Linux kernel lockdown, integrity, and confidentiality

The Linux kernel lockdown patches were merged into the 5.4 kernel last year, which means they’re now part of multiple distributions. For me this was a 7-year journey, which means it’s easy to forget that others aren’t as invested in the code as I am. Here’s what these patches are intended to achieve, why they’re implemented in the current form and what people should take into account when deploying the feature. Root is a user – a privileged user, but nevertheless a user. Root is not identical to the kernel. Processes running as root still can’t dereference addresses that belong to the kernel, are still subject to the whims of the scheduler and so on. But historically that boundary has been very porous. Various interfaces make it straightforward for root to modify kernel code (such as loading modules or using /dev/mem), while others make it less straightforward (being able to load new ACPI tables that can cause the ACPI interpreter to overwrite the kernel, for instance). In the past that wasn’t seen as a significant issue, since there were no widely deployed mechanisms for verifying the integrity of the kernel in the first place. But once UEFI secure boot became widely deployed, this was a problem. If you verify your boot chain but allow root to modify that kernel, the benefits of the verified boot chain are significantly reduced. Even if root can’t modify the on-disk kernel, root can just hot-patch the kernel and then make this persistent by dropping a binary that repeats the process on system boot. These patches are intended to prevent that, and this blog post goes into detail about how it all works.

Inside the Am2901: AMD’s 1970s bit-slice processor

You’re probably familiar with modern processors made by Advanced Micro Devices. But AMD’s processors go back to 1975, when AMD introduced the Am2901. This chip was a type of processor called a bit-slice processor: each chip processed just 4 bits, but multiple chips were combined to produce a larger word size. This approach was used in the 1970s and 1980s to create a 16-bit, 36-bit, or 64-bit processor (for example), when the whole processor couldn’t fit on a single fast chip. The Am2901 chip became very popular, used in diverse systems ranging from the Battlezone video game to the VAX-11/730 minicomputer, from the Xerox Star workstation to the F-16 fighter’s Magic 372 computer. The fastest version of this processor, the Am2901C, used a logic family called emitter-coupled logic (ECL) for high performance. In this blog post, I open up an Am2901C chip, examine its die under a microscope, and explain the ECL circuits that made its arithmetic-logic unit work. A very detailed, technical look at this processor.

Proton has brought about 6000 games to Linux so far

Proton has done far more for Linux gaming than any porting company out there, by bringing about 6000 games to us in less than 2 years. There’s about 100 games every month that get a Platinum rating according to ProtonDB. (because of the recent changes on ProtonDB rating, this is now more accurate than it was before). Proton has become better over time: the percentage of games getting a Platinum rating is steadily increasing over time as well – it used to be about 40% of all unique games reported, and now we are closer to 50%. This is cumulative, so the range will vary month by month but the trend is very clear. Proton is one of the biggest contributions to desktop Linux in at least the past ten years. Thanks to Proton, I now play all my games on Linux, and could finally just remove Windows from my desktop altogether. All I do when I want to buy a game that doesn’t support Linux natively is check ProtonDB, and if the rating is platinum (works out of the box) or gold (might need to run a command, move a file around, or select a specific Proton version in Steam), I just buy it without further issues. If it’s rated silver, I’ll take a more detailed look and weigh the work vs. the benefit. It’s been amazing, and I pretty much forget which games in my Steam library use Proton, and which don’t. It’s so seamless and effortless that I don’t have to know – from big, triple-A titles, all the way down to small indie games.

Visopsys 0.9 released

Visopsys is a hobby OS for x86-compatible PCs, started in 1997. Version 0.9 was released this morning, and there’s a change log. The summary: This major release offers a subtly updated look, enhanced networking capabilities and associated programs, Unicode support, a software packaging/download/install/uninstall infrastructure with an online ‘store’, a user space window shell, VMware mouse integration, HTTP, XML, and HTML libraries, some C++ and POSIX threads (pthreads) support, ‘pipes’ for interprocess communication, and additional hashing algorithms. Visopsys has a long history on OSNews – the oldest mention being from 2005. It’s been in relatively steady development ever since.

Bill Gates is now the leading target for coronavirus falsehoods, says report

Bill Gates is now the favorite target for coronavirus misinformation according to data compiled by the New York Times and Zignal Labs, a company that analyzes media sources. Conspiracy theories conflating Gates with the virus were mentioned 1.2 million times on TV and social media from February to April, 33 percent more often than the 2nd most popular conspiracy theory linking 5G with COVID-19, according to Zignal Labs, peaking at 18,000 mentions a day in April. It’s cheaper to be an idiot than to be responsible.

