A selection of Linux kernel talks from Open Source Summit Europe 2018
Last week, Open Source Summit Europe 2018 was held in Edinburgh, Scotland. Here is a selection of the interesting Linux kernel talks that I was able to attend.
1. Among the keynotes I would like to highlight "The Kernel Report" by Jonathan Corbet. He outlined the main trends in Linux kernel development over the last year. Separately, he focused on the mitigation of the high-profile Spectre and Meltdown vulnerabilities. I found his thoughts on how eBPF is blurring the boundary between user space and kernel space interesting.
2. Specialists from OTH Regensburg and Siemens continued the Spectre and Meltdown topic with respect to real-time workloads. They talked about how the mitigations for these vulnerabilities affected the performance of the Linux kernel with the Preempt-RT patch set and the performance of the Jailhouse hypervisor.
3. Christoph Lameter gave an excellent introduction to Linux kernel memory management. He described how physical memory and a process's virtual memory are organized, and in detail how to monitor their state from user space. In short, everything was laid out neatly. How else could a kernel maintainer present a kernel allocator? Slides:
4. Let me also tell you about my own talk on the lessons learned from participating in the Kernel Self Protection Project. The goal of the talk was to get more enthusiasts involved in Linux kernel security and to share my experience of developing kernel protection mechanisms. I talked about the balance of forces in the security community and the Linux kernel self-protection map, then about double locking in the Linux kernel and about implementing PAX_MEMORY_STACKLEAK in the vanilla kernel. After the talk, useful discussion and an exchange of ideas followed. Slides:
5. Darren Hart spoke about bringing order to the Linux kernel's Kconfig using configuration fragments. The kernel has more than 10,000 options, which depend on each other in complex ways, so tracking changes to a kernel configuration in a version control system is very inconvenient. To make configuration management easier, the merge_config.sh script was brought from the Yocto project into the vanilla kernel; it lets you assemble a configuration from fragments. Darren showed how to use it.
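As an added example (not code from the talk, from the Yocto project or from the kernel tree), the script below re-implements in portable shell the merge step that merge_config.sh performs, on constructed fragments, so that the two things a practitioner has to check are visible: which values a later fragment overrides, and which requested values Kconfig then drops because their dependencies are unmet. The file names, the option choices and the "final" configuration are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the talk or from the kernel tree.
# It re-implements, portably and on constructed input, the two checks that
# scripts/kconfig/merge_config.sh performs when merging fragments:
#   1. a later fragment overrides an earlier value, and the override is reported;
#   2. after Kconfig resolves dependencies, every requested value is compared
#      with the final .config, because a value whose dependencies are unmet
#      is silently dropped.
# In a real kernel tree the equivalent workflow is:
#   scripts/kconfig/merge_config.sh -m .config hardening.config   # merge only
#   make olddefconfig                                             # resolve deps
# All file names and option choices below are assumptions for the example.
set -eu

# merge_fragments FRAG... : print the merged config on stdout, one line per
# symbol in first-seen order; a later fragment's value wins, and each override
# goes to stderr in the spirit of merge_config.sh's "Previous value/New value".
merge_fragments() {
    awk '
    function key(l) {
        if (l ~ /^# CONFIG_[A-Za-z0-9_]+ is not set$/) {
            sub(/^# /, "", l); sub(/ is not set$/, "", l); return l
        }
        if (l ~ /^CONFIG_[A-Za-z0-9_]+=/) { sub(/=.*/, "", l); return l }
        return ""                                   # comment or blank line
    }
    { k = key($0); if (k == "") next
      if (!(k in val)) order[++n] = k
      else if (val[k] != $0) {
          printf "Value of %s is redefined by fragment %s:\n", k, FILENAME > "/dev/stderr"
          printf "Previous value: %s\nNew value:      %s\n", val[k], $0 > "/dev/stderr"
      }
      val[k] = $0 }
    END { for (i = 1; i <= n; i++) print val[order[i]] }
    ' "$@"
}

# list_redefined FRAG... : names of the symbols that a later fragment changed.
list_redefined() {
    merge_fragments "$@" 2>&1 >/dev/null | awk '/^Value of / { print $3 }'
}

# config_value FILE SYMBOL : the line for SYMBOL in FILE ("=y", "=m", a string,
# or "# SYMBOL is not set"); exit status 1 if the symbol does not appear.
config_value() {
    grep -E "^($2=|# $2 is not set)" "$1"
}

# check_requested FINAL FRAG... : names of the requested symbols whose value in
# FINAL differs from what the fragments asked for (the step merge_config.sh
# does after `make alldefconfig`, reporting "Actual value" mismatches).
check_requested() {
    final=$1; shift
    merge_fragments "$@" 2>/dev/null | while IFS= read -r want; do
        case $want in
            "# "*) sym=${want#"# "}; sym=${sym%% is not set} ;;
            *)     sym=${want%%=*} ;;
        esac
        have=$(config_value "$final" "$sym" || true)
        [ "$have" = "$want" ] || printf '%s\n' "$sym"
    done
}

# --- constructed sample input (not a real kernel configuration) --------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/base.config" <<'EOF'
CONFIG_64BIT=y
CONFIG_MODULES=y
# CONFIG_STACKPROTECTOR_STRONG is not set
CONFIG_DEBUG_INFO=y
# CONFIG_RANDOMIZE_BASE is not set
EOF
cat > "$WORK/hardening.config" <<'EOF'
# hardening fragment: a few KSPP-style options, kept in version control
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_GCC_PLUGIN_STACKLEAK=y
EOF
# What `make olddefconfig` might produce if the compiler lacks plugin support:
# STACKLEAK is dropped because its dependency (GCC_PLUGINS) is unmet.
cat > "$WORK/final.config" <<'EOF'
CONFIG_64BIT=y
CONFIG_MODULES=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_DEBUG_INFO=y
CONFIG_RANDOMIZE_BASE=y
# CONFIG_GCC_PLUGIN_STACKLEAK is not set
EOF

merge_fragments "$WORK/base.config" "$WORK/hardening.config" > "$WORK/merged.config"
echo "merged config:"
cat "$WORK/merged.config"
echo "requested values not honoured by the final .config:"
check_requested "$WORK/final.config" "$WORK/base.config" "$WORK/hardening.config"
```

The second check is the one that bites in practice: a fragment committed to version control can look correct, yet the option it enables never reaches the built kernel if a dependency (a compiler plugin, an architecture feature) is missing on the build machine, which is why merge_config.sh compares the requested and actual values after running Kconfig rather than trusting the merged file.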
6. Will Deacon gave an excellent and demanding talk on the Linux kernel primitives that order I/O and DMA operations. He began by describing the kernel's formal memory model, gave an overview of the usual memory barriers, and then moved on to the semantics of I/O barriers. His excellent presentation style kept the audience focused until the very end.
7. Lukas Bulwahn from BMW gave a great talk about the SIL2LinuxMP research project, in which I also took part this year. The project explores the possibility of using Linux in safety-critical systems, that is, systems with increased safety requirements. First Lukas explained the concept of reliability from an engineering point of view, then he spoke about the technical and organizational aspects of the SIL2LinuxMP project, which involves a number of large manufacturing companies, people from academia and independent experts.
8. Matthew Garrett, who now works at Google, spoke about the Kernel Lockdown patch series. The idea is very good: the kernel must be protectable from the superuser, so that root cannot, for example, install a rootkit. The Windows kernel has had this for a long time. It turns out that all major Linux distributions already ship with Kernel Lockdown. However, this patch series is still not in the vanilla kernel, and Matthew also explained the political background of this.
9. At the KVM Forum I attended a great talk on the QEMU security model. Stefan Hajnoczi described the virtualization architecture based on QEMU/KVM, the attack surface of its components and how to reduce it. Slides
10. Greg Kroah-Hartman gave a lively talk about how the Linux kernel community mitigated the various variants of Meltdown and Spectre, how Intel behaved, what lessons were learned from the whole story, and what to expect in the future. For some reason there are no slides or video publicly available, but I simply have to mention his talk.
11. I also want to mention Knut Omang's talk about a unit test system for the Linux kernel. I really liked both his presentation and the work itself. The speaker works at Oracle and, unfortunately, was given the task of supporting a Linux kernel driver of some 20,000 lines. This driver is of very poor quality and is not suitable for the vanilla kernel. However, Oracle ships it, and the code has to be maintained. Knut did not despair; he decided to fix the situation systematically with the help of test-driven development and unit tests. He spoke about the Kernel Test Framework that he is developing for this.
12. Finally, I'll tell you about Kees Cook's annual report on the status of the Kernel Self-Protection Project (KSPP). The idea of the project is that operating system security is more than fixing bugs in the code and separating access to resources. The operating system should continue to work safely in the event of a bug or an attempted attack. Therefore KSPP aims to eliminate entire classes of vulnerabilities and exploitation techniques in the vanilla Linux kernel. Kees Cook leads this project and is also the maintainer of a number of kernel subsystems. In his talk he gave an overview of the KSPP results from kernel versions 4.14 to 4.20. Slides: Enjoy!