Email: email@example.com • Twitter: @benhutchingsuk • Debian: benh • Gitweb: git.decadent.org.uk • Github: github.com/bwhacks
I was assigned 20 hours of work by Freexian's Debian LTS initiative and worked all 20 hours this month.
I rebased the Debian package of Linux onto 3.16.80 and send out a request for testing.
I also replied to questions from other LTS contributors sent to the lts-security alias and on the public mailing list.
I was assigned 16.5 hours of work by Freexian's Debian LTS initiative and carried over 3.75 hours from November. I worked all 20.25 hours this month.
I prepared and, after review, released Linux 3.16.79. I rebased the Debian package onto 3.16.79 and sent out a request for testing.
I also released Linux 3.16.80, but haven't yet rebased the Debian package onto this.
I was assigned 24.5 hours of work by Freexian's Debian LTS initiative and carried over 0.5 hours from October. I worked 21.25 hours this month, so will carry over 3.75 hours to December.
I released Linux 3.16.76, rebased the Debian package onto that, and sent out a request for testing.
I backported the mitigation for TSX Asynchronous Abort (CVE-2019-11135) and reporting of iTLB multihit (CVE-2018-12207) to 3.16 (this work started in October). I applied these and a GPU security fix, uploaded the Debian package and issued DLA-1989-1.
I backported the latest security update for Linux 4.9 from stretch to jessie and issued DLA-1990-1 for that.
I prepared and, after, review, released Linux 3.16.77 and 3.16.78. I rebased the Debian package onto 3.16.78 and sent out a request for testing.
I was assigned 22.75 hours of work by Freexian's Debian LTS initiative. I worked almost all those hours this month, but will carry over 0.5 hours to November.
I prepared and, after review, released Linux 3.16.75, including various important fixes. I then rebased the Debian package onto that, and sent out a request for testing. I prepared and sent out Linux 3.16.76-rc1 for review.
I handled a misdirected request to update the tzdata package, adding that and the related Perl library to the dla-needed.txt file. I responded to a support request regarding Intel microcode updates for security issues. I also spent some time working on security issues that are still under embargo.
This conference only has a single track, so I attended almost all the talks. This time I didn't take notes but I've summarised all the talks I attended. This is the second and last part of that; see part 1 if you missed it.
Speaker: Jesper Dangaard Brouer
Details and slides: https://kernel-recipes.org/en/2019/xdp-closer-integration-with-network-stack/
The speaker introduced XDP and how it can improve network performance.
The Linux network stack is extremely flexible and configurable, but this comes at some performance cost. The kernel has to generate a lot of metadata about every packet and check many different control hooks while handling it.
The eXpress Data Path (XDP) was introduced a few years ago to provide a standard API for doing some receive packet handling earlier, in a driver or in hardware (where possible). XDP rules can drop unwanted packets, forward them, pass them directly to user-space, or allow them to continue through the network stack as normal.
He went on to talk about how recent and proposed future extensions to XDP allow re-using parts of the standard network stack selectively.
This talk was supposed to be meant for kernel developers in general, but I don't think it would be understandable without some prior knowledge of the Linux network stack.
Speaker: Jens Axboe
Details and slides: https://kernel-recipes.org/en/2019/talks/faster-io-through-io_uring/
Video: Youtube. (This is part way through the talk, but the earlier part is missing audio.)
The normal APIs for file I/O, such as
blocking, i.e. they make the calling thread sleep until I/O is
complete. There is a separate kernel API and library for asynchronous
I/O (AIO), but it is very restricted; in particular it only supports
direct (uncached) I/O. It also requires two system calls per
operation, whereas blocking I/O only requires one.
io_uring API was introduced as an entirely new API for
asynchronous I/O. It uses ring buffers, similar to hardware DMA
rings, to communicate operations and completion status between
user-space and the kernel, which is far more efficient. It also
removes most of the restrictions of the current AIO API.