The decline of usability

Today, it seems we’re on another track completely. Despite being endlessly fawned over by an army of professionals, Usability, or as it used to be called, “User Friendliness”, is steadily declining. During the last ten years or so, adhering to basic standard concepts seems to have fallen out of fashion. On comparatively new platforms, i.e. smartphones, it’s inevitable: the input mechanisms and interactions with the display are so different from desktop computers that new paradigms are warranted. Worryingly, these paradigms have begun spreading to the desktop, where keyboards for fast typing and pixel-precision mice effectively render them pointless. Coupled with the flat design trend, UI elements are increasingly growing both bigger and yet somehow harder to locate and tell apart from non-interactive decorations and content. I doubt anyone here will disagree with the premise of this article, even if you might disagree with some of the examples. These past few weeks I’ve set up virtual machines of all the old Windows releases just to remind myself of just how well the graphical user interface introduced in Windows 95 was perfected over the years, culminating in the near-perfect Classic theme in Windows XP and Server 2003. Later iterations of the Classic theme, in Vista and onward, would sadly retain some of the Aero UI elements even when setting the Classic theme, ruining the aesthetic, and of course, the Classic theme is gone altogether now – you can’t set it in Windows 10. Similarly, Platinum in Mac OS 9 is still more coherent, more usable, and more intentful than whatever macOS brought to the table over the years. We can find solace in the fact that trends tend to be cyclical, so there’s a real chance the pendulum will eventually swing back.

Sculpt OS 20.02 released

With the release of Sculpt version 20.02, we follow our roadmap’s mission to make Sculpt OS easier to approach. In particular, we identified the reliance on a command-line interface as a potential barrier of entry. As Sculpt OS is not a Unix-like system, it should not require any Unix know-how from the user. To relieve users from this burden, Sculpt 20.02 introduces a custom graphical file browser and editor that can be used for interactively inspecting and tweaking the state of the system. The traditional command-line interface is still present as a fallback for advanced tasks though. The updated manual goes into detail about the use of the new system. Sculpt OS is related to the Genode project – a popular mainstay at OSNews – and basically ties a number of their technologies together into a general purpose desktop operating system. Sculpt is an open-source general-purpose OS. It combines Genode’s microkernel architecture, capability-based security, sandboxed device drivers, and virtual machines in a novel operating system for commodity PC hardware. Sculpt is used as day-to-day OS by the Genode developers. The download page provides a ready-to-go VirtualBox image, so if you want to play with Sculpt OS – they couldn’t have made it any easier.

Windows 10 to get Spotlight-like launcher with PowerToys

Microsoft is working on a tool that will let you replace the Windows Run feature on Windows 10. The Spotlight-like launcher for Windows 10 will be released later this year, as part of the company’s effort to customize Win+R and give users numerous features but keep the handling as easy as possible at the same time. Microsoft’s Spotlight-like launcher for Windows 10 is said to be part of PowerToys’ upcoming update. According to Microsoft, PowerToys Run is designed to replace the Win + R shortcut. I use Ulauncher on my computers, and I can’t imagine using them without it. It’s about time a similar feature came from Microsoft, but the fact it’s a separate PowerToy thing and not a default on Windows means it’ll remain a niche thing. This should be standard out of the box.

GNOME Shell UX plans

The lock screen work that we landed in 3.36 was the outcome of a long-running programme of UX work, which we first put together at the GNOME UX hackfest in London, back in 2017. There are still some outstanding pieces of the login/unlock experience that need to be filled in, and this is something that we hope to work on over the coming development cycle. However, we are also turning our attention to other aspects of the shell, which we have wanted to update for some time. In the rest of this post, I’ll describe some of the areas that we’re hoping to improve, before going on to talk about how we’re going to do it. An overview of what to expect from upcoming GNOME releases.

The KWinFT project

I am pleased to announce the KWinFT project and with it the first public release of its major open source offerings KWinFT and Wrapland, drop-in replacements for KDE’s window manager KWin and its accompanying KWayland library. The KWinFT project was founded by me at the beginning of this year with the goal to accelerate the development significantly in comparison to KWin. Classic KWin can only be moved with caution, since many people rely on it in their daily computing and there are just as many other stakeholders. In this respect, at least for some time, I anticipated to be able to push KWinFT forward in a much more dynamic way. This is a great concept, and will allow more experimentation and exciting new features in a place where this normally simply doesn’t make much sense.

