Greg Kroah-Hartman: Outside Phone Vendors Aren’t Updating Their Linux Kernels

David on Saturday October 06, 2018 @03:34PM

from the downstream-developers dept.

“Linux runs the world, right? So we want to make sure that things are secure,” says Linux kernel maintainer Greg Kroah-Hartman. When asked in a new video interview which bug makes them most angry, he first replies “the whole Spectre/Meltdown problem. What made us so mad, in a way, is we were fixing a bug in somebody else’s layer!”

One also interesting thing about the whole Spectre/Meltdown is the complexity of that black box of a CPU is much much larger than it used to be. Right? Because they’re doing — in order to eke out all the performance and all the new things like that, you have to do extra-special tricks and things like that. And they have been, and sometimes those tricks come back to bite you in the butt. And they have, in this case. So we have to work around that.

But a companion article on Linux.com notes that “Intel has changed its approach in light of these events. ‘They are reworking on how they approach security bugs and how they work with the community because they know they did it wrong,’ Kroah-Hartman said.” (And the article adds that “for those who want to build a career in kernel space, security is a good place to get started…”)

Kroah-Hartman points out in the video interview that “we’re doing more and more testing, more and more builds,” noting “This infrastructure we have is catching things at an earlier stage — because it’s there — which is awesome to see.” But security issues can persist thanks to outside vendors beyond their control. Linux.com reports:
Hardening the kernel is not enough, vendors have to enable the new features and take advantage of them. That’s not happening. Kroah-Hartman releases a stable kernel every week, and companies pick one to support for a longer period so that device manufacturers can take advantage of it. However, Kroah-Hartman has observed that, aside from the Google Pixel, most Android phones don’t include the additional hardening features, meaning all those phones are vulnerable. “People need to enable this stuff,” he said.

“I went out and bought all the top of the line phones based on kernel 4.4 to see which one actually updated. I found only one company that updated their kernel,” he said. “I’m working through the whole supply chain trying to solve that problem because it’s a tough problem. There are many different groups involved — the SoC manufacturers, the carriers, and so on. The point is that they have to push the kernel that we create out to people.”

 

“The good news,” according to Linux.com, “is that unlike with consumer electronics, the big vendors like Red Hat and SUSE keep the kernel updated even in the enterprise environment. Modern systems with containers, pods, and virtualization make this even easier. It’s effortless to update and reboot with no downtime.”

 

The trouble with being punctual is that nobody’s there to appreciate it.
— Franklin P. Jones

Working…

Source

Leave a Reply

Your email address will not be published. Required fields are marked *

WP2Social Auto Publish Powered By : XYZScripts.com