Linux Archive
It’s a bit of a Linux news day today – it happens – but this one is good news we can all be happy about. After earning a bad reputation for mishandling its Linux graphics drivers for years, almost decades, NVIDIA has been turning the ship around these past two years, and today they made a major announcement: from here on out, the open source NVIDIA kernel modules will be the default for all recent NVIDIA cards. We’re now at a point where transitioning fully to the open-source GPU kernel modules is the right move, and we’re making that change in the upcoming R560 driver release. ↫ Rob Armstrong, Kevin Mittman and Fred Oh There are some caveats regarding which generations, exactly, should be using the open source modules for optimal performance. For NVIDIA’s most cutting edge generations, Grace Hopper and Blackwell, you actually must use the open source modules, since the proprietary ones are not even supported. For GPUs from the Turing, Ampere, Ada Lovelace, or Hopper architectures, NVIDIA recommends the open source modules, but the proprietary ones are compatible as well. Anything older than that is restricted to the proprietary modules, as they’re not supported by the open source modules. This is a huge milestone, and NVIDIA becoming a better team player in the Linux world is a big deal for those of us with NVIDIA GPUs – it’s already paying dividend in vastly improved Wayland support, which up until very recently was a huge problem. Do note, though, that this only covers the kernel module; the userspace parts of the NVIDIA driver are still closed-source, and there’s no indication that’s going to change.
Not too long ago it seemed like Linux support for the new ARM laptops running the Snapdragon X Pro and Elite processors was going to be pretty good – Qualcomm seemed to really be stepping up its game, and detailed in a blog post exactly what they were doing to make Linux a first-tier operating system on their new, fancy laptop chips. Now that the devices are in people’s hand, though, it seems all is not so rosy in this new Qualcomm garden. A recent Linux kernel DeviceTree patch outright disables the GPU on the Snapdragon X Elite, and the issue is, as usual, vendor nonsense, as it needs something called a ZAP shader to be useful. The ZAP shader is needed as by default the GPU will power on in a specialized “secure” mode and needs to be zapped out of it. With OEM key signing of the GPU ZAP shader it sounds like the Snapdragon X laptop GPU support will be even messier than typically encountered for laptop graphics. ↫ Michael Larabel This is exactly the kind of nonsense you don’t want to be dealing with, whether you’re a user, developer, or OEM, so I hope this gets sorted out sooner rather than later. Qualcomm’s commitments and blog posts about ensuring Linux is a first-tier platform are meaningless if the company can’t even get the GPU to work properly. These enablement problems should’ve been handled well before the devices entered circulation, so this is very disheartening to see. So, for now, hold off on X Elite laptops if you’re a Linux user.
UKIs can run on UEFI systems and simplify the distribution of small kernel images. For example, they simplify network booting with iPXE. UKIs make rootfs and kernels composable, making it possible to derive a rootfs for multiple kernel versions with one file for each pair. A Unified Kernel Image (UKI) is a combination of a UEFI boot stub program, a Linux kernel image, an initramfs, and further resources in a single UEFI PE file (device tree, cpu µcode, splash screen, secure boot sig/key, …). This file can either be directly invoked by the UEFI firmware or through a boot loader. ↫ Hugues If you’re still a bit unfamiliar with unified kernel images, this post contains a ton of detailed practical information. Unified kernel images might become a staple for forward-looking Linux distributions, and I know for a fact that my distribution of choice, Fedora, has been working on it for a while now. The goal is to eventually simplify the boot process as a whole, and make better, more optimal use of the advanced capabilities UEFI gives us over the old, limited, 1980s BIOS model. Like I said a few posts ago, I really don’t want to be using traditional bootloaders anymore. UEFI is explicitly designed to just boot operating systems on its own, and modern PCs just don’t need bootloaders anymore. They’re points of failure users shouldn’t be dealing with anymore in 2024, and I’m glad to see the Linux world is seriously moving towards negating the need for their existence.