Solaris 11.4 SRU20 released

We’ve just released SRU 20 for Oracle Solaris 11.4, the April 2020 CPU. It is available via ‘pkg update’ from the support repository or by downloading the SRU from My Oracle Support Doc ID 2433412.1. The administrator of my organisation needs to supply me with a Support Identifier before I can do something as simple as read the documentation about this new version, so I have no idea what to tell you. I guess Solaris technically isn’t dead yet?

Riot Games, maker of League of Legends, installs rootkit with their new hit game Valorant

If an application from a Chinese company installed a kernel driver onto your system with complete access to your computer, but they pinky-promised not to abuse this access and power, would you install the application? Well, if you’re interested in Riot Games’ new hit game Valorant, that’s exactly the question you’re going to have to answer.

Riot Games, the company behind one of the most popular games in the world, League of Legends, recently started publicly beta testing their new game, Valorant. Two months ago, the company penned a rather condescending blog post detailing their future anti-cheat technology, which would include a Windows kernel driver (running in ring 0, in x86 parlance). Valorant is their first game using this kernel driver, and as it turns out, this kernel driver starts at boot, and due to its very nature has full system access, even when you’re not running Valorant.

According to Riot Games, we just have to trust them on their blue eyes that their kernel driver is fully secure and won’t be exploited by malicious third parties, and that the company won’t use it to spy on people or otherwise violate their privacy. Riot states on Reddit that “multiple external security research teams” have reviewed the driver, but as far as I can tell, these reviews have not been published for public vetting.

What we’re dealing with here is a rootkit, a method more and more anti-cheat systems are employing in the fight against cheating. The argument is that game developers need full, complete, and total access to your system in order to prevent you from cheating, and a kernel driver is how they do it. There’s a long history of these sorts of things going horribly, horribly wrong. We all still remember the Sony rootkit debacle, where Sony CDs installed rootkits on users’ computers that ended up being exploited left, right, and centre by malicious parties. In 2016, Capcom installed a similar rootkit meant for anti-cheat with Street Fighter V, which was an absolute security train wreck. And closer to home for Riot, the game client for their very own League of Legends installed crypto miners on users’ computers in the Philippines.

Despite the inherent dangers in installing closed-source security-by-obscurity rootkits, Riot is dead-set on continuing to use them, and it’s only a matter of time before their rootkit will be forced upon League of Legends players as well – which in my case means I won’t be able to play League of Legends anymore even if I wanted their rootkit on my computer, since I play on Linux through Wine/Lutris, which doesn’t support kernel drivers at all. Players of Riot’s games will have to ask themselves if they trust Riot to install a rootkit with complete and full access to their system – browsing history, chat logs, email, everything. You have to trust Riot when they say the rootkit is “secure” and won’t be exploited by malicious third parties, and that the company itself won’t use it to invade your privacy.

Interesting sidenote: Riot Games is owned by the Chinese company Tencent, the company behind WeChat. Tencent is, for all intents and purposes, an arm of the Chinese government, so not only do you have to trust Riot Games, you also have to trust their owner, Tencent, as well as who Tencent literally answers to – the Chinese government. I’m not going to tell anyone what they should or should not do with their computers, and if you trust Riot, Tencent, and the Chinese government enough to let them install a rootkit on your computer, then that’s your right to do so. However, I do feel users need to be at least aware of the choice they’re making.

Unemployment checks are being held up by a coding language almost nobody knows

Colorado — like most states and territories across the country — is experiencing record unemployment numbers. But the state’s unemployment system is built on aging software running on a decades-old coding language known as COBOL. Over the years, COBOL programmers have aged out of the workforce, forcing states to scramble for fluent coders in times of national crisis. A survey by The Verge found that at least 12 states still use COBOL in some capacity in their unemployment systems. Alaska, Connecticut, California, Iowa, Kansas, and Rhode Island all run on the aging language. According to a spokesperson from the Colorado Department of Labor and Employment, the state was actually only a month or two away from “migrating into a new environment and away from COBOL,” before the COVID-19 pandemic hit. Are you one of the already 17 million people laid off in the US, losing what little health insurance you had in the process, and now you can’t even apply for unemployment assistance because some baby boomer coded the damn system in COBOL? Time to lift yourself up by the bootstraps and learn the wonders of COBOL!

