Slashdot Mirror
Greg Kroah-Hartman: Outside Phone Vendors Aren't Updating Their Linux Kernels (linux.com)
"Linux runs the world, right? So we want to make sure that things are secure," says Linux kernel maintainer Greg Kroah-Hartman. When asked in a new video interview which bug makes them most angry, he first replies "the whole Spectre/Meltdown problem. What made us so mad, in a way, is we were fixing a bug in somebody else's layer!"
One also interesting thing about the whole Spectre/Meltdown is the complexity of that black box of a CPU is much much larger than it used to be. Right? Because they're doing -- in order to eke out all the performance and all the new things like that, you have to do extra-special tricks and things like that. And they have been, and sometimes those tricks come back to bite you in the butt. And they have, in this case. So we have to work around that.
But a companion article on Linux.com notes that "Intel has changed its approach in light of these events. 'They are reworking on how they approach security bugs and how they work with the community because they know they did it wrong,' Kroah-Hartman said." (And the article adds that "for those who want to build a career in kernel space, security is a good place to get started...")
Kroah-Hartman points out in the video interview that "we're doing more and more testing, more and more builds," noting "This infrastructure we have is catching things at an earlier stage -- because it's there -- which is awesome to see." But security issues can persist thanks to outside vendors beyond their control. Linux.com reports: Hardening the kernel is not enough, vendors have to enable the new features and take advantage of them. That's not happening. Kroah-Hartman releases a stable kernel every week, and companies pick one to support for a longer period so that device manufacturers can take advantage of it. However, Kroah-Hartman has observed that, aside from the Google Pixel, most Android phones don't include the additional hardening features, meaning all those phones are vulnerable. "People need to enable this stuff," he said.
"I went out and bought all the top of the line phones based on kernel 4.4 to see which one actually updated. I found only one company that updated their kernel," he said. "I'm working through the whole supply chain trying to solve that problem because it's a tough problem. There are many different groups involved -- the SoC manufacturers, the carriers, and so on. The point is that they have to push the kernel that we create out to people."
"The good news," according to Linux.com, "is that unlike with consumer electronics, the big vendors like Red Hat and SUSE keep the kernel updated even in the enterprise environment. Modern systems with containers, pods, and virtualization make this even easier. It's effortless to update and reboot with no downtime."
But a companion article on Linux.com notes that "Intel has changed its approach in light of these events. 'They are reworking on how they approach security bugs and how they work with the community because they know they did it wrong,' Kroah-Hartman said." (And the article adds that "for those who want to build a career in kernel space, security is a good place to get started...")
Kroah-Hartman points out in the video interview that "we're doing more and more testing, more and more builds," noting "This infrastructure we have is catching things at an earlier stage -- because it's there -- which is awesome to see." But security issues can persist thanks to outside vendors beyond their control. Linux.com reports: Hardening the kernel is not enough, vendors have to enable the new features and take advantage of them. That's not happening. Kroah-Hartman releases a stable kernel every week, and companies pick one to support for a longer period so that device manufacturers can take advantage of it. However, Kroah-Hartman has observed that, aside from the Google Pixel, most Android phones don't include the additional hardening features, meaning all those phones are vulnerable. "People need to enable this stuff," he said.
"I went out and bought all the top of the line phones based on kernel 4.4 to see which one actually updated. I found only one company that updated their kernel," he said. "I'm working through the whole supply chain trying to solve that problem because it's a tough problem. There are many different groups involved -- the SoC manufacturers, the carriers, and so on. The point is that they have to push the kernel that we create out to people."
"The good news," according to Linux.com, "is that unlike with consumer electronics, the big vendors like Red Hat and SUSE keep the kernel updated even in the enterprise environment. Modern systems with containers, pods, and virtualization make this even easier. It's effortless to update and reboot with no downtime."
Is there any surprise they donâ(TM)t get updates?
Sounds like what someone says when Greg makes use of the gloryhole with some one named Hartman.
Android update policy is a total crap shoot so it is no surprise that the kernels are basically left to rot?
The makers should be hauled over the coals and shamed in public for this huge great security hole in millions and millions of devices.
If this was Apple then it would be headline news and the APPL stock would drop. But, it is not so really who cares eh?
As long as the CoC is in play in kernel development, i tend to disagree with the "for those who want to build a career in kernel space, security is a good place to get started..." comment.
For the foreseeable future, kernel development is non-male, non-white and non-heterosexual.
therefor no incentive to update.
[($)]
vendors no longer want to work with insane SystemD/Wayland/GNOME SJw's and associatid idiots and liberals.
Editors, edit.
Its always been the same issue, over and over and over. If you need sources for 3rd party closed drivers, you cant update the kernel without them.
This needs to be fixed. This will fix everything, older android can be updated, linux systems like phones and tablets can be updated, forever.
" What made us so mad, in a way, is we were fixing a bug in somebody else's layer!"
No duh, and they KNEW YOU'D FIX THE FUCKING PROBLEM FOR THEM.
You got played, Greg. You and the entire community got played by Intel, because they knew what you would do from the get-go.
Why the fuck did you take up that mantle to fix someone else's problem?
You're just giving an example of the massive deficiencies in elementary logic that the detractors of the new LKML CoC keep showing, and in a real boring stupid alt-right fashion to boot. Why should any male, white and heterosexual person not find the LKML a good place, just because everyone's now supposed to behave themselves in a civilized manner? It's only the small portion of that group that's either not able or not willing to who might find it not to be a good place, which is a good thing if it's good for everyone else. And no, it's not necessary to belong to that portion to be a good kernel developer, either.
