22 Nov 2019

feedLXer Linux News

How to Mount Your iPhone as an External Drive in Ubuntu

Using an iPhone as an external Ubuntu drive used to be tricky, but that situation has changed. Here's how you can mount your iPhone on Ubuntu.

22 Nov 2019 5:25pm GMT

Sharing Fedora

After being a Fedora user for a while, you may have come to enjoy it. And in fact you might want to encourage others to try Fedora. You don't need any special privileges or to become a Fedora Ambassador to do that. As it turns out, anyone can help others get started with Fedora just […]

22 Nov 2019 4:10pm GMT

Yocto-based Torizon distro adds OTA updater

Toradex has released an experimental version of an OTA updater for its new Torizon embedded Linux distribution. Torizon OTA offers fault-tolerant features and supports web-based remote management including grouping of devices into fleets. In May, Toradex announced an industrial grade Torizon Linux distribution aimed mostly at Windows developers looking for an easy entry into embedded […]

22 Nov 2019 2:56pm GMT

How to Install Go on CentOS 8

This tutorial explains how to download and install Go on CentOS 8.

22 Nov 2019 1:42pm GMT

Bash cheat sheet: Key combos and special syntax

The Bourne Again Shell (Bash) is a text interface to POSIX computers. A shell, Bash or otherwise, provides a way for you to talk directly to your computer without roundabout interfaces: you type the precise command you want your computer to execute. It's the most efficient and lightweight interface available, which is why it still endures after 40 years.read more

22 Nov 2019 12:27pm GMT

How to List Containers in Docker

Docker is a containerization platform that allows you to quickly build, test, and deploy applications as portable, self-sufficient containers that can virtually run everywhere.

22 Nov 2019 11:13am GMT

How to Generate a SSL/TLS Certificate Signing Request (CSR) on Debian 10

In this article, we will explain how to generate a CSR on a Linux server or desktop using the command line. We will use Debian 10 OS for describing the procedure.

22 Nov 2019 10:12am GMT

Rugged Kaby Lake vehicle PC does it all on the road or rail

Vecow's Linux-friendly "IVH-9024MX ICY" in-vehicle PC runs on a 7th or 6th Gen Core or Xeon CPUs and offers triple displays, 6x SATA bays, 4x PoE+ ports, 2x mini-PCIe, and EN50155: 2017 and EN45545-2 railway compliance. Vecow unveiled the rugged IVH-9024MX ICY back in June as an all-purpose in-vehicle and rolling-stock computer and this week […]

22 Nov 2019 9:10am GMT

Review/Howto of Logitech C922x Webcam on Peppermint OS Linux with green screen on OBS!

A howto and review of a new Logitech C922x Webcam on Peppermint OS Linux 10, doing green screen (chroma key) on OBS Studio.

22 Nov 2019 8:09am GMT

Python and shell tools

I'm not a pythonista, and what little I know about Python for data work amounts to a few published recipes. Out of curiosity, I sometimes compare those recipes with the GNU/Linux tools I use every day. Here are three such comparisons.

22 Nov 2019 7:07am GMT

How to Obtain Free Wildcard SSL Certificates from Let’s Encrypt

Let's Encrypt generally only allows you to get certificates for specific domain names. Here's how to obtain a wildcard certificate from Let's Encrypt.

22 Nov 2019 6:05am GMT

Energy drinks, Teen Titans GO!, Bad Superheroes, Open Source Licenses Revisited, Fallen FOSS heroes, and Don Cherry

Caffeine, what the options are when you really need that kick, open source licenses, politics, good superheroes, bad superheroes, fallen FOSS heroes, not talking about politics, whether pepperoni makes a good cough suppressant, and, $DEITY help us, Don Cherry.

22 Nov 2019 5:04am GMT

Security-Oriented Container Linux Gets Patched Against Latest Intel CPU Flaws

The security-oriented Container Linux by CoreOS GNU/Linux distribution has been updated this week with all the necessary patches to mitigate the latest Intel CPU microarchitecture vulnerabilities.

22 Nov 2019 4:02am GMT

How To Find Ubuntu Support Duration From Commandline

There is a command named "ubuntu-support-status" which tells us the actual support period of a Ubuntu distribution. You don't need to go to Ubuntu site or any other sites.

22 Nov 2019 3:01am GMT

How to Install Debian 10

This article shows you step-by-step how to install Debian 10 on your server or desktop.

22 Nov 2019 1:59am GMT

How to Use Wget to Download Websites to Your PC

Ever wonder if there was a way to download a website without a web browser? You're in luck, as you can use wget to easily download websites to your PC.

22 Nov 2019 12:58am GMT

21 Nov 2019

feedKernel Planet

Kees Cook: experimenting with Clang CFI on upstream Linux

While much of the work on kernel Control Flow Integrity (CFI) is focused on arm64 (since kernel CFI is available on Android), a significant portion is in the core kernel itself (and especially the build system). Recently I got a sane build and boot on x86 with everything enabled, and I've been picking through some of the remaining pieces. I figured now would be a good time to document everything I do to get a build working in case other people want to play with it and find stuff that needs fixing.

First, everything is based on Sami Tolvanen's upstream port of Clang's forward-edge CFI, which includes his Link Time Optimization (LTO) work, which CFI requires. This tree also includes his backward-edge CFI work on arm64 with Clang's Shadow Call Stack (SCS).

