Language Selection

English French German Italian Portuguese Spanish


Enter your Tux Machines username.
Enter the password that accompanies your username.

More in Tux Machines

Kernel: Restricted DMA and AMD Work in Linux 5.11

  • Restricted DMA

    A key component of system hardening is restricting access to memory; this extends to preventing the kernel itself from accessing or modifying much of the memory in the system most of the time. Memory that cannot be accessed cannot be read or changed by an attacker. On many systems, though, these restrictions do not apply to peripheral devices, which can happily use direct memory access (DMA) on most or all of the available memory. The recently posted restricted DMA patch set aims to reduce exposure to buggy or malicious device activity by tightening up control over the memory that DMA operations are allowed to access. DMA allows devices to directly read from or write to memory in the system; it is needed to get reasonable I/O performance from anything but the slowest devices. Normally, the kernel is in charge of DMA operations; device drivers allocate buffers and instruct devices to perform I/O on those buffers, and everything works as expected. If the driver or the hardware contains bugs, though, the potential exists for DMA transfers to overwrite unrelated memory, leading to corrupted systems and unhappy users. Malicious (or compromised) hardware can use DMA to compromise the system the hardware is attached to, making users unhappier still; examples of this type of attack have been posted over the years. One way to address this problem is to place an I/O memory-management unit (IOMMU) between devices and memory. The kernel programs the IOMMU to allow access to a specific region of memory; the IOMMU then keeps devices from straying outside of that region. Not all systems are equipped with an IOMMU, though; they are mostly limited to the larger processors found in desktop machines, data centers, and the like. Mobile systems usually lack an IOMMU.

  • A Fix Has Been Proposed For The Slower AMD Performance On Linux 5.11

    With the in-development Linux 5.11 kernel there are many great features and improvements especially for AMD users with some new drivers and other pleasant enhancements. But as I outlined back on Christmas day: Linux 5.11 Is Regressing Hard For AMD Performance With Schedutil. Fortunately, a fix is now en route to the Linux 5.11 kernel for fixing that performance regression affecting AMD Zen 2/3 desktops and servers.  As outlined in that original article after bisecting the sizable performance regressions and in follow-up tests, AMD hardware performing slower on Linux 5.11 came down to the CPU frequency invariance support introduced this cycle and is utilized by the "Schedutil" CPU frequency scaling governor. With Schedutil often being the default for AMD systems on newer versions of the Linux kernel, this regression on Linux 5.11 compared to prior kernel releases has been unfortunate. 

  • Linux 5.11 Is Now Looking Great For AMD Zen 2 / Zen 3 Performance - Phoronix

    Not only is the AMD "CPU frequency invariance regression" from that new support with the in-development Linux 5.11 kernel on course to address the performance shortcomings I outlined last month, but with the patched kernel for a number of workloads the performance is now ahead of where it was at with Linux 5.10.

System76 Brings Back the Darter Pro Linux Laptop with Longer Battery Life, Tiger Lake CPUs

The Darter Pro is one of System76's most versatile all-around Linux laptops and the 2021 refresh is here with 11th Gen Intel Core i5-1135G7 and i7-1165G7 CPUs with 4 cores / 8 threads and integrated Iris Xe graphics, up to 64GB dual-channel DDR4 3200MHz RAM, and up to 4TB M.2 SSD storage. Best of all, the new Darter Pro comes with System76’s Coreboot-based Open Firmware and Open Source Embedded Controller Firmware to give customers full control over the hardware, and also make the Linux laptop faster and more secure. Read more

