The openSUSE Tumbleweed kernel has been locked down since v6.4.3 when secure boot is enabled. This means that the behavior of the Tumbleweed kernel now aligns with SLE and openSUSE Leap when secure boot is enabled.
The presentation deals with the set of tools and features that can be used by Linux kernel developers for kernel debugging. Static analysis of kernel patches was also addressed during the speech. Special attention was given to access tools, tracing tools, and interactive debugging tools, namely: DebugFS, ftrace, and GDB.
This presentation by Aleksandr Bulyshchenko (Software Engineer, Consultant, GlobalLogic Kharkiv) was delivered at GlobalLogic Kharkiv Embedded TechTalk #1 on March 13, 2018.
HKG15-409: ARM Hibernation enablement on SoCs - a case study (Linaro)
---------------------------------------------------
Speaker: Grygorii Strashko
Date: February 12, 2015
---------------------------------------------------
★ Session Summary ★
Hibernation on ARM devices is a long-wanted feature, with multiple ways of achieving it - in-kernel, fully userspace, or a combination. This presentation will give a brief overview of these methods, and will discuss the effort required to enable in-kernel ARM hibernation on the TI platform. We will also share the pre-requisites for enabling this on other SoCs.
--------------------------------------------------
★ Resources ★
Pathable: https://hkg15.pathable.com/meetings/250837
Video: https://www.youtube.com/watch?v=dJqCbTfKrMk
Etherpad: http://pad.linaro.org/p/hkg15-409
---------------------------------------------------
★ Event Details ★
Linaro Connect Hong Kong 2015 - #HKG15
February 9-13th, 2015
Regal Airport Hotel Hong Kong Airport
---------------------------------------------------
http://www.linaro.org
http://connect.linaro.org
Kernel vulnerabilities were commonly used to obtain admin privileges, and the main rule was to stay in the kernel for as short a time as possible! But nowadays, even when you get admin / root, current operating systems are sometimes too restrictive. And that made kernel exploitation a nice vector for installing into kernel mode!
In this talk we will examine the steps from CPL3 to CPL0, including some nice tricks, and we end up with developing kernel mode drivers.
Linux Kernel Platform Development: Challenges and Insights (GlobalLogic Ukraine)
This presentation is about the main tasks which Linux kernel platform engineers take care of. The talk includes real-life cases which help understand the role of respective specialists and might be helpful to those who consider such change in their careers.
The talk was delivered by Sam Protsenko (Software Engineer, Consultant, GlobalLogic) at GlobalLogic Embedded Career Day #2 on February 10, 2018.
More about GlobalLogic Embedded Career Day #2: https://www.globallogic.com/ua/events/globallogic-kyiv-embedded-career-day-2-materials
The Future of Security and Productivity in Our Newly Remote World (DevOps.com)
Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated.
This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks.
See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.
Kernel Recipes 2015 - Kernel dump analysis (Anne Nicolas)
Cloud this, cloud that… It’s making everything easier, especially for web hosted services. But what about the servers that are not supposed to crash? For applications making the assumption the OS won’t fault or go down, what can you write in your post-mortem once the server froze and has been restarted? How do you track down the bug that led to service unavailability?
In this talk, we’ll see how to set up kdump and how to panic a server to generate a coredump. Once you have the vmcore file, we’ll see how to track the issue with the “crash” tool to find why your OS went down. Last but not least: with “crash” you can also modify your live kernel, the same way you would do with gdb.
Adrien Mahieux – System administrator obsessed with performance and uptime, tracking down microseconds from hardware to software since 2011. The application must be seen as a whole to provide efficiently the requested service. This includes searching for bottlenecks and tradeoffs, design issues or hardware optimization.
Talk from Embedded Linux Conference, http://elcabs2015.sched.org/event/551ba3cdefe2d37c478810ef47d4ca4c?iframe=no&w=i:0;&sidebar=yes&bg=no#.VRUCknSQQQs
Let's trace Linux Kernel with KGDB @ COSCUP 2021 (Jian-Hong Pan)
https://coscup.org/2021/en/session/39M73K
https://www.youtube.com/watch?v=L_Gyvdl_d_k
Engineers have plenty of debug tools for user space program development, code tracing, debugging and analyzing. Except for “printk”, do we have any other debug tools for Linux kernel development? The “KGDB” mentioned in the Linux kernel documentation provides another possibility.
I will share how to experiment with KGDB in a virtual machine, and use GDB + OpenOCD + JTAG + Raspberry Pi in a real environment as the demo in this talk.
When developing user space software, engineers have convenient debug tools for searching, analyzing and debugging. But in Linux kernel development, apart from printk, what other tools can be used? The Linux kernel documentation contains information about KGDB, which provides another possibility for debugging the kernel.
This session will share the journey from building the simplest virtual machine environment up to actually using GDB + OpenOCD + JTAG + Raspberry Pi as the demo example.
OpenNebulaConf 2016 - Storage Hands-on Workshop by Javier Fontán, OpenNebula (OpenNebula Project)
In this 90-minute hands-on workshop, some of the key contributors to OpenNebula will walk attendees through the configuration and integration aspects of the storage subsystem in OpenNebula. The session will also include lightning talks by community members describing aspects related to Storage with OpenNebula:
- Deployment scenarios
- Integration
- Tuning & debugging
- Best practices
[DockerCon 2020] Hardening Docker daemon with Rootless Mode (Akihiro Suda)
Docker supports "Rootless mode", which allows running the entire Docker daemon and its dependencies as a non-root user on the host, so as to protect the host from malicious containers in a simple but very strong way. Rootless mode is also attractive for users who cannot get `sudo` permission for installing Docker on shared computing machines, e.g. HPC users. In this talk, Akihiro Suda, the author of the Rootless mode, will explain how users can get started with Rootless mode. He will also explain the recent updates including support for Cgroup V2 and FUSE-OverlayFS.
https://docker.events.cube365.net/docker/dockercon/content/Videos/wHjxizoWgFgCYu6aF
Summary of linux kernel security protections (Shubham Dubey)
The Linux kernel goes through very rapid changes each release. With each release, new protections and mitigations are added to make it more secure against different categories of attacks. Unlike other platforms, Linux security features are not advertised enough and most of the time are limited to a mail thread. Since Linux is getting more popular day by day in different sectors of industry, it is important for a researcher or an administrator to be aware of what protection it provides against sophisticated attacks targeting the Linux kernel. In this session, I will take you through the different security features that the Linux kernel has introduced over the years and their limitations or bypasses. We will go through a few demos to verify the working and bypasses of these protections. In the end I will discuss what is missing in the Linux kernel that can be improved in future. This talk will help security researchers identify the current Linux security protections and the gaps present in the Linux kernel. With this knowledge they can tweak their product; for example, an AV vendor working on Linux security needs to be aware of what protection is already present before working on something new. A developer dealing with Linux kernel development can also utilize this session to identify the security issues their code may hold and the things they need to take care of and ignore to make their modules or components secure.
Securing Applications and Pipelines on a Container Platform (All Things Open)
Presented at: Open Source 101 at Home
Presented by: Veer Muchandi, Red Hat Inc
Abstract: While everyone wants to do Containers and Kubernetes, they don’t know what they are getting into from a security perspective. This session intends to take you from “I don’t know what I don’t know” to “I know what I don’t know”. This helps you to make informed choices on Application Security.
Kubernetes as a container platform is becoming the de facto choice for every enterprise. In my interactions with enterprises adopting a container platform, I come across common questions:
- How does application security work on this platform? What all do I need to secure?
- How do I implement security in pipelines?
- What about vulnerabilities discovered at a later point in time?
- What do newer technologies like Istio Service Mesh bring to the table?
In this session, I will be addressing these commonly asked questions that every enterprise trying to adopt an Enterprise Kubernetes Platform needs to know so that they can make informed decisions.
syzkaller is an unsupervised, coverage-guided Linux syscall fuzzer.
The presentation covers the basics of operation of the fuzzer, gives a tutorial on how to run it, and shows how to extend it to fuzz new drivers.
Delve Labs was present during the GoSec 2016 conference, where our lead DevOps engineer presented an overview of the current options available for securing Docker in production environments.
https://www.delve-labs.com
SUSE Labs Conference 2023
Shim is a first-stage UEFI bootloader. SLE/openSUSE uses it to enable secure boot and MOK, loading and verifying grub2.
This talk will share the current status of SUSE shim. It will also introduce information about shim development, e.g. the maintenance process, features, upstream review, process, and so on.
A multi-signed kernel module can be loaded on kernels that trust different keys, which means that one KMP can be deployed on different trust systems.
4. Kernel lockdown mode (cont.)
● This patchset introduces an optional kernel lockdown feature, intended to strengthen the boundary between UID 0 and the kernel. When enabled, various pieces of kernel functionality are restricted. [1]
● In dmesg:
  [ 0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
  [ 25.299313] Lockdown: numlockbios: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
5. Why lockdown the Tumbleweed kernel?
● Improve kernel security.
● Sync with big distros, especially with SLE and openSUSE Leap.
  – Applications developed on Tumbleweed (non-lockdown) may not work on SLE/openSUSE Leap (lockdown).
● The opensuse-cert-prompt patch does not pass shim-review. (bsc#1198101) [4]
6. States of lockdown
● None
● Integrity
  – Kernel features that allow userland to modify the running kernel are disabled.
● Confidentiality
  – Kernel features that allow userland to extract confidential information from the kernel are also disabled.
7. States of lockdown (cont.)
●
The state of lockdown can only be
upgraded, not downgraded:
– None → Integrity → Confidentiality
The inverse is not
# cat /sys/kernel/security/lockdown
none [integrity] confidentiality
# echo none > /sys/kernel/security/lockdown
-bash: echo: write error: Operation not permitted
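As an added example (not part of the slides), the Python script below handles the two interfaces shown on slide 4 and slide 7: it reads the current state out of the /sys/kernel/security/lockdown format, checks whether a requested state change is an upgrade (the only direction the kernel accepts), and pulls the "Lockdown: <comm>: <what> is restricted" denials out of dmesg so an administrator can see which process hit a locked-down interface. The file contents and dmesg lines are constructed samples.

```python
import re
from typing import Dict, List, Optional

# Lockdown states in the order the kernel allows them to be raised.
LOCKDOWN_STATES = ("none", "integrity", "confidentiality")

# Constructed sample of /sys/kernel/security/lockdown (bracketed token = current state).
SAMPLE_LOCKDOWN_FILE = "none [integrity] confidentiality\n"

# Constructed dmesg excerpt in the format the lockdown LSM prints.
SAMPLE_DMESG = """\
[    0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
[   25.299313] Lockdown: numlockbios: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[  102.417765] Lockdown: insmod: unsigned module loading is restricted; see man kernel_lockdown.7
[  240.000123] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

_DENIAL = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\]\s+Lockdown: (?P<comm>.+?): (?P<what>.+?) is restricted; "
    r"see man kernel_lockdown\.7$")
_SOURCE = re.compile(r"Kernel is locked down from (?P<reason>.+?); see man kernel_lockdown\.7")


def current_state(text: str) -> str:
    """Return the active state from the securityfs lockdown file contents."""
    for tok in text.split():
        if tok[:1] == "[" and tok[-1:] == "]" and tok[1:-1] in LOCKDOWN_STATES:
            return tok[1:-1]
    raise ValueError("no bracketed lockdown state found")


def transition_allowed(current: str, requested: str) -> bool:
    """Lockdown can only be raised: the same or a lower state is refused with EPERM."""
    return LOCKDOWN_STATES.index(requested) > LOCKDOWN_STATES.index(current)


def lockdown_source(dmesg: str) -> Optional[str]:
    """Why lockdown was enabled at boot (e.g. 'EFI Secure Boot mode'), or None."""
    m = _SOURCE.search(dmesg)
    return m.group("reason") if m else None


def lockdown_denials(dmesg: str) -> List[Dict[str, str]]:
    """Every action the lockdown LSM refused, with timestamp and the process that tried it."""
    return [m.groupdict() for m in map(_DENIAL.match, dmesg.splitlines()) if m]


if __name__ == "__main__":
    print("state:", current_state(SAMPLE_LOCKDOWN_FILE), "source:", lockdown_source(SAMPLE_DMESG))
    for d in lockdown_denials(SAMPLE_DMESG):
        print(f"[{d['ts']}] {d['comm']} tried: {d['what']}")
```

On a real system, feed it the output of `cat /sys/kernel/security/lockdown` and `dmesg` instead of the constructed samples.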
8. SUSE setting of lockdown state
● CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
● CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y (x86_64, arm64)
– Link lockdown mode (integrity state) with UEFI secure boot.
9. SUSE setting of lockdown state (cont.)
● CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y (x86_64, arm64)
– Link lockdown mode (integrity state) with UEFI secure boot.
– Applied downstream patches:
0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch
0004-efi-Lock-down-the-kernel-at-the-integrity-level-if-b.patch
– Some kernel upstream experts think that lockdown should not be tied to a firmware option. [2]
10. Which functions are locked-down (integrity state)
● LOCKDOWN_MODULE_SIGNATURE: unsigned module loading
● LOCKDOWN_DEV_MEM: /dev/mem,kmem,port
● LOCKDOWN_EFI_TEST: /dev/efi_test access
● LOCKDOWN_KEXEC: kexec of unsigned images
● LOCKDOWN_HIBERNATION: hibernation
● LOCKDOWN_PCI_ACCESS: direct PCI access
● LOCKDOWN_IOPORT: raw io port access
● LOCKDOWN_MSR: raw MSR access
● LOCKDOWN_ACPI_TABLES: modifying ACPI tables
(Kernel v6.6-rc3)
11. Which functions are locked-down (integrity state) (cont.)
● LOCKDOWN_DEVICE_TREE: modifying device tree contents
● LOCKDOWN_PCMCIA_CIS: direct PCMCIA CIS storage
● LOCKDOWN_TIOCSSERIAL: reconfiguration of serial port IO
● LOCKDOWN_MODULE_PARAMETERS: unsafe module parameters
● LOCKDOWN_MMIOTRACE: unsafe mmio
● LOCKDOWN_DEBUGFS: debugfs access
● LOCKDOWN_XMON_WR: xmon write access
● LOCKDOWN_BPF_WRITE_USER: use of bpf to write user RAM
(Kernel v6.6-rc3)
12. Which functions are locked-down (integrity state) (cont.)
● LOCKDOWN_DBG_WRITE_KERNEL: use of kgdb/kdb to write kernel RAM
● LOCKDOWN_RTAS_ERROR_INJECTION: RTAS error injection
(Kernel v6.6-rc3)
13. Which functions are locked-down (confidentiality state)
● LOCKDOWN_KCORE: /proc/kcore access
● LOCKDOWN_KPROBES: use of kprobes
● LOCKDOWN_BPF_READ_KERNEL: use of bpf to read kernel RAM
● LOCKDOWN_DBG_READ_KERNEL: use of kgdb/kdb to read kernel RAM
● LOCKDOWN_PERF: unsafe use of perf
● LOCKDOWN_TRACEFS: use of tracefs
● LOCKDOWN_XMON_RW: xmon read and write access
● LOCKDOWN_XFRM_SECRET: xfrm SA secret
(Kernel v6.6-rc3)
14. LOCKDOWN_MODULE_SIGNATURE
● Commit id: 49fcf732bd
lockdown: Enforce module signatures if the kernel is locked down
● It equals CONFIG_MODULE_SIG_FORCE
● Reject unsigned modules or signed modules for which we don't have a key. Without this, such modules will simply taint the kernel.
15. LOCKDOWN_DEV_MEM
● Commit id: 9b9d8dda1e
lockdown: Restrict /dev/{mem,kmem,port} when the kernel is locked down
● Allowing users to read and write to core kernel memory makes it possible for the kernel to be subverted, avoiding module loading restrictions, and also to steal cryptographic information.
16. LOCKDOWN_DEV_MEM (cont.)
● Disallow /dev/mem and /dev/kmem from being opened when the kernel has been locked down to prevent this.
● Disallow /dev/port from being opened to prevent raw ioport access and thus DMA from being used to accomplish the same thing.
18. LOCKDOWN_KEXEC
● Commit id: 7d31f4602f
kexec_load: Disable at runtime if the kernel is locked down
● The kexec_load() syscall permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable kexec_load() in this situation.
● This does not affect the kexec_file_load() syscall, which can check for a signature on the image to be booted.
19. LOCKDOWN_HIBERNATION
● Commit id: 38bd94b8a1
hibernate: Disable when the kernel is locked down
● There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, so until we can work with signed hibernate images we disable it when the kernel is locked down.
# cat /sys/power/state
freeze mem
20. LOCKDOWN_HIBERNATION (cont.)
● Evan Green: [PATCH v5 00/11] Encrypted Hibernation
https://lkml.org/lkml/2022/11/11/1229
● Bug 1208766 - Kernel 6.2.1 does not suspend/hibernate anymore for AMD Ryzen 7 Pro
21. LOCKDOWN_PCI_ACCESS
● Commit id: eb627e1772
PCI: Lock down BAR access when the kernel is locked down
● Any hardware that can potentially generate DMA has to be locked down in order to avoid it being possible for an attacker to modify kernel code, allowing them to circumvent disabled module loading or module signing. Default to paranoid - in future we can potentially relax this for sufficiently IOMMU-isolated devices.
23. LOCKDOWN_IOPORT
● Commit id: 96c4f67293
x86: Lock down IO port access when the kernel is locked down
● IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register space. This would potentially permit root to trigger arbitrary DMA, so lock it down by default.
● ioperm() - set port input/output permissions
24. LOCKDOWN_MSR
● Commit id: 95f5e95f41
x86/msr: Restrict MSR access when the kernel is locked down
● Writing to MSRs should not be allowed if the kernel is locked down, since it could lead to execution of arbitrary code in kernel mode.
● /dev/cpu/0/msr
– rdmsr, wrmsr
25. LOCKDOWN_MSR (cont.)
● Re: [PATCH] x86: Lock down MSR writing in secure boot
– Kees Cook: Yes, change the SYSENTER entry point to where-ever you like.
http://grsecurity.net/~spender/msr32.c
SYSENTER_EIP_MSR
– _writing_ an MSR from userspace should be considered a bug. If writing is needed, a kernel driver should be mediating the change. [3]
26. LOCKDOWN_ACPI_TABLES
● Commit id: f474e1486b
ACPI: Limit access to custom_method when the kernel is locked down
● custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. Disable it if the kernel is locked down.
cat test.aml > /sys/kernel/debug/acpi/custom_method
27. LOCKDOWN_ACPI_TABLES (cont.)
● Commit id: 75b0cea7bf
ACPI: configfs: Disallow loading ACPI tables when locked down
● This one here allows the root user to load ACPI tables, which enables arbitrary physical address writes, which in turn makes it possible to disable lockdown.
https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh
overwrite kernel_locked_down symbol
28. LOCKDOWN_ACPI_TABLES (cont.)
● Commit id: 41fa1ee9c6
acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down
● This option allows userspace to pass the RSDP address to the kernel, which makes it possible for a user to modify the workings of hardware. Reject the option when the kernel is locked down.
– Root System Description Pointer (RSDP)
29. LOCKDOWN_ACPI_TABLES (cont.)
● Commit id: 6ea0e815fc
acpi: Disable ACPI table override if the kernel is locked down
– CONFIG_ACPI_TABLE_UPGRADE
– initrd_table_override.rst
● ACPI tables contain code invoked by the kernel, so do not allow ACPI tables to be overridden if the kernel is locked down.
30. LOCKDOWN_ACPI_TABLES (cont.)
● Commit id: 1957a85b00
efi: Restrict efivar_ssdt_load when the kernel is locked down
– CONFIG_EFI_CUSTOM_SSDT_OVERLAYS
– efivar_ssdt=<EFI_VARIABLE_NAME>
● efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an EFI variable, which gives arbitrary code execution in ring 0. Prevent that when the kernel is locked down. (ssdt-overlays.rst)
31. LOCKDOWN_MODULE_PARAMETERS
● Commit id: 20657f66ef
lockdown: Lock down module params that specify hardware parameters (eg. ioport)
● Provided an annotation for module parameters that specify hardware parameters (such as io ports, iomem addresses, irqs, dma channels, fixed dma buffers and other types).
● arch/x86/mm/testmmiotrace.c
module_param_hw(mmio_address, ulong, iomem, 0);
32. LOCKDOWN_DEBUGFS
● Commit id: 5496197f9b
debugfs: Restrict debugfs when the kernel is locked down
● Disallow opening of debugfs files that might be used to muck around when the kernel is locked down, as various drivers give raw access to hardware through debugfs.
33. LOCKDOWN_DEBUGFS (cont.)
● When the kernel is locked down, only files with the following criteria are permitted to be opened:
– The file must have mode 00444
– The file must not have ioctl methods
– The file must not have mmap
● When the kernel is locked down, files may only be opened for reading.
● Normal device interaction should be done through configfs, sysfs or a miscdev, not debugfs.
34. LOCKDOWN_BPF_WRITE_USER
● Commit id: 51e1bb9eea
bpf: Add lockdown check for probe_write_user helper
● commit 96ae52279594 ("bpf: Add bpf_probe_write_user BPF helper to be called in tracers") added the bpf_probe_write_user() helper in order to allow to override user space memory. Its original goal was to have a facility to "debug, divert, and manipulate execution of semi-cooperative processes" under CAP_SYS_ADMIN.
35. LOCKDOWN_BPF_WRITE_USER (cont.)
● Write to kernel was explicitly disallowed since it would otherwise tamper with its integrity.
● cf9b1199de27 ("samples/bpf: Add test/example of using bpf_probe_write_user bpf helper")
36. LOCKDOWN_EFI_TEST
● Commit id: 359efcc2c9
efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN
● The driver exposes EFI runtime services to user-space through an IOCTL interface, calling the EFI services function pointers directly without using the efivar API.
● Disallow access to the /dev/efi_test character device when the kernel is locked down to prevent arbitrary user-space from calling EFI runtime services.
38. LOCKDOWN_PCMCIA_CIS
● Commit id: 3f19cad3fa
lockdown: Prohibit PCMCIA CIS storage when the kernel is locked down
● Prohibit replacement of the PCMCIA Card Information Structure when the kernel is locked down.
● The Card Information Structure (CIS) is a data structure accessed through Card Services that contains identification and configuration information about PC Cards. [5]
39. LOCKDOWN_TIOCSSERIAL
● Commit id: 794edf30ee
lockdown: Lock down TIOCSSERIAL
● Lock down TIOCSSERIAL as that can be used to change the ioport and irq settings on a serial port. This only appears to be an issue for the serial drivers that use the core serial code. All other drivers seem to either ignore attempts to change port/irq or give an error.
40. LOCKDOWN_MMIOTRACE
● Commit id: 906357f77a
x86/mmiotrace: Lock down the testmmiotrace module
● The testmmiotrace module shouldn't be permitted when the kernel is locked down as it can be used to arbitrarily read and write MMIO space.
41. LOCKDOWN_DEVICE_TREE
● Commit id: 99df7a2810
powerpc/pseries: block untrusted device tree changes when locked down
● The /proc/powerpc/ofdt interface allows the root user to freely alter the in-kernel device tree, enabling arbitrary physical address writes via drivers that could bind to malicious device nodes, thus making it possible to disable lockdown.
● SUSE does NOT lock down the kernel on powerpc.
42. LOCKDOWN_XMON_WR
● Commit id: 69393cb03c
powerpc/xmon: Restrict when kernel is locked down
● Xmon should be either fully or partially disabled depending on the kernel lockdown state.
● SUSE does NOT lock down the kernel on powerpc.
43. LOCKDOWN_RTAS_ERROR_INJECTION
● Commit id: b8f3e48834
powerpc/rtas: block error injection when locked down
● The error injection facility on pseries VMs allows corruption of arbitrary guest memory, potentially enabling a sufficiently privileged user to disable lockdown or perform other modifications of the running kernel via the rtas syscall.
● SUSE does NOT lock down the kernel on powerpc.
44. Summary
● The Tumbleweed kernel is locked down on x86_64 and arm64 to align with SLE/Leap.
● The Tumbleweed kernel is locked down in the integrity state when EFI secure boot is enabled.
● General raw interfaces are restricted. Applications should access a safe interface exported by the specific driver instead.
● Module parameters that specify hardware parameters (io ports, iomem addresses, irqs, dma channels, fixed dma buffers and other types) are also restricted.
45. Reference
● [1] Kernel lockdown patches for v5.4. https://lore.kernel.org/lkml/alpine.LRH.2.21.1909101402230.20291@namei.org/
● [2] Kernel lockdown locked out — for now. https://lwn.net/Articles/751061/
● [3] Re: [PATCH] x86: Lock down MSR writing in secure boot. https://lore.kernel.org/lkml/20130208191213.GA25081@www.outflux.net/T/
● [4] [Bug 1198101] VUL-0: shim: openSUSE tumbleweed not fully locked down? Add opensuse-cert-prompt back to openSUSE shim.
● [5] Card Information Structure (CIS). http://blog.chinaunix.net/uid-20235103-id-1970862.html