On top of that, I've git a few x86-specific patches that get me far enough to boot a kernel without warnings pouring across the console. Along with that are general linker script cleanups, CFI cast fixes, and x86 crypto fixes, all in various states of getting upstreamed. The resulting tree is here.

On the compiler side, you need a very recent Clang and LLD (i.e. "Clang 10", or what I do is build from the latest git). For example, here's how to get started. First, checkout, configure, and build Clang (and include a RISC-V target just for fun):

# Check out latest LLVM
mkdir -p $HOME/src
cd $HOME/src
git clone https://github.com/llvm/llvm-project.git
mkdir llvm-build
cd llvm-build
# Configure
cmake -DCMAKE_BUILD_TYPE=Release \
      -DLLVM_ENABLE_PROJECTS='clang;lld' \
      -DLLVM_EXPERIMENTAL_TARGETS_TO_BUILD="RISCV" \
      ../llvm-project/llvm
# Build!
make -j$(getconf _NPROCESSORS_ONLN)
# Install cfi blacklist template (why is this missing from "make" above?)
mkdir -p $(echo lib/clang/*)/share
cp ../llvm-project/compiler-rt/lib/cfi/cfi_blacklist.txt lib/clang/*/share/cfi_blacklist.txt

Then checkout, configure, and build the CFI tree. (This assumes you've already got a checkout of Linus's tree.)

# Check out my branch
cd ../linux
git remote add kees https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git
git fetch kees
git checkout kees/kspp/cfi/x86 -b test/cfi
# Configure (this uses "defconfig" but you could use "menuconfig"), but you must
# include CC and LD in the make args or your .config won't know about Clang.
make defconfig \
     CC=$HOME/src/llvm-build/bin/clang LD=$HOME/src/llvm-build/bin/ld.lld
# Enable LTO and CFI.
scripts/config \
     -e CONFIG_LTO \
     -e CONFIG_THINLTO \
     -d CONFIG_LTO_NONE \
     -e CONFIG_LTO_CLANG \
     -e CONFIG_CFI_CLANG \
     -e CONFIG_CFI_PERMISSIVE \
     -e CONFIG_CFI_CLANG_SHADOW
# Enable LKDTM if you want runtime fault testing:
scripts/config -e CONFIG_LKDTM
# Build!
make -j$(getconf _NPROCESSORS_ONLN) \
     CC=$HOME/src/llvm-build/bin/clang LD=$HOME/src/llvm-build/bin/ld.lld

Do not be alarmed by various warnings, such as:

ld.lld: warning: cannot find entry symbol _start; defaulting to 0x1000
llvm-ar: error: unable to load 'arch/x86/kernel/head_64.o': file too small to be an archive
llvm-ar: error: unable to load 'arch/x86/kernel/head64.o': file too small to be an archive
llvm-ar: error: unable to load 'arch/x86/kernel/ebda.o': file too small to be an archive
llvm-ar: error: unable to load 'arch/x86/kernel/platform-quirks.o': file too small to be an archive
WARNING: EXPORT symbol "page_offset_base" [vmlinux] version generation failed, symbol will not be versioned.
WARNING: EXPORT symbol "vmalloc_base" [vmlinux] version generation failed, symbol will not be versioned.
WARNING: EXPORT symbol "vmemmap_base" [vmlinux] version generation failed, symbol will not be versioned.
WARNING: "__memcat_p" [vmlinux] is a static (unknown)
no symbols

Adjust your .config as you want (but, again, make sure the CC and LD args are pointed at Clang and LLD respectively). This should(!) result in a happy bootable x86 CFI-enabled kernel. If you want to see what a CFI failure looks like, you can poke LKDTM:

# Log into the booted system as root, then:
cat <(echo CFI_FORWARD_PROTO) >/sys/kernel/debug/provoke-crash/DIRECT
dmesg

Here's the CFI splat I see on the console:

[   16.288372] lkdtm: Performing direct entry CFI_FORWARD_PROTO
[   16.290563] lkdtm: Calling matched prototype ...
[   16.292367] lkdtm: Calling mismatched prototype ...
[   16.293696] ------------[ cut here ]------------
[   16.294581] CFI failure (target: lkdtm_increment_int$53641d38e2dc4a151b75cbe816cbb86b.cfi_jt+0x0/0x10):
[   16.296288] WARNING: CPU: 3 PID: 2612 at kernel/cfi.c:29 __cfi_check_fail+0x38/0x40
...
[   16.346873] ---[ end trace 386b3874d294d2f7 ]---
[   16.347669] lkdtm: Fail: survived mismatched prototype function call!

The claim of "Fail: survived …" is due to CONFIG_CFI_PERMISSIVE=y. This allows the kernel to warn but continue with the bad call anyway. This is handy for debugging. In a production kernel that would be removed and the offending kernel thread would be killed. If you run this again with the config disabled, there will be no continuation from LKDTM. :)

Enjoy! And if you can figure out before me why there is still CFI instrumentation in the KPTI entry handler, please let me know and help us fix it. ;)

© 2019, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

21 Nov 2019 5:09am GMT

19 Nov 2019

feedKernel Planet

Michael Kerrisk (manpages): man-pages-5.04 is released

I've released man-pages-5.04. The release tarball is available on kernel.org. The browsable online pages can be found on man7.org. The Git repository for man-pages is available on kernel.org.

This release resulted from patches, bug reports, reviews, and comments from 15 contributors. The release includes approximately 80 commits that change just under 30 pages.