Fedora and Red Hat Leftovers

  • A possible step toward integrity measurement for Fedora

    The Fedora 34 release is planned for April 20 — a plan that may well come to fruition, given that the Fedora project appears to have abandoned its tradition of delayed releases. As part of that schedule, any proposals for system-wide changes were supposed to be posted by December 29. That has not stopped the arrival of a late proposal to add file signatures to Fedora's RPM packages, though. This proposal, meant to support the use of the integrity measurement architecture (IMA) in Fedora, has not been met with universal acclaim. The purpose of IMA is to measure whether the integrity of the system is intact, where "integrity" means that the important files in the system have not been corrupted. At its core, this measurement is carried out by reading a file's contents, computing a hash, and comparing that hash to the expected value; if the values match, the file has not been altered. This measurement can be used to prevent the execution (or reading) of corrupted files; it can also be used as part of a remote attestation scheme to convince a remote party that the local system has not been subjected to unauthorized modifications. To perform this measurement, IMA clearly must know what the expected hash for each file is; those hashes are signed with a key trusted by the kernel and stored as extended attributes. Generally, the private key used to sign these hashes is kept in some secure location, while the public key is either stored in a device like a trusted platform module (TPM) or built into the kernel binary. If all works as intended, IMA can thus be used to ensure that systems only run executables that have been blessed by some central authority, that those executables only read configuration files that have been similarly blessed, and so on. It is a mechanism for ensuring that the owner of a system keeps control of it; whether this is a good thing or not depends entirely on who the "owner" is defined to be. The actual proposal does not go so far as to implement IMA on Fedora systems; it is limited to including signatures with every file that is shipped in Fedora packages. These signatures "will be made with a key that’s kept by the Fedora Infrastructure team, and installed on the sign vaults". Fedora users would then be able to use IMA to keep their systems from using files that have been modified since they were packaged. An actual IMA setup for Fedora can be expected to come at some future time.

  • Fedora Loves Python 2020 report – Fedora Community Blog

    Inspired by a similar report from the Copr team, I’ve decided to look back at 2020 from the perspective of Python in Fedora (and little bit in RHEL/CentOS+EPEL as well). Here are the things we have done in Fedora (and EL) in 2020. By we I usually mean the Python Maint team at Red Hat and/or the Fedora’s Python SIG.

  • Introducing the Red Hat build of Eclipse Vert.x 4.0 - Red Hat Developer

    If you are interested in reactive, non-blocking, and asynchronous Java development, you are likely familiar with Eclipse Vert.x. The project started in 2011 and successfully moved to the Eclipse Foundation in 2013. Since then, Vert.x has undergone nine years of rigorous development and grown into a thriving community. It is one of the most widely used reactive frameworks, with support for multiple extensions, including extensions for messaging or streaming with Kafka or Artemis, developing applications with gRPC and GraphQL, and so much more. The Red Hat build of Eclipse Vert.x 4.0 is now generally available. This release improves Vert.x’s core APIs and handling. Developers who migrate can expect enhancements to futures and promises, distributed tracing, and deployment on Red Hat OpenShift. In this article, I introduce these updates and offer tips for migrating and deploying your Eclipse Vert.x 4.0 applications on OpenShift.

  • Implementing the ACSC "Essential Eight" baseline for security automation in Red Hat Enterprise Linux

    Achieving compliance with a security policy and maintaining compliance can be tedious. At Red Hat, we believe that such things should be automated and not become an unnecessary burden. To this end, we offer a whole ecosystem of services that automate security compliance. We ship several widely used security policies with our products. Today, we will go over the "Essential Eight" baseline in a bit more detail. The "Essential Eight" is a set of mitigation strategies created by the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD) that leads the Australian Government’s efforts to improve cybersecurity.

  • Painless services: implementing serverless with rootless Podman and systemd

    Serverless is an event-driven computing paradigm where applications are allocated dynamically to serve a request or consume events. When the application is not in use, there are no computing resources allocated. The serverless ecosystem offers a large number of runtimes, which start/stop/monitor software (e.g., Knative, Kubeless and many others). They come with different features, and they can trigger applications based on different kind of events (e.g., HTTP requests, messages, etc.). Even if systemd cannot be considered a real serverless runtime, the socket activation feature provides a foundation for a serverless architecture.

  • Convert your Windows install into a VM on Linux |

    I use VirtualBox frequently to create virtual machines for testing new versions of Fedora, new application programs, and lots of administrative tools like Ansible. I have even used VirtualBox to test the creation of a Windows guest host. Never have I ever used Windows as my primary operating system on any of my personal computers or even in a VM to perform some obscure task that cannot be done with Linux. I do, however, volunteer for an organization that uses one financial program that requires Windows. This program runs on the office manager's computer on Windows 10 Pro, which came preinstalled. This financial application is not special, and a better Linux program could easily replace it, but I've found that many accountants and treasurers are extremely reluctant to make changes, so I've not yet been able to convince those in our organization to migrate.

