Linux To Try Again To Disable All RNDIS Protocol Drivers

  • Linux To Try Again To Disable All RNDIS Protocol Drivers

    Phoronix: Linux To Try Again To Disable All RNDIS Protocol Drivers

    Several months back there was work to disable all Microsoft Remote Network Driver Interface Specification (RNDIS) drivers in the Linux kernel on the basis that they are insecure, among other factors. That plan met opposition over concerns that it could disrupt USB tethering support and the like. It has been months since any updated plans for disabling or dropping the RNDIS drivers were heard of, but the Git branch for disabling this class of drivers was updated today...


  • #2
    Originally posted by Greg
    Android has had this disabled for many years so there should not be any real systems that still need this
    I am not sure where he got this information from, but I just tested USB tethering on my phone and the `rndis_host` module gets loaded on my laptop. And my phone ain't old, it is a Ulefone Power 5, which was first released in 2018, and I personally bought it around 2020.

    So yeah, modern phones still require this support 🤷‍♂️



    • #3
      Originally posted by Hi-Angel

      I am not sure where he got this information from, but I just tested USB tethering on my phone and the `rndis_host` module gets loaded on my laptop. And my phone ain't old, it is a Ulefone Power 5, which was first released in 2018, and I personally bought it around 2020.

      So yeah, modern phones still require this support 🤷‍♂️
      I would heavily suggest you put this on the making list, then.



      • #4
        Originally posted by Snaipersky

        I would heavily suggest you put this on the making list, then.
        GKH doesn't care. Last time it came up on the mailing list any objections to this disabling hardware were either ignored or contended that there is no solution to the problem so it should be disabled anyway. Quoting my post from the last time this came up on Phoronix:

        Originally posted by Namelesswonder
        This is going to prevent the use of many USB modems and tethering from the overwhelmingly vast majority of Android phones.

        As it stands, currently the only phones that don't use RNDIS and instead use CDC NCM are the Pixel 6 and 7 lines of phones.
        Android hasn't "had this disabled for many years", there are "real systems" that rely on RNDIS: it's over 99% of Android devices.
        It's still the protocol chosen by vendors as it's the lowest common denominator. The Android developers haven't made any moves to remove or revise supported configurations so devices that are launching with Android 14 can still only implement RNDIS.

        My question is still the same as when the patch first hit the mailing list: what vulnerability is there that is so catastrophic that the only solution is to slowly remove support for it, while the ones still implementing it are left in the dark?
        Is it not possible to add the ability to not initialize the driver and USB interface if the device has not been trusted for that session? If it's going to be drummed on about untrusted devices being a vulnerability, then why does the USB subsystem automatically trust them?

        And there still has been no response to the issues or questions brought up by the sole person who NACKed the patch, the Google network developer. If it's going to be forced through anyway, then why were the incorrect statements not removed or revised?

        In the end distributions are still going to be building kernels with it, as plenty of users rely on it as the sole method of internet connection.
        The Google network engineer correctly asserted that many Android devices still only use the RNDIS gadget and thus require the RNDIS driver on the host in order for USB tethering to function, and that Android hasn't had this disabled and it's entirely on what the SoC vendor supports. GKH continues to ignore this and assumes Android has ceased using it, which is not true.

        I don't know the currently supported protocols on recent phones like the Galaxy S23, but new Android phones are still a small drop in the bucket of billions of older Android devices.

        As I said last time we're probably going to see distributions continue to use RNDIS and just revert the patch if it does make it in, as it would be a very breaking change for users relying on RNDIS to update and then have no internet and no recourse.

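Added example (not from this thread or from the kernel project), following the question in #4 about not binding a driver until a device has been trusted and the module question in #6: a POSIX shell audit of two controls Linux already exposes, the per-root-hub sysfs knobs `authorized_default` and `interface_authorized_default` (set to 0, new devices or interfaces wait for an explicit authorization before any driver such as rndis_host binds) and a modprobe.d rule that keeps rndis_host installed but never auto-loaded. The directory arguments are an assumption added so the functions can run against a constructed copy of sysfs and modprobe.d rather than the live system.

```shell
#!/bin/sh
# Defender-side audit of USB authorization and rndis_host auto-load policy.
# Assumed layout (real defaults shown; override for a constructed tree):
#   $SYSFS/usbN/authorized_default            1 = auto-authorize new devices
#   $SYSFS/usbN/interface_authorized_default  1 = auto-authorize new interfaces
#   $MODPROBE_DIR/*.conf                      modprobe policy files
# A root hub with both knobs at 0 will not probe rndis_host (or any other
# driver) for a freshly plugged device until an admin writes 1 to that
# device's or interface's "authorized" attribute.

# Print "blocked" if a modprobe.d rule stops rndis_host from auto-loading,
# "allowed" otherwise. "blacklist" only disables alias-based autoload;
# "install rndis_host /bin/false" also refuses an explicit modprobe.
rndis_modprobe_policy() {
    dir="${1:-/etc/modprobe.d}"
    pat='^[[:space:]]*(blacklist[[:space:]]+rndis_host|install[[:space:]]+rndis_host[[:space:]]+/bin/(false|true))([[:space:]]|$)'
    if grep -Eqs "$pat" "$dir"/*.conf; then
        echo blocked
    else
        echo allowed
    fi
}

# One line per root hub: "<hub> devices=<0|1|missing> interfaces=<0|1|missing>".
# "missing" means the kernel does not expose that knob for the hub.
usb_auth_report() {
    root="${1:-/sys/bus/usb/devices}"
    for hub in "$root"/usb*; do
        [ -d "$hub" ] || continue
        dev=$(cat "$hub/authorized_default" 2>/dev/null || echo missing)
        ifc=$(cat "$hub/interface_authorized_default" 2>/dev/null || echo missing)
        echo "$(basename "$hub") devices=$dev interfaces=$ifc"
    done
}

# Number of root hubs that still auto-authorize new devices (the stock default),
# i.e. hubs where a plugged-in RNDIS gadget would get its driver bound at once.
usb_open_hubs() {
    usb_auth_report "$1" | grep -c 'devices=1' || true
}
```

Run the three functions with no arguments on a real host to see its current posture; a hub reported as `devices=1` with `rndis_modprobe_policy` printing `allowed` is the "trust everything" configuration the comment above describes.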


        • #5
          For Android, the kernel version is frozen years before the device even hits shelves; they practically never get new kernel updates, only backported fixes for vulnerabilities (when we're lucky).

          This will not impact existing devices at all

          For future devices, Google can either patch the kernel, or manufacturers can patch the kernel, or (unfortunately) consumers can be forced to throw away insecure/affordable networking adapters and buy new ones



          • #6
            Originally posted by Namelesswonder

            GKH doesn't care. Last time it came up on the mailing list any objections to this disabling hardware were either ignored or contended that there is no solution to the problem so it should be disabled anyway. Quoting my post from the last time this came up on Phoronix:

            The Google network engineer correctly asserted that many Android devices still only use the RNDIS gadget and thus require the RNDIS driver on the host in order for USB tethering to function, and that Android hasn't had this disabled and it's entirely on what the SoC vendor supports. GKH continues to ignore this and assumes Android has ceased using it, which is not true.

            I don't know the currently supported protocols on recent phones like the Galaxy S23, but new Android phones are still a small drop in the bucket of billions of older Android devices.

            As I said last time we're probably going to see distributions continue to use RNDIS and just revert the patch if it does make it in, as it would be a very breaking change for users relying on RNDIS to update and then have no internet and no recourse.
            So removed at the kernel level but available via module for distros (or users) to install when needed?

            Seems like a compromise



            • #7
              What's insecure about this? If I own both devices and plug them together, am I vulnerable to something? Or is the threat that 'some foreign device can be plugged into your trusted one and your device will trust the foreign device and accept it as a network interface'? Because the latter is simply "you're holding it wrong". Are we getting rid of USB/