The most notable of the changes in man-pages-5.04 are the following:

Another small but important changes is the addition of documentation of the P_PIDFD idtype in the waitid(2) manual page. This feature, added in Linux 5.4, allows a parent process to wait on a child process that is referred to by a PID file descriptor, and constitutes the final cornerstone in the pidfd API.

19 Nov 2019 9:04pm GMT

Linux Plumbers Conference: Linux Plumbers Conference 2019 videos are now available

Following up on our previous post, and as many of you have already noticed, the LPC 2019 videos have now been uploaded to our YouTube channel.

Over the coming days the LPC committee will be updating the 2019 site to incorporate links to the videos. At the same time, we will be getting ready to launch the 2020 site as well.

For now, you can access the videos in the following playlists:

You can access and promote the Linux Plumbers Conference YouTube channel here.

The videos have been uploaded to YouTube under the Creative Commons Attribution license (CC-BY).

19 Nov 2019 5:52am GMT

18 Nov 2019

feedKernel Planet

Linux Plumbers Conference: Summaries of Some Microconferences Released

We know everyone is still waiting for the videos. Unfortunately, we're
having a small production glitch, so until we can release them, several
MC leads have now sent us written summaries of their MCs which you can
see here:

If you'd like to see a summary of another MC, please bug the MC lead to
send us one (or send us your writeup).

18 Nov 2019 3:27pm GMT

Matthew Garrett: Extending proprietary PC embedded controller firmware

I'm still playing with my X210, a device that just keeps coming up with new ways to teach me things. I'm now running Coreboot full time, so the majority of the runtime platform firmware is free software. Unfortunately, the firmware that's running on the embedded controller (a separate chip that's awake even when the rest of the system is asleep and which handles stuff like fan control, battery charging, transitioning into different power states and so on) is proprietary and the manufacturer of the chip won't release data sheets for it. This was disappointing, because the stock EC firmware is kind of annoying (there's no hysteresis on the fan control, so it hits a threshold, speeds up, drops below the threshold, turns off, and repeats every few seconds - also, a bunch of the Thinkpad hotkeys don't do anything) and it would be nice to be able to improve it.

A few months ago someone posted a bunch of fixes, a Ghidra project and a kernel patch that lets you overwrite the EC's code at runtime for purposes of experimentation. This seemed promising. Some amount of playing later and I'd produced a patch that generated keyboard scancodes for all the missing hotkeys, and I could then use udev to map those scancodes to the keycodes that the thinkpad_acpi driver would generate. I finally had a hotkey to tell me how much battery I had left.

But something else included in that post was a list of the GPIO mappings on the EC. A whole bunch of hardware on the board is connected to the EC in ways that allow it to control them, including things like disabling the backlight or switching the wifi card to airplane mode. Unfortunately the ACPI spec doesn't cover how to control GPIO lines attached to the embedded controller - the only real way we have to communicate is via a set of registers that the EC firmware interprets and does stuff with.

One of those registers in the vendor firmware for the X210 looked promising, with individual bits that looked like radio control. Unfortunately writing to them does nothing - the EC firmware simply stashes that write in an address and returns it on read without parsing the bits in any way. Doing anything more with them was going to involve modifying the embedded controller code.

Thankfully the EC has 64K of firmware and is only using about 40K of that, so there's plenty of room to add new code. The problem was generating the code in the first place and then getting it called. The EC is based on the CR16C architecture, which binutils supported until 10 days ago. To be fair it didn't appear to actually work, and binutils still has support for the more generic version of the CR16 family, so I built a cross assembler, wrote some assembly and came up with something that Ghidra was willing to parse except for one thing.

As mentioned previously, the existing firmware code responded to writes to this register by saving it to its RAM. My plan was to stick my new code in unused space at the end of the firmware, including code that duplicated the firmware's existing functionality. I could then replace the existing code that stored the register value with code that branched to my code, did whatever I wanted and then branched back to the original code. I hacked together some assembly that did the right thing in the most brute force way possible, but while Ghidra was happy with most of the code it wasn't happy with the instruction that branched from the original code to the new code, or the instruction at the end that returned to the original code. The branch instruction differs from a jump instruction in that it gives a relative offset rather than an absolute address, which means that branching to nearby code can be encoded in fewer bytes than going further. I was specifying the longest jump encoding possible in my assembly (that's what the :l means), but the linker was rewriting that to a shorter one. Ghidra was interpreting the shorter branch as a negative offset, and it wasn't clear to me whether this was a binutils bug or a Ghidra bug. I ended up just hacking that code out of binutils so it generated code that Ghidra was happy with and got on with life.

Writing values directly to that EC register showed that it worked, which meant I could add an ACPI device that exposed the functionality to the OS. My goal here is to produce a standard Coreboot radio control device that other Coreboot platforms can implement, and then just write a single driver that exposes it. I wrote one for Linux that seems to work.

In summary: closed-source code is more annoying to improve, but that doesn't mean it's impossible. Also, strange Russians on forums make everything easier.

comment count unavailable comments

18 Nov 2019 8:44am GMT

15 Nov 2019

feedKernel Planet

Kees Cook: security things in Linux v5.3

Previously: v5.2.

