tinyclub/tinylab.org

泰晓资讯 12月 / 第 2 期 / 2019 —— 资讯收集

Closed this issue · 7 comments

LWN.net Weekly Edition for November 21, 2019

LSM stacking and the future
https://lwn.net/Articles/804906/

The idea of stacking (or chaining) Linux security modules (LSMs) goes back 15 years (at least) at this point; progress has definitely been made along the way, especially in the last decade or so. It has been possible to stack "minor" LSMs with one major LSM (e.g. SELinux, Smack, or AppArmor) for some time, but mixing, say, SELinux and AppArmor in the same system has not been possible. Combining major security solutions may not seem like a truly important feature, but there is a use case where it is pretty clearly needed: containers. Longtime LSM stacker (and Smack maintainer) Casey Schaufler gave a presentation at the 2019 Linux Security Summit Europe to report on the status and plans for allowing arbitrary LSM stacking.

引入堆叠(Stacking)或称之为串联(Chaining)Linux 安全模块(Linux security modules,简称 LSM)的想法至少可以往前追溯到 15 年前。 LSM 机制用于为现有内核扩展安全策略限制。但早期的内核在挂载(注册)LSM 时,相关 LSM Hook Function 被保存在内核内存的一个全局数组 (security_ops) 中,这导致默认情况下,每个LSM 挂载点最多只能注册一个回调函数,也就是说 LSM 的挂载是 “排他性” 的。在这个问题上社区已经取得了一定的进展,尤其是在过去的十年左右的时间里。 一段时间以来,现在已经可以支持将一些 “小的、次要的” LSM 与一个 “大的、主要的” LSM(例如SELinux,Smack 或 AppArmor)堆叠在一起,但是在同一系统中不能同时使用譬如 SELinux 和 AppArmor 这样的大 LSM。 过去依赖,同时启用这些大 LSM 似乎并不是个很急迫的需求,但随着 “容器” 技术的愈发普及,对这个需求变得愈加明显起来。 譬如:数据中心使用的 Ubuntu(带有AppArmor)中,有用户可能需要在其之上运行一个 Android 容器(而 Android 需要使用 SELinux)。Casey Schaufler 长期致力于 LSM 堆叠功能支持(他本人也是 Smack 模块的维护者) ,他在 2019 年欧洲 Linux 安全峰会上作了相关演讲,报告了 LSM 堆叠支持的现状和未来的发展计划,看上去 5.5 版本很有可能去掉对 AppArmor 排他性的限制,而对所有其他模块(譬如 Smack 和 SELinux)的去除排他性的支持估计要到 5.8 甚至更后了。

Enhancing KVM for guest protection and security
https://lwn.net/Articles/805114/

A key tenet in KVM is to reuse as much Linux infrastructure as possible and focus specifically on processor virtualization. Back in 2007, this meant a smaller code base and less friction with the other kernel subsystems, especially when compared with other virtualization technologies such as Xen. This led to KVM being merged into the mainline with relative ease. But now, in the era of microarchitectural vulnerabilities, the priorities have shifted, and the KVM's reliance on other kernel subsystems can be a liability. For one thing, the host kernel widens the TCB (Trusted Computing Base) and makes for a larger attack surface. In addition, kernel data structures such as the direct memory map give Linux access to guest memory even when it is not strictly necessary and make it impossible to fully enforce the principle of least privilege. In his talk "Enhancing KVM for Guest Protection and Security" (slides [PDF]) presented at KVM Forum 2019, long-time KVM contributor Jun Nakajima explained this risk and suggested some strategies to mitigate it.

KVM 所秉持的一个主要原则,就是希望能尽量重用 Linux 的基础子系统,这样自己可以着重关注处理器的虚拟化。在 KVM 提出的那个年代(2007 年左右),这个原则意味着代码改动更小,也不会过于分散在内核的各个子系统里面,这一点上相比于 Xen 这样的其他虚拟化技术是个明显优势。正是因为这个原因,KVM 相对比较轻松地就被合入了内核主线。但时间进入 2019 年,现在大家更加关注的是微架构漏洞(microarchitectural vulnerabilities)问题,这意味着 KVM 对其他内核子系统的依赖变成了一个缺点。比如说,host 的内核扩展了 TCB(Trusted Computing Base),这会导致其受攻击面增大。再比如内核的一些数据结构设计,像 direct memory map 会允许Linux 能访问到 guest 系统里面的memory,而这其实根本没有必要,并且也违反了最小化权限的原则。在KVM Forum 2019会议上,长期致力于 KVM 开发的程序员 Jun Nakajima 在自己的主题演讲 “改善 KVM 对 guest 系统的保护和安全” 中解释了这方面的风险,并提出了一些改进策略。

LWN: arm64架构上最新的安全机制!
https://lwn.net/Articles/804982/

The arm64 architecture is found at the core of many, if not most, mobile devices; that means that arm64 devices are destined to be the target of attackers worldwide. That has led to a high level of interest in technologies that can harden these systems. There are currently several such technologies, based in both hardware and software, that are being readied for the arm64 kernel; read on for a survey on what is coming.

arm64 架构是目前市面上绝大多数移动设备中采用的处理器架构,这也意味着 arm64 设备会成为全球范围内攻击者关注的首要目标。因此,大家越来越关注于一些对 arm64 系统进行加固(harden)的技术。目前已经有几种技术可以实现了,都是基于软硬件结合的方式,可供 arm64 kernel 合入了。譬如 E0PD、Return-address signing、Shadow call stacks 和 Branch target identification,感兴趣的同学可以阅读原文了解一下。

LWN: 如何更好地支持在内存中存放秘密信息?
https://lwn.net/Articles/804658/

One of the many responsibilities of the operating system is to help processes keep secrets from each other. Operating systems often fail in this regard, sometimes due to factors — such as hardware bugs and user-space vulnerabilities — that are beyond their direct control. It is thus unsurprising that there is an increasing level of interest in ways to improve the ability to keep data secret, perhaps even from the operating system itself. The MAP_EXCLUSIVE patch set from Mike Rapoport is one example of the work that is being done in this area; it also shows that the development community has not yet really begun to figure out how this type of feature should work.

