at a 50 percent compounded rate for the next five years,” Akash said.

    He also spoke on the evolution of artificial intelligence and blockchain.

  • VMware and Pivotal’s PKS Distribution Marries Kubernetes with BOSH [Ed: It looks like the author has been reduced to Microsoft propaganda and other openwashing puff pieces sponsored by proprietary software giants. We have given up on several writers who used to support GNU/Linux. Seeing their activity, it seems as though they ended up with neither gigs nor credibility (used to get far more writing assignments from LF, often for Microsoft openwashing).]
  • Hehe, still writing code for a living? It's 2018. You could be earning x3 as a bug bounty hunter

    Ethical hacking to find security flaws appears to pay better, albeit less regularly, than general software engineering.

    And while payment remains one of the top rationales for breaking code, hackers have begun citing more civic-minded reasons for their activities.

    A survey of 1,700 bug bounty hunters from more than 195 countries and territories by security biz HackerOne, augmented by the company's data on 900 bug bounty programs, has found that white-hat hackers earn a median salary that's 2.7 times that of typical software engineers in their home countries.

    In some places, the gap is far more pronounced. In India, for example, hackers make as much as 16 times the median programmer salary. In the US, they earn 2.4 times the median.

Security: Spectre and Meltdown, Industrial System Sabotage, VDP, Windows in Healthcare

Filed under
Security
  • Some thoughts on Spectre and Meltdown

     

    Contrast that with what happened this time around. Google discovered a problem and reported it to Intel, AMD, and ARM on June 1st. Did they then go around contacting all of the operating systems which would need to work on fixes for this? Not even close. FreeBSD was notified the week before Christmas, over six months after the vulnerabilities were discovered. Now, FreeBSD can occasionally respond very quickly to security vulnerabilities, even when they arise at inconvenient times — on November 30th 2009 a vulnerability was reported at 22:12 UTC, and on December 1st I provided a patch at 01:20 UTC, barely over 3 hours later — but that was an extremely simple bug which needed only a few lines of code to fix; the Spectre and Meltdown issues are orders of magnitude more complex.  

  • Menacing Malware Shows the Dangers of Industrial System Sabotage

     

    At the S4 security conference on Thursday, researchers from the industrial control company Schneider Electric, whose equipment Triton targeted, presented deep analysis of the malware—only the third recorded cyberattack against industrial equipment. Hackers [sic] were initially able to introduce malware into the plant because of flaws in its security procedures that allowed access to some of its stations, as well as its safety control network.

  • 25 per cent of hackers don't report bugs due to lack of disclosure policies

     

    One of the standout discoveries was that almost 25 per cent of respondents said they were unable to disclose a security flaw because the bug-ridden company in question lacked a vulnerability disclosure policy (VDP).

  • 'Professional' hack [sic] on Norwegian health authority compromises data of three million patients [iophk: "Windows TCO"]

My Linux story: Coding not required

Filed under
Linux

For more than 15 years, I have earned a living working exclusively with open source products. How did I get here?

In many ways, my journey started before Linux existed. In college, I had friends who were admins in the engineering computer lab. Although I did not do too well in my CS programming classes, as a hobby and to spend time with my friends I learned about newgroups, ftp sites, and Unix systems. As a data aide student intern, I realized I made a good translator between the astronomers and the C programmer computer support staff. I could read just enough code to identify the problem, but not enough to actually fix it.

Read more

Amazing Facts about Linux Operating System You Probably Don't Know

Filed under
Linux

It was almost 30 years ago when the first version of Linux came into the market and since then, this operating system has made its important stature beside Microsoft Windows. Linux has turned out to be one of the most acknowledged and extensively used operating system. Enthused by UNIX, Linux has smartly managed to attract a lot of tech giants such as Facebook, Google, Yahoo, Twitter, Amazon, and much more. However, when it comes to assessing the exact rate of adoption of Linux in the market, the task is a bit tough since the sources to get copies are wide in number. Appreciating workers' and developers' hard-work, Linux has been designed in such a way that exploring and learning things on this operating system has become quite captivating and enthralling.