Linux kernel v5.3 was released! I let this blog post get away from me, but it's up now! :) Here are some security-related things I found interesting:

heap variable initialization
In the continuing work to remove "uninitialized" variables from the kernel, Alexander Potapenko added new "init_on_alloc" and "init_on_free" boot parameters (with associated Kconfig defaults) to perform zeroing of heap memory either at allocation time (i.e. all kmalloc()s effectively become kzalloc()s), at free time (i.e. all kfree()s effectively become kzfree()s), or both. The performance impact of the former under most workloads appears to be under 1%, if it's measurable at all. The "init_on_free" option, however, is more costly but adds the benefit of reducing the lifetime of heap contents after they have been freed (which might be useful for some use-after-free attacks or side-channel attacks). Everyone should enable CONFIG_INIT_ON_ALLOC_DEFAULT_ON=1 (or boot with "init_on_alloc=1"), and the more paranoid system builders should add CONFIG_INIT_ON_FREE_DEFAULT_ON=1 (or "init_on_free=1" at boot). As workloads are found that cause performance concerns, tweaks to the initialization coverage can be added.

pidfd_open() added
Christian Brauner has continued his pidfd work by creating the next needed syscall: pidfd_open(), which takes a pid and returns a pidfd. This is useful for cases where process creation isn't yet using CLONE_PIDFD, and where /proc may not be mounted.

-Wimplicit-fallthrough enabled globally
Gustavo A.R. Silva landed the last handful of implicit fallthrough fixes left in the kernel, which allows for -Wimplicit-fallthrough to be globally enabled for all kernel builds. This will keep any new instances of this bad code pattern from entering the kernel again. With several hundred implicit fallthroughs identified and fixed, something like 1 in 10 were missing breaks, which is way higher than I was expecting, making this work even more well justified.

x86 CR4 & CR0 pinning
In recent exploits, one of the steps for making the attacker's life easier is to disable CPU protections like Supervisor Mode Access (and Execute) Prevention (SMAP and SMEP) by finding a way to write to CPU control registers to disable these features. For example, CR4 controls SMAP and SMEP, where disabling those would let an attacker access and execute userspace memory from kernel code again, opening up the attack to much greater flexibility. CR0 controls Write Protect (WP), which when disabled would allow an attacker to write to read-only memory like the kernel code itself. Attacks have been using the kernel's CR4 and CR0 writing functions to make these changes (since it's easier to gain that level of execute control), but now the kernel will attempt to "pin" sensitive bits in CR4 and CR0 to avoid them getting disabled. This forces attacks to do more work to enact such register changes going forward. (I'd like to see KVM enforce this too, which would actually protect guest kernels from all attempts to change protected register bits.)

additional kfree() sanity checking
In order to avoid corrupted pointers doing crazy things when they're freed (as seen in recent exploits), I added additional sanity checks to verify kmem cache membership and to make sure that objects actually belong to the kernel slab heap. As a reminder, everyone should be building with CONFIG_SLAB_FREELIST_HARDENED=1.

KASLR enabled by default on arm64
Just as Kernel Address Space Layout Randomization (KASLR) was enabled by default on x86, now KASLR has been enabled by default on arm64 too. It's worth noting, though, that in order to benefit from this setting, the bootloader used for such arm64 systems needs to either support the UEFI RNG function or provide entropy via the "/chosen/kaslr-seed" Device Tree property.

hardware security embargo documentation
As there continues to be a long tail of hardware flaws that need to be reported to the Linux kernel community under embargo, a well-defined process has been documented. This will let vendors unfamiliar with how to handle things follow the established best practices for interacting with the Linux kernel community in a way that lets mitigations get developed before embargoes are lifted. The latest (and HTML rendered) version of this process should always be available here.

Those are the things I had on my radar. Please let me know if there are other things I should add! Linux v5.4 is almost here…

© 2019, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

15 Nov 2019 1:36am GMT

01 Nov 2019

feedKernel Planet

Pete Zaitcev: Linode Object Storage

Linode made their Object Storage product generally available. They dropped the Swift API that they offered in the beta, and only rolled with S3.

They are careful not to mention what implementation underpins it, but I suspect it's Ceph RGW. They already provide Ceph block storage as public service. Although, I don't know for sure.

01 Nov 2019 3:20pm GMT

29 Oct 2019

feedKernel Planet

Pete Zaitcev: Samsung shutting down CPU development in Austin

An acquaintance of mine was laid off from Samsung. He was a rank-and-file ASIC designer and worked on FPU unit for Samsung's new CPU. Another acquaintance, a project manager in the silicon field, relayed that supposedly ARM developed a new CPUs that are so great, that all competitors gave up and folded their CPU development, resulting in the layoffs. The online sources have details.

In the same time they gave up on in-house cores, Samsung announced Exynos 990, a standalone version of the 980, based on the successors of the Cortex family, developed by ARM, of course.

As someone said on Glassdoor, "great place to work until you're laid off".

29 Oct 2019 7:58pm GMT

Paul E. Mc Kenney: The Old Man and His Smartphone

I recently started using my very first smartphone, and it was suggested that I blog about the resulting experiences. So here you go!

29 Oct 2019 1:57pm GMT

Paul E. Mc Kenney: The Old Man and His Smartphone, Episode VII

The previous episode speculated about the past, so this episode will make some wild guesses about the future.

There has been much hue and cry about the ill effects of people being glued to their smartphones. I have tended to discount this viewpoint due to having seen a great many people's heads buried in newspapers, magazines, books, and television screens back in the day. And yes, there was much hue and cry about that as well, so I guess some things never change.