Most people are familiar with GRUB, a powerful, flexible, fully-featured bootloader that is used on multiple architectures (x86_64, aarch64, ppc64le OpenFirmware). Although GRUB is quite versatile and capable, its features create complexity that is difficult to maintain, and that both duplicate and lag behind the Linux kernel while also creating numerous security holes. On the other hand, the Linux kernel, which has a large developer base, benefits from fast feature development, quick responses to vulnerabilities and greater overall scrutiny. We (Red Hat boot loader engineering) will present our solution to this problem, which is to use the Linux kernel as its own bootloader. Loaded by the EFI stub on UEFI, and packed into a unified kernel image (UKI), the kernel, initramfs, and kernel command line, contain everything they need to reach the final boot target. All necessary drivers, filesystem support, and networking are already built in and code duplication is avoided. ↫ Marta Lewandowska I’m not a fan of GRUB. It’s too much of a single point of failure, and since I’m not going to be dual-booting anything anyway I’d much rather use something that isn’t as complex as GRUB. Systemd-boot is an option, but switching over from GRUB to systemd-boot, while possible on my distribution of choice, Fedora, is not officially supported and there’s no guarantee it will keep working from one release to the next. The proposed solution here seems like another option, and it may even be a better option – I’ll leave that to the experts to discuss. It seems like to me that the ideal we should be striving for is to have booting the operating system become the sole responsibility of the EUFI firmware, which usually already contains the ability to load any operating system that supports UEFI without explicitly installing a bootloader. It’d be great if you could set your UEFI firmware to just always load its boot menu, instead of hiding it behind a function key or whatever. We made UEFI more capable to address the various problems and limitations inherent in BIOS. Why are we still forcing UEFI to pretend it still has the same limitations?
On the brink of insanity, my tattered mind unable to comprehend the twisted interplay of millennia of arcane programmer-time and the ragged screech of madness, I reached into the Mass and steeled myself to the ground lest I be pulled in, and found my magnum opus. Booting Linux off of a Google Drive root. ↫ Ersei That’s not… You shouldn’t… Why would…
The openSUSE project recently announced the second release candidate (RC2) of its Aeon Desktop, formerly known as MicroOS Desktop GNOME. Aside from the new coat of naming paint, Aeon breaks ground in a few other ways by dabbling with technologies not found in other openSUSE releases. The goal for Aeon is to provide automated system updates using snapshots that can be applied atomically, removing the burden of system maintenance for “lazy developers” who want to focus on their work rather than desktop administration. System-tinkerers need not apply. The idea behind Aeon, as with other immutable (or image-based) Linux distributions, is to provide the core of the distribution as a read-only image or filesystem that is updated atomically and can be rolled back if needed. Google’s ChromeOS was the first popular Linux-based desktop operating system to follow this model. Since the release of ChromeOS a number of interesting immutable implementations have cropped up, such as Fedora Silverblue, Project Bluefin (covered here in December 2023), openSUSE’s MicroOS (covered here in March 2023), and Ubuntu Core. ↫ Joe Brockmeier at LWN With the amount of attention immutable Linux desktops are getting, and how much work and experimentation that’s going into them, I’m getting the feeling that sooner or later all of the major, popular desktop Linux distributions will be going this route. Depending on implementation details, I actually like the concept of a defined base system that’s just an image that can be replaced easily using btrfs snapshots or something like that, while all the user’s files and customisations are kept elsewhere. It makes intuitive sense. Where the current crop of immutable Linux desktops fall flat for me is their reliance on (usually) Flatpak. You know how there’s people who hate systemd and/or Wayland just a little too much, to the point it gets a little weird and worrying? That’s me whenever I have to deal with Flatpaks. Every experience I have with Flatpaks is riddled with trouble for me. Even though I’m a KDE user, I’m currently testing out the latest GNOME release on my workstation (the one that I used to conclude Windows is simply not ready for the desktop), using Fedora of course, and on GNOME I use the Mastodon application Tuba. While I mostly write in English, I do occasionally write in Dutch, too, and would love for the spell check feature to work in my native tongue, too, instead of just in English. However, despite having all possible Dutch dictionaries installed – hunspell, aspell – and despite those dictionaries being picked up everywhere else in GNOME, Tuba only showed me a long list of variants of English. After digging around to find out why this was happening, it took me far longer than I care to publicly admit to realise that since the latest version of Tuba is only really available as a Flatpak on Fedora, my problem probably had something to do with that – and it turns out I was right: Flatpak applications do not use the system-wide installed spellcheck dictionaries like normal applications do. This eventually led me to this article by Daniel Aleksandersen, where he details what you need to do in order to add spellcheck dictionaries to Flatpak applications. You need to run the following commands: The list of languages uses two-letter codes only, and the first language listed will serve as the display language for Flatpak applications, while the rest will be fallback languages – which happens to include downloading and installing the Flatpak-specific copies of the spellcheck libraries. Sadly, this method is not