In this post, let's know more about amazing features and facts of this operating system.

Read more

Red Hat News

Filed under
Red Hat

Raising Funds for GNU/Linux

Filed under
GNU
Linux
  • $25k Linux Journalism Fund

    Linux Journal's new parent, Private Internet Access, has established a $25k fund to jump-start the next generation of Linux journalism—and to spend it here, where Linux journalism started in 1994.

    This isn't a contest, and there are no rules other than the ones that worked for journalism before it starting drowning in a sea of "content".

  • Nearly six years after the Kickstarter, Stainless Games claim Carmageddon is still coming to Linux

    Another year has passed and it's now nearing six years since the Carmageddon: Reincarnation Kickstarter that was supposed to have a Linux version. The developer said it is still coming, apparently.

Linux Foundation Events: India Digital Open Summit 2018, Open Source Networking Day, Open Source Leadership Summit

Filed under
Linux

GPL Violations: Grsecurity Carries on Bullying Bruce Perens, Israel Complies with AGPL, Xiaomi Violates GPL

Filed under
GNU
  • Linux's Grsecurity dev team takes blog 'libel' fight to higher court

    Open Source Security, Inc., the maker of the Grsecurity Linux kernel patches, suffered a setback last month when San Francisco magistrate judge Laurel Beeler granted a motion by defendant Bruce Perens to dismiss the company's defamation claim, with the proviso that the tossed legal challenge could be amended.

    The code biz and its president Brad Spengler sued Perens over a blog post in June in which Perens said that using the firm's Grsecurity software could expose customers to a contributory infringement claim under the terms of the Linux kernel's GPLv2 license.

    Open Source Security contends that statement has damaged its business.

  • Israel’s Information and Communications Technology Authority Bows to Pressure to Comply with Affero GPL

    Under pressure from open source advocates, the Israeli Information and Communications Technology (ICT) Authority recently shared its first open source software, extensions made by the ICT Authority to the CKAN data portal platform to help make the platform usable in Hebrew.

    The CKAN software is an open source data portal platform used since 2016 by the ICT Authority to make Israeli government data open and available on its government database website. The CKAN software is licensed under the GNU AGPL Version 3 license, an “ultra-strong” open source license that requires users of modified versions of CKAN software to offer its source code, even in the absence of distribution, to users interacting with software over the Internet.

  • Xiaomi Violating GPL 2.0 License With Mi A1 Kernel Sources

    Xiaomi is in violation of the GPL 2.0 license of the Linux Kernel project by still not releasing the kernel sources for the Mi A1 Android One and has been publicly criticized on the matter by established Android developer Francisco Franco earlier this week. While the smartphone was released in September and the Chinese consumer electronics manufacturer’s official policy is to publicize kernel sources for its devices within three months of their market launch, the Android One edition of the Mi A1 remains undetailed in this regard. Mr. Franco — best known for his work on the Franco Kernel, one of the most popular custom OS cores in the Android ecosystem — had some harsh words for the company on Twitter, calling its laidback approach to publicizing the kernel sources for the Mi A1 “an embarrassment” for the open source community and the type of software it allows it to create its commercial devices in the first place.

