Vue normale
[$] BTF, Rust, and the kernel toolchain
BPF Type Format (BTF), BPF's debugging information format, has undergone rapid evolution to match the evolving needs of BPF programs. José Marchesi spoke at Kangrejos about some of that work — and how it could impact Rust, specifically. He discussed debug information, kernel-specific relocations, and the planned changes to kernel stack unwinding. Each of these will require some amount of work to fully support in Rust, but preliminary signs look promising.
[$] Coccinelle for Rust
Tathagata Roy has been working to make the Coccinelle tool that is used (among other things) to automate the refactoring of C code work on Rust code as well. Roy gave a presentation at Kangrejos about that work, including the creative approaches necessary to work with Rust's more complicated control flow and syntax.
Security updates for Friday
Remote exploit of CUPS
Security researcher Simone Margaritelli has reported a new vulnerability in CUPS, the software that many Linux systems use to manage printers and print jobs. Margaritelli describes the impact of the attack by saying:
A remote unauthenticated attacker can silently replace existing printers' (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer).
The vulnerability relies on a few related problems in CUPS libraries and utilities; versions before 2.0.1 or 2.1b1 (depending on the component) may be affected.
Red Hat has released a security bulletin as well.
[$] Getting PCI driver abstractions upstream
Danilo Krummrich gave a talk at Kangrejos 2024 focusing on the question of how the Rust-for-Linux project could improve at getting device and driver abstractions upstream. As a case study, he used some of his recent work that attempts to make it possible to write a PCI driver entirely in Rust. There wasn't time to go into as much detail as he would have liked, but he did demonstrate that it is possible to interface with the kernel's module loader in a way that is much harder to screw up than the current standard approach in C.
[$] What the Nova GPU driver needs
In March, Danilo Krummrich announced the new Nova GPU driver — a successor to Nouveau for controlling NVIDIA GPUs. At Kangrejos 2024, Krummrich gave a presentation about what it is, why it's needed, and where it's going next. Hearing about the needs of the driver provoked extended discussion on related topics, including what level of safety is reasonable to expect from drivers, given that they must interact with the hardware.
[$] Resources for learning Rust for kernel development
Dirk Behme led a second session, back-to-back with his session on error handling at Kangrejos 2024, discussing providing better guidance for users of the kernel's Rust abstractions. Just after that, Carlos Bilbao and Miguel Ojeda had their own time slot dedicated to collecting resources that could be of use to someone trying to come up to speed on kernel development in Rust. The attendees provided a lot of guidance in both sessions, and discussed what they could do to make things easier for people coming from non-Rust backgrounds.
OpenSSH 9.9 released
The OpenSSH project has released version 9.9. This version includes support for the new post-quantum cryptography standard from NIST. The release also includes the next step in the deprecation of DSA keys — they are now disabled by default at compile time, and are expected to be removed entirely in early 2025. The release also contains the normal mixture of bug fixes and small usability improvements.
Security updates for Friday
[$] Best practices for error handling in kernel Rust
Dirk Behme led a session discussing the use of Rust's question-mark operator in the kernel at Kangrejos 2024. He was particularly concerned with the concept of "silent" errors that don't print any messages to the console. Other attendees were less convinced that this was a problem, but his presentation sparked a lot of discussion about whether the Rust-for-Linux project could improve error handling in kernel Rust code.
[$] A discussion of Rust safety documentation
Kangrejos 2024 started off with a talk from Benno Lossin about his recent work to establish a standard for safety documentation in Rust kernel code. Lossin began his talk by giving a brief review of what safety documentation is, and why it's needed, before moving on to the current status of his work. Safety documentation is easier to read and write when there's a shared vocabulary for discussing common requirements; Lossin wants to establish that shared vocabulary for Rust code in the Linux kernel.
Security proof for Linux's random number generator
Four researchers have published a formal proof that Linux's new deterministic random bit generator (DRBG) is secure in a particular sense — specifically, that the number of queries that would need to be made to it to uncover its internal state depends on the quality of the entropy it can collect from different sources. As long as it can gather enough entropy, it produces secure random numbers.
Since the significant structural changes in Linux 4 and Linux 5.17, there has been no research on the provable security of Linux-DRBG. For the first time (to the best of our knowledge), we formally model the Linux-DRBG in Linux 6.4.8 and prove its security in the seedless robustness model
Thanks to Jason Donenfeld for bringing the paper to our attention.
Security updates for Tuesday
[$] Application monitoring with OpenSnitch
OpenSnitch is an
"interactive application firewall
". Like other firewalls, it uses a
series of rules to decide what network traffic should be permitted. Unlike
many other firewalls, though, OpenSnitch does not ask the user to create a list of rules
ahead of time. Instead, the list of rules can be built up
incrementally as applications make connections — and the user can peruse both
the rules that have built up over time, and statistics on the connections that
have been attempted.
[$] NIST finalizes post-quantum encryption standards
On August 13, the US National Institute of Standards and Technology (NIST) published the final form of its new post-quantum cryptographic standards. One key-exchange mechanism and two digital-signature schemes are now officially sanctioned by the institute. Adopting the new standards should be fairly painless for most developers, but the overhead added by the schemes could pose challenges for some applications.
Forgejo changes license to GPLv3+
The Forgejo project has announced that, starting from version 9.0, Forgejo will be released under the GPLv3 license (or a later version). Older versions of the software forge remain MIT-licensed.
A copyleft license makes reusing other copyleft software easier. Recently, we discovered that some of the dependencies we used were incompatible with the license Forgejo was distributed with, and they had to be removed for now. Choosing copyleft licenses enables us to reuse more work, and saves us precious time to focus on improving Forgejo itself.
Security updates for Friday
[$] A review of file descriptor memory safety in the kernel
On July 30, Al Viro sent a patch set to the linux-fsdevel mailing list with a comprehensive cover letter explaining his recent work on ensuring that the kernel's internal representation of file descriptors are used correctly in the kernel. File descriptors are ubiquitous; many system calls need to handle them. Viro's review identified a few existing bugs, and may prevent more in the future. He also had suggestions for ways to keep uses consistent throughout the kernel.
[$] Custom string formatters in Python
Python has had formatted string literals (f-strings), a syntactic shorthand for building strings, since 2015. Recently, Jim Baker, Guido van Rossum, and Paul Everitt have proposed PEP 750 ("Tag Strings For Writing Domain-Specific Languages") which would generalize and expand that mechanism to provide Python library writers with additional flexibility. Reactions to the proposed change were somewhat positive, although there was a good deal of discussion of (and opposition to) the PEP's inclusion of lazy evaluation of template parameters.