However, a few years back, the usual insanely improbable sequence of events resulted in me eating dinner with the Chief of Police of a mid-sized but prominent city, both of which will go nameless. He called out increased smartphone use as having required him to revamp his training programs. You see, back in the day, typical recruits could reasonably be expected to have the social skills required to defuse a tense situation, using what he termed "verbal jiujitsu". However, present-day recruits need to take actual classes in order to master this lost art.

I hope that we can all agree that it is far better for officers of the law to maintain order through use of vocal means, perhaps augmented with force of personality, especially given that the alternative seems to the use of violence. So perhaps the smartphone is responsible for some significant social change after all. Me, I will leave actual judgment on this topic to psychologists, social scientists, and of course historians. Not that any of them are likely to reach a conclusion that I would trust. Based on past experience, far from it! The benefit of leaving such judgments to them is instead that it avoids me wasting any further time on such judgments. Or so I hope.

It is of course all too easy to be extremely gloomy about the overall social impact of smartphones. One could easily argue that people freely choose spreading misinformation over accessing vast stores of information, bad behavior over sweetness and light, and so on and so forth.

But it really is up to each and every one of us. After all, if life were easy, I just might do a better job of living mine. So maybe we all need to brush up on our social skills. And to do a better job of choosing what to post, to say nothing of what posts to pass on. Perhaps including the blog posts in this series!

Cue vigorous arguments on the appropriateness of these goals, or, failing that, the best ways to accomplish them. ;-)

29 Oct 2019 1:50pm GMT

27 Oct 2019

feedKernel Planet

Pete Zaitcev: ?fbclid

As some of you might have noticed, Facebook started adding a tracking token to all URLs as a query string "?fbclid=XXXXXXXXX". I don't know how it works, exactly. Perhaps it rattles to FB when people re-inject these links into FB after they cycle through other social media. Either way, today I found a website that innocently fails to work when shared on FB: Whomp. If one tries to share a comic strip, such as "It's Training Men", FB appends its token, and makes the URL invalid.

27 Oct 2019 3:30am GMT

25 Oct 2019

feedKernel Planet

Paul E. Mc Kenney: The Old Man and His Smartphone, Episode VI

A common science-fiction conceit is some advanced technology finding its way into a primitive culture, so why not consider what might happen if my smartphone were transported a few centuries back in time?

Of course, my most strongly anticipated smartphone use, location services, would have been completely useless as recently as 30 years ago, let alone during the 1700s. You see, these services require at least 24 GPS satellites in near earth orbit, which didn't happen until 1993.

My smartphone's plain old telephony functionality would also have been useless surprisingly recently, courtesy of its need for large numbers of cell towers, to say nothing of the extensive communications network interconnecting them. And I am not convinced that my smartphone would have been able to use the old analog cell towers that were starting to appear in the 1980s, but even if it could, for a significant portion of life, my smartphone would have completely useless as a telephone.

Of course, the impressive social-media capabilities of my smartphone absolutely require the huge networking and server infrastructure that has been in place only within the past couple of decades.

And even though my smartphone's battery lifetime is longer than I expected, extended operation relies on the power grid, which did not exist at all until the late 1800s. So any wonderment generated by my transported-back-in-time smartphone would be of quite limited duration. But let's avoid this problem through use of a solar-array charger.

My smartphone probably does not much like water, large changes in temperature, or corrosive environments. Its dislike of adverse environmental conditions would have quickly rendered it useless in a couple of my childhood houses, to say nothing of almost all buildings in existence a couple of centuries ago. This means that long-term use would require confining my smartphone to something like a high-end library located some distance from bodies of salt water and from any uses of high-sulfur coal. This disqualifies most 1700s Western Hemisphere environments, as well as many of the larger Eastern Hemisphere cities, perhaps most famously London with its pea-soup "fogs". Environmental considerations also pose interesting questions regarding exactly how to deploy the solar array, especially during times of inclement weather.

So what could my smartphone do back in the 1700s?

I leave off any number of uses that involve ferrying information from 2019 back to the 1700s. Even an accurate seacoast map could be quite useful and illuminating, but this topic has been examined quite closely by several generations of science-fiction writers, so I would not expect to be able to add anything new. However, it might be both useful and entertaining to review some of this genre. Everyone will have their favorites, but I will just list the three that came to mind most quickly: Heinlein's "The Door into Summer", Zemeckis's and Gale's "Back to the Future" movies, and Rowling's "Harry Potter and the Cursed Child. So let us proceed, leaving back-in-time transportation of information to today's legion of science-fiction writers.

The upshot of all this is that if my smartphone were transported back to the 1700s, it would be completely unable to provide its most commonly used 2019 functionality. However, given a solar array charger and development environment, and given a carefully controlled environment, it might nevertheless be quite impressive to our 1700s counterparts.

In fact, it would be quite impressive much more recently. Just imagine if, at the end of the Mother of all Demos, Douglas Engelbart had whipped out a ca-2019 smartphone.

But the hard cold fact is that in some ways, a 2019 smartphone would actually have been a step backwards from Engelbart's famous demo. After all, Englebart's demo allowed shared editing of a document. Lacking both wifi and a cell-phone network, and given the severe range limitations of NFC, my smartphone would be utterly incapable of shared editing of documents.

In short, although might smartphone might be recognized as a very impressive device back in the day, the hard cold fact is that it is but the tiniest tip of a huge iceberg of large-scale technology, including forests of cell towers, globe-girdling fiber-optic cables, vast warehouses stuffed with servers, and even a constellation of satellites. Thus, the old adage "No one is an island" was never more true than it is today. However, the bridges between our respective islands seem to be considerably more obscure than they were in the old days. Which sooner or later will call into question whether these bridges will be properly maintained, but that question applies all too well to a depressingly broad range of infrastructure on which we all depend.