The speaker went into the details of this API and showed performance comparisons.
Speaker: Bradley Kuhn
The speaker talked about the importance of the GNU GPL to the development of Linux, in particular the ability of individual developers to get complete source code and to modify it to their local needs.
He described how, for a large proportion of devices running Linux, the complete source for the kernel is not made available, even though this is required by the GPL. So there is a need for GPL enforcement—demanding full sources from distributors of Linux and other works covered by GPL, and if necessary suing to obtain them. This is one of the activities of his employer, Software Freedom Conservancy, and has been carried out by others, particularly Harald Welte.
In one notable case, the Linksys WRT54G, the release of source after a lawsuit led to the creation of the OpenWRT project. This is still going many years later and supports a wide range of networking devices. He proposed that the Conservancy's enforcement activity should, in the short term, concentrate on a particular class of device where there would likely be interest in creating a similar project.
Speaker: Eric Leblond
Details and slides: https://kernel-recipes.org/en/2019/talks/suricata-and-xdp/
The speaker described briefly how an Intrusion Detection System (IDS) interfaces to a network, and why it's important to be able to receive and inspect all relevant packets.
He then described how the Suricata IDS uses eXpress Data Path (XDP, explained in an earlier talk) to filter and direct packets, improving its ability to handle very high packet rates.
Speaker: Greg Kroah-Hartman
Details and slides: https://kernel-recipes.org/en/2019/talks/cves-are-dead-long-live-the-cve/
Common Vulnerabilities and Exposures Identifiers (CVE IDs) are a standard, compact way to refer to specific software and hardware security flaws.
The speaker explained problems with the way CVE IDs are currently assigned and described, including assignments for bugs that don't impact security, lack of assignment for many bugs that do, incorrect severity scores, and missing information about the changes required to fix the issue. (My work on CIP's kernel CVE tracker addresses some of these problems.)
The average time between assignment of a CVE ID and a fix being published is apparently negative for the kernel, because most such IDs are being assigned retrospectively.
He proposed to replace CVE IDs with "change IDs" (i.e. abbreviated git commit hashes) identifying bug fixes.
Speaker: Enric Balletbo i Serra
The speaker talked about how the Chrome OS developers have tried to reduce the difference between the kernels running on Chromebooks, and the upstream kernel versions they are based on. This has succeeded to the point that it is possible to run a current mainline kernel on at least some Chromebooks (which he demonstrated).
Speaker: Daniel Bristot de Oliveira
Details and slides: https://kernel-recipes.org/en/2019/talks/formal-modeling-made-easy/
The speaker explained how formal modelling of (parts of) the kernel could be valuable. A formal model will describe how some part of the kernel works, in a way that can be analysed and proven to have certain properties. It is also necessary to verify that the model actually matches the kernel's implementation.
He explained the methodology he used for modelling the real-time
scheduler provided by the
PREEMPT_RT patch set. The model used a
number of finite state machines (automata), with conditions on state
transitions that could refer to other state machines. He added (I
think) tracepoints for all state transitions in the actual code and a
kernel module that verified that at each such transition the model's
conditions were met.
In the process of this he found a number of bugs in the scheduler.
Speaker: Jonathan Corbet
Details and slides: https://kernel-recipes.org/en/2019/kernel-documentation-past-present-and-future/
The speaker is the maintainer of the Linux kernel's in-tree documentation. He spoke about how the documentation has been reorganised and reformatted in the past few years, and what work is still to be done.
Speaker: Jose E Marchesi
The speaker introduced and demonstrated his project, the "poke" binary editor, which he thinks is approaching a first release. It has a fairly powerful and expressive language which is used for both interactive commands and scripts. Type definitions are somewhat C-like, but poke adds constraints, offset/size types with units, and types of arbitrary bit width.
The expected usage seems to be that you write a script ("pickle") that defines the structure of a binary file format, use poke interactively or through another script to map the structures onto a specific file, and then read or edit specific fields in the file.