Fedora and Red Hat: UEFI, Nextcloud, OpenShift, Open Virtual Network (OVN) and Microsoft

  • Richard Hughes: Hunting UEFI Implants

    Last week I spent 3 days training on how to detect UEFI firmware implants. The training was run by Alex Matrosov via Hardwear.io and was a comprehensive deep-dive into UEFI firmware internals so that we could hunt for known and unknown implants. I’d 100% recommend this kind of training, it was excellent. Although I understood the general concepts of the protection mechanisms like SMM, HP Sure Start and Intel BIOSGuard before doing the training, it was really good to understand how the technologies really worked, with real world examples of where hardware vendors were getting the implementation wrong – giving the bad guys full control of your hardware. The training was superb, and Alex used lots of hands-on lab sessions to avoid PowerPoint overload. My fellow students were a mixture of security professionals and employees from various government departments from all over the world. We talked, a lot. My personal conclusion quite simply is that we’re failing as an industry. In the pursuit to reduce S3 resume time from 2s to 0.5s we introduce issues like the S3 bootscript vulnerability. With the goal to boot as quickly as possible, we only check the bare minimum certificate chain allowing additional malicious DXEs to be added to an image. OEMs are choosing inexpensive EC hardware from sketchy vendors that are acting as root of trust and also emulating hardware designed 30 years ago, whilst sharing the system SPI chip. By trying to re-use existing power management primitives like SMM as a security boundary the leaky abstractions fail us. Each layer in the security stack is assuming that the layer below it is implemented correctly, and so all it takes is one driver with SMM or CSME access to not check a memory address in a struct correctly and everything on top (e.g. BootGuard, ASLR, SELinux, etc) is broken.
    Coreboot isn’t the panacea here either as to get that to run you need to turn off various protections like BootGuard, and some techniques like Sure Start mean that Coreboot just isn’t a viable option. The industry seems invested into EDK2, for better or worse. This shouldn’t just be important to the few people just buying stuff from Purism – 10,000x laptops are being sold on Amazon for every laptop sold by vendors that care about this stuff. Most of the easy-to-exploit issues are just bugs with IBV or ODM-provided code, some of which can be fixed with a firmware update. Worse still, if you allow your “assumed secure” laptop out of sight then all bets are off with security. About a quarter of people at the UEFI training had their “travel laptop” tampered with at some point – with screws missing after “customs inspections” or with tamper seals broken after leaving a laptop in a hotel room. You really don’t need to remove the screws to image a hard drive these days. But, let’s back away from the state-sponsored attacker back to reality for a minute. The brutal truth is that security costs money. Vendors have to choose between saving 10 cents on a bill-of-materials by sharing a SPI chip (so ~$10K over a single batch), or correctly implementing BIOSGuard. What I think the LVFS now needs to do is provide some easy-to-understand market information to people buying hardware. We already know a huge amount of information about the device from signed reports and from analyzing the firmware binaries. What we’re not doing very well is explaining it to the user in a way they can actually understand. I didn’t understand the nuances between BIOSGuard and BootGuard until a few days ago, and I’ve been doing this stuff for years.
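    The "one driver with SMM access that doesn't check a memory address in a struct correctly" failure described above is the classic SMI-handler confused deputy: the handler receives a destination pointer and length from a caller-supplied communication buffer and writes to it while running with SMM privileges, so if the check is wrong the OS-level caller gets a write primitive into SMRAM. The block below is an added illustration, not code from Richard Hughes, the LVFS or any vendor firmware; the SMRAM window and the two check routines are constructed for the example (a real handler takes the protected range from the platform's SMRR/TSEG registers). It shows a start-address-only check beside a range check that is guarded against wraparound.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed SMRAM window for this illustration (assumed values, not from
 * the page): [SMRAM_BASE, SMRAM_END) is what the handler must never write. */
#define SMRAM_BASE 0x7f000000ULL
#define SMRAM_SIZE 0x00800000ULL             /* 8 MiB */
#define SMRAM_END  (SMRAM_BASE + SMRAM_SIZE) /* exclusive */

/* Hypothetical check as found in a buggy handler: it only looks at where the
 * caller-supplied region starts. A region that begins just below SMRAM and
 * runs into it, one that covers all of SMRAM, or a length that wraps the
 * address space is all accepted. */
bool smi_accepts_unchecked(uint64_t dst_addr, uint64_t dst_len)
{
    (void)dst_len;                           /* the length is never consulted */
    return dst_addr < SMRAM_BASE || dst_addr >= SMRAM_END;
}

/* Hardened check: [dst_addr, dst_addr + dst_len) must lie entirely outside
 * [SMRAM_BASE, SMRAM_END). The addition is guarded against wraparound and a
 * zero-length request is rejected as malformed. */
bool smi_accepts_checked(uint64_t dst_addr, uint64_t dst_len)
{
    if (dst_len == 0)
        return false;
    if (dst_addr > UINT64_MAX - dst_len)     /* addr + len would wrap */
        return false;
    uint64_t end = dst_addr + dst_len;       /* exclusive */
    return end <= SMRAM_BASE || dst_addr >= SMRAM_END;
}

int main(void)
{
    uint64_t addr = SMRAM_BASE - 4;          /* starts 4 bytes below SMRAM, runs into it */
    printf("straddling write: unchecked accepts=%d, checked accepts=%d\n",
           smi_accepts_unchecked(addr, 8), smi_accepts_checked(addr, 8));
    return 0;
}
```

    The same shape of check applies to any pointer that crosses a privilege boundary (a communication buffer parsed by an SMI handler, a request descriptor handed to the EC or CSME): validate the whole range, not the first byte, and treat the length as attacker-controlled.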

  • Build your own cloud with Fedora 31 and Nextcloud Server

    Nextcloud is a software suite for storing and syncing your data across multiple devices. You can learn more about Nextcloud Server’s features from https://github.com/nextcloud/server. This article demonstrates how to build a personal cloud using Fedora and Nextcloud in a few simple steps. For this tutorial you will need a dedicated computer or a virtual machine running Fedora 31 server edition and an internet connection.

  • OpenShift 4.3: Dashboard refinements and the new Project dashboard

    The Cluster Overview dashboard we introduced in Red Hat OpenShift 4.2 was a significant and well-received addition to the Web Console, and our team has greatly enjoyed seeing how OpenShift users (and even our own developers) have been using it to identify and resolve issues they otherwise may not have noticed. We’ve made a number of changes both big and small to the dashboard based on our user research findings and the feedback we’ve collected from readers like you. This post covers some of the key improvements and introduces a new member of the dashboard family that we think developers in particular are going to love.

  • Open Virtual Network unidling

    Open Virtual Network (OVN) is a project born as a sub-component of Open vSwitch (OVS), which is a performant, programmable, multi-platform virtual switch. OVN allows OVS users to natively create overlay networks by introducing virtual network abstractions such as virtual switches and routers. Moreover, OVN provides methods for setting up Access Control Lists (ACLs) and network services such as DHCP. Many Red Hat products, like Red Hat OpenStack Platform, Red Hat Virtualization, and Red Hat OpenShift Container Platform, rely on OVN to configure network functionalities.

  • Using Red Hat Universal Base Image with Azure Pipelines and Red Hat Quay.io

MPV 0.32 Released

  • MPV 0.32 Released with RAR5 Support & Initial Bash Completion

    MPV media player released version 0.32.0 today with some new features and various bug-fixes. MPV 0.32.0 features RAR5 support and initial implementation of bash completion.

  • MPV Player 0.32 Released With RAR5 Support, Bash Completion

    MPV 0.32 is out today as the newest update to this open-source video player based on MPlayer. MPV 0.32 adds support for RAR5 compressed content within its libarchive stream implementation. This latest version of RAR supports multi-threaded compression, other compression and decompression speed improvements, and other design improvements.

Programming With Dtrace, Python and LLVM Founder Picks RISC-V

  • On The Benefits of Static Trace Points

    Years ago IBM coined the term First Failure Data Capture (FFDC). Capture enough data about a failure, just as it occurs the first time, so that reproducing the failure is all but unnecessary. An observability framework is a set of tools that enable system administrators to monitor and troubleshoot systems running in production, without interfering with efficient operation. In other words, it captures enough data about any failure that occurs so that a failure can be root-caused and possibly even fixed without the need to reproduce the failure in vitro. Of course, FFDC is an aspirational goal. There will always be a practical limit to how much data can be collected, managed, and analyzed without impacting normal operation. The key is to identify important exceptional events and place hooks in those areas to record those events as they happen. These exceptional events are hopefully rare enough that the captured data is manageable. And the hooks themselves must introduce little or no overhead to a running system.

    The trace point facility

    The trace point facility, also known as ftrace, has existed in the Linux kernel for over a decade. Each static trace point is an individually-enabled call out that records a set of data as a structured record into a circular buffer. An area expert determines where each trace point is placed, what data is stored in the structured record, and how the stored record should be displayed (i.e., a print format specifier string). The format of the structured record acts as a kernel API. It is much simpler to parse than string output by printk. User space tools can filter trace data based on values contained in the fields (e.g., show me just trace events where "status != 0"). Each trace point is always available to use, as it is built into the code. When triggered, a trace point can do more than capture the values of a few variables. It also records a timestamp and whether interrupts are enabled, and which CPU, which PID, and which executable is running. It is also able to enable or disable other trace points, or provide a stack trace. Dtrace and eBPF scripts can attach to a trace point, and hist triggers are also possible. Trace point buffers are allocated per CPU to eliminate memory contention and lock waiting when a trace event is triggered. There is a default set of buffers ready from system boot onward. However, trace point events can be directed into separate buffers. This permits several different tracing operations to occur concurrently without interfering with each other. These buffers can be recorded into files, transmitted over the network, or read from a pipe. If a system crash should occur, captured trace records still reside in these buffers and can be examined using crash dump analysis tools.
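    The mechanics the excerpt describes (an individually enabled hook, a fixed-layout record carrying timestamp, CPU, PID, comm and interrupt state, a per-CPU overwriting ring, and a field filter such as "status != 0") can be modelled in user space in a few dozen lines. The block below is an added illustration, not kernel code and not from the article's author; the ring size, CPU count, record fields and the constructed event sequence are all assumptions for the example. It shows why a structured record is easier to filter than printk text and what an overwriting per-CPU ring retains after it overflows.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING_SLOTS 8   /* deliberately small so the constructed scenario overflows it */
#define NR_CPUS    2

/* Structured record: the field layout is the contract, not a printk string. */
struct trace_rec {
    uint64_t ts_ns;
    uint32_t cpu;
    uint32_t pid;
    char     comm[16];
    bool     irqs_on;
    int32_t  status;   /* event-specific field chosen by the area expert */
};

/* One overwriting circular buffer per CPU, so a hit never waits on a shared lock. */
struct ring {
    struct trace_rec slots[RING_SLOTS];
    uint64_t head;     /* records ever written; head % RING_SLOTS is the next slot */
};

static struct ring rings[NR_CPUS];
static bool tp_enabled;   /* each trace point is individually enabled */

void tracepoint_enable(bool on) { tp_enabled = on; }
void rings_reset(void) { memset(rings, 0, sizeof rings); }

/* The hook at the exceptional event: one branch when disabled, a record copy when on. */
void trace_event_hit(uint32_t cpu, uint32_t pid, const char *comm,
                     bool irqs_on, int32_t status, uint64_t ts_ns)
{
    if (!tp_enabled || cpu >= NR_CPUS)
        return;
    struct ring *r = &rings[cpu];
    struct trace_rec *rec = &r->slots[r->head % RING_SLOTS];
    rec->ts_ns = ts_ns;
    rec->cpu = cpu;
    rec->pid = pid;
    strncpy(rec->comm, comm, sizeof rec->comm - 1);
    rec->comm[sizeof rec->comm - 1] = '\0';
    rec->irqs_on = irqs_on;
    rec->status = status;
    r->head++;         /* once the ring is full, the oldest record is overwritten */
}

/* Records currently retained for one CPU. */
size_t ring_count(uint32_t cpu)
{
    uint64_t h = rings[cpu].head;
    return h < RING_SLOTS ? (size_t)h : RING_SLOTS;
}

/* Walk retained records oldest-first and apply a field predicate, the way a
 * tracefs filter such as "status != 0" selects events. Returns the match count. */
size_t ring_count_matching(uint32_t cpu, bool (*match)(const struct trace_rec *))
{
    const struct ring *r = &rings[cpu];
    size_t n = ring_count(cpu), hits = 0;
    for (uint64_t i = r->head - n; i < r->head; i++)
        if (match(&r->slots[i % RING_SLOTS]))
            hits++;
    return hits;
}

bool status_nonzero(const struct trace_rec *rec) { return rec->status != 0; }

/* Constructed scenario: 12 hits on CPU 0 (overflowing the 8-slot ring, with a
 * non-zero status on every third hit) and 3 clean hits on CPU 1. Returns how
 * many of the retained CPU 0 records have status != 0. */
size_t demo_scenario(void)
{
    rings_reset();
    tracepoint_enable(true);
    for (uint32_t i = 0; i < 12; i++)
        trace_event_hit(0, 1000 + i, "nfsd", true, (i % 3 == 0) ? -5 : 0, 1000ULL * i);
    for (uint32_t i = 0; i < 3; i++)
        trace_event_hit(1, 2000 + i, "kworker", false, 0, 50000ULL + i);
    return ring_count_matching(0, status_nonzero);
}

int main(void)
{
    size_t hits = demo_scenario();
    printf("cpu0 retained %zu of 12 records, %zu with status != 0\n", ring_count(0), hits);
    return 0;
}
```

    Of the twelve CPU 0 events only the last eight survive, so the early failures (status set on hits 0 and 3) are gone by the time the ring is read; that is the sizing trade-off the FFDC discussion is about, and the reason separate buffer instances exist for events that must not be crowded out.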

  • Announcing Mu version 1.0.3

    We didn’t intend to cut this release but changes in the way the latest OSX works meant that code highlighting didn’t work correctly. We also managed to apply a fix to an annoying bug relating to where Mu set the current working directory for scripts run in Python3 mode. OSX Catalina has posed a number of problems, from the incorrect rendering mentioned above, to the way the application should be installed and problems with permissions when flashing a BBC micro:bit. The simple answer to the installation story is, once you’ve installed Mu in your Applications folder, you should first open it with CTRL-click (not a double click) and select the “Open” button in the resulting pop-up. Subsequent runs of Mu can be started in the usual “double click” way. If you don’t do the “CTRL-click” trick you’ll see a pop-up complaining about Mu not being checked for malicious software.

  • Mike Driscoll: PyDev of the Week: Thomas Wouters

    I’m a self-taught programmer, a high school dropout, a core CPython developer, and a former PSF Board Director from Amsterdam, The Netherlands. I’ve been playing with computers for a long time, starting when my parents got a Commodore 64 with a couple books on BASIC, when I was 6 or 7. I learned a lot by just playing around on it. Then in 1994 I discovered the internet, while I was still in high school. This was before the days of the World Wide Web or (most) graphics, but I was sucked in by a programmable MUD, a text-based “adventure” environment, called LambdaMOO. LambdaMOO lets you create your own part of the world by making rooms and objects, and programming their behaviour, in a programming language that was similar to Python (albeit unrelated to it). One thing led to another and I dropped out of high school and got a job at a Dutch ISP (XS4ALL), doing tech support for customers. A year later I moved to the Sysadmin department, where I worked for ten years. I gradually moved from system administration to programming, even before I learned about Python. Besides working with computers I also like playing computer games of all kinds, and non-computer games like board games or card games. I do kickboxing, and I have a bunch of lovely cats, about whom I sometimes tweet. I’m pretty active on IRC as well, and I’m a channel owner of #python on Freenode. I also keep ending up in administration-adjacent situations, like the PSF Board of Directors and the Python Steering Council, not so much because I like it but because I don’t mind doing it, I’m apparently not bad at it, and it’s important stuff that needs to be done well.

  • Diving Deep Into Enhancing Photos With Python

    Python is a widely used language for building dynamic, attractive websites of any kind, and it gives developers what they need to deliver a reliable user experience and grow a business online. For any website, maintaining image quality is a challenge, because high-quality images slow the loading of landing pages, which in turn hurts the user experience. There are many tools available online that can compress images and make them uploadable to a website. However, the resulting images often lose their visual appeal after being compressed through such a tool.

  • Text Translation with Google Translate API in Python

    Unless you have been hiding under a rock, you have probably used Google Translate on many occasions in your life. Whenever you try to translate a word or a sentence from a certain language to another, it is the Google Translate API which brings you the desired results in the background. Though you can translate anything by simply going to the Google Translate web page, you can also integrate Google Translate API into your web applications or desktop programs. The best thing about the API is that it is extremely easy to set up and use. You can actually do a lot of things with the help of the Google Translate API ranging from detecting languages to simple text translation, setting source and destination languages, and translating entire lists of text phrases. In this article, you will see how to work with the Google Translate API in the Python programming language.

  • Python Community Interview With Kelly and Sean of Teaching Python

    This week I’m joined by Kelly Paredes and Sean Tibor, the hosts of the Teaching Python podcast. Join us as we discuss the benefits of learning Python outside of the code itself, and what it’s like to learn Python when you’re not planning to become a professional developer. So, without further ado, let’s meet Kelly and Sean!

  • With SiFive, We Can Change the World

    My quest is to build beautiful things that help change the world, and I’ve been fortunate to spend the last 15 years in Silicon Valley, working with some of the major players shaping all sorts of technology. Today, I’m super excited to join SiFive - the company I believe is best positioned to transform the silicon industry, to lead the Platform Engineering team. With experience building and leading large-scale production systems that power our industry, I’m looking forward to making the dream of customized chips a reality with SiFive’s amazing team of engineers. The end of Moore’s Law is a profound time, leading to new accelerators, new demand for custom ASICs, and new opportunities - and I believe that it is time for the semiconductor industry to change its approach to innovation. This industry has been defined by proprietary technologies that are difficult to use, don’t interoperate well, and have poor user experience. I believe that open tooling, world class engineering, and a focus on end-to-end user experience can transform the industry. Similarly, the RISC-V architecture provides unique opportunities for SoC customization at every level. This is only possible with SiFive’s ambitious design methodology, which is unmatched in the industry. My background includes experience creating and leading a number of large-scale technologies, including compiler technologies like the LLVM Compiler Infrastructure project, the Clang C and C++ compiler, the MLIR machine learning infrastructure, and others. I also spearheaded the creation of Swift - a programming language that powers Apple’s ecosystem - and led a team at Tesla that applies a wide range of tech in the autonomous driving space. Most recently, I built and managed an array of AI-related compiler, runtime, and programming language teams for Google Brain and TensorFlow.

  • LLVM Founder Chris Lattner Joins SiFive To Lead Platform Engineering

    This move for Chris comes after serving at Apple more than a decade where he led their LLVM-based toolchain efforts as well as developing the Swift programming language, a brief stint at Tesla focusing on their Autopilot software, and then for the past two and a half years has been at Google. At Google is where he was working on TensorFlow and the Machine Learning IR and other compiler-related efforts.

Leftovers: IBM, MicroK8s and Devices

  • Broadridge Signs With IBM For Greater Cloud Capabilities

    Red Hat, which IBM acquired in 2018, is the most pervasive container solution on the planet today, said Schlesinger. “It allows us to containerize our apps and then allows us to run them on any cloud unchanged, whether our private cloud, Azure, AWS or IBM.”

  • IBM Power-based cloud instances available… from Google

    IBM and Google may be competitors in the cloud platform business, but that doesn't prevent them from working together. Google is partnering with IBM to offer "Power Systems as a service" on its Google Cloud platform. IBM’s Power processor line is the last man standing in the RISC/Unix war, surviving Sun Microsystems’ SPARC and HP’s PA-RISC. Along with mainframes it’s the last server hardware business IBM has, having divested its x86 server line in 2014. IBM already sells cloud instances of Power to its IBM Cloud customers, so this is just an expansion of existing offerings to a competitor with a considerable data center footprint. Google said that customers can run Power-based workloads on GCP on all of its operating systems save mainframes — AIX, IBM i, and Linux on IBM Power.

  • An intro to MicroK8s

    MicroK8s is the smallest, fastest multi-node Kubernetes. Single-package fully conformant lightweight Kubernetes that works on 42 flavours of Linux as well as Mac and Windows using Multipass. Perfect for: Developer workstations, IoT, Edge, CI/CD. Anyone who’s tried to work with Kubernetes knows the pain of getting set up and running with the deployment. There are minimalist solutions in the market that reduce time-to-deployment and complexity, but the lightweight solutions come at the expense of critical extensibility and missing add-ons.

  • QNAP Launches Two Bay TS-251D NAS: Gemini Lake, HDMI, PCIe Expandability

    QNAP has announced its new budget-friendly two-bay NAS aimed at home users and supporting hardware-accelerated media playback. The TS-251D can store up to 32 TB of data using today’s hard drives and can be further expanded with a PCIe card to add SSD caching or other options. The QNAP TS-251D NAS is based on Intel’s dual-core Celeron J4005 processor with UHD 600 Graphics core and hardware decoding for multiple modern video codecs. The SoC is accompanied by 2 GB or 4 GB of DDR4 memory that can be expanded by the end user. The NAS has two bays that can support 2.5-inch or 3.5-inch HDDs or SSDs with a SATA 6 Gbps interface, though RAID modes are not supported. The unit has one GbE port, one HDMI 2.0 output, two USB 3.0 ports, three USB 2.0 connectors, and an IR sensor for an optional remote.

  • Coffee Lake module boasts extended temp operation

    Axiomtek’s Linux-friendly “CEM520” is a COM Express Basic Type 6 module with an Intel 8th Gen “Coffee Lake” Core or Xeon CPU, 4x SATA, PCIe x16, 8x PCIe x1, and support for -20 to 70°C and triple independent displays. Axiomtek has released the Intel 8th Gen based CEM520, which follows its earlier 6th Gen Skylake Core and Xeon E3 based CEM500 COM Express Basic Type 6 module. Other Coffee Lake driven Basic Type 6 modules include Avalue’s recent ESM-CFH.