Syndicate content

More in Tux Machines

KDE: Linux and Qt in Automotive, KDE Discover, Plasma5 18.01 in Slackware

  • Linux and Qt in Automotive? Let’s meet up!
    For anyone around the Gothenburg area on Feb 1st, you are most welcome to the Automotive MeetUp held at the Pelagicore and Luxoft offices. There will be talks about Qt/QML, our embedded Linux platform PELUX and some ramblings about open source in automotive by yours truly ;-)
  • What about AppImage?
    I see a lot of people asking about state of AppImage support in Discover. It’s non-existent, because AppImage does not require centralized software management interfaces like Discover and GNOME Software (or a command-line package manager). AppImage bundles are totally self-contained, and come straight from the developer with zero middlemen, and can be managed on the filesystem using your file manager This should sound awfully familiar to former Mac users (like myself), because Mac App bundles are totally self-contained, come straight from the developer with zero middlemen, and are managed using the Finder file manager.
  • What’s new for January? Plasma5 18.01, and more
    When I sat down to write a new post I noticed that I had not written a single post since the previous Plasma 5 announcement. Well, I guess the past month was a busy one. Also I bought a new e-reader (the Kobo Aura H2O 2nd edition) to replace my ageing Sony PRS-T1. That made me spend a lot of time just reading books and enjoying a proper back-lit E-ink screen. What I read? The War of the Flowers by Tad Williams, A Shadow all of Light by Fred Chappell, Persepolis Rising and several of the short stories (Drive, The Butcher of Anderson Station, The Churn and Strange Dogs) by James SA Corey and finally Red Sister by Mark Lawrence. All very much worth your time.

GNU/Linux: Live Patching, Gravity of Kubernetes, Welcome to 2018

  • How Live Patching Has Improved Xen Virtualization
    The open-source Xen virtualization hypervisor is widely deployed by enterprises and cloud providers alike, which benefit from the continuous innovation that the project delivers. In a video interview with ServerWatch, Lars Kurth, Chairman of the Xen Project Advisory Board and Director, Open Source Solutions at Citrix, details some of the recent additions to Xen and how they are helping move the project forward.
  • The Gravity of Kubernetes
    Most new internet businesses started in the foreseeable future will leverage Kubernetes (whether they realize it or not). Many old applications are migrating to Kubernetes too. Before Kubernetes, there was no standardization around a specific distributed systems platform. Just like Linux became the standard server-side operating system for a single node, Kubernetes has become the standard way to orchestrate all of the nodes in your application. With Kubernetes, distributed systems tools can have network effects. Every time someone builds a new tool for Kubernetes, it makes all the other tools better. And it further cements Kubernetes as the standard.
  • Welcome to 2018
    The image of the technology industry as a whole suffered in 2017, and that process is likely to continue this year as well. That should lead to an increased level of introspection that will certainly affect the free-software community. Many of us got into free software to, among other things, make the world a better place. It is not at all clear that all of our activities are doing that, or what we should do to change that situation. Expect a lively conversation on how our projects should be run and what they should be trying to achieve. Some of that introspection will certainly carry into projects related to machine learning and similar topics. There will be more interesting AI-related free software in 2018, but it may not all be beneficial. How well will the world be served, for example, by a highly capable, free facial-recognition system and associated global database? Our community will be no more effective than anybody else at limiting progress of potentially freedom-reducing technologies, but we should try harder to ensure that our technologies promote and support freedom to the greatest extent possible. Our 2017 predictions missed the fact that an increasing number of security problems are being found at the hardware level. We'll not make the same mistake in 2018. Much of what we think of as "hardware" has a great deal of software built into it — highly proprietary software that runs at the highest privilege levels and which is not subject to third-party review. Of course that software has bugs and security issues of its own; it couldn't really be any other way. We will see more of those issues in 2018, and many of them are likely to prove difficult to fix.