particularly granular. Since it only accepts the two-letter codes, you can’t, say, only install “nl-nl”; you’ll be getting “nl-be” as well. In the case of a widely spoken language like English, this means a massive list of 18 different varieties of English. The resulting menus are… Not elegant. This is just an example, but using Flatpak, you’ll run into all kinds of issues like this, that then have to be solved by hacks or obscure terminal commands – not exactly the user-friendly image Flatpak is trying to convey to the world. This particular issue might not matter to the probably overwhelming English-speaking majority of Flatpak developers, but for anyone who has to deal with multiple languages on a daily basis – which is a massive number of people, probably well over 50% of computer users – having to mess around with obscure terminal commands hidden in blog posts just to be able to use the languages they use every day is terrible design on a multitude of levels, and will outright make Flatpak applications unusable for large numbers of people. Whenever I run into these Flatpak problems, it makes it clear to me that Flatpak is designed not by users, for users – but by developers, for developers. I can totally understand and see why Flatpak is appealing to developers, but as a user, they bring me nothing but grief, issues, and weird bugs that all seem to stem from being made to make developers’ lives easier, instead of users’. If immutable Linux distributions are really hellbent on using Flatpak as the the means of application installation – and it seams like they are – it will mean a massive regression in functionality, usability, and discoverability for users, and as long as Flatpak remains as broken and badly designed as it is, I really see no reason to recommend an immutable Linux desktop to anyone but the really curious among us.
There’s really a Linux distribution for everyone, it seems. EasyOS sounds like it’s going to be some Debian derivative with a theme or something, but it’s truly something different – in fact, it has such a unique philosophy and approach to everything I barely know where to even start. Everything in EasyOS runs in containers, in the distribution’s own custom container format, even entire desktop environments, and containers are configured entirely graphically. EasyOS runs every application in RAM, making it insanely fast, and you can save the contents of RAM to disk whenever you want. You can also choose a special boot option where the entire session is only loaded in RAM, with disk access entirely disabled, for maximum security. Now things are going to get weird. In EasyOS, you always run as root, which may seem like a stupid thing to do, and I’m sure some people will find this offputting. The idea, however, is you run every application as its own user (e.g. Firefox runs as the “firefox” user), entirely isolated from every other user, or in containers with further constraints applied. I honestly kind of like this approach. If these first few details of what EasyOS is going for tickles your fancy, I really urge you to read the rest of their detailed explanation of what, exactly, EasyOS is going for. It’s an opinionated distribution, for sure, but it’s opinionated in a way where they’re clearly putting a lot of thought into the decisions they make. I’m definitely feeling the pull to give it a try and see if it’s something for me.
Sometimes you come across a story that’s equally weird and delightful, and this is definitely one of them. Oleksandr Natalenko posted a link on Mastodon to a curious email sent to the Linux Kernel Mailing List, which apparently gets sent to the LKML every single year. The message is very straightforward. Is it possible to write a kernel module which, when loaded, will blow the PC speaker? ↫ R.F. Burns on the LKML Since this gets sent every year, it’s most likely some automated thing that’s more of a joke than a real request at this point. However, originally, there was a real historical reason behind the inquiry, as Schlemihl Schalmeier on Mastodon points out. They link to the original rationale behind the request, posted to the LKML after the request was first made, all the way back in 2007. At the time, the author was helping a small school system manage a number of Linux workstations, and the students there were abusing the sound cards on those workstations for shenanigans. They addressed this by only allowing users with root privileges access to the sound devices. However, kids are smart, and they started abusing the PC speaker instead, and even unloading the PC speaker kernel module didn’t help because the kids found ways to abuse the PC speaker outside of the operating system (the BIOS maybe? I have no idea). And so, the author notes, the school system wanted them to remove the PC speakers entirely, but this would be a very fiddly and time-consuming effort, since there were a lot of PCs, and of course, this would all have to be done on-site – unlike the earlier solutions which could all be done remotely. So, the idea was raised about seeing if there was a way to blow the PC speaker by loading a kernel module. If so, a mass-deployment of a kernel module overnight would take care of the PC speaker problem once and for all. ↫ R.F. Burns on the LKML So, that’s the original story behind the request. It’s honestly kind of ingenious, and it made me wonder if the author got a useful reply on the LKML, and if such a kernel module was ever created. The original thread didn’t seem particularly conclusive to me, and the later yearly instances of the request don’t seem to yield much either. It seems unlikely to me this is possible at all. Regardless, this is a very weird bit of Linux kernel lore, and I’d love to know if there’s more going on. Various parts of the original rationale seem dubious to me, such as the handwavy thing about abusing the PC speaker outside of the operating system, and what does “abusing” the PC speaker even mean in the first place? As Natalenko notes, it seems there’s more to this story, and I’d love to find out what it is.