  • Red Hat's StackRox Acquisition Bolsters Its Hybrid Multi-Cloud Strategy

    The startup has container security capabilities that are missing in Red Hat's OpenShift Kubernetes platform. [...] "We are working on looking at a few things, and that will have to be run through them because they're the bank now," he said. "They're a partner, but they're also our shareholders." It's doubtful that Red Hat would have to go to the IBM bank to finance this purchase. Although no details of the deal were made public, most media reports are putting the price tag at just north of $100 million, far less than the $250 million it paid for CoreOS in 2018. As to be expected from Red Hat, which has traditionally insisted that all of its software be open source, Red Hat plans to open source StackRox’s proprietary software after the acquisition closes sometime in the first quarter of 2021. Red Hat said it will continue to support the existing KubeLinter open source community, as well as the new communities that form around StackRox’s other offerings as soon as they are open sourced.

Free/Open Source Software Leftovers

  • Open source means surrendering your monopoly over commercial exploitation

    There are ways that you can influence how others use your FOSS software, mainly having to do with making sure that everyone else keeps this same promise. You cannot stop someone from making money from your software, but you can obligate them to share their improvements with everyone else, which you can incorporate back into the original product to make it more compelling for everyone. The GPL family of licenses is designed for this purpose.1

    Furthermore, if your business is a consumer of free and open source software, rather than a producer, you need to be aware that you may be subject to those obligations. It’s not a free lunch: you may be required to return your improvements to the community. FOSS licenses are important, and you should make it your business to understand them, both as a user, contributor, and author of free and open source software.

    FOSS is eating the world, and it’s a very attractive choice for businesses for a good reason. This is the reason. It increases wealth for everyone. Capitalism concerns itself with making monopolies — FOSS instead concerns itself with the socialized creation of software wealth.

  • People of WordPress: Thelma Mutete –

    From a young age Thelma was encouraged by her father to ‘work hard, and dream big’. In High School, she pursued a career in Computer Science. She said: “I did not know what I would be doing or how I would get there but I just knew that I was going to pursue a career in information technology.” She wrote her first line of code at the age of 16 living in Zimbabwe, Africa. This was to mark the beginning of her enthusiasm for computer programming. When she joined the school’s computer class, Thelma thought she would learn Excel and Word. Instead, the assignment was to write her first program in C. She said: “It was not easy, but it was very exciting. l remember writing up simple code for a Video Club – a check-in/out for VHS tapes and CDs. Thus began my fascination with computers.” Seven years later, she went on to university to study for a Bachelors in Business Management and Information Technology. Her third year internship was at a local web design and hosting company. Though she had hoped her placement would be at a local bank or telecommunications company, the chance to discover website design turned out to be the best thing that could have happened. In 2017, Thelma went on to work for a company designing websites using HTML, CSS, PHP, JavaScript and Joomla. She had heard about WordPress but had not used it. She recalls: “People have this misconception that WordPress is not for real developers and it is not secure and at that time I was one of those people.”

  • Google forcing users to Chrome after appearance of Edge

    ANALYSIS Google's recent move to limit the use of its APIs in Chrome, such as Chrome sync and Click to Call, appears to be driven by the launch of Microsoft's Edge browser based on the open-source version of Chrome, known as Chromium.

  • A license change for Nmap

    It may be kind of an obvious statement, but licensing terms matter in our communities. Even a misplaced word or three can be fatal for a license, which is part of the motivation for the efforts to reduce license proliferation in free-software projects. Over the last few months, various distribution projects have been discussing changes made to the license for the Nmap network scanner; those changes seemed to be adding restrictions that would make the software non-free, though that was not the intent. But the incident does serve to show the importance of license clarity. On October 3, Nmap 7.90 was released; it came with a new license, the Nmap Public Source License (NPSL) version 0.92. The link here goes to the Wayback Machine as the usual location for the NPSL was updated to version 0.93 in mid-January. Previous versions of Nmap were available under the GPLv2, with some additional wording with regard to the project's definition of a "derivative work". As part of the release announcement and changelog for Nmap 7.90, the license change was made openly: "Upgraded the Nmap license [from] a sort of hacked-up version of GPLv2 to a cleaner and better organized version (still based on GPLv2) now called the Nmap Public Source License to avoid confusion." It did not take long for distributions to start noticing and reacting to the change.

  • Linux Foundation's Joshipura: Disaggregation is at the heart of open source, cloud-native and edge

    While disaggregation's roots in the telecom industry are deeper than shiny new concepts such as cloud-native and ORAN, it's foundational to open source and those new technologies, according to the Linux Foundation's Aprit Joshipura. During a Wednesday keynote address for FierceTelecom Winter Blitz Week, Joshipura defined disaggregation as the separation of hardware and software, as well as the separation of horizontal layers of software. Network disaggregation is "kind of old news," he said.