Language Selection

English French German Italian Portuguese Spanish

Kernel: LWN Coverage (No Longer Paywalled) and Initial HDMI 2.0 Support With Nouveau Slated For The Next Linux Kernel

Filed under
Linux
  • Revenge of the modems

    Back in the halcyon days of the previous century, those with a technical inclination often became overly acquainted with modems—not just the strange sounds they made when connecting, but the AT commands that were used to control them. While the AT command set is still in use (notably for GSM networks), it is generally hidden these days. But some security researchers have found that Android phones often make AT commands available via their USB ports, which is something that can potentially be exploited by rogue USB devices of various sorts.

    A paper [PDF] that was written by a long list of researchers (Dave (Jing) Tian, Grant Hernandez, Joseph I. Choi, Vanessa Frost, Christie Ruales, Patrick Traynor, Hayawardh Vijayakumar, Lee Harrison, Amir Rahmati, Michael Grace, and Kevin R. B. Butler) and presented at the 27th USENIX Security Symposium described the findings. A rather large number of Android firmware builds were scanned for the presence of AT commands and many were found to have them. That's not entirely surprising since the baseband processors used to communicate with the mobile network often use AT commands for configuration. But it turns out that Android vendors have also added their own custom AT commands that can have a variety of potentially harmful effects—making those available over USB is even more problematic.

    They started by searching through 2018 separate Android binary images (it is not clear how that number came about, perhaps it is simply coincidental) from 11 different vendors. They extracted and decompressed the various pieces inside the images and then searched those files for AT command strings. That process led to a database of 3500 AT commands, which can be seen at the web site for ATtention Spanned—the name given to the vulnerabilities.

  • XFS, LSM, and low-level management APIs

    The Linux Security Module (LSM) subsystem allows security modules to hook into many low-level operations within the kernel; modules can use those hooks to examine each requested operation and decide whether it should be allowed to proceed or not. In theory, just about every low-level operation is covered by an LSM hook; in practice, there are some gaps. A discussion regarding one of those gaps — low-level ioctl() operations on XFS filesystems — has revealed a thorny problem and a significant difference of opinion on what the correct solution is.

    In late September Tong Zhang pointed out that xfs_file_ioctl(), the 300-line function that dispatches the various ioctl() operations that can be performed on an XFS filesystem, was making a call to vfs_readlink() without first consulting the security_inode_readlink() LSM hook. As a result, a user with the privilege to invoke that operation (CAP_SYS_ADMIN) could read the value of a symbolic link within the filesystem, even if the security policy in place would otherwise forbid it. Zhang suggested that a call to the LSM hook should be added to address this problem.

  • Initial HDMI 2.0 Support With Nouveau Slated For The Next Linux Kernel

    Days after Nouveau DRM maintainer Ben Skeggs began staging changes for this open-source NVIDIA driver ahead of the next kernel cycle, this evening Ben Skeggs submitted the DRM-Next pull request to queue this work for the Linux 4.20/5.0 kernel cycle.

    As covered in that previous article, there isn't a whole lot on the Nouveau kernel driver front at this time. Skeggs summed up these open-source NVIDIA driver changes as: "Just initial HDMI 2.0 support, and a bunch of other cleanups."

  • Device-to-device memory-transfer offload with P2PDMA

    One of the most common tasks carried out by device drivers is setting up DMA operations for data transfers between main memory and the device. Often, data read into memory from one device will be immediately written, unchanged, to another device. Common examples include carrying the image between the camera and screen on a mobile phone, or downloading files to be saved on a disk. Those transfers have an impact on the CPU even if it does not use the data directly, due to higher memory use and effects like cache trashing. There are cases where it is possible to avoid usage of the system memory completely, though. A patch set (posted by Logan Gunthorpe with contributions by Christoph Hellwig and Steve Wise) has been in the works for some time that addresses this case for PCI devices using peer-to-peer (P2P) transfers, with a focus on offering an offload option for the NVMe fabrics target subsystem.

