
Kernel: LWN Article (Outside Paywall Today) and Remembering the LAN (Way Before Wireguard)

Filed under
Linux
  • process_madvise(), pidfd capabilities, and the revenge of the PIDs

    Once upon a time, there were few ways for one process to operate upon another after its creation; sending signals and ptrace() were about it. In recent years, interest in providing ways for processes to control others has been on the increase, and the kernel's process-management API has been expanded accordingly. Along these lines, the process_madvise() system call has been proposed as a way for one process to influence how memory management is done in another. There is a new process_madvise() series which is interesting in its own right, but this series has also raised a couple of questions about how process management should be improved in general.
    The existing madvise() system call allows a process to make suggestions to the kernel about how its address space should be managed. The 5.4 kernel saw a couple of new types of advice that could be provided with madvise(): MADV_COLD and MADV_PAGEOUT. The former requests that the kernel place the indicated range of pages onto the inactive list, essentially saying that they have not been used in a long time. Those pages will thus be among the first considered for reclaim if the kernel needs memory for other purposes. MADV_PAGEOUT, instead, is a stronger statement that the indicated pages are no longer needed; it will cause them to be reclaimed immediately.

    These new requests are useful for processes that know what their future access patterns will be. But it seems that in certain environments — Android, in particular — processes lack that knowledge, but the management system does know when certain memory ranges are no longer needed. The bulk of a process's address space could be marked as MADV_COLD when that process is moved out of the foreground, for example. In such settings, letting one process call madvise() on behalf of another helps the system as a whole make the best use of its memory resources. That is the purpose behind the process_madvise() proposal.

  • KRSI and proprietary BPF programs

    The "kernel runtime security instrumentation" (or KRSI) patch set enables the attachment of BPF programs to every security hook in the kernel; LWN covered this work in December. That article focused on ABI issues, but it deferred another potential problem to our 2020 predictions: the possibility that vendors could start shipping proprietary BPF programs for use with frameworks like KRSI. Other developers did pick up on the possibility that KRSI could be abused this way, though, leading to a discussion on whether KRSI should continue to allow the loading of BPF programs that do not carry a GPL-compatible license.
    It may be surprising to some that the kernel, while allowing BPF programs to declare their license, is entirely happy to load programs that have a proprietary license. This behavior, though, is consistent with how the kernel handles loadable modules: any module can be loaded, but modules without a GPL-compatible license will not have access to many kernel symbols (any that are exported with EXPORT_SYMBOL_GPL()). BPF programs interact with the kernel through special "helper functions", each of which must be explicitly exported; these, too, can have a "GPL only" marking on them. In current kernels, about 25% of the defined helpers are restricted to GPL-licensed code.

  • Scheduling for the Android display pipeline

    The default CPU-frequency governor used by Android is schedutil, which relies on the CPU utilization of the runnable tasks to select the frequency of the CPU they execute on: the higher the utilization, the higher the frequency of the CPU when they are runnable. This governor fits so well with the needs of mobile Android devices that, in Android, it also takes care of the SCHED_RT tasks, which are normally run at the maximum frequency in mainline Linux kernels.

    Schedutil chooses the lowest frequency sufficient not to overload the system, based on the measurement of the system utilization. This solution works well when tasks are independent and are able to run in parallel. But, whenever there is a dependency — tasks that are blocked on the completion of others — the single-task utilization accounting mechanism is no longer sufficient to define the requirements of the whole task set.

    For example, in the scenario shown below, schedutil sees that RenderThread only requires 50% of a CPU's capacity, so it sets the CPU frequency to 50% of the maximum. But RenderThread cannot run until the UI thread has done its work — the two tasks cannot run in parallel — so it misses its deadline.

  • Control-flow integrity for the kernel

    Control-flow integrity (CFI) is a technique used to reduce the ability to redirect the execution of a program's code in attacker-specified ways. The Clang compiler has some features that can assist in maintaining control-flow integrity, which have been applied to the Android kernel. Kees Cook gave a talk about CFI for the Linux kernel at the recently concluded linux.conf.au in Gold Coast, Australia.

    Cook said that he thinks about CFI as a way to reduce the attack, or exploit, surface of the kernel. Most compromises of the kernel involve an attacker gaining execution control, typically using some kind of write flaw to change system memory. These write flaws come in many flavors, generally with some restrictions (e.g. can only write a single zero or only a set of fixed byte values), but in the worst case, they can be a "write anything anywhere at any time" flaw. The latter, thankfully, is relatively rare.

  • Remembering the LAN

    We can have the LAN-like experience of the 90's back again, and we can add the best parts of the 21st century internet. A safe small space of people we trust, where we can program away from the prying eyes of the multi-billion-person internet. Where the outright villainous will be kept at bay by good identity services and good crypto.

    The broader concept of virtualizing networks has existed forever: the Virtual Private Network. New protocols make VPNs better than before; Wireguard is pioneering easy and efficient tunneling between peers. Marry the VPN to identity, and make it work anywhere, and you can have a virtual 90s-style LAN made up of all your 21st century devices. Let the internet be the dumb pipe, let your endpoints determine who they will talk to based on the person at the other end.

Linux Kernel 5.6 Source Tree Includes WireGuard VPN

  • Linux Kernel 5.6 Source Tree Includes WireGuard VPN

    The lean-coded, fast, modern, and secure WireGuard VPN protocol has made it into the Linux kernel as Linus Torvalds merged it into his source tree for version 5.6.

    The wait is drawing to an end, with the next Linux kernel expected to be released in just a few months, considering that the latest refresh occurred on January 26.