Which leads to another old adage: "The more things change, the more they stay the same". :-)

25 Oct 2019 8:51pm GMT

Paul E. Mc Kenney: The Old Man and His Smartphone, Episode V

So after many years of bragging about my wristwatch's exemplary battery lifetime (years, I tell you, years!!!), I find myself a member of that very non-exclusive group that worries about battery lifetime. But I have been pleasantly surprised to find that my smartphone's battery lasts quite a bit longer than I would have expected, in fact, it is not unusual for the battery to last through two or three days of normal usage. And while that isn't years, it isn't at all bad.

That is, battery lifetime isn't at all bad as long as I have location services (AKA GPS) turned off.

With GPS on, the smartphone might or might not make it through the day. Which is a bit ironic given that GPS was the main reason that I knew I would eventually be getting a smartphone. And the smartphone isn't all that happy about my current policy of keeping the GPS off unless I am actively using it. The camera in particular keeps whining about how it could tag photos with their locations if only I would turn the GPS on. However, I have grown used to this sort of thing, courtesy of my television constantly begging me to connect it to Internet. Besides, if my smartphone were sincerely concerned about tagging my photos with their locations, it could always make use of the good and sufficient location data provided by the cell towers that I happen to know that it is in intimate contact with!

GPS aside, I am reasonably happy with my smartphone's current battery lifetime. Nevertheless, long experience with other battery-powered devices leads me to believe that it will undergo the usual long slow decay over time. But right now, it is much better than I would have expected, and way better than any of my laptops.

Then again, I am not (yet) in the habit of running rcutorture on my smartphone...

25 Oct 2019 12:05am GMT

23 Oct 2019

feedKernel Planet

Paul E. Mc Kenney: The Old Man and His Smartphone, Episode IV

I took my first GPS-enabled road trip today in order to meet a colleague for lunch. It was only about an hour drive each way, but that was nevertheless sufficient to highlight one big advantage of GPS as well as to sound a couple of cautionary notes.

The big advantage didn't seem particularly advantageous at first. The phone had announced that I should turn left at Center Street, but then inexplicably changed its mind, instead asking me to instead turn left on a road with a multi-syllabic vaguely Germanic name. On the return trip, I learned that I had actually missed the left turn onto Center Street courtesy of that road's name changing to Wyers Road at the crossing. So I saw a sign for Wyers Road and sensibly (or so I thought) elected not to turn left at that point. The phone seamlessly autocorrected, in fact so seamlessly that I was completely unaware that I had missed the turn.

The first cautionary note involved the phone very quickly changing its mind on which way I should go. It initially wanted me to go straight ahead for the better part of a mile, but then quickly and abruptly asked me to instead take a hard right-hand turn. In my youth, this abrupt change might have terminally annoyed me, but one does (occasionally) learn patience with advancing age.

That and the fact that following its initial advice to go straight ahead would have taken me over a ditch, through a fence, and across a pasture.

The second cautionary note was due to the Fall colors here in Upstate New York, which caused me to let the impatient people behind me pass, rather than following my usual practice of taking the presence of tailgaters as a hint to pick up the pace. I therefore took a right onto a side road, intending to turn around in one of the conveniently located driveways so that I could continue enjoying the Fall colors as I made my leisurely way up the highway. But my smartphone instead suggested driving ahead for a short way to take advantage of a loop in the road. I figured it knew more about the local geography than I did, so I naively followed its suggestion.

My first inkling of my naivete appeared when my smartphone asked me to take a right turn onto a one-lane gravel road. I was a bit skeptical, but the gravel road appeared to have been recently graveled and also appeared to be well-maintained, so why not? A few hundred yards in, the ruts became a bit deeper than my compact rental car would have preferred, but it is easy to position each pair of wheels on opposite sides of the too-deep rut and continue onwards.

But then I came to the stream crossing the road.

The stream covered perhaps 15 or 20 feet of the road, but on the other hand, it appeared to be fairly shallow in most places, which suggested that crossing it (as my smartphone was suggesting) might be feasible. Except that there were a few potholes of indeterminate depth filled with swiftly swirling water, with no clear way to avoid them. Plus the water had eroded the road surface a foot or two below its level elsewhere, which suggested that attempting to drive into the stream might leave my rental car high-centered on the newly crafted bank, leaving my poor car stuck with its nose down in the water and its rear wheels spinning helplessly in the air.

Fortunately, rental cars do have a reverse gear, but unfortunately my body is less happy than it might once have been to maintain the bent-around posture required to look out the rear window while driving backwards several hundred yards down a windy gravel road. Fortunately, like many late-model cars, this one has a rear-view camera that automatically activates when the car is put into the reverse gear, but unfortunately I was unable to convince myself that driving several hundred yards backwards down a narrow and windy gravel road running through a forest was a particularly good beginner's use of this new-age driving technique. (So maybe I should take the hint and practice driving backwards using the video in a parking lot? Or maybe not...)

Which led to the next option, that of turning the car around on a rutted one-lane gravel road. Fortunately the car is a compact, so this turned out to be just barely possible, and even more fortunately there were no other cars on the road waiting for me to complete my multipoint-star turn-around manuever. (Some of my acquaintances will no doubt point out that had I been driving a large pickup, crossing the stream would have been a trivial event unworthy of any notice. This might be true, but I was in fact driving a compact.)