The extensible scheduler “sched_ext” code has proven quite versatile for opening up better Linux gaming performance, more quickly prototyping new scheduler changes, Ubuntu/Canonical has been evaluating it for pursuing a more micro-kernel like design, and many other interesting approaches with it. Yet it’s remained out of tree but that is now changing with the upcoming Linux 6.11 cycle. Linus Torvalds as the benevolent dictator for life “BDFL” of the Linux kernel announced he intends to merge the sched_ext patches for Linux 6.11 even though there has been some objections by other kernel developers. Torvalds feels the sched_ext code is ready enough and provides real value to the mainline Linux kernel. It’s not worth dragging out sched_ext continuing to be out-of-tree. ↫ Michael Larabel at Phoronix I haven’t felt the need to mess around with the Linux scheduler in a long, long time – I have some vague memories of perhaps well over a decade ago where opting for a different scheduler could lead to better desktop-focused performance characteristics, but the details in my brain are so fuzzy that it may just be a fabricated or confabulated memory.
Last night, I ran through the ZFSBootMenu documentation guide for Void and followed it both on a VM and then on an external SATA HDD plugged through a USB case, taking some notes and getting a general idea of the process. The Void installer does not support ZFS out of the box, so the Void Handbook itself recommends the ZFSBootMenu documentation before its own (a manual chroot installation) when it comes to doing a ZFS-on-root install. This guide from ZFSBootMenu is what we’ll be following throughout this post. ↫ Juno Takano There’s a ton of good stuff in this lengthy, detailed, and helpful blog post. First, it covers Void Linux, which is one of the best signifiers of good taste, classy style, and generally being a good person. Void is not necessarily underappreciated – it gets a lot of mentions in the right places – but I do feel there are a lot more people for whom Void Linux would be a perfect fit but who don’t yet know about it. So, time for a very short introduction. Void Linux is distribution with its own unique and very user-friendly package manager that’s an absolute joy to use. Unlike many other custom, more obscure package formats, the Void repositories are vast, generally some of the most up-to-date, and you’ll be hard-pressed to be asking for some piece of software that isn’t packaged. Void eschews systemd in favour of runit, and while I personally have no issues with systemd, diversity is always welcome and runit is, in line with everything else Void, easy to grasp and use. Lastly, while Void also comes in a GNU libc flavour, it feels like the “real” Void Linux is the one using musl. Second is a tool I had never heard of: ZFSBootMenu. The name is rather self-explanatory, but in slightly more detail: it’s a self-contained small Linux-based bootloader that detects any Linux kernels and initramfs images on ZFS file systems, which can then be launched using kexec. It makes running Linux on ZFS quite a bit easier, especially for systems that don’t over ZFS as an option during installation, like, in this case, Void Linux. And that’s what the linked post is actually about: setting up a root-on-ZFS Void EFI installation. It’s a great companion article for anyone trying something similar.
