As part of the continuing work to replace 1-element arrays in the Linux kernel, it’s very handy to show that a source change has had no executable code difference. For example, if you started w...
https://outflux.net/blog/archives/2022/06/24/finding-binary-differences/
Previously: v5.9 Linux v5.10 was released in December, 2020. Here’s my summary of various security things that I found interesting: AMD SEV-ES While guest VM memory encryption with AMD SEV has ...
https://outflux.net/blog/archives/2022/04/04/security-things-in-linux-v5-10/
Previously: v5.8 Linux v5.9 was released in October, 2020. Here’s my summary of various security things that I found interesting: seccomp user_notif file descriptor injection Sargun Dhillon add...
https://outflux.net/blog/archives/2021/04/05/security-things-in-linux-v5-9/
Previously: v5.7 Linux v5.8 was released in August, 2020. Here’s my summary of various security things that caught my attention: arm64 Branch Target Identification Dave Martin added support for...
https://outflux.net/blog/archives/2021/02/08/security-things-in-linux-v5-8/
I frequently see a pattern in image build/refresh scripts where a set of packages is installed, and then all packages are updated: apt update apt install -y pkg1 pkg2 pkg2 apt dist-upgrade -y Whi...
https://outflux.net/blog/archives/2020/10/30/combining-apt-install-and-get-dist-upgrade/
Previously: v5.6 Linux v5.7 was released at the end of May. Here’s my summary of various security things that caught my attention: arm64 kernel pointer authentication While the ARMv8.3 CPU “P...
https://outflux.net/blog/archives/2020/09/21/security-things-in-linux-v5-7/
Previously: v5.5. Linux v5.6 was released back in March. Here’s my quick summary of various features that caught my attention: WireGuard The widely used WireGuard VPN has been out-of-tree for a...
https://outflux.net/blog/archives/2020/09/02/security-things-in-linux-v5-6/
Previously: v5.4. I got a bit behind on this blog post series! Let’s get caught up. Here are a bunch of security things I found interesting in the Linux kernel v5.5 release: restrict perf_event...
https://outflux.net/blog/archives/2020/05/27/security-things-in-linux-v5-5/
Previously: v5.3. Linux kernel v5.4 was released in late November. The holidays got the best of me, but better late than never! ;) Here are some security-related things I found interesting: waiti...
https://outflux.net/blog/archives/2020/02/18/security-things-in-linux-v5-4/
While much of the work on kernel Control Flow Integrity (CFI) is focused on arm64 (since kernel CFI is available on Android), a significant portion is in the core kernel itself (and especially th...
https://outflux.net/blog/archives/2019/11/20/experimenting-with-clang-cfi-on-upstream-linux/
Previously: v5.2. Linux kernel v5.3 was released! I let this blog post get away from me, but it’s up now! :) Here are some security-related things I found interesting: heap variable initializat...
https://outflux.net/blog/archives/2019/11/14/security-things-in-linux-v5-3/
Previously: v5.1. Linux kernel v5.2 was released last week! Here are some security-related things I found interesting: page allocator freelist randomization While the SLUB and SLAB allocator free...
https://outflux.net/blog/archives/2019/07/17/security-things-in-linux-v5-2/
Forever ago I set up tooling to generate graphs representing the adoption of various hardening features in Ubuntu packaging. These were very interesting in 2006 when stack protector was making it...
https://outflux.net/blog/archives/2019/06/27/package-hardening-asymptote/
Previously: v5.0. Linux kernel v5.1 has been released! Here are some security-related things that stood out to me: introduction of pidfd Christian Brauner landed the first portion of his work to ...
https://outflux.net/blog/archives/2019/05/27/security-things-in-linux-v5-1/
Previously: v4.20. Linux kernel v5.0 was released last week! Looking through the changes, here are some security-related things I found interesting: read-only linear mapping, arm64 While x86 has ...