But all is well that ends well. After a few strident but easily ignored protests, my phone forgave my inexplicable deviation from its carefully planned and well-crafted route and deigned to guide me the rest of the way to my destination.

And, yes, it even kept me on paved roads.

23 Oct 2019 10:02pm GMT

18 Oct 2019

feedKernel Planet

Matthew Garrett: Letting Birds scooters fly free

(Note: These issues were disclosed to Bird, and they tell me that fixes have rolled out. I haven't independently verified)

Bird produce a range of rental scooters that are available in multiple markets. With the exception of the Bird Zero[1], all their scooters share a common control board described in FCC filings. The board contains three primary components - a Nordic NRF52 Bluetooth controller, an STM32 SoC and a Quectel EC21-V modem. The Bluetooth and modem are both attached to the STM32 over serial and have no direct control over the rest of the scooter. The STM32 is tied to the scooter's engine control unit and lights, and also receives input from the throttle (and, on some scooters, the brakes).

The pads labeled TP7-TP11 near the underside of the STM32 and the pads labeled TP1-TP5 near the underside of the NRF52 provide Serial Wire Debug, although confusingly the data and clock pins are the opposite way around between the STM and the NRF. Hooking this up via an STLink and using OpenOCD allows dumping of the firmware from both chips, which is where the fun begins. Running strings over the firmware from the STM32 revealed "Set mode to Free Drive Mode". Challenge accepted.

Working back from the code that printed that, it was clear that commands could be delivered to the STM from the Bluetooth controller. The Nordic NRF52 parts are an interesting design - like the STM, they have an ARM Cortex-M microcontroller core. Their firmware is split into two halves, one the low level Bluetooth code and the other application code. They provide an SDK for writing the application code, and working through Ghidra made it clear that the majority of the application firmware on this chip was just SDK code. That made it easier to find the actual functionality, which was just listening for writes to a specific BLE attribute and then hitting a switch statement depending on what was sent. Most of these commands just got passed over the wire to the STM, so it seemed simple enough to just send the "Free drive mode" command to the Bluetooth controller, have it pass that on to the STM and win. Obviously, though, things weren't so easy.

It turned out that passing most of the interesting commands on to the STM was conditional on a variable being set, and the code path that hit that variable had some impressively complicated looking code. Fortunately, I got lucky - the code referenced a bunch of data, and searching for some of the values in that data revealed that they were the AES S-box values. Enabling the full set of commands required you to send an encrypted command to the scooter, which would then decrypt it and verify that the cleartext contained a specific value. Implementing this would be straightforward as long as I knew the key.

Most AES keys are 128 bits, or 16 bytes. Digging through the code revealed 8 bytes worth of key fairly quickly, but the other 8 bytes were less obvious. I finally figured out that 4 more bytes were the value of another Bluetooth variable which could be simply read out by a client. The final 4 bytes were more confusing, because all the evidence made no sense. It looked like it came from passing the scooter serial number to atoi(), which converts an ASCII representation of a number to an integer. But this seemed wrong, because atoi() stops at the first non-numeric value and the scooter serial numbers all started with a letter[2]. It turned out that I was overthinking it and for the vast majority of scooters in the fleet, this section of the key was always "0".

At that point I had everything I need to write a simple app to unlock the scooters, and it worked! For about 2 minutes, at which point the network would notice that the scooter was unlocked when it should be locked and sent a lock command to force disable the scooter again. Ah well.

So, what else could I do? The next thing I tried was just modifying some STM firmware and flashing it onto a board. It still booted, indicating that there was no sort of verified boot process. Remember what I mentioned about the throttle being hooked through the STM32's analogue to digital converters[3]? A bit of hacking later and I had a board that would appear to work normally, but about a minute after starting the ride would cut the throttle. Alternative options are left as an exercise for the reader.

Finally, there was the component I hadn't really looked at yet. The Quectel modem actually contains its own application processor that runs Linux, making it significantly more powerful than any of the chips actually running the scooter application[4]. The STM communicates with the modem over serial, sending it an AT command asking it to make an SSL connection to a remote endpoint. It then uses further AT commands to send data over this SSL connection, allowing it to talk to the internet without having any sort of IP stack. Figuring out just what was going over this connection was made slightly difficult by virtue of all the debug functionality having been ripped out of the STM's firmware, so in the end I took a more brute force approach - I identified the address of the function that sends data to the modem, hooked up OpenOCD to the SWD pins on the STM, ran OpenOCD's gdb stub, attached gdb, set a breakpoint for that function and then dumped the arguments being passed to that function. A couple of minutes later and I had a full transaction between the scooter and the remote.

The scooter authenticates against the remote endpoint by sending its serial number and IMEI. You need to send both, but the IMEI didn't seem to need to be associated with the serial number at all. New connections seemed to take precedence over existing connections, so it would be simple to just pretend to be every scooter and hijack all the connections, resulting in scooter unlock commands being sent to you rather than to the scooter or allowing someone to send fake GPS data and make it impossible for users to find scooters.

In summary: Secrets that are stored on hardware that attackers can run arbitrary code on probably aren't secret, not having verified boot on safety critical components isn't ideal, devices should have meaningful cryptographic identity when authenticating against a remote endpoint.