Linux Kernel Development

  • New Sound Drivers Coming In Linux 4.16 Kernel
    Due to longtime SUSE developer Takashi Iwai going on holiday the next few weeks, he has already sent in the sound driver feature updates targeting the upcoming Linux 4.16 kernel cycle. The sound subsystem in Linux 4.16 sees continued changes to the ASoC code, clean-ups to the existing drivers, and a number of new drivers.
  • Varlink: a protocol for IPC
    One of the motivations behind projects like kdbus and bus1, both of which have fallen short of mainline inclusion, is to have an interprocess communication (IPC) mechanism available early in the boot process. The D-Bus IPC mechanism has a daemon that cannot be started until filesystems are mounted and the like, but what if the early boot process wants to perform IPC? A new project, varlink, was recently announced; it aims to provide IPC from early boot onward, though it does not really address the longtime D-Bus performance complaints that also served as motivation for kdbus and bus1. The announcement came from Harald Hoyer, but he credited Kay Sievers and Lars Karlitski with much of the work. At its core, varlink is simply a JSON-based protocol that can be used to exchange messages over any connection-oriented transport. No kernel "special sauce" (such as kdbus or bus1) is needed to support it as TCP or Unix-domain sockets will provide the necessary functionality. The messages can be used as a kind of remote procedure call (RPC) using an API defined in an interface file.
  • Statistics for the 4.15 kernel
    The 4.15 kernel is likely to require a relatively long development cycle as a result of the post-rc5 merge of the kernel page-table isolation patches. That said, it should be in something close to its final form, modulo some inevitable bug fixes. The development statistics for this kernel release look fairly normal, but they do reveal an unexpectedly busy cycle overall. This development cycle was supposed to be relatively calm after the anticipated rush to get work into the 4.14 long-term-support release. But, while 4.14 ended up with 13,452 non-merge changesets at release, 4.15-rc6 already has 14,226, making it one of the busiest releases in the kernel project's history. Only 4.9 (16,214 changesets) and 4.12 (14,570) brought in more work, and 4.15 may exceed 4.12 by the time it is finished. So far, 1,707 developers have contributed to this kernel; they added 725,000 lines of code while removing 407,000, for a net growth of 318,000 lines of code.
  • A new kernel polling interface
    Polling a set of file descriptors to see which ones can perform I/O without blocking is a useful thing to do — so useful that the kernel provides three different system calls (select(), poll(), and epoll_wait() — plus some variants) to perform it. But sometimes three is not enough; there is now a proposal circulating for a fourth kernel polling interface. As is usually the case, the motivation for this change is performance. On January 4, Christoph Hellwig posted a new polling API based on the asynchronous I/O (AIO) mechanism. This may come as a surprise to some, since AIO is not the most loved of kernel interfaces and it tends not to get a lot of attention. AIO allows for the submission of I/O operations without waiting for their completion; that waiting can be done at some other time if need be. The kernel has had AIO support since the 2.5 days, but it has always been somewhat incomplete. Direct file I/O (the original use case) works well, as does network I/O. Many other types of I/O are not supported for asynchronous use, though; attempts to use the AIO interface with them will yield synchronous behavior. In a sense, polling is a natural addition to AIO; the whole point of polling is usually to avoid waiting for operations to complete.

Security: OpenSSL, IoT, and LWN Coverage of 'Intelpocalypse'

  • Another Face to Face: Email Changes and Crypto Policy
    The OpenSSL OMC met last month for a two-day face-to-face meeting in London, and like previous F2F meetings, most of the team was present and we addressed a great many issues. This blog posts talks about some of them, and most of the others will get their own blog posts, or notices, later. Red Hat graciously hosted us for the two days, and both Red Hat and Cryptsoft covered the costs of their employees who attended. One of the overall threads of the meeting was about increasing the transparency of the project. By default, everything should be done in public. We decided to try some major changes to email and such.
  • Some Basic Rules for Securing Your IoT Stuff

    Throughout 2016 and 2017, attacks from massive botnets made up entirely of hacked [sic] IoT devices had many experts warning of a dire outlook for Internet security. But the future of IoT doesn’t have to be so bleak. Here’s a primer on minimizing the chances that your IoT things become a security liability for you or for the Internet at large.

