Zack's Kernel News
Community Notebook: Kernel News

Chronicler Zack Brown reports on the latest news, views, dilemmas, and developments within the Linux kernel community.

By Zack Brown

JANUARY 2013, ISSUE 146, LINUX-MAGAZINE.COM | LINUXPROMAGAZINE.COM

ZACK BROWN
The Linux kernel mailing list comprises the core of Linux development activities. Traffic volumes are immense, often reaching 10,000 messages in a week, and keeping up to date with the entire scope of development is a virtually impossible task for one person. One of the few brave souls to take on this task is Zack Brown.

Simple Flash Filesystem

Dan Luedtke recently announced LanyFS – a filesystem to use with any drive you might carry on a lanyard or keychain – essentially, small flash drives. The goal was to make the filesystem so simple that it would work easily on any operating system. In this case, the lack of features was itself a feature.

Richard Weinberger and Marco Stornelli didn’t see the point of such minimalism. To them, it just seemed like reinventing the wheel, because other filesystems already existed with a larger set of features. And, Alan Cox gave a link to an interesting article at http://lwn.net/Articles/428584/ that discussed the ins and outs of trying to code a flash-oriented filesystem.

Dan pointed out that the filesystem’s website, at http://nonattached.net/lanyfs/, didn’t have complete explanations because the project was part of his Master’s thesis, and he wasn’t sure how much information he was allowed to publish before submitting the work to his professors.

But, he did say that he hoped the filesystem’s minimalism would work well with Arduino projects or other small embedded systems that only wanted to read or play files. The Arduino platform had been a particular motivation for him when his Arduino project ran into trouble with FAT32 files that grew too big for that filesystem. Another motivation had been to interoperate with as many other types of filesystems as possible, without worrying too much about ownership information and other metadata.

There was much skepticism. Marco pointed out that FAT32 was really the standard for the kind of use-case Dan was trying to meet. The FAT32 file size limitation didn’t seem sufficient to justify a whole new minimalist filesystem.

But, some people did offer actual feedback about Dan’s code. Al Viro pointed out a significant security hole. Because LanyFS allowed infinite recursion, it would be trivial for an attacker to overflow the kernel stack, he said.

Al pointed out a few other technical issues and made an interesting comment at the end of his post about endianness. Apparently, Dan’s code flipped its byte endianness in place, instead of taking the more laborious route of having specific variables accept only values with specific endianness. Al recommended being extremely verbose and obvious about endianness issues in order to avoid annoying, difficult debugging issues further down the road.

Theodore Ts’o came back to the issue of whether LanyFS was needed at all. He said, “What I would do if I needed to transfer such a [6MB] file, and I didn’t have access to high speed networking, would be to use ext2, and then either use the ext2 FUSE driver with FUSE for Windows or Macintosh – or, I would port the userspace e2tools package to the target OS, and use that to access the ext2 file system. And I’d do that because the software is available today, right now, without having to figure out how to port LanyFS to the operating system.”

He added, “I also seriously question the niche of people who want to use a thumb drive to transfer >4GB files. Try it sometime and see what a painful user experience it is … .”

Dan did get some support though. Carlos Alberto Lopez Perez pointed out that Microsoft was currently pushing their exFAT filesystem as the preferred way to deal with Dan’s use-case. But, as Carlos pointed out, “The problem is that exFAT is full of patents and they require you to purchase a license for use.” He said LanyFS might be a great alternative to exFAT, especially because movie files were getting bigger and bigger and would eventually be too big for FAT32. However, Carlos supposed Microsoft would be reluctant to support LanyFS, as it was in competition with their exFAT new hotness.

Raymond Jennings also liked the idea of having an alternative to exFAT, given the patent entanglements that were likely to come up if anyone even thought about writing a Linux port. Alexander Thomas also thought that LanyFS would be a fine alternative to exFAT, and he didn’t think much of FAT32 as a filesystem either. However, he too acknowledged that it might be an uphill battle getting major vendors to adopt LanyFS.

The debate continued. At one point, Arnd Bergmann mentioned that he had been cooperating with a vendor to produce a flash filesystem that would be very simple and optimized for most flash media. But, he didn’t want to go into detail ahead of the vendor’s own announcement. So, at the very least, there is interest from various directions in a LanyFS-type filesystem.

UEFI Support

Matthew Garrett posted some patches to try to limit the root user’s ability to modify the kernel. The idea was to support the Unified Extensible Firmware Interface (UEFI). Ideally, the UEFI would prevent a signed operating system from being able to boot an unsigned operating system. This would give hardware and software vendors the ability to control and limit how their products could be used after purchase.

Alan Cox didn’t think it would be possible, at the kernel level, to prevent the root user from regaining control. He said, “an untrusted application can at GUI level fake a system crash, reboot cycle and phish any basic credentials such as passwords for the windows partition.”

Matthew thought that hostile software trying to phish credentials could be defeated by a Secure Attention Key (SAK). A SAK is a trusted key combination that initiates a known login process. If an untrusted application tried to make the user think the system had rebooted, the SAK would expose the subterfuge by invoking the kernel’s native login process, instead of the fake one presented by the hostile software. In response, Matthew’s suggestion was simply to implement SAK support in the Linux kernel.

Pavel Machek was dubious about that idea.

Don’t Make ABI Changes… Or Else

Linus Torvalds went on a tear over Application Binary Interface (ABI) changes. He really hates those things. In this particular case, Thomas Gleixner had posted what he thought was a simple fix, getting rid of a null pointer issue in the itimer code, but because the change would be to the ABI, Linus replied, “That’s not how ABIs work. If it has become something people rely on, it now *is* part of the ABI, and no amount of ‘violates the spec’ matters what-so-ever. ‘The spec’ is paper – and worthless. What people actually *do* is all that matters.”

Michael Kerrisk put his head in the lion’s mouth suggesting that, with enough lead time to prepare users, an ABI change should be OK. He added that if a change were to be made in this particular case, it should be to make Linux match up with other existing systems like FreeBSD and NetBSD. Linus replied:

“YOU SHOULD NOT MAKE ABI CHANGES.

I don’t understand why this seems to be so hard for people to understand. There are exactly *zero* reasons to change the ABI for its own sake, and this whole thread is a wonderful example of how F*CKING STUPID it was to even consider it. There are real and valid reasons to change the ABI, but for every single

And quite frankly, for all but the security case, even then we’re often better off at least having a compatibility layer for the old cases, even if it was bad and wrong (example: the very original linux ‘select()’ timeout behavior, where Linux did the documented thing, but nobody else did. Or the various versions of ‘stat()’ we’ve had. Or the inotify/dnotify/fsnotify things).

Occasionally some compat model may not be worth it (if the interface is too specialized and there really is just one or two system apps that use it), but that’s very very rare to the point where it shouldn’t even be considered an issue.

Quite frankly, our most common ABI change is that we don’t even realize that something changed. And then people may or may not notice it. And we’ve had cases where the same system call returned *different* things for different subsystems, and we tried to make it at least internally consistent.

But the ‘premeditated ABI change just for the reason of an ABI change’? It’s bullshit. And it’s bullshit whether it shows up in feature-removal or not. (The whole feature-removal file is BS, for that matter, but that’s a different issue).

SO STOP DOING ABI CHANGES. WE DON’T DO THEM.

The absolute worst thing a kernel can do is ‘change the user-level interfaces’. It has to be done occasionally (see above),
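
Al Viro's endianness advice in the Simple Flash Filesystem item, sketched as an added example that is neither LanyFS code nor code from the column. The header layout, `sample_image` and every function name below are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

/* A little-endian on-disk value gets its own type, so it cannot be used as a
 * CPU integer by accident: the compiler rejects arithmetic on the struct. */
typedef struct { uint8_t b[4]; } le32_t;

static uint32_t le32_to_cpu(le32_t v)
{
    return (uint32_t)v.b[0] | ((uint32_t)v.b[1] << 8) |
           ((uint32_t)v.b[2] << 16) | ((uint32_t)v.b[3] << 24);
}

static le32_t cpu_to_le32(uint32_t x)
{
    le32_t v = { { (uint8_t)x, (uint8_t)(x >> 8),
                   (uint8_t)(x >> 16), (uint8_t)(x >> 24) } };
    return v;
}

/* Hypothetical on-disk header; every field is declared little-endian. */
struct disk_hdr { le32_t magic; le32_t block_size; };

/* Constructed sample image: four magic bytes, then block size 4096 (0x1000). */
static const uint8_t sample_image[8] = { 'D', 'E', 'M', 'O', 0x00, 0x10, 0x00, 0x00 };

/* In-place pattern: swap a raw field where it sits. Nothing records whether
 * the field currently holds disk order or CPU order, so a second call
 * silently undoes the first. */
static void flip32_in_place(uint32_t *field)
{
    uint32_t x = *field;
    *field = (x >> 24) | ((x >> 8) & 0xff00u) |
             ((x << 8) & 0xff0000u) | (x << 24);
}

/* Typed pattern: the disk image is never modified; conversion happens once,
 * at the point of use, and yields a separate CPU-order value. */
static uint32_t hdr_block_size(const uint8_t *image)
{
    struct disk_hdr h;
    memcpy(&h, image, sizeof h);
    return le32_to_cpu(h.block_size);
}

int main(void) { return hdr_block_size(sample_image) == 4096 ? 0 : 1; }
```

In kernel code the same discipline is expressed with the `__le32` family of annotated types, which the sparse checker verifies.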