https://outflux.net/blog/archives/2019/03/12/security-things-in-linux-v5-0/
Previously: v4.19. Linux kernel v4.20 has been released today! Looking through the changes, here are some security-related things I found interesting: stackleak plugin Alexander Popov’s work to...
https://outflux.net/blog/archives/2018/12/24/security-things-in-linux-v4-20/
Previously: v4.18. Linux kernel v4.19 was released today. Here are some security-related things I found interesting: L1 Terminal Fault (L1TF) While it seems like ages ago, the fixes for L1TF actu...
https://outflux.net/blog/archives/2018/10/22/security-things-in-linux-v4-19/
Previously: v4.17. Linux kernel v4.18 was released last week. Here are details on some of the security things I found interesting: allocation overflow detection helpers One of the many ways C can...
https://outflux.net/blog/archives/2018/08/20/security-things-in-linux-v4-18/
Previously: v4.16. Linux kernel v4.17 was released last week, and here are some of the security things I think are interesting: Jailhouse hypervisor Jan Kiszka landed Jailhouse hypervisor support...
https://outflux.net/blog/archives/2018/06/14/security-things-in-linux-v4-17/
I spent some time yesterday building out a UEFI server that didn’t have on-board hardware RAID for its system drives. In these situations, I always use Linux’s md RAID1 for the root filesyste...
https://outflux.net/blog/archives/2018/04/19/uefi-booting-and-raid1/
Previously: v4.15. Linux kernel v4.16 was released last week. I really should write these posts in advance, otherwise I get distracted by the merge window. Regardless, here are some of the se...
https://outflux.net/blog/archives/2018/04/12/security-things-in-linux-v4-16/
Previously: v4.14. Linux kernel v4.15 was released last week, and there’s a bunch of security things I think are interesting: Kernel Page Table Isolation PTI has already gotten plenty of report...
https://outflux.net/blog/archives/2018/02/05/security-things-in-linux-v4-15/
A nice additional benefit of the recent Kernel Page Table Isolation (CONFIG_PAGE_TABLE_ISOLATION) patches (to defend against CVE-2017-5754, the speculative execution “rogue data cache load” ...
https://outflux.net/blog/archives/2018/01/04/smep-emulation-in-pti/
Previously: v4.13. Linux kernel v4.14 was released this last Sunday, and there’s a bunch of security things I think are interesting: vmapped kernel stack on arm64 Similar to the same feature on...
https://outflux.net/blog/archives/2017/11/14/security-things-in-linux-v4-14/
Previously: v4.12. Here’s a short summary of some of interesting security things in Sunday’s v4.13 release of the Linux kernel: security documentation ReSTification The kernel has been switch...
https://outflux.net/blog/archives/2017/09/05/security-things-in-linux-v4-13/
I got myself stuck yesterday with GRUB running from an ext4 /boot/grub, but with /boot inside my LUKS LVM root partition, which meant GRUB couldn’t load the initramfs and kernel. Luckily, it tu...
Previously: v4.11. Here’s a quick summary of some of the interesting security things in last week’s v4.12 release of the Linux kernel: x86 read-only and fixed-location GDT With kernel memory ...
https://outflux.net/blog/archives/2017/07/10/security-things-in-linux-v4-12/
Previously: v4.10. Here’s a quick summary of some of the interesting security things in this week’s v4.11 release of the Linux kernel: refcount_t infrastructure Building on the efforts of Ele...
https://outflux.net/blog/archives/2017/05/02/security-things-in-linux-v4-11/
Previously: v4.9. Here’s a quick summary of some of the interesting security things in last week’s v4.10 release of the Linux kernel: PAN emulation on arm64 Catalin Marinas introduced ARM64_S...
https://outflux.net/blog/archives/2017/02/27/security-things-in-linux-v4-10/
Previously: v4.8. Here are a bunch of security things I’m excited about in the newly released Linux v4.9: Latent Entropy GCC plugin Building on her earlier work to bring GCC plugin support to t...
https://outflux.net/blog/archives/2016/12/12/security-things-in-linux-v4-9/