操作系统的众多职责之一,就是隔离进程。不过有时候操作系统在这方面做的并不好,原因有很多,譬如硬件上的 bug,或者是 user-space 引入的漏洞等,这些都不是操作系统自身能够直接把控的。因此,越来越多的人都在想办法改善数据的安全性,甚至有时候希望对于某些数据连内核本身都不能越权访问。Mike Rapoport 提出的 MAP_EXCLUSIVE patch set 就是一个例子,他为 mmap() 系统调用新增了一个 flag:MAP_EXCLUSIVE,一旦启用该选项,则映射出来的内存区域只允许调用者进程访问,绝不允许其他任何人访问,连内核也不行。这个 patch 是目前内核对内存管理子系统进行地址空间隔离改造工作的一部分。社区对这个补丁展开了充分的讨论,但到目前为止,讨论只达成了一个真正有效的结论,即:确实有需求让系统中的某块内存具有更高的保密性,不过社区还不清楚究竟应该如何实现这个需求,以及怎样让用户来使用。这也意味着该补丁不会很快被纳入内核主线。接口的设计需要谨慎,这事急不得,关键是要确保事情的正确性。

Microsoft Teams for Linux 正式发布
https://techcommunity.microsoft.com/t5/Microsoft-Teams-Blog/Microsoft-Teams-is-now-available-on-Linux/ba-p/1056267

Starting today, Microsoft Teams is available for Linux users in public preview, enabling high quality collaboration experiences for the open source community at work and in educational institutions. Users can download the native Linux packages in .deb and .rpm formats here. We are constantly improving based on community feedback, so please download and submit feedback based on your experience.
The Microsoft Teams client is the first Microsoft 365 app that is coming to Linux desktops, and will support all of Teams’ core capabilities. Teams is the hub for teamwork that brings together chat, video meetings, calling, and collaboration on Office 365 documents and business processes within a single, integrated experience.

从双十二开始,Microsoft Teams 已经可供 Linux 用户公开预览,从而为开源社区的工作和教育机构提供高质量的协作体验。 用户可以下载 .deb 和 .rpm 格式的本地 Linux 软件包进行安装。Microsoft Teams 客户端是 Linux 桌面上第一个 Microsoft 365 应用程序,它将支持 Teams 的所有核心功能。 Teams 是团队合作的枢纽,可将 Office 365 文档和业务流程中的聊天,视频会议,呼叫和协作汇集在一起,并提供统一的集成体验。

https://www.qt.io/blog/qt-for-mcus-1.0

Qt for MCUs 1.0正式发布

Qt for MCUs enables creation of fluid graphical user interfaces (GUI) with a low memory footprint on displays powered by microcontrollers (MCU). It is a complete graphics toolkit with everything needed to design, develop, and deploy GUIs on MCUs. It enables a unified technology approach for an entire product line to create a consistent and branded end user experience. Watch the Qt for MCUs video showcasing different use cases.

适用于MCU 的 Qt 可在由微控制器(MCU)供电的显示器上创建具有低内存占用量的图形用户界面(GUI)。它是一个完整的图形工具包,其中包含在 MCU上设计,开发和部署 GUI 所需的一切。它为整个产品线提供了统一的技术方法,以创建一致的品牌最终用户体验。
来自日本,欧洲和美国的一些主要客户已经采用该产品开始开发其下一代产品。此版本已在 NXP,瑞萨电子和意法半导体的微控制器上进行了测试。该软件版本默认支持NXP i.MX RT1050 和 STM32F769i平台。也可将其他几个 NXP 和 STM32 微控制器以及 瑞萨 RH850 微控制器的平台以独立的平台软件包方式提供。

适用于 MCU 的 Qt 带有新的 QML 渲染引擎 Qt Quick Ultralite(QUL),该引擎可通过即将推出的 Qt 5.14 极大地提高工程部署能力。QUL 允许应用程序在裸机或实时操作系统上以及 MCU 的内部存储器中运行。

https://cntechpost.com/2019/12/10/github-eyes-to-open-branch-in-china/

GitHub, the world's largest software development platform, plans to open a branch in China, according to Financial Times.
GitHub, hosting and managing software development for private companies, was acquired by Microsoft for $7.5 billion last year. It is the world's largest open source software project, and anyone can participate.
Erica Brescia, GitHub ’s chief operating officer said that the company plans to enter China in stages, first considering setting up a wholly foreign-owned subsidiary in China and recruiting employees from the general manager level.
After that, the company may explore the possibility of joint ventures and hosting GitHub content in China, Erica said.

据英国《金融时报》报道,全球最大的软件开发平台 GitHub 计划在**开设分支机构。为个人和公司代理代码托管和管理的 GitHub 于去年被微软以 75 亿美元的价格收购。 它是世界上最大的开源软件项目,任何人都可以参与。GitHub 的首席运营官 Erica Brescia 表示,该公司计划分阶段进入**,首先考虑在**设立一家外资独资子公司,并从总经理级别招聘员工。此后,Erica表示,该公司可能会探讨在**合资和托管 GitHub 内容的可能性。