As part of the continuing work to replace 1-element arrays in the Linux kernel, it’s very handy to show that a source change has had no executable code difference. For example, if you started with this:| codeblog
Previously: v5.9
Previously: v5.8
Previously: v5.7
I frequently see a pattern in image build/refresh scripts where a set of packages is installed, and then all packages are updated:
Previously: v5.6
Previously: v5.5.
Previously: v5.4.
Previously: v5.3.
While much of the work on kernel Control Flow Integrity (CFI) is focused on arm64 (since kernel CFI is available on Android), a significant portion is in the core kernel itself (and especially the build system). Recently I got a sane build and boot on x86 with everything enabled, and I’ve been picking through some of the remaining pieces. I figured now would be a good time to document everything I do to get a build working in case other people want to play with it and find stuff that needs ...
Previously: v5.2.
Previously: v5.1.
Forever ago I set up tooling to generate graphs representing the adoption of various hardening features in Ubuntu packaging. These were very interesting in 2006 when stack protector was making its way into the package archive. Similarly in 2008 and 2009 as FORTIFY_SOURCE and read-only relocations made their way through the archive. It took a while to really catch hold, but finally PIE-by-default started to take off in 2016 through 2018:
Previously: v5.0.
Previously: v4.20.
Previously: v4.19.
Previously: v4.18.
Previously: v4.17.
Previously: v4.16.
I spent some time yesterday building out a UEFI server that didn’t have on-board hardware RAID for its system drives. In these situations, I always use Linux’s md RAID1 for the root filesystem (and/or /boot). This worked well for BIOS booting since BIOS just transfers control blindly to the MBR of whatever disk it sees (modulo finding a “bootable partition” flag, etc, etc). This means that BIOS doesn’t really care what’s on the drive, it’ll hand over control to the GRUB code in ...
Previously: v4.15.
Previously: v4.14.
A nice additional benefit of the recent Kernel Page Table Isolation (CONFIG_PAGE_TABLE_ISOLATION) patches (to defend against CVE-2017-5754, the speculative execution “rogue data cache load” or “Meltdown” flaw) is that the userspace page tables visible while running in kernel mode lack the executable bit. As a result, systems without the SMEP CPU feature (before Ivy-Bridge) get it emulated for “free”.
Previously: v4.13.
Previously: v4.12.
I got myself stuck yesterday with GRUB running from an ext4 /boot/grub, but with /boot inside my LUKS LVM root partition, which meant GRUB couldn’t load the initramfs and kernel.
Previously: v4.11.
Previously: v4.10.
The Pixel 8 hardware (Tensor G3) supports the ARM Memory Tagging Extension (MTE), and software support is available both in Android userspace and the Linux kernel. This feature is a powerful defense against linear buffer overflows and many types of use-after-free flaws. I’m extremely happy to see this hardware finally available in the real world.