Slashdot Mirror
Greg Kroah-Hartman: Outside Phone Vendors Aren't Updating Their Linux Kernels (linux.com)
"Linux runs the world, right? So we want to make sure that things are secure," says Linux kernel maintainer Greg Kroah-Hartman. When asked in a new video interview which bug makes them most angry, he first replies "the whole Spectre/Meltdown problem. What made us so mad, in a way, is we were fixing a bug in somebody else's layer!"
One also interesting thing about the whole Spectre/Meltdown is the complexity of that black box of a CPU is much much larger than it used to be. Right? Because they're doing -- in order to eke out all the performance and all the new things like that, you have to do extra-special tricks and things like that. And they have been, and sometimes those tricks come back to bite you in the butt. And they have, in this case. So we have to work around that.
But a companion article on Linux.com notes that "Intel has changed its approach in light of these events. 'They are reworking on how they approach security bugs and how they work with the community because they know they did it wrong,' Kroah-Hartman said." (And the article adds that "for those who want to build a career in kernel space, security is a good place to get started...")
Kroah-Hartman points out in the video interview that "we're doing more and more testing, more and more builds," noting "This infrastructure we have is catching things at an earlier stage -- because it's there -- which is awesome to see." But security issues can persist thanks to outside vendors beyond their control. Linux.com reports: Hardening the kernel is not enough, vendors have to enable the new features and take advantage of them. That's not happening. Kroah-Hartman releases a stable kernel every week, and companies pick one to support for a longer period so that device manufacturers can take advantage of it. However, Kroah-Hartman has observed that, aside from the Google Pixel, most Android phones don't include the additional hardening features, meaning all those phones are vulnerable. "People need to enable this stuff," he said.
"I went out and bought all the top of the line phones based on kernel 4.4 to see which one actually updated. I found only one company that updated their kernel," he said. "I'm working through the whole supply chain trying to solve that problem because it's a tough problem. There are many different groups involved -- the SoC manufacturers, the carriers, and so on. The point is that they have to push the kernel that we create out to people."
"The good news," according to Linux.com, "is that unlike with consumer electronics, the big vendors like Red Hat and SUSE keep the kernel updated even in the enterprise environment. Modern systems with containers, pods, and virtualization make this even easier. It's effortless to update and reboot with no downtime."
But a companion article on Linux.com notes that "Intel has changed its approach in light of these events. 'They are reworking on how they approach security bugs and how they work with the community because they know they did it wrong,' Kroah-Hartman said." (And the article adds that "for those who want to build a career in kernel space, security is a good place to get started...")
Kroah-Hartman points out in the video interview that "we're doing more and more testing, more and more builds," noting "This infrastructure we have is catching things at an earlier stage -- because it's there -- which is awesome to see." But security issues can persist thanks to outside vendors beyond their control. Linux.com reports: Hardening the kernel is not enough, vendors have to enable the new features and take advantage of them. That's not happening. Kroah-Hartman releases a stable kernel every week, and companies pick one to support for a longer period so that device manufacturers can take advantage of it. However, Kroah-Hartman has observed that, aside from the Google Pixel, most Android phones don't include the additional hardening features, meaning all those phones are vulnerable. "People need to enable this stuff," he said.
"I went out and bought all the top of the line phones based on kernel 4.4 to see which one actually updated. I found only one company that updated their kernel," he said. "I'm working through the whole supply chain trying to solve that problem because it's a tough problem. There are many different groups involved -- the SoC manufacturers, the carriers, and so on. The point is that they have to push the kernel that we create out to people."
"The good news," according to Linux.com, "is that unlike with consumer electronics, the big vendors like Red Hat and SUSE keep the kernel updated even in the enterprise environment. Modern systems with containers, pods, and virtualization make this even easier. It's effortless to update and reboot with no downtime."
It seems the default line from vendors is - well, if you want the latest Android, buy a new phone. Samsung and others need to get off their collective bums. Either roll us the updates, or drop phone prices radically. Complete BS dropping a few hundred (times number of people in your household) every 2-3 years when the old phones are still perfectly fine. We've only replaced when phones have been severely damaged in drops (rare).