    [...]

    Jason Donenfeld himself was excited about this step and shared that he tried to stay awake to see it happen, "refreshing Linus' git repo on my phone until I was dreaming."

    "I look forward to start refining some of rougher areas of WireGuard now," announced the original author and developer of the project.

    Torvalds is a supporter of the WireGuard project. When Donenfeld made the pull request in 2018 to have it integrated into the Linux kernel, Torvalds expressed hope that the merge would happen soon.

WireGuard VPN protocol will ship with Linux kernel 5.6

  • WireGuard VPN protocol will ship with Linux kernel 5.6

    The WireGuard VPN protocol will be included into the next Linux kernel as Linus Torvalds has merged it into his source tree for version 5.6.

    There is no set date for Linux kernel releases and, seeing as version 5.5 was released this month, the next version will likely be released in a few months' time.

    The addition of WireGuard in the next Linux kernel also does not come as a surprise, as the code had already been merged into Dave Miller's repository back in December. However, the code was just recently pulled into Torvalds' source tree.

WireGuard is Now in Linus! WireGuard is Merged with Linux 5.3

  • WireGuard is Now in Linus! WireGuard is Merged with Linux 5.3 Kernel!

    WireGuard is now in Linus' tree: Recently, the WireGuard founder said that he was going to merge WireGuard into the mainline Linux kernel 5.6. Yesterday (29-Jan-2020), Linus Torvalds announced that WireGuard and Linux kernel 5.6 will be merged! You can find this message on his blog.

    [...]

    WireGuard is a simple open-source application that provides Virtual Private Network techniques to create a secure point connection!

    Many VPN providers are adopting the WireGuard technique to provide the most secure VPN service!

Ubuntu 20.04 LTS Adds WireGuard Support

  • Ubuntu 20.04 LTS Adds WireGuard Support

    While WireGuard was merged into Linux 5.6, the Ubuntu 20.04 LTS release is currently tracking Linux 5.4 and for the April release is likely to be shipping with Linux 5.5 as the 5.6 release will be cutting it too close. But Ubuntu 20.04's kernel has now back-ported WireGuard.

    There has been talk in recent weeks of shipping Ubuntu 20.04 LTS with WireGuard support, and indeed Ubuntu's latest kernel in the Focal repository now has the WireGuard module back-ported for this secure VPN tunnel.

Linus Torvalds Pulls WireGuard VPN into Linux 5.6 Kernel Source

  • Linus Torvalds Pulls WireGuard VPN into Linux 5.6 Kernel Source Tree
  • Linus Torvalds pulled WireGuard VPN into the 5.6 kernel source tree

    Yesterday, Linux creator Linus Torvalds merged David Miller's net-next into his source tree for the Linux 5.6 kernel. This merger added plenty of new network-related drivers and features to the upcoming 5.6 kernel, with No.1 on the list being simply "Add WireGuard."

    As previously reported, WireGuard was pulled into net-next in December—so its inclusion into Linus' 5.6 source tree isn't exactly a surprise. It does represent clearing another potential hurdle for the project; there is undoubtedly more refinement work to be done before the kernel is finalized, but with Linus having pulled it in-tree, the likelihood that it will disappear between now and 5.6's final release (expected sometime in May or early June) is vanishingly small.

Isolated clients with Wireguard

VPNs will change forever with the arrival of WireGuard

  • VPNs will change forever with the arrival of WireGuard into Linux

    After years of development, WireGuard, a revolutionary approach to Virtual Private Networks (VPN), was finally fast-tracked to the Linux kernel. Now, at long last, WireGuard is in Linus Torvalds' code tree. That means WireGuard should appear in the Linux kernel 5.6 release. This may be as early as April 2020.

    This has the potential to change everything about VPNs -- not just in Linux, but in the entire VPN world. That's because essentially all VPN services run off Linux servers. Some VPN services, such as StrongVPN and Mullvad VPN, have already seen the writing on the wall and are moving their software stacks to WireGuard.

What is WireGuard? Why Linux Users Going Crazy Over it?

  • What is WireGuard? Why Linux Users Going Crazy Over it?

    WireGuard is an easy-to-configure, fast, and secure open source VPN that utilizes state-of-the-art cryptography. Its aim is to provide a faster, simpler and leaner general purpose VPN that can be easily deployed on anything from low-end devices like the Raspberry Pi to high-end servers.

    Most of the other solutions like IPsec and OpenVPN were developed decades ago. Security researcher and kernel developer Jason Donenfeld realized that they were slow and difficult to configure and manage properly.

    This made him create a new open source VPN protocol and solution which is faster, more secure, and easier to deploy and manage.

    WireGuard was originally developed for Linux but it is now available for Windows, macOS, BSD, iOS and Android. It is still under heavy development.

WireGuard will make your VPN connection much faster

  • WireGuard will make your VPN connection much faster — here's how

    VPN services may soon be a lot faster, thanks to a promising protocol called WireGuard that is now being incorporated into the mainstream Linux kernel.

    Linux isn't used much on the desktop, at least not obviously. But it's what underpins both Android and Chrome OS, and it powers most of the web's servers, including nearly all of Google's servers and those of many of the best VPN services.

    And WireGuard is smaller, simpler and faster than either OpenVPN or IKEv2/IPsec, the prevalent VPN protocols used by commercial VPN services like ExpressVPN, NordVPN and Private Internet Access. Yet only a few services, including Mullvad, IVPN, NordVPN and StrongVPN, offer WireGuard as an option so far.