I’ve barely scratched the surface, but there’s enough here for me to seriously consider a switch to it as my primary Linux distro for testing and servers. I love that htop(1) and lsof(1) only shows a small list of recognisable processes, that it uses OpenRC, that package management seems straight forward, and that it’s so simple to configure. I’ve wondered what a modern, functional “Occam’s Linux” would look like. This is it. ↫ Ruben Schade Alpine is very popular among people inclined towards BSD, but who still want to run Linux as well – and it’s easy to see why when you try it out or read about it. This article is a good jumping-off point for those of you curious about Alpine.
systemd uses DBus as the mechanism to interact with it. This article introduces just enough DBus concepts and the usage of busctl to communicate with systemd. These concepts should be useful when using DBus libraries. ↫ Beartama Exactly what it says on the tin.
It’s a compelling story and on the surface makes a lot of sense. Carefully curated software patches applied to a known Linux kernel, frozen at a specific release, would obviously seem to be preferable to the random walk of an upstream open source Linux project. But is it true? Is there data to support this ? After a lot of hard work and data analysis by my CIQ kernel engineering colleagues Ronnie Sahlberg and Jonathan Maple, we finally have an answer to this question. It’s no. The data shows that “frozen” vendor Linux kernels, created by branching off a release point and then using a team of engineers to select specific patches to back-port to that branch, are buggier than the upstream “stable” Linux kernel created by Greg Kroah-Hartman. ↫ Jeremy Allison at CIQ I mean, it kind of makes sense. The full whitepaper is available, too.
With Qualcomm and Microsoft about to flood the market with devices using the new Snapdragon X Elite, those of us who don’t want to use Windows felt a bit uneasy – what’s Linux support going to look like for this new generation of ARM devices? Well, it seems Qualcomm’s been busy, and they’ve published a blog post detailing their work on Linux support for the X Elite. It’s been our priority not only to support Linux on our premium-tier SoCs, but to support it pronto. In fact, within one or two days of publicly announcing each generation of Snapdragon 8, we’ve posted the initial patchset for Linux kernel support. Snapdragon X Elite was no exception: we announced on October 23 of last year and posted the patchset the next day. That was the result of a lot of pre-announcement work to get everything up and running on Linux and Debian. ↫ Qualcomm’s developer blog In the blog post, the company details exactly which X Elite features have already been merged into mainline with Linux 6.8 and 6.9, as well as which features will be merged into mainline in Linux 6.10 and 6.11, and to be quite frank – it’s looking really solid, especially considering this is Qualcomm we’re talking about. Over the coming six months, they’re going to focus on getting end-to-end hardware video decoding working, including in Firefox and Chrome, as well as various CPU and GPU optimisations, adding the required firmware to the linux-firmware package, and providing access to easy installers. All in all, it’s looking like the X Elite will be exceptionally well supported by Linux before the year’s over. The blog post also details the boot path for Linux on the X Elite, and that, too, is looking good. It’s using a standard UEFI boot process, and supports GRUB and systemd-boot out of the box. Linux boots up using devicetrees, though, and apparently, there’s a known problem with using those that Qualcomm and the community are working on. We’re working closely with upstream communities on an open problem with the UEFI-based BIOS while booting with devicetrees. The problem is that, when you have more than one devicetree blob (DTB) packed into the firmware package flashed on the device, there is no standard way of selecting a devicetree to pass on to the kernel. OEMs commonly put multiple DTBs into the firmware package so it will support devices with slightly different SKUs, so we’re keen to solve this problem. ↫ Qualcomm’s developer blog I am pleasantly surprised by the openness and straightforwardness Qualcomm is showing the Linux community here, and I really hope this is a sign of how the company will keep supporting its laptop and possibly desktop-oriented SoCs from here on out. It seems like next year we will finally be getting competitive ARM laptops that can run Linux in a fully supported fashion.
In addition to Linux 6.10 expected to drop support for very old DEC Alpha processors (EV5 and earlier), it looks like the PowerPC 40x (early PowerPC 400 series) processor and platform support will be retired too. Back in 2020 was a proposal for dropping PowerPC 40x support from the Linux kernel given that the code was orphaned for a long time with no apparent users. The PowerPC 40x processors were found in thin clients, set-top boxes, and other devices during the 90’s. Finally now it looks like that the PowerPC 40x removal is set to happen. ↫ Michael Larabel Spring cleaning in the hardware support department. I wonder what has more users – Windows on ARM, or Linux on PowerPC 40x.