Android update policy is a total crap shoot so it is no surprise that the kernels are basically left to rot?
The makers should be hauled over the coals and shamed in public for this huge great security hole in millions and millions of devices.
If this was Apple then it would be headline news and the APPL stock would drop. But, it is not so really who cares eh?
therefor no incentive to update.
[($)]
For the foreseeable future, kernel development is non-male, non-white and non-heterosexual.
Famous lawyer and jurist, Edgar Allen Poe is spinning in his grave.
I wouldn't judge too harshly on that. My Nokia 8 tells me there are security updates about every month or two and I find it slightly annoying. I think more people would find it annoying if it were more frequent, and there would be more incentive to turn it off (bad idea).
The other factor to consider of course is, are the Intel (and ARM I guess...) security problems really that big a deal? Red Hat and SUSE would need to patch them but speculative execution things while in theory possible shouldn't really be a big deal for a cellphone because you're not virtualising anything (AFAIK).
That being said there probably are other vulnerabilities that are being patched. I don't pay that close attention to kernel development
One thing I know, and that is that I am ignorant...
Then they should make their own rightwing conservative operating system.
For men only.
Das racist.
Editors, edit.
Its always been the same issue, over and over and over. If you need sources for 3rd party closed drivers, you cant update the kernel without them.
This needs to be fixed. This will fix everything, older android can be updated, linux systems like phones and tablets can be updated, forever.
A new virus hits the Linux kernel: AIDS.
We are. It's called Red Flag Linux.
red flag linux is communist's distro.
natsoc's distro is hitlerlinux
Found the n00b. AIDS was an MS-DOS virus which exploited the fact that .COM would be executed before .EXE if both files had the same name and existed within the same directory.
Go back to sucking on mommy's tit, child. Adults are talking.
neither Linus nor Greg are Theos.
Only Theo de Raadt had the balls to say NO to intel's incompetence in creating a secure product. He didn't bother cleaning up someone else's shit, he decided to disable those features, e.g. HyperThreading(tm).
If Linus had the balls to yell at intel, or even flip the middle finger, like he did with novidia, he would've blocked all those patches that not only messed up with the kernel's internals, but caused regressions and the fucking patch that intel sent, disabled features for AMD's CPUs too... which AMD later fixed with another patch.
Intel's influence on the kernel and Linus' damage control with Intel was something that he should have heard a word or two.
It's not a coincidence that Theo in Greek means God, which is short for Theodore, God's Gift.
I'd submit that, if OpenBSD had any market presence, Theo de Raadt and the core OpenBSD kernel team would have handled this differently. Since their market share is so very small with so few commercial customers, it seems unworth their effort to attempt to integrate a subtle kernel patch written by a vendor to fix a kernel optimization feature not critical to their niche marketplace.
For NVidia cards, I cannot find anyone who uses OpenBSD for high performance graphics. This is especially since almost no games and almost no high end graphics or CAD software runs on it. Do you know of anyone who uses OpenBSD for graphics applications?
it seems unworth their effort to attempt to integrate a subtle kernel patch written by a vendor to fix a kernel optimization feature not critical to their niche marketplace.
servers are a niche marketplace? Since when?
Also, I don't think that Theo checked the size of his slice in the operating system usage pie chart, in order to form his opinion. As a matter of fact, his stance not only caused trouble in the small community that uses openbsd in their servers, but avoided new users installing it on their machines.
My mention about nvidia is only as a reference to the middle finger and has nothing to do with nvidia running on openbsd.
Saul Goodman?
This is one of the most stupid posts on /.
And this is coming from a Windows user.
Oh, my "out of production" Windows Phone still gets updates every month. Dumbshits.
Well, you'd know.
Red Hat and SUSE would need to patch them but speculative execution things while in theory possible shouldn't really be a big deal for a cellphone because you're not virtualising anything (AFAIK).
1) Sandboxing
2) Javascript
3) Malware doesn't get caught by the app store screening processes
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
but avoided new users installing it on their machines
Gotta keep out the riff-raff somehow when your product is free. The talent-less majority sure feel entitled to the talented minority's labor while ostracizing and shaming them for not being like everyone else.