Google readies its own chip for future Pixels, Chromebooks

Google has made significant progress toward developing its own processor to power future versions of its Pixel smartphone as soon as next year — and eventually Chromebooks as well, Axios has learned. The chip, code-named Whitechapel, was designed in cooperation with Samsung, whose state-of-the-art 5-nanometer technology would be used to manufacture the chips, according to a source familiar with Google’s effort. Samsung has also manufactured Apple’s iPhone chips, as well as its own Exynos processors. Apparently, Google has received the first batch in recent weeks. This development process has been one of the worst-kept secrets in the industry, since Google pretty much admitted it was developing its own mobile SoC years ago.

Google is replacing some Android apps in Chrome OS with web apps

Google is replacing some Android apps for Chromebooks with Progressive Web Apps (PWAs). A PWA is essentially a webpage that looks and feels like a traditional app. This will certainly be good news for many Chromebook owners. In some cases, PWAs are faster and more functional than their Android counterparts. PWAs also take up less storage and require less juice to run. When PWAs are a better option than Android applications, you know you’re scraping the bottom of the barrel. I really don’t understand why Google doesn’t just turn Chrome OS into a more traditional desktop Linux distribution – they’ll get better applications, better tooling, and better performance than shoehorning Android applications into Chrome or pretending a website is an application.

Implementing support for advanced DPTF policy in Linux

Intel’s Dynamic Platform and Thermal Framework (DPTF) is a feature that’s becoming increasingly common on highly portable Intel-based devices. The adaptive policy it implements is based around the idea that thermal management of a system is becoming increasingly complicated – the appropriate set of cooling constraints to place on a system may differ based on a whole bunch of criteria (eg, if a tablet is being held vertically rather than lying on a table, it’s probably going to be able to dissipate heat more effectively, so you should impose different constraints). One way of providing these criteria to the OS is to embed them in the system firmware, allowing an OS-level agent to read that and then incorporate OS-level knowledge into a final policy decision. Unfortunately, while Intel have released some amount of support for DPTF on Linux, they haven’t included support for the adaptive policy. And even more annoyingly, many modern laptops run in a heavily conservative thermal state if the OS doesn’t support the adaptive policy, meaning that the CPU throttles down extremely quickly and the laptop runs excessively slowly. It’s been a while since I really got stuck into a laptop reverse engineering project, and I don’t have much else to do right now, so I’ve been working on this. It’s been a combination of examining what source Intel have released, reverse engineering the Windows code and staring hard at hex dumps until they made some sort of sense. Here’s where I am. Someone has to do the dirty work.

ReactOS 0.4.13 released

The ReactOS Team is pleased to announce the release of version 0.4.13. As with prior releases, keywords are noted representing the release itself and highlighting key improvements. In this particular case, the 0.4.13 version shows the results of significant hard work to bring improvements to the USB stack, further development on the Xbox port boot process, an Explorer File Search for the Shell module, as well as many other changes. There’s also new work on accessibility features, and the 64 bit version has seen considerable improvements, too.

Apple and Google are building a coronavirus tracking system into iOS and Android

The Verge reports: Apple and Google announced a system for tracking the spread of the new coronavirus, allowing users to share data through Bluetooth Low Energy (BLE) transmissions and approved apps from health organizations. The new system, which is laid out in a series of documents and white papers, would use short-range Bluetooth communications to establish a voluntary contact-tracing network, keeping extensive data on phones that have been in close proximity with each other. Official apps from public health authorities will get access to this data, and users who download them can report if they’ve been diagnosed with COVID-19. The system will also alert people who download them to whether they were in close contact with an infected person. This is a clever use of technology, but as always, what can be used for good, can also be used for evil. A technology like this certainly seems useful in our current worldwide predicament, but it’s not hard to imagine what can be done with it that might be more nefarious. That being said, it’s refreshing to see these companies working together for the good of their users for once, instead of the constant hostility towards users to create platform lock-in and shareholder value. In any event, the APIs for this new system will arrive in iOS and Android over the coming months – through a regular OS update on iOS, and through Google Play on Android.

Google is requiring Virtual A/B on new Android 11 devices, paving the way for mandatory Seamless Updates

With Android 7.0 Nougat, Google introduced a partition scheme designed to speed up software updates. In Nougat, Google added support for duplicating certain partitions so that inactive partitions can get updated in the background and then swapped to active with a quick reboot. This “A/B partition” setup allows for “seamless updates” to take place on supported Android devices, much like Google’s Chrome OS. However, Google has never mandated the use of A/B partitions, so there are many devices out there that don’t support seamless updates. That could change with Android 11, however, as Google is making it mandatory for newly launched devices to support virtual A/B partitions. Anything to make the update situation on Android smoother is welcome.