  • A look at the handling of Meltdown and Spectre
    The Meltdown/Spectre debacle has, deservedly, reached the mainstream press and, likely, most of the public that has even a remote interest in computers and security. It only took a day or so from the accelerated disclosure date of January 3—it was originally scheduled for January 9—before the bugs were making big headlines. But Spectre has been known for at least six months and Meltdown for nearly as long—at least to some in the industry. Others that were affected were completely blindsided by the announcements and have joined the scramble to mitigate these hardware bugs before they bite users. Whatever else can be said about Meltdown and Spectre, the handling (or, in truth, mishandling) of this whole incident has been a horrific failure. For those just tuning in, Meltdown and Spectre are two types of hardware bugs that affect most modern CPUs. They allow attackers to cause the CPU to do speculative execution of code, while timing memory accesses to deduce what has or has not been cached, to disclose the contents of memory. These disclosures can span various security boundaries such as between user space and the kernel or between guest operating systems running in virtual machines. For more information, see the LWN article on the flaws and the blog post by Raspberry Pi founder Eben Upton that well describes modern CPU architectures and speculative execution to explain why the Raspberry Pi is not affected.
  • Addressing Meltdown and Spectre in the kernel
    When the Meltdown and Spectre vulnerabilities were disclosed on January 3, attention quickly turned to mitigations. There was already a clear defense against Meltdown in the form of kernel page-table isolation (KPTI), but the defenses against the two Spectre variants had not been developed in public and still do not exist in the mainline kernel. Initial versions of proposed defenses have now been disclosed. The resulting picture shows what has been done to fend off Spectre-based attacks in the near future, but the situation remains chaotic, to put it lightly. First, a couple of notes with regard to Meltdown. KPTI has been merged for the 4.15 release, followed by a steady trickle of fixes that is undoubtedly not yet finished. The X86_BUG_CPU_INSECURE processor bit is being renamed to X86_BUG_CPU_MELTDOWN now that the details are public; there will be bug flags for the other two variants added in the near future. 4.9.75 and 4.4.110 have been released with their own KPTI variants. The older kernels do not have mainline KPTI, though; instead, they have a backport of the older KAISER patches that more closely matches what distributors shipped. Those backports have not fully stabilized yet either. KPTI patches for ARM are circulating, but have not yet been merged.
  • Is it time for open processors?
    The disclosure of the Meltdown and Spectre vulnerabilities has brought a new level of attention to the security bugs that can lurk at the hardware level. Massive amounts of work have gone into improving the (still poor) security of our software, but all of that is in vain if the hardware gives away the game. The CPUs that we run in our systems are highly proprietary and have been shown to contain unpleasant surprises (the Intel management engine, for example). It is thus natural to wonder whether it is time to make a move to open-source hardware, much like we have done with our software. Such a move may well be possible, and it would certainly offer some benefits, but it would be no panacea. Given the complexity of modern CPUs and the fierceness of the market in which they are sold, it might be surprising to think that they could be developed in an open manner. But there are serious initiatives working in this area; the idea of an open CPU design is not pure fantasy. A quick look around turns up several efforts; the following list is necessarily incomplete.
  • Notes from the Intelpocalypse
    Rumors of an undisclosed CPU security issue have been circulating since before LWN first covered the kernel page-table isolation patch set in November 2017. Now, finally, the information is out — and the problem is even worse than had been expected. Read on for a summary of these issues and what has to be done to respond to them in the kernel. All three disclosed vulnerabilities take advantage of the CPU's speculative execution mechanism. In a simple view, a CPU is a deterministic machine executing a set of instructions in sequence in a predictable manner. Real-world CPUs are more complex, and that complexity has opened the door to some unpleasant attacks. A CPU is typically working on the execution of multiple instructions at once, for performance reasons. Executing instructions in parallel allows the processor to keep more of its subunits busy at once, which speeds things up. But parallel execution is also driven by the slowness of access to main memory. A cache miss requiring a fetch from RAM can stall the execution of an instruction for hundreds of processor cycles, with a clear impact on performance. To minimize the amount of time it spends waiting for data, the CPU will, to the extent it can, execute instructions after the stalled one, essentially reordering the code in the program. That reordering is often invisible, but it occasionally leads to the sort of fun that caused Documentation/memory-barriers.txt to be written.