"for those who want to build a career in kernel space, security is a good place to get started..."
Should read "for those who want a very short career", linux developoment has had a habit of ostracising all non-corporate sponsored submissions, especially when it goes against their monetised weak theatrics.
RHEL 7.x with a 3.1x kernel isn't keeping up.
I can understand not wanting to deal with the aggro from naming people who DIDN'T do what they should, but surely the one brand that did the work should have been identified in order to reward them at least?
My mention about nvidia is only as a reference to the middle finger and has nothing to do with nvidia running on openbsd.
It's not like that middle finger from Linus influenced nvidia that much. They still use completely proprietary binary blobs in their drivers, they still have driver based firmware blobs that are a pain in the ass for alot of users and distributions, Their optimus hybrid support on linux is still pretty shitty (iirc that's the question that prompted the middle finger) and they still aren't contributing significantly to nouveau.
Phone vendors can not and do not want to support their phones software long term. That is fair deal. But the users should not suffer from that. We need a separation of hardware and software. Like on a PC, where I can update kernel, change repositories, install a new graphics driver, dual boot etc. Not like on phones now, where whole system has to be flashed just to get newer kernel with current security added. And this is a rock in Googles garden. They should make this change in Androids concepts. Require published interoperability documentation for components, standardisation of APIs. And make the first repository to be used regardless of phone model. Then other phone manufacturers could just add own repos with some specific drivers etc. Independent repos with fixes would pop up immediately. No need to reinwent the wheel.
As someone who has lived through the 1.2, 2.0, 2.2, 2.4, 2.6, 3.x, and 4.x kernel minors, I can tell you that there can be a lot of API/ABI flux even in patchlevel updates. 2.6.9-2.6.10 and 2.6.31 to 2.6.32 I believe were the most heinous. 2.2 and 2.4 also had similar issues where newer versions required everything from different compilers to different glibcs to work together properly.
Maybe these particular patchlevels didn't, but it merits scrutiny.
Servers are not a niche market. OenBSD hosts of any kind are a niche market. Reasonably honest audits, such as those at https://idatalabs.com/tech/ope..., report its deployed percentage as roughly 1/10 of 1 percent of operating systems. If their market were larger, there would be more customers to complain about losing a few percent of performance by disabling the threading behavior.
What labor? The OpenBSD kernel is only slightly modified from the NetBSD kernel when Theo forked from it in a huffy at losing his write access to the NetBSD repository for being an asshole.
The original thread, that Theo feels justified his behavior and has been trifmmed by Theo himself, is at https://www.theos.com/deraadt/... .I knew a few of the NetBSD authors, and chatted with them about the situation at Mary Chung's restaurant at the Royal East restaurant in Cambridge, MA, back in..... 1993? Just before they yanked his write access to the CVS repository. I'm afraid that "git" was not available at that time, or he could have fordked the code much more cracefully.
Sorry, I was thinking "Mary Cung's" and then remembered it had to have been the "Royal East". Mary's is tinay and known for the Suan La Chow Show, the Royal Est is larger and better known for the General Gau chicken. The suans are better, but one of the NetBSD team had a fairly delicate palate and could not tolerate their sinus clearing spiciness.
Das racist.
It'd be sexist... not racist.
And my brother is named for both our grandmothers. (Their maiden family names are his given names.) What of it?
Il n'y a pas de Planet B.
A phone with an unlocked bootloader is an extreme problem in terms of security. I relock my bootloader every time i finish installing a custom firmware.
With an unlocked bootloader (or even custom recovery), you left a gaping security hole that anyone can modify the boot sequence \ software. They can, for example, shim your touch interface driver and capture all input. Modify the OS...
Please, for the love of security, don't speak and don't do unless you understand the risks involved.
There's a HUGE difference between an unlocked bootloader and an unlockable bootloader.
