Vue normale
Huang: IRIS (Infra-Red, in situ) Project Updates
The technique works because although silicon looks opaque at visible light, it is transparent starting at near-infrared wavelengths (roughly 1000 nm and longer). Today's commodity optics and CMOS cameras are actually capable of working with lights at this wavelength; thus, IRIS is a low-cost and effective technique for confirming the construction of chips down to block level. For example, IRIS can readily help determine if a chip has the correct amount of RAM, number of CPU cores, peripherals, bond pads, etc. This level of verification would be sufficient to deter most counterfeits or substitutions.
The 6.8 kernel has been released
So it took a bit longer for the commit counts to come down this release than I tend to prefer, but a lot of that seemed to be about various selftest updates (networking in particular) rather than any actual real sign of problems. And the last two weeks have been pretty quiet, so I feel there's no real reason to delay 6.8.
Significant changes in this release include the deadline servers scheduling feature, support for memory-management auto-tuning in DAMON, the large anonymous folios feature, the kernel samepage merging advisor, the ability to prevent writes to block devices containing mounted filesystems, the listmount() and statmount() system calls, the first device driver written in Rust, the removal of the (never finished) bpfilter packet-filtering system, three new system calls for managing Linux security modules, support for data-type profiling in the perf tool, guest-first memory for KVM virtualization, the Intel Xe graphics driver, and a lot more. See the LWN merge-window summaries (part 1, part 2) for more information.
[$] Development statistics for 6.8
Huston: KeyTrap!
It's by no means "[devastating]" for the DNS, and the fix is much the same as the previous fix. As well as limiting the number of queries that a resolver can generate to resolve a queried name, a careful resolver will limit both the elapsed time and perhaps the amount of the resolver's processing resources that are used to resolve any single query name.It's also not a novel discovery by the ATHENE folk. The vulnerability was described five years ago by a student at the University of Twente. I guess the issue was that the student failed to use a sufficient number of hysterical adjectives in describing this DNS vulnerability in the paper!
Security updates for Tuesday
Today's hardware vulnerability: register file data sampling
RFDS may allow a malicious actor to infer data values previously used in floating point registers, vector registers, or integer registers. RFDS does not provide the ability to choose which data is inferred
Only Atom cores are affected, but those cores can be found inside a number of processors. See this documentation commit for more information.
[$] A new filesystem for pidfds
[$] LWN.net Weekly Edition for March 14, 2024
[$] The first half of the 6.9 merge window
[$] Toward a real "too small to fail" rule
Man Yue Mo: Gaining kernel code execution on an MTE-enabled Pixel 8
So, by using the GPU to access physical addresses directly, I'm able to completely bypass the protection that MTE offers. Ultimately, there is no memory safe code in the code that manages memory accesses. At some point, physical addresses will have to be used directly to access memory.
Security updates for Tuesday
Firefox 124.0 released
GNOME 46 released
GNOME 46 is code-named 'Kathmandu', in recognition of the amazing work done by the organizers of GNOME.Asia 2023." Significant changes include a new global search feature, enhancements to the Files app, improved remote login support, and more.
[$] LWN.net Weekly Edition for March 21, 2024
The "Nova" driver for NVIDIA chipsets
We just started to work on Nova, a Rust-based GSP-only driver for Nvidia GPUs. Nova, in the long term, is intended to serve as the successor of Nouveau for GSP-firmware-based GPUs.With Nova we see the chance to significantly decrease the complexity of the driver compared to Nouveau for mainly two reasons. First, Nouveau's historic architecture, especially around nvif/nvkm, is rather complicated and inflexible and requires major rework to solve certain problems (such as locking hierarchy in VMM / MMU code for VM_BIND currently being solved with a workaround) and second, with a GSP-only driver there is no need to maintain compatibility with pre-GSP code.
Besides that, we also want to take the chance to contribute to the Rust efforts in the kernel and benefit from from more memory safety offered by the Rust programming language.
Given that the effort has just begun, it will be a while before this driver shows up in a distribution release.
Redis is no longer free software
Under the new license, cloud service providers hosting Redis offerings will no longer be permitted to use the source code of Redis free of charge. For example, cloud service providers will be able to deliver Redis 7.4 only after agreeing to licensing terms with Redis, the maintainers of the Redis code.
Distributors like Fedora are already looking at removing Redis as a consequence. (Thanks to Emmanuel Seyman).