Saul Goodman?
"for those who want to build a career in kernel space, security is a good place to get started..."
Should read "for those who want a very short career", linux developoment has had a habit of ostracising all non-corporate sponsored submissions, especially when it goes against their monetised weak theatrics.
RHEL 7.x with a 3.1x kernel isn't keeping up.
I can understand not wanting to deal with the aggro from naming people who DIDN'T do what they should, but surely the one brand that did the work should have been identified in order to reward them at least?
Phone vendors can not and do not want to support their phones software long term. That is fair deal. But the users should not suffer from that. We need a separation of hardware and software. Like on a PC, where I can update kernel, change repositories, install a new graphics driver, dual boot etc. Not like on phones now, where whole system has to be flashed just to get newer kernel with current security added. And this is a rock in Googles garden. They should make this change in Androids concepts. Require published interoperability documentation for components, standardisation of APIs. And make the first repository to be used regardless of phone model. Then other phone manufacturers could just add own repos with some specific drivers etc. Independent repos with fixes would pop up immediately. No need to reinwent the wheel.
As someone who has lived through the 1.2, 2.0, 2.2, 2.4, 2.6, 3.x, and 4.x kernel minors, I can tell you that there can be a lot of API/ABI flux even in patchlevel updates. 2.6.9-2.6.10 and 2.6.31 to 2.6.32 I believe were the most heinous. 2.2 and 2.4 also had similar issues where newer versions required everything from different compilers to different glibcs to work together properly.
Maybe these particular patchlevels didn't, but it merits scrutiny.
A phone with an unlocked bootloader is an extreme problem in terms of security. I relock my bootloader every time i finish installing a custom firmware.
With an unlocked bootloader (or even custom recovery), you left a gaping security hole that anyone can modify the boot sequence \ software. They can, for example, shim your touch interface driver and capture all input. Modify the OS...
Please, for the love of security, don't speak and don't do unless you understand the risks involved.
There's a HUGE difference between an unlocked bootloader and an unlockable bootloader.
Most phones save a few have an unlockable bootloader. Precisely 0 factory devices have an unlocked bootloader
Back when the fit hit the shan with this issue, I found a reliable resource which stated which phones were vulnerable and which were not. I have a Samsung Galaxy something-or-other and its processor turns out not to be affected. The kernel is from early 2017 and I'm not particularly happy with that but this particular problem is a non-issue for a massive number of users.
Mielipiteet omiani - Opinions personal, facts suspect.
Maybe that's what Android needs, a hypervisor, and what we know now as Android the operating system could just run as a VM. All the physical device drivers could be abstracted as virtual devices and supported in the OS with open source virtual device drivers.
This would at least make the OS itself easier to update. The hypervisor would probably need updating as well, but I'd wager less often than the actual OS and without the burden of physical device drivers to worry about it could happen more often.
Bring Linus back, burn the CoC.
You mean cheap people.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
There's no income from updating android on a phone already sold. It's actually negative income because a new one doesn't get sold.
Google may make some profit on the ads, but nothing of that reaches the vendor.
Apple has Music, iCloud, the AppStore. When they provide an update to iOS on a five year old phone, people continue to use it and buy apps, in-app purchases , iCloud storage for it (and maybe an AppleMusic subscription). That, combined with a nice profit on the hardware itself, is apparently enough for them to backport all the fixes and all the performance-improvements five years down the hardware memory-lane.
Windows 2000 - from the guys who brought us edlin
The OP (and this is quoted directly from the linked-to article, which is no more enlightening):
"...aside from the Google Pixel, most Android phones don't include the additional hardening features, meaning all those phones are vulnerable...I went out and bought all the top of the line phones based on kernel 4.4 to see which one actually updated. I found only one company that updated their kernel..."
Color me confused. Is he saying that only Google (Pixel) updated their kernel? Or that one unnamed company (not Google) updated it? If the latter, I'd guess Nokia. But I'd like to know.
Look, I want to agree with this Kroah-Hartman dude. But it is a tech-driven desire and it has not proven to be terribly actionable by, well, anyone really. We know what the issues are:
1). Customers tend to view phones as appliances. Even phones and apps that auto-update, the customers do this only grudgingly;
2). The phone carriers don't have an ongoing financial incentive to support those phones. Regardless of how much they charge for network access fees and all the rest, they get that money even if they abandon phone support. We know the result because we see it every day;
3). Kernel updates, that is a very computer driven viewpoint. How do you sell this to the customers as a concept? Security? We can see from our security exposures how well security sells (not very well at all). Consumers see announcements of security breaches daily and they are inured to it all. You rarely get a consumer to entirely reject security values but that isn't the issue. You need a positive value strong enough to change consumer behavior and security typically won't do that.
This is a classic /. preoccupation. Readers here will agree that "Linux kernel updates are crucial", therefore Something Needs To Be Done! And then nothing happens.
You know what needs to be done to fix this? Make it so that there's no way, short of wizard magic, for kernel updates not to happen. It's an inherent part of the system to update that kernel and it's just assumed. Of course kernel updates occur, why wouldn't they occur?!
And that presumes that the FOSS roots of Android, with all the carrier customization, either does not exist or isn't used to achieve customization. Customization is the enemy of long-term, inexpensive carrier support. Even if you cut the carriers out entirely, you still want your Android to be entirely generic.
Oops. Sounds like that ain't gonna happen.
Maybe Fedora updates on a regular base, RHEL (Redhat Enterprise Linux) does not.