Most phones save a few have an unlockable bootloader. Precisely 0 factory devices have an unlocked bootloader
Back when the fit hit the shan with this issue, I found a reliable resource which stated which phones were vulnerable and which were not. I have a Samsung Galaxy something-or-other and its processor turns out not to be affected. The kernel is from early 2017 and I'm not particularly happy with that but this particular problem is a non-issue for a massive number of users.
Mielipiteet omiani - Opinions personal, facts suspect.
Maybe that's what Android needs, a hypervisor, and what we know now as Android the operating system could just run as a VM. All the physical device drivers could be abstracted as virtual devices and supported in the OS with open source virtual device drivers.
This would at least make the OS itself easier to update. The hypervisor would probably need updating as well, but I'd wager less often than the actual OS and without the burden of physical device drivers to worry about it could happen more often.
Bring Linus back, burn the CoC.
You mean cheap people.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
I want to stick my wee in your poo hole.
There's no income from updating android on a phone already sold. It's actually negative income because a new one doesn't get sold.
Google may make some profit on the ads, but nothing of that reaches the vendor.
Apple has Music, iCloud, the AppStore. When they provide an update to iOS on a five year old phone, people continue to use it and buy apps, in-app purchases , iCloud storage for it (and maybe an AppleMusic subscription). That, combined with a nice profit on the hardware itself, is apparently enough for them to backport all the fixes and all the performance-improvements five years down the hardware memory-lane.
Windows 2000 - from the guys who brought us edlin
Problem is that the kernel doesn't need the Sarah Sharp's of the world.
Not only is she a cancer, she is a shit programmer and quality of work is the only thing that matters. You start judging on things other than quality and the project is doomed to mediocrity, at best.
numbnuts
OpenBSD is niche everywhere. It is inconsequential everywhere.
Theo can do whatever he wants and it doesn't make a lick of difference to more than 0.01% of computer users.
numbnuts
Same here (Lumia 950). I sure wish Microsoft hadn't given up on phones, but even so I have to credit them with the security updates.
The OP (and this is quoted directly from the linked-to article, which is no more enlightening):
"...aside from the Google Pixel, most Android phones don't include the additional hardening features, meaning all those phones are vulnerable...I went out and bought all the top of the line phones based on kernel 4.4 to see which one actually updated. I found only one company that updated their kernel..."
Color me confused. Is he saying that only Google (Pixel) updated their kernel? Or that one unnamed company (not Google) updated it? If the latter, I'd guess Nokia. But I'd like to know.
intel's incompetence in creating a secure product.
armchair critic, do-nothings will always find something to whine about. by all means, prove me wrong and show me some of the perfectly secure and valuable code you've written.
Look, I want to agree with this Kroah-Hartman dude. But it is a tech-driven desire and it has not proven to be terribly actionable by, well, anyone really. We know what the issues are:
1). Customers tend to view phones as appliances. Even phones and apps that auto-update, the customers do this only grudgingly;
2). The phone carriers don't have an ongoing financial incentive to support those phones. Regardless of how much they charge for network access fees and all the rest, they get that money even if they abandon phone support. We know the result because we see it every day;
3). Kernel updates, that is a very computer driven viewpoint. How do you sell this to the customers as a concept? Security? We can see from our security exposures how well security sells (not very well at all). Consumers see announcements of security breaches daily and they are inured to it all. You rarely get a consumer to entirely reject security values but that isn't the issue. You need a positive value strong enough to change consumer behavior and security typically won't do that.
This is a classic /. preoccupation. Readers here will agree that "Linux kernel updates are crucial", therefore Something Needs To Be Done! And then nothing happens.
You know what needs to be done to fix this? Make it so that there's no way, short of wizard magic, for kernel updates not to happen. It's an inherent part of the system to update that kernel and it's just assumed. Of course kernel updates occur, why wouldn't they occur?!
And that presumes that the FOSS roots of Android, with all the carrier customization, either does not exist or isn't used to achieve customization. Customization is the enemy of long-term, inexpensive carrier support. Even if you cut the carriers out entirely, you still want your Android to be entirely generic.
Oops. Sounds like that ain't gonna happen.
Maybe Fedora updates on a regular base, RHEL (Redhat Enterprise Linux) does not.