Slashdot Mirror

← Back to Stories (view on slashdot.org)

Greg Kroah-Hartman: Outside Phone Vendors Aren't Updating Their Linux Kernels (linux.com)

Posted by EditorDavid on from the downstream-developers dept.

"Linux runs the world, right? So we want to make sure that things are secure," says Linux kernel maintainer Greg Kroah-Hartman. When asked in a new video interview which bug makes them most angry, he first replies "the whole Spectre/Meltdown problem. What made us so mad, in a way, is we were fixing a bug in somebody else's layer!" One also interesting thing about the whole Spectre/Meltdown is the complexity of that black box of a CPU is much much larger than it used to be. Right? Because they're doing -- in order to eke out all the performance and all the new things like that, you have to do extra-special tricks and things like that. And they have been, and sometimes those tricks come back to bite you in the butt. And they have, in this case. So we have to work around that.
But a companion article on Linux.com notes that "Intel has changed its approach in light of these events. 'They are reworking on how they approach security bugs and how they work with the community because they know they did it wrong,' Kroah-Hartman said." (And the article adds that "for those who want to build a career in kernel space, security is a good place to get started...")

Kroah-Hartman points out in the video interview that "we're doing more and more testing, more and more builds," noting "This infrastructure we have is catching things at an earlier stage -- because it's there -- which is awesome to see." But security issues can persist thanks to outside vendors beyond their control. Linux.com reports: Hardening the kernel is not enough, vendors have to enable the new features and take advantage of them. That's not happening. Kroah-Hartman releases a stable kernel every week, and companies pick one to support for a longer period so that device manufacturers can take advantage of it. However, Kroah-Hartman has observed that, aside from the Google Pixel, most Android phones don't include the additional hardening features, meaning all those phones are vulnerable. "People need to enable this stuff," he said.

"I went out and bought all the top of the line phones based on kernel 4.4 to see which one actually updated. I found only one company that updated their kernel," he said. "I'm working through the whole supply chain trying to solve that problem because it's a tough problem. There are many different groups involved -- the SoC manufacturers, the carriers, and so on. The point is that they have to push the kernel that we create out to people."
"The good news," according to Linux.com, "is that unlike with consumer electronics, the big vendors like Red Hat and SUSE keep the kernel updated even in the enterprise environment. Modern systems with containers, pods, and virtualization make this even easier. It's effortless to update and reboot with no downtime."

14 of 86 comments (clear)

  1. Re:Androids are targeted at poor people by Anonymous Coward · · Score: 2, Insightful

    It seems the default line from vendors is - well, if you want the latest Android, buy a new phone. Samsung and others need to get off their collective bums. Either roll us the updates, or drop phone prices radically. Complete BS dropping a few hundred (times number of people in your household) every 2-3 years when the old phones are still perfectly fine. We've only replaced when phones have been severely damaged in drops (rare).

  2. Re:Androids are targeted at poor people by smi.james.th · · Score: 2

    I wouldn't judge too harshly on that. My Nokia 8 tells me there are security updates about every month or two and I find it slightly annoying. I think more people would find it annoying if it were more frequent, and there would be more incentive to turn it off (bad idea).

    The other factor to consider of course is, are the Intel (and ARM I guess...) security problems really that big a deal? Red Hat and SUSE would need to patch them but speculative execution things while in theory possible shouldn't really be a big deal for a cellphone because you're not virtualising anything (AFAIK).

    That being said there probably are other vulnerabilities that are being patched. I don't pay that close attention to kernel development

    --
    One thing I know, and that is that I am ignorant...
  3. Binary Blobs is the problem with Linux kernels. by BrookHarty · · Score: 4, Insightful

    Its always been the same issue, over and over and over. If you need sources for 3rd party closed drivers, you cant update the kernel without them.

    This needs to be fixed. This will fix everything, older android can be updated, linux systems like phones and tablets can be updated, forever.

    1. Re:Binary Blobs is the problem with Linux kernels. by Alwin+Henseler · · Score: 4, Informative

      This will fix everything, older android can be updated, linux systems like phones and tablets can be updated, forever.

      No it won't. Basic premise for Android is:

      • Issue gets fixed in upstream kernel (Linux)
      • Fix 'trickles down' into some open source Android release
      • Carrier or phone vendor produces updated build that end users can install

      That last bit simply isn't happening. As much as they can get away with, carriers or phone vendors just do a few updates (say over a year, 2 years if you're lucky), and that's it.

      The way around that requires a couple of things:

      • Open source drivers for the hardware in the phone (as you stated)
      • Some community project that takes those drivers & produces updated builds for phone models X, Y or Z. In practice, there aren't many of those community projects (active), and # of supported models is limited.
      • Some way to upload that build to your phone. Read: an unlocked bootloader. Which is the exception rather than the rule for Android phones (eg. my phone doesn't come with an unlocked bootloader afaik).