More in Tux Machines

OSS and Sharing Leftovers

  • HarfBuzz 2.0 Released For Advancing Open-Source Text Shaping
    The HarfBuzz open-source text shaping library that is used by GNOME, KDE, Firefox, LibreOffice, Chrome OS, Java, and countless other desktop applications has reached version 2.0.
  • 5 open source intrusion detection tools that are too good to ignore
    As cybersecurity professionals, we try to prevent attackers from gaining access to our networks but protecting perimeters that have grown exponentially with the rise of mobile devices, distributed teams, and the internet of things (IoT) is not easy. The unpalatable truth is that sometimes the attackers are going to get through and the cost of a data breach grows the longer it takes you to uncover the attack. By employing a solid intrusion detection system (IDS) backed up by a robust incident response plan, you can reduce the potential damage of a breach.
  • How Open Source Marketers Can Leverage Community For Success
    If you’re an open source marketer, you have some unique challenges to overcome. Not only does one of your primary audiences -- developers -- shy away from marketing, despite the fact open source needs it (as I wrote about previously), but you must let go of the traditional mindset that your job is to differentiate the product from its competitors. Products built on open source differentiate themselves, of course, but when you’re talking about the open core, that’s just not how it works.
  • Petter Reinholdtsen: Release 0.2 of free software archive system Nikita announced
    This morning, the new release of the Nikita Noark 5 core project was announced on the project mailing list. The free software solution is an implementation of the Norwegian archive standard Noark 5 used by government offices in Norway.
  • UTSA creates web-based open source dashboard of North Pole
    UTSA professors Hongjie Xie and Alberto Mestas-Nuñez examine images of sea ice in the Arctic Ocean. Xie along with Xin Miao at Missouri State University started working on the project five years ago. Now the National Science Foundation has given the green light in the way of funding to develop the online system which uses high resolution imaging either obtained on-site, via satellites, or via airborne monitoring. The system will allow the scientific community the ability to readily extract detailed information of various ice properties including submerged ice, ice concentration, melt ponds or ice edge—the boundary between an area of ice and the open sea. The on-demand database will be dynamic and allowed to include new algorithms as well as additional datasets as they become available. Currently, the cloud-based system holds about a terabyte of images but that number will surely grow. The earliest dataset is from 1998 from the Sheba expedition which conducted 13 flights over the Beaufort Sea. Now researchers will include close to 1760 declassified images.
  • Open Access Is the Law in California
    Governor Jerry Brown recently signed A.B. 2192, a law requiring that all peer-reviewed, scientific research funded by the state of California be made available to the public no later than one year after publication. EFF applauds Governor Brown for signing A.B. 2192 and the legislature for unanimously passing it—particularly Assemblymember Mark Stone, who introduced the bill and championed it at every step. To our knowledge, no other state has adopted an open access bill this comprehensive. As we’ve explained before, it’s a problem when cutting-edge scientific research is available only to people who can afford expensive journal subscriptions and academic databases. It insulates scientific research from a broader field of innovators: if the latest research is only available to people with the most resources, then the next breakthroughs will only come from that group. A.B. 2192 doesn’t solve that problem entirely, but it does limit it. Under the new law, researchers can still publish their papers in subscription-based journals so long as they upload them to public open access repositories no later than one year after publication.
  • How to use Pandoc to produce a research paper
    This article takes a deep dive into how to produce a research paper using (mostly) Markdown syntax. We'll cover how to create and reference sections, figures (in Markdown and LaTeX) and bibliographies. We'll also discuss troublesome cases and why writing them in LaTeX is the right approach.
  • LLVM Continues Working On Its Transition From SVN To Git
    In addition to LLVM's multi-year effort on re-licensing their code, some developers also remain hard at work on officially migrating the project from an SVN development workflow to Git. For the past few years LLVM has been wanting to move from SVN to Git. While there are read-only Git copies of the LLVM repositories already and it's been that way for a while, officially moving over their code-bases to Git has proven to be a challenge for preserving all of the branches, keeping accurate commit messages, etc, for a sane transfer process. This is just like the complex process of moving the GCC compiler over to Git as well.
  • Enterprise Java caretakers float new rules of engagement for future feature updates
    The Eclipse Foundation, saddled with oversight of Java EE last year after Oracle washed its hands of the thankless business of community governance, wants to revise the process by which enterprise Java – rechristened Jakarta EE when Oracle declined to grant use of its Java trademark – gets improved. Mike Milinkovich, executive director of the Eclipse Foundation, on Tuesday posted a draft of the Eclipse Foundation Specification Process (EFSP), seeking community review and comment. The intent is to replace the Java Community Process (JCP), the current system for evolving the technical specifications related to Java technology, as least as it applies to the enterprise flavored brew of Java. The need to replace the JCP for Jakarta EE arises from intellectual property concerns. As software developer Richard Monson-Haefel observed over the summer, "Unfortunately, Oracle was not able to donate all of the Java EE 8 specification documents (e.g. JMS, EJB, Servlet) because these specifications were developed under the Java Community Process and included the efforts of hundreds of people, many of who are not Oracle employees."
  • Security updates for Friday

Is New Ubuntu 18.10 Worth Installing?

The new Ubuntu release "Cosmic Cuttlefish" has hit the OS market after 6 months of development. I've been using it since it came out and now here is what I have to say about it. In this article, I'll talk about the new things it brings in and also if it's the release worth upgrading to. So let's go. Read
more

Red Hat and Fedora Leftovers

Android Leftovers