Bird responded quickly to my reports, accepted my 90 day disclosure period and didn't threaten to sue me at any point in the process, so good work Bird.

(Hey scooter companies I will absolutely accept gifts of interesting hardware in return for a cursory security audit)

[1] And some very early M365 scooters
[2] The M365 scooters that Bird originally deployed did have numeric serial numbers, but they were 6 characters of type code followed by a / followed by the actual serial number - the number of type codes was very constrained and atoi() would terminate at the / so this was still not a large keyspace
[3] Interestingly, Lime made a different design choice here and plumb the controls directly through to the engine control unit without the application processor having any involvement
[4] Lime run their entire software stack on the modem's application processor, but because of [3] they don't have any realtime requirements so this is more straightforward

comment count unavailable comments

18 Oct 2019 11:44am GMT

14 Oct 2019

feedKernel Planet

Paul E. Mc Kenney: The Old Man and His Smartphone, Episode III

I still haven't installed many apps, but I have already come across lookalike apps that offer interesting services that are less pertinent to my current mode of existence than the apps I was actually looking for. So perhaps app spam will become as much an issue as plain old email spam.

I also took my first-ever selfie, thus learning that using the camera on the same side of the smartphone as the screen gets you a mirror-imaged photograph. I left the selfie that way on my obligatory Facebook post for purposes of historical accuracy and as a cautionary tale, but it turns out to be quite easy to flip photos (both horizonally and vertically) from the Android Gallery app. It is also possible to change brightness and contrast, add captions, add simple graphics, scrawl over the photo in various colors, adjust perspective, and so on. An application popped up and offered much much much more (QR code scanning! OCR! Other stuff I didn't bother reading!), but only if I would agree to the license. Which I might do some time in the future.

I have not yet worked out how I will carry the smartphone long term. For the moment, it rests in the classic nerd position in my shirt pocket (truth in advertising!!!).

My wife was not all that impressed with the smartphone, which is not too surprising given that grade-school students commonly have them. She did note that if someone broke into it, they could be taking pictures of her without her knowledge. I quickly overcame that potential threat by turning the smartphone the other side up, so that any unauthorized photography would be confined to the inside of my shirt pocket. :-)

14 Oct 2019 2:46pm GMT

11 Nov 2011

feedLinux Today

Tech Comics: "How to Live with Non-Geeks"

Datamation: Geeks must realize that non-geeks simply don't understand some very basics things.

11 Nov 2011 11:00pm GMT

How To Activate Screen Saver In Ubuntu 11.10

AddictiveTip: Ubuntu 11.10 does not come with a default screen saver, and even Gnome 3 provides nothing but a black screen when your system is idle.

11 Nov 2011 10:00pm GMT

XFCE: Your Lightweight, Speedy, Fully-Fledged Linux Desktop

MakeUseOf: As far as Linux goes, customization is king

11 Nov 2011 9:00pm GMT

Fedora Scholarship Recognizes Students for Their Contributions to Open Source Software

Red Hat: The Fedora Scholarship is awarded to one student each year to assist with the recipient's college or university education.

11 Nov 2011 8:00pm GMT

Digital Divide Persists Even as Broadband Adoption Grows

Datamation: New report from Dept. of Commerce shows that the 'have nots' - continue to have not when it comes to Internet.

11 Nov 2011 7:00pm GMT

Why GNOME refugees love Xfce

The Register: Thunar rather than later...

11 Nov 2011 6:00pm GMT

Everything should be open source, says WordPress founder

Between the Lines: "It's a bold statement, but it's the ethos that Mullenweg admirably stuck to, pointing out that sites like Wikipedia replaced Encyclopedia Britannica, and how far Android has gone for mobile."

11 Nov 2011 5:02pm GMT

The Computer I Need

LXer: "Before I had a cell phone I did not realize that I needed one. As of one week ago, I did not realize that I needed a tablet either but I can sense that it might be a similar experience."

11 Nov 2011 4:01pm GMT

GPL violations in Android: Same arguments, different day

IT World: "IP attorney Edward J. Naughton is repeating his arguments that Google's use of Linux kernel header files within Android may be in violation of the GNU General Public License (GPLv2), and tries to discredit Linus Torvalds' thoughts on the matter along the way."

11 Nov 2011 3:04pm GMT

No uTorrent for Linux by Year's End

Softpedia: "When asked why there's no uTorrent client version of Linux users out, BitTorrent Inc. said that the company has other priorities at the moment."

11 Nov 2011 2:01pm GMT

Keep an Eye on Your Server with phpSysInfo

Linux Magazine: "There are quite a few server monitoring solutions out there, but most of them are overkill for keeping an eye on a single personal server."

11 Nov 2011 1:03pm GMT

At long last, Mozilla Releases Lightning 1.0 Calendar

InternetNews: From the 'Date and Time' files:

11 Nov 2011 12:00pm GMT

Richard Stallman's Personal Ad

Editors' Note: You can't make this stuff up...

11 Nov 2011 10:00am GMT

Linux Top 5: Fedora 16 Aims for the Cloud

LinuxPlanet: There are many things to explore on the Linux Planet. This week, a new Fedora release provides plenty of items to examine. The new Fedora release isn't the only new open source release this week, as the Linux Planet welcomes new KDE and Firefox releases as well.

11 Nov 2011 9:00am GMT

Orion Editor Ships in Firefox 8

Planet Orion: Firefox 8 now includes the Orion code editor in its scratchpad feature.

11 Nov 2011 6:00am GMT