Lennart Poettering, main developer of systemd, has announced run0, a systemd-based replacement for the well-known sudo command that fixes many of he inherent issues with the widely used tool to gain temporary elevated privileges. There are various problems with sudo, which basically come down to that it’s a large SUID binary, meaning it consists of privileged code that unprivileged users can run from their own context. This makes sudo a fairly large attack surface, and why OpenBSD uses doas instead; while doas suffers from the same main problem, it’s much smaller and reduces the attack surface considerably. SUID processes are weird concepts: they are invoked by unprivileged code and inherit the execution context intended and controlled by unprivileged code. By execution context I mean the myriad of properties that a process has on Linux these days, from environment variables, process scheduling properties, cgroup assignments, security contexts, file descriptors passed, and so on and so on. A few of these settings the kernel is nice enough to clean up automatically when a SUID binary is invoked, but much of it has to be cleaned up by the invoked suid binary. This has to be done very very carefully, and history has shown that SUID binaries are generally pretty shit at that. ↫ Lennart Poettering Poettering wants to address this problem, and has come up with run0, which behaves like sudo, but works entirely differently and is not SUID. Run0 asks the services manager to create a shell or command under the target user’s ID, creating a new PTY, sending data back and forth from the originating TTY and the new PTY. Or in other words: the target command is invoked in an isolated exec context, freshly forked off PID 1, without inheriting any context from the client (well, admittedly, we *do* propagate $TERM, but that’s an explicit exception, i.e. allowlist rather than denylist). One could say, “run0” is closer to behaviour of “ssh” than to “sudo”, in many ways. Except that it doesn’t bother with encryption or cryptographic authentication, key management and stuff, but instead relies on the kernel’s local identification mechanisms. run0 doesn’t implement a configuration language of its own btw (i.e. no equivalent of /etc/sudoers). Instead, it just uses polkit for that, i.e. how we these days usually let unpriv local clients authenticate against priv servers. ↫ Lennart Poettering This approach addresses a whole slew of attack vectors on sudo, and it comes with fun additional features like being able to give your terminal a different background tint when using it, or displaying a little red dot in the terminal window title to further indicate you’re using elevated privileges. It will ship as part of the upcoming release of systemd 256.
In February last year I wrote about running a FreeBSD desktop, and concluded that sometimes you need to give yourself permission to tinker. Well recently I’ve started tinkering with Alpine Linux! It’s been recommended to me for years, so I’m finally getting around to checking it out. There’s a lot to like if you come from BSD, which we’ll dig into here. ↫ Ruben Schade Just a quick look at this unexpectedly popular Linux distribution that really has its own identity.
Lunatik is a framework for scripting the Linux kernel with Lua. It is composed by the Lua interpreter modified to run in the kernel; a device driver (written in Lua =)) and a command line tool to load and run scripts and manage runtime environments from the user space; a C API to load and run scripts and manage runtime environments from the kernel; and Lua APIs for binding kernel facilities to Lua scripts. ↫ Lunatik GitHub page I’m not knowledgeable enough to understand what this might be used for, but I figured y’all would be interested in this.
Linus Torvalds really doesn’t like spaces – as in, tabs vs. spaces – and got a little annoyed that a commit removed a hidden tab because it “apparently showed breakage in some third-party kernel config parsing tool”. So, Torvalds decided to add some hidden tabs to trigger breakages like this, and is threatening to add more hidden tabs if necessary. It wasn’t clear what tool it was, but let’s make sure it gets fixed. Because if you can’t parse tabs as whitespace, you should not be parsing the kernel Kconfig files. In fact, let’s make such breakage more obvious than some esoteric ftrace record size option. If you can’t parse tabs, you can’t have page sizes. ↫ Linus Torvalds I’m not a programmer so I’m not going to wade into this debate – I have a personal Mastodon account to state it’s obviously tabs – but I did note that it seems like, at least in this commit message, Torvalds uses a double space after a period. Which is objectively the worst thing, right before Fahrenheit.
GestureX enables you to control your Linux PC using hand gestures. You can assign specific commands or functionalities to different hand gestures, allowing for hands-free interaction with your computer. ↫ GestureX GitHub page I personally see no use for any of this, but I’m sure there are some interesting accessibility uses for technology like this, which in and of itself make it a worthwhile endeavour to work on. Do note, though, that this is all beta, so there’s bound to be issues.
