Solved Linux security issues

Solved issue
It is evolutionary. Each group may have their own specialized terminology.
That's called obfuscation and because it reduces transparency, it is bad for security.
additional posts appeared and provided links to descriptions of what "firmware" means in the Linux community
The issue isn't what the definition of firmware is, the issue is exactly what firmware are they modifying/updating?
James knows that his NSA and military security training should be applied appropriately in the context of the perceived threats, risks, etc. NSA-level security is not appropriate to protect the secrets in a 2nd grader's diary, for example.
I can tell that you have obviously never had a security clearance or training for it, and this thread is not about a 2nd grader's diary.
 


By the way, could the updates have come through Debian or AntiX rather than MX Linux? I still have more to learn in this area.
I have a fairly new (just a month or so) MX 21 Xfce install that had both MX and Debian repos enabled by default. I never changed any of that. I can't recall ever seeing any from antiX on an MX system.

I checked apt show linux-image-5.10.0-23-amd64 for my kernel and it came from Debian, whereas the same command for firmware-linux shows an MX repo as the source.
 
So what is firmware-linux and what does it actually do?
These are all the binary blobs that are needed to operate the hardware, usually located under /usr/lib/firmware. The drivers in the kernel are open source, but there are a lot of binary blobs that are not. So those binary blobs are packaged into one package called linux-firmware, since drivers still need binary blobs. For example, my wifi's firmware is loaded here.
Code:
[ 28.767688] iwlwifi 0000:00:14.3: loaded firmware version 46.ff18e32a.0 9000-pu-b0-jf-b0-46.ucode op_mode iwlmvm
[ 29.015948] Bluetooth: hci0: Found device firmware: intel/ibt-17-16-1.sfi

modinfo iwlwifi
filename: /lib/modules/6.3.8-200.fc38.x86_64/kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko.xz
license: GPL
description: Intel(R) Wireless WiFi driver for Linux
If you then locate where that firmware is located, you will see that it is located under that path I mentioned before.
Code:
locate 9000-pu-b0-jf-b0-46.ucode
/usr/lib/firmware/iwlwifi-9000-pu-b0-jf-b0-46.ucode.xz

locate ibt-17-16-1.sfi  
/usr/lib/firmware/intel/ibt-17-16-1.sfi.xz
So when you get an update for this package it will not flash your motherboard with a new firmware version. You will still need to do that manually by downloading it from your motherboard vendor's website, copying it to a USB flash drive, and then finally flashing it from the BIOS/UEFI in flash mode.

There is also the firmware for the actual hardware components (such as SSD, CPU, etc.), which can be updated through the command line using fwupdmgr if it is installed. However, not all hardware is supported and not all vendors are supported.

To get back to linux-firmware, if you check the information about that package.
Code:
Name            : linux-firmware
Epoch           : 0
Version         : 20230515
Release         : 150.fc38
Architecture    : noarch
Installed size  : 88.9 MiB
Source          : linux-firmware-20230515-150.fc38.src.rpm
From repository : updates
Summary         : Firmware files used by the Linux kernel
You see in the summary that those are firmware files used by the kernel; that's probably why the package is called linux-firmware. There are other packages with the name something-firmware, and those are placed under that same location. I actually have no idea why those aren't part of the linux-firmware package, but there is probably a reason behind it. My guess would be that they aren't actually part of the Linux kernel, so they put them in separate packages or something like that. Maybe someone else here knows, since I don't spend much of my time dealing with hardware? That's probably the reason
 
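The lookup walked through in the post above (kernel log line, then file under the firmware directory, then owning package), as an added example that is not part of the original thread. The function names and the FIRMWARE_ROOT variable are this example's own, the sample log lines are the two quoted in the post, and the package column assumes dpkg-query or rpm is installed.

```shell
#!/bin/sh
# Added example (not from the thread): which firmware did the kernel load,
# where is it on disk, and which package ships it?

# Constructed sample input: the two kernel log lines quoted in the post above.
SAMPLE_LOG='[ 28.767688] iwlwifi 0000:00:14.3: loaded firmware version 46.ff18e32a.0 9000-pu-b0-jf-b0-46.ucode op_mode iwlmvm
[ 29.015948] Bluetooth: hci0: Found device firmware: intel/ibt-17-16-1.sfi'

TAB=$(printf '\t')

# Read kernel log lines on stdin, print "driver<TAB>firmware-name" for the two
# message shapes shown in the post (other drivers word this differently).
extract_loaded_firmware() {
    awk '
        { i = index($0, "] ")                      # drop the "[ time] " prefix
          if (substr($0, 1, 1) == "[" && i > 0) $0 = substr($0, i + 2) }
        / loaded firmware version / {
            split($0, a, " loaded firmware version "); split(a[2], b, " ")
            print $1 "\t" b[2]; next }
        / Found device firmware: / {
            split($0, a, " Found device firmware: "); split(a[2], b, " ")
            drv = $1; sub(/:$/, "", drv); print drv "\t" b[1] }'
}

# Print files under ROOT ($1) whose path ends in NAME ($2), NAME.xz or NAME.zst.
# Suffix match on purpose: the log omits the "iwlwifi-" file prefix and
# distributions may compress the blobs. Returns 1 when nothing matches.
resolve_firmware() {
    rf_hits=$(find "$1" \( -type f -o -type l \) \
        \( -path "*$2" -o -path "*$2.xz" -o -path "*$2.zst" \) 2>/dev/null | sort)
    [ -n "$rf_hits" ] || return 1
    printf '%s\n' "$rf_hits"
}

# Print the package that owns the file $1, or nothing if no package manager
# on this system knows the file.
owning_package() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -S "$1" 2>/dev/null | head -n 1 | cut -d: -f1
    elif command -v rpm >/dev/null 2>&1; then
        op_pkg=$(rpm -qf --qf '%{NAME}\n' "$1" 2>/dev/null) && printf '%s\n' "$op_pkg"
    fi
    return 0
}

# usage: dmesg | firmware_report /lib/firmware
# Output columns: driver, firmware name, file on disk, owning package.
firmware_report() {
    extract_loaded_firmware | while IFS="$TAB" read -r fr_drv fr_name; do
        fr_path=$(resolve_firmware "$1" "$fr_name" | head -n 1)
        if [ -n "$fr_path" ]; then
            fr_pkg=$(owning_package "$fr_path")
            printf '%s\t%s\t%s\t%s\n' "$fr_drv" "$fr_name" "$fr_path" "${fr_pkg:-unknown}"
        else
            printf '%s\t%s\tNOT-FOUND\t-\n' "$fr_drv" "$fr_name"
        fi
    done
}

# Stand-alone run on the sample lines; pipe real `dmesg` output in instead to
# check the running system. /lib/firmware is the default because the dpkg
# database may list firmware under /lib rather than /usr/lib.
printf '%s\n' "$SAMPLE_LOG" | firmware_report "${FIRMWARE_ROOT:-/lib/firmware}"
```

A row with NOT-FOUND or an owning package of "unknown" marks a blob that did not come from a packaged, repository-signed source and is worth tracing by hand.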
So when you get an update for this package it will not flash your motherboard with a new firmware version. You will still need to do that manually by downloading it from your motherboard vendor's website, copying it to a USB flash drive, and then finally flashing it from the BIOS/UEFI in flash mode.
Thank you very much for that reply. It was enough info so that I could more easily find additional info. This is what I have found out so far...

From https://landley.net/code/firmware/old/
Firmware Linux is a bootable single file linux system, based on busybox and uClibc ... You can upgrade your entire OS (and any applications in the root filesystem) atomically, by downloading a new file and pointing your bootloader at it.
From https://lwn.net/Articles/748586/
Both the free-software and security communities have recently been focusing on the elements of our computers that run below the operating system. These proprietary firmware components are usually difficult or impossible to extend and it has long been suspected (and proven in several cases) that there are significant security concerns with them. The LinuxBoot Project is working to replace this complex, proprietary, and largely unknown firmware with a Linux kernel. That has the added benefit of replacing the existing drivers in the firmware with well-tested drivers from Linux.
Also there is this from https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git
Repository of firmware blobs for use with the Linux kernel
I'm not 100% clear on all of this (probably mostly because I'm a Linux noobie) but with your response and the above references, I have enough info to alleviate my security concerns (note1) with the updates I recently received from Mx Linux.

Again, thank you very much for that reply.

NOTE1. Most of those updates I received have nothing to do with my computer, which is a very new computer only about three months old. I specifically bought this computer for Linux use only (my only real requirement is that it had to have an NVIDIA graphics card). It came with Win11 (of course!) but I deleted it by overwriting it with an Ext4 partition. All my computers will be Linux computers from now on.
 
(1) That's called obfuscation and because it reduces transparency, it is bad for security.

(2) The issue isn't what the definition of firmware is, the issue is exactly what firmware are they modifying/updating?

(3) I can tell that you have obviously never had a security clearance or training for it, and this thread is not about a 2nd grader's diary.

(Note: Index numbers were added by Sphen.)
Responding to this post only because I was addressed directly:

(1) Ask yourself whether Hanlon's razor explains the terminology issues. I believe that it is more likely a historical artifact than a deliberate attempt to obfuscate the meaning. My feeling is that someone made a poor choice of words early on and unfortunately it stuck, or perhaps the terms hung on too long while the technology continued to evolve. Every discipline has its specialized terms, and they do not always match the common definition of those terms. That's human nature, not obfuscation.

(2) But you brought up terminology, so I addressed it. I understand that your primary concern is the "firmware" itself and not having sufficient information to assess it or understand what it does. That is a very reasonable and valid concern. In my previous post, I suggested that it may be worth your time to investigate the chain of trust for those updates, which is what you are doing here, sort-a. I still think it is a good idea.

(3) Catch 22. If I had one, I would not discuss it. My other point was simply that you apply mitigations that are appropriate to the threat. You do not require Fort Knox to secure a 2nd grader's diary, although it can do the job. A small lock is sufficient.

Related:
I am interested in the chain of trust for those updates. I hope you will post details if you learn more about their origins and how they get to your MX Linux system in a trusted manner from end to end (origin to your MX Linux). It is related to your unknown / untrusted content issue.
 
(1) Ask yourself whether Hanlon's razor explains the terminology issues. I believe that it is more likely a historical artifact than a deliberate attempt to obfuscate the meaning.
Beliefs are not facts.
(2) But you brought up terminology, so I addressed it.
The problem with the terminology is that 75% of what they are updating isn't firmware, but drivers -- and they are not the same thing.
(3) Catch 22. If I had one, I would not discuss it. My other point was simply that you apply mitigations that are appropriate to the threat. You do not require Fort Knox to secure a 2nd grader's diary, although it can do the job. A small lock is sufficient.
Only if you know what the threat is, and you can't know what the threat is if the information about it is obfuscated or not documented clearly.

And again, Linux updates is not the equivalent of a 2nd grader's diary -- not even close.
Related:
I am interested in the chain of trust for those updates. I hope you will post details if you learn more about their origins and how they get to your MX Linux system in a trusted manner from end to end (origin to your MX Linux). It is related to your unknown / untrusted content issue.
If a person with a top secret clearance came up to me, and asked for the password to access a certain piece of secret-classified military hardware, I would tell them "No way!" because they have no proof or evidence of a "need to know". It has nothing to do with trust but with protocol.
 
Hmm, the OP seems to be paranoid, if he is so concerned, go write your own secure operating system...

I'm normally very tolerant, but this is a free to use, free to alter, operating system developed by hundreds of thousands of dedicated volunteer programmers - it has served me personally without any security issues - me, just a regular user, since 1999.
 
James, I have said it before and I will say it again - dial it back. That means get off your high horse and try not to antagonise the people who are trying to help you.

If you can't say something nice, do not post.

If you are not prepared to entertain different ideas and input, do not post.

And, on

Linux is not hardware, it is an OS,...

... it is not. GNU/Linux is an OS. Linux is the name of the kernel.

Chris Turner
wizardfromoz
 
The problem with the terminology is that 75% of what they are updating isn't firmware, but drivers -- and they are not the same thing.
In the Linux kernel context, firmware is software which runs on another processor in the system, e.g. a wireless controller, a GPU, a SCSI controller... This software used to be stored in ROM (of various types) attached to the relevant controller, but to reduce costs and make upgrades simpler, controllers now tend to rely on the host operating system to load their firmware for them.
So firmware files aren’t used by the kernel, they’re loaded by the kernel onto other pieces of hardware. This is also what makes it vaguely acceptable to have software without source code in FLOSS systems: the argument goes that it’s not running on the main CPU but on another device.
In General: A driver is a kernel module that talks to hardware; firmware is software that runs on the hardware that talks to the driver.
 
In General: A driver is a kernel module that talks to hardware; firmware is software that runs on the hardware that talks to the driver.
Firmware is an electronic industry designation, not an OS one because firmware is hardware which software is downloaded to. It's yet another misnomer, like Linux. Firmware is an IC chip and firmware is the software that gets downloaded to a firmware IC chip. Mx Linux is not Mx Linux-the-kernel, it is Mx Linux-the-OS distribution. I just mentioned terminology in passing so it doesn't matter.
 
Firmware is an electronic industry designation, not an OS one because firmware is hardware which software is downloaded to.
If you read above, someone explains how firmware fits in the context of the Linux kernel.
In the Linux kernel context, firmware is software which runs on another processor in the system.
It's yet another misnomer, like Linux.
Are you talking about that everyone refers to Linux as the OS and that Linux is actually only the kernel and that it's GNU/Linux (and other tools) that makes an OS, or do you mean something else? Everyone has gotten so used to saying Linux that nowadays when someone talks about Linux it's assumed that they are talking about a GNU/Linux distribution, and there are other arguments used as well. I don't really care what someone calls it (and most other people don't either), but it's still good to know that in fact Linux is a kernel and that adding GNU tools (and other tools) to Linux is what makes the OS, aka a GNU/Linux distribution. I would argue that it's comparable to how everyone calls "Windows" "Windows" and not Microsoft Windows, because "Windows" is such a general term since I have "Windows" in my house so I can look outside. Here's a video where the issue about Linux vs GNU/Linux is discussed.
 
If you read above, someone explains how firmware fits in the context of the Linux kernel.
But is it official or an opinion? Different people in different groups explain things differently, so whom do I trust? I like to see official references (even though not all official references are valid because official references can spread myths too).
Are you talking about that everyone refers to Linux as the OS and that Linux is actually only the kernel and that it's GNU/Linux (and other tools) that makes an OS, or do you mean something else?
If you want people to understand you, you have to use the same terminology that they use, but what does Linux mean to everyone? It depends on who you talk to, doesn't it? And the definitions are usually not interchangeable or predefined before a conversation, so you have to wing it.
Everyone has gotten so used to saying Linux that nowadays when someone talks about Linux it's assumed that they are talking about a GNU/Linux distribution, and there are other arguments used as well. I don't really care what someone calls it (and most other people don't either), but it's still good to know that in fact Linux is a kernel and that adding GNU tools (and other tools) to Linux is what makes the OS, aka a GNU/Linux distribution. I would argue that it's comparable to how everyone calls "Windows" "Windows" and not Microsoft Windows, because "Windows" is such a general term since I have "Windows" in my house so I can look outside. Here's a video where the issue about Linux vs GNU/Linux is discussed.
Let me put all that in a different perspective...

I perceive all Linux distributions the same exact way I perceive Win3.1 -- Win3.1 is basically MS-DOS (the kernel is actually called DOS.com) with an interchangeable GUI and drivers to interface to that GUI. I do not perceive Linux distributions like I perceive WinNT (and up, with a kernel called WinNt.dll) because WinNT is a monolithic OS, meaning there are no separate modular components like a desktop GUI, kernel, MS-DOS, and so on and so forth, like there is for Win3.1 or any Linux distribution. With MS-DOS you can change the GUI attached to it and it is still MS-DOS but no one calls it MS-DOS or Mx MS-DOS or Sparky MS-DOS, they call it Win3.1 or GEM or whatever, depending on what components it has installed.

Ditto for Linux. Linux is a generic term that instead of it referring to MS-DOS, it refers to Linux-DOS. That's why Linux has apps that will work on some Linux distributions and not on others because many distributions are not compatible, even though they have the same exact Linux-kernel.

So what does the term firmware-linux mean? Is it referring to firmware-linux-kernel or firmware-linux-DOS or firmware-linux-the-distribution or some actual firmware FLASH software that isn't linux-anything but a separate component? What is Mx Linux? Is it a Mx Linux-DOS or Mx Linux-kernel or is it a Mx Linux-the-distribution? I only wanted to clear up terminology for firmware-linux before I dissected it, and that has been done. Otherwise the terminology doesn't matter because it is so messed up and unproductive.
 
Reread this:

James, I have said it before and I will say it again - dial it back. That means get off your high horse and try not to antagonise the people who are trying to help you.

Calm down, chill out, stop trying to argue for the sake of arguing, and read things in the best light possible as these are the folks trying to help you understand because at this point it's starting to look like you're just trolling.

Please don't make me do moderator things, as I dislike the drama that comes with it.
 
So what does the term firmware-linux mean? Is it referring to firmware-linux-kernel or firmware-linux-DOS or firmware-linux-the-distribution or some actual firmware FLASH software that isn't linux-anything but a separate component?
This repository contains all these firmware images which have been
extracted from older drivers, as well various new firmware images which
we were never permitted to include in a GPL'd work, but which we have
been permitted to redistribute under separate cover.
Linux firmware is a package distributed alongside the Linux kernel that contains firmware binary blobs necessary for partial or full functionality of certain hardware devices. These binary blobs are usually proprietary because some hardware manufacturers do not release source code necessary to build the firmware itself.
As for the Linux distributions using the same software components, that is true, but that's because it's all about choice when it comes to using open-source software. If you don't like the choices or direction one GNU/Linux distribution makes or is going, you can start your own and make different choices when it comes to defaults, philosophy, installer, etc. A lot of distributions are similar, but there are some that make themselves unique in some way by providing something another distribution does not provide.

If that way of doing things becomes liked enough by enough people, other distributions will eventually pick up on that and add it to their distribution as well. NixOS is an example of a distribution that does things differently. There are Linux distributions that don't use the GNU tools; an example of that would be Alpine Linux.
There are Linux distributions that focus on command-line installation and building your system how you want it as you install each component yourself, to name two well-known ones: Arch Linux and Gentoo Linux. As for why some distributions use only Linux in their name and others GNU/Linux, it really doesn't matter.

I can't remember being able to choose from different GUI's with DOS or to be able to choose what bootloader I wanted to use?
That's why Linux has apps that will work on some Linux distributions and not on others because many distributions are not compatible, even though they have the same exact Linux-kernel.
If the application is open source, you can always compile the source on any distribution and it will work. The problem is that different distributions use different glibc versions and kernel versions, so if you compile a binary for a Deb-based distribution, that binary will not necessarily work on an Rpm-based distribution, since there are differences in the way configurations are set up between Deb and Rpm.
Code:
apache rpm configuration location: /etc/httpd
apache deb configuration location: /etc/apache2
When it comes to being able to run graphical applications on the different distributions without having to build them for each different family, some ways of distributing software have been created in recent years. These are Snaps, AppImages and Flatpaks, which are ways of running graphical applications containerized and being able to use the same binaries to run on Debian, Ubuntu, Arch, etc.

In short, with open-source software you have choice, and that shows in the Linux distributions. There are many similarities, but there are differences between them in different areas, whether that be philosophy, default software, installation methods, communities, etc.
I perceive all Linux distributions the same exact way I perceive Win3.1 -- Win3.1 is basically MS-DOS (the kernel is actually called DOS.com) with an interchangeable GUI and drivers to interface to that GUI. I do not perceive Linux distributions like I perceive WinNT (and up, with a kernel called WinNt.dll) because WinNT is a monolithic OS, meaning there are no separate modular components like a desktop GUI, kernel, MS-DOS, and so on and so forth, like there is for Win3.1 or any Linux distribution. With MS-DOS you can change the GUI attached to it and it is still MS-DOS but no one calls it MS-DOS or Mx MS-DOS or Sparky MS-DOS, they call it Win3.1 or GEM or whatever, depending on what components it has installed.
The way you describe how you see Linux distributions all being the same is from a Windows mindset (closed-source mindset), coming from a world where you don't really have much choice as to what you want to use and can use. How many different graphical interfaces does Windows 10/11 have available if you don't want to use the default one? Can I compile a custom kernel with different features enabled and drivers enabled or disabled with Windows 10/11?

With the different Linux distributions, by contrast, you have the choice to use something or not use something, and if you don't like something about the one you are using you can switch to a different one and see if you like it better and/or it fits better with your software philosophy. You even have the choice to create your own Linux distribution. There are most likely things I have missed that others may remember, but hopefully you get the idea now.
 
Thanks for that info but that wasn't what I meant by "what does firmware-linux mean?". From https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git

"update DMCUB to v0.0.172.0 for various AMDGPU ASICs
fix broken cirrus firmware symlinks
Update the microcode files for Adreno a630 GPUs
Update RTL8852A BT USB firmware
DMCUB updates for various AMDGPU asics"

So "firmware-linux" is not firmware for the Linux kernel, it is firmware for misc things like the AMD GPU or the Realtek USB bluetooth, neither of which apply to my system. Firmware-linux just sits on my computer and does nothing, so in regards to security, it's harmless, which is all I really wanted to know about it.

The other issue was something I mentioned in passing about whether it was really "firmware" or not. Firmware usually requires physically programming an IC using the JTAG port or something like that. Many BIOS firmware can be flashed but it requires a special process usually outside of the control of any OS (for security reasons).
As for why some distributions use only Linux in their name and others GNU/Linux, it really doesn't matter.
It really doesn't.
I can't remember being able to choose from different GUI's with DOS or to be able to choose what bootloader I wanted to use?
We were talking about Windows, not DOS.
The way you describe how you see Linux distributions all being the same is from a Windows mindset (closed-source mindset), coming from a world where you don't really have much choice as to what you want to use and can use.
That wasn't my meaning. I was just pointing out that the infrastructure of Linux is more like the ancient infrastructure of Win3.1 than that of WinNT. Being open- or closed-source is another issue entirely.
How many different graphical interfaces does Windows 10/11 have available if you don't want to use the default one? Can I compile a custom kernel with different features enabled and drivers enabled or disabled with Windows 10/11?
We do have more choices in that regard, but those choices aren't what define the term "Linux", which still seems ambiguous to me.
While with the different Linux distributions you have choice to use something or not use something and to switch to a different Linux distribution if you don't like something about the one you are using you can switch to a different one and see if you like it better and/or fits better with your software philosophy and even the choice to create your own Linux distribution. There are most likely things I have missed, that others may remember but hopefully you get the idea now.
Choosing which Linux distribution to use was not an easy task. I just wanted something I could use for everything I wanted or needed to do on Windows. I eventually left Windows for Mx Linux after looking at many other distros. Some distros wouldn't automatically install hardware drivers, and the procedure for doing that was too convoluted for me to want to bother with it so I eliminated those as candidates. NixOS was a nice idea that I wished had worked, but it isn't user friendly and had quite a few bugs when I tested it out. I also needed something that was easy to develop apps on, and because I was familiar with IUP, the distro had to have GTK+. Anyways, I'm very happy with Mx Linux so I'm sticking with that.
 