Tag: Linux kernel

Librem 5 general development report — September 6th, 2018

Conferences

Some of the Purism team members attended Akademy 2018 in Vienna. This conference facilitated further discussions with KDE developers and it was nice to meet everyone in person!

There were also some team members that attended FrOSCon. Coming up, we have Todd presenting at AllThingsOpen, and Capitole du Libre where François and Adrien will be manning a booth (so be sure to stop by and say bonjour if you’re there).

Design

More improvements have been made to the shell mock-ups and those should be complete soon! Also some exciting new icons are on the horizon and we will use them early in our development builds and on the apps shipping with the phone; GNOME’s new icons are slated for inclusion in the 3.32 release in 2019.

Software Work

Images

Now the qcow2 images are archived as well as the raw image file. This makes the x86_64 VM image more accessible to those who “can’t wait” to try things out today, or who haven’t ordered a development board. You can find the most recent builds and build artifacts here. See below for a demo of rotation in the qcow2 image. Also, a couple of packages have been added to the images to enable resizing the rootfs to fill the partitioned space.

We are now transforming Plasma Mobile’s Debian packaging into git repositories suitable for our build jobs and building them. These packages will eventually be included in a Plasma Mobile Librem 5 image. There is ongoing work with upstream Plasma developers to resolve the remaining build issues.

Phosh

Many fixes and tweaks have occurred in phosh in the last few weeks. Size calculations have been fixed (and therefore menu positions) on scaled displays with custom modes. The German translation has been updated. Now a login shell is used when we launch gnome-session, which ensures XDG_* is set up correctly so icons of flatpak applications are correctly recognized by phosh. To make phosh more robust, more compile warnings were enabled and the resulting errors were addressed.

gnome-settings-daemon

To lay the ground work for configuring your modem, an upstream discussion has been started to discuss how gnome-settings-daemon should behave regarding modems.

Wlroots

Wlroots was known to crash when phosh reconnects and that has been fixed. We also continue to keep wlroots up to date with new upstream snapshots.

GTK+ 4 and libhandy

Since the compositor and GTK+ need to work well together, an issue was fixed to make the xdg-shell’s app_id match GApplication’s application-id property. This makes it simpler for compositors to match applications to desktop files in Wayland.

Among the many fixes in libhandy recently, builds have been made more robust by failing on warnings. Three GTK+ bugs that currently affect the ability to create adaptive UIs have been brought up with the upstream developers: a non-rounded corner issue, an off-screen popover issue, and an issue that causes the separator to sometimes be transparent. For the separator issue, a solution has been proposed as well. There is also ongoing upstream work on the separator to add a selection-mode variant and make adding a separator less complicated, which is necessary to have cleanly defined panels in HdyLeaflet. Furthermore, the libhandy flatpak runtime (org.gnome.Platform) has been updated from 3.26 to master so we can be on the bleeding edge.

Keyboard

On the OSK front, the text-input-v3 patch-set has been included in wayland-protocols and gtk-3.24. The preliminary support of text-input-v3 has also been added to wlroots. Additionally, the virtual-keyboard protocol patch has been updated and is in review. There has even been an input-method-v2 protocol RFC posted. So get ready to type on your virtual keyboard!

Calls and messaging

Since the decision to implement a ModemManager back-end for the Calls application, some changes were needed in Calls. To give ModemManager more privileges, some PolicyKit files were created. To improve the UI of Calls, some of the display code was cleaned up, bringing the Calls UI closer to the final design.

New and exciting things are on the horizon for the Messaging app. A new SMS libpurple-plugin has begun development and testing is ongoing with the Pidgin-Debug window to check if the ModemManager interface works. Work is advancing to glue the Chatty GTK+ objects to libpurple UiOps structs and signals for conversation handling. A blog post on Chatty—complete with a demo video—has just been published so go read it if you haven’t already!

Kernel

A significant effort has been put in to make the 4.18 kernel work with the devkit SoM. To help debug kernel hangs, some work was done on openocd, such as adding a board configuration for the particular board that will be used on the dev kits and warning when phys2virt is invoked while the CPU is not halted. The openOCD folks were a great help in this effort!

Efforts continue on other pieces of the kernel too. Work on the power supply driver for the battery charger continues with upstream kernel developers and should be accepted soon. USB 2 has been tested and is working. Some clock issues were also resolved, and both SDMA and RTC are now working as well.

Hardware Work

The Purism hardware team has sent out the manufacturing files for PCB fabrication and assembly of the prototypes. The files are currently under review.

Community Outreach

An issue template has been added to the current phosh, libhandy, calls, chatty, docs, and virtboard projects to guide the user to provide all of the necessary information when filing an issue against these projects. For more information on filing issues, see our documentation page on reporting an issue.

A big thanks goes out to all of the external teams that have helped review and merge changes into upstream projects. Everyone’s time and contribution is much appreciated!

That’s all for now folks. Stay tuned for more exciting updates to come!

Meltdown, Spectre and the Future of Secure Hardware

Meltdown and Spectre are two different—but equally nasty—exploits in hardware. They are local, read-only exploits not known to corrupt, delete, or modify data. For local single-user laptops, such as Librem laptops, this is not as large a threat as on shared servers—where a user on one virtual machine could access another user’s data on a separate virtual machine.

As we have stated numerous times, security is a game of depth. To exploit any given layer, you go to a lower layer; whoever controls a lower layer has access to everything higher in the stack.

Meltdown and Spectre are not just hardware exploits in general; they are exploits against the processor and microprocessor themselves. Meltdown is an exploit against the CPU for which a patch is in progress, while Spectre is an exploit against the design of microprocessors which has a “possibility to patch upon each exploit as it is identified” in a never-ending game of cat-and-mouse.

Protecting from Meltdown and Spectre with PureOS

  • Purism’s PureOS, a Free Software Foundation endorsed distribution, is releasing a patch to stop the Meltdown attack, with thanks to the quick and effective actions of the upstream Linux kernel development team.
  • Like the patch for Meltdown, PureOS will continue to release patches against any Spectre exploits as they are found and fixed, which highlights the importance of keeping up-to-date on software updates.

Countermeasures in Purism Librem hardware

Purism continues to advance security in hardware through a combination of techniques, including a TPM in Librem laptops, where we are progressing towards a turn-key TPM+Heads solution. This will allow us to provide Librem users with a strong defensive stance, making future exploits less scary.

While these countermeasures are not direct solutions for Meltdown and Spectre, they help work towards a larger scope of measurement and indication of “known good” states. In this case, this would mean only running a Linux kernel version which has good patches applied for Meltdown and Spectre exploits. Flagging or stopping any modifications that could be exploits adds another layer of security to protect users’ devices and sensitive information.
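As an added example (not code from this post or from PureOS), the following POSIX shell check reads the mitigation state the Linux kernel itself reports under /sys/devices/system/cpu/vulnerabilities (present since 4.15), so an administrator can confirm that the installed kernel carries the Meltdown and Spectre patches described in the two sections above. The directory argument and the sample tree are constructed so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not Purism/PureOS code: report what the running kernel says
# about Meltdown/Spectre mitigations. Linux 4.15+ exposes one file per issue in
# /sys/devices/system/cpu/vulnerabilities (e.g. meltdown, spectre_v1, spectre_v2).

# check_cpu_vulns [DIR]: print one line per entry; return 0 when every entry is
# mitigated or "Not affected", 1 when any entry is Vulnerable or unrecognised,
# 2 when the directory is missing (kernel predates the reporting interface).
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel cannot report mitigation state, treat as unpatched" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected"|Mitigation:*) echo "ok   $name: $status" ;;
            Vulnerable*)                 echo "FAIL $name: $status"; rc=1 ;;
            *)                           echo "??   $name: $status"; rc=1 ;;
        esac
    done
    return "$rc"
}

# make_sample: build a constructed sysfs-like tree in a temp dir and print its
# path. The strings follow the kernel's reporting format; spectre_v2 is
# deliberately left in the Vulnerable state to show a failing check.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

# Demo on the constructed tree; run check_cpu_vulns with no argument on a real
# PureOS machine to inspect the live kernel instead.
sample=$(make_sample)
check_cpu_vulns "$sample" || echo "exit $?: at least one issue is not mitigated"
rm -rf "$sample"
```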

The Future of Secure Hardware

Intel, AMD, and ARM seem to suffer from the same issues that proprietary software suffers from: a lack of transparency that results in an unethical design which shifts us further away from an ethical society. RISC-V is something we are closely following in the hopes that it can create a future where processor hardware can be as ethical as Free Software—meaning that the user is in control of their own hardware and software, not the developer.

Purism, as a Social Purposes Corporation, will continue to advance along the best paths possible to offer high-end hardware that is as secure as possible, in alignment with our strict philosophy of ethical computing.

PureOS now features AppArmor activated by default

Purism, the Social Purpose Corporation focused on software freedom, privacy and security, proves it is dedicated to making its products secure straight off of the factory floor. Now, new PureOS installations (including those provided with Librem devices) have AppArmor activated by default. Let us first look at what AppArmor is, and then why we chose it specifically to strengthen PureOS.

Initial Touch and Web Browsing experiments on Librem 5 prototyping boards

When it comes to prototyping the Librem 5, we are working hard and making progress on several fronts. As you have seen in yesterday’s testing update blog post, we are working on development hardware in order to start getting software development groundwork done. Today, I’m sharing the results of a quick experiment with web and touch on a prototype board.

Neutralizing the Intel Management Engine on Librem Laptops

In my last blog post, I spoke of the completion of the Purism coreboot port for the Librem 13 v1 and mentioned that I had some good news about the Intel Management Engine disablement efforts (to go further than our existing quarantine) and to “stay tuned” for more information. Since then I got a little side-tracked with some more work on coreboot (more below), but now it’s time to share with you the good news!