      Bottom line: in most cases end users are still stuck, even if open source drivers are available. Android's update model is simply broken to begin with.

    2. Re:Binary Blobs is the problem with Linux kernels. by Tough+Love · · Score: 3, Interesting

      As the mountains of orphaned but still perfectly functional phones continue to pile up, interest in and support for community supported custom ROMs continues to increase, LineageOS being the leading project. Because vendors aren't releasing the necessary technical details, a lot of this is reverse engineering and binary hacks to use the phone's original hardware drivers, while updating the kernel and all the libraries using open source Android. There is just an endless supply of hardware to play with, which is all basically free. I myself have a perfectly functional Nexus 4 sitting here, useless because Google refused to provide an update to fix the notorious navigation button touchscreen bug. So that makes it a toy to play with custom roms, nothing to lose, and a functional phone to gain.

      By the way, the Nexus was replace by a Moto. I'm never buying hardware from Google again because they got arrogant and don't stand behind it, never mind the Apple envy pricing.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    3. Re:Binary Blobs is the problem with Linux kernels. by Anne+Thwacks · · Score: 2
      Governments legislate that phone vendors have to provide updates for at least seven years after first sale.

      FTFY

      --
      Sent from my ASR33 using ASCII
    4. Re:Binary Blobs is the problem with Linux kernels. by Cardcaptor_RLH85 · · Score: 2

      The battery won't last seven years. Until we have better energy storage technology, three makes much more sense.

  4. Re:You got used, Greg! by Antique+Geekmeister · · Score: 2

    I'd submit that, if OpenBSD had any market presence, Theo de Raadt and the core OpenBSD kernel team would have handled this differently. Since their market share is so very small with so few commercial customers, it seems unworth their effort to attempt to integrate a subtle kernel patch written by a vendor to fix a kernel optimization feature not critical to their niche marketplace.

    For NVidia cards, I cannot find anyone who uses OpenBSD for high performance graphics. This is especially since almost no games and almost no high end graphics or CAD software runs on it. Do you know of anyone who uses OpenBSD for graphics applications?

  5. Outside Phone vendors? by nospam007 · · Score: 4, Funny

    Saul Goodman?

    1. Re:Outside Phone vendors? by Zontar+The+Mindless · · Score: 2

      One would think that at least one of those shows' writers would've had read Illuminatus! at some point, but I guess not.

      --
      Il n'y a pas de Planet B.
  6. Re:Androids are targeted at poor people by drinkypoo · · Score: 4, Informative

    Red Hat and SUSE would need to patch them but speculative execution things while in theory possible shouldn't really be a big deal for a cellphone because you're not virtualising anything (AFAIK).

    1) Sandboxing
    2) Javascript
    3) Malware doesn't get caught by the app store screening processes

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. Software should be free from hardware by uldics · · Score: 3

    Phone vendors can not and do not want to support their phones software long term. That is fair deal. But the users should not suffer from that. We need a separation of hardware and software. Like on a PC, where I can update kernel, change repositories, install a new graphics driver, dual boot etc. Not like on phones now, where whole system has to be flashed just to get newer kernel with current security added. And this is a rock in Googles garden. They should make this change in Androids concepts. Require published interoperability documentation for components, standardisation of APIs. And make the first repository to be used regardless of phone model. Then other phone manufacturers could just add own repos with some specific drivers etc. Independent repos with fixes would pop up immediately. No need to reinwent the wheel.

  8. Android as hypervisor by swb · · Score: 2

    Maybe that's what Android needs, a hypervisor, and what we know now as Android the operating system could just run as a VM. All the physical device drivers could be abstracted as virtual devices and supported in the OS with open source virtual device drivers.

    This would at least make the OS itself easier to update. The hypervisor would probably need updating as well, but I'd wager less often than the actual OS and without the burden of physical device drivers to worry about it could happen more often.

  9. Will never change, will never happen by rainer_d · · Score: 3

    There's no income from updating android on a phone already sold. It's actually negative income because a new one doesn't get sold.
    Google may make some profit on the ads, but nothing of that reaches the vendor.

    Apple has Music, iCloud, the AppStore. When they provide an update to iOS on a five year old phone, people continue to use it and buy apps, in-app purchases , iCloud storage for it (and maybe an AppleMusic subscription). That, combined with a nice profit on the hardware itself, is apparently enough for them to backport all the fixes and all the performance-improvements five years down the hardware memory-lane.

    --
    Windows 2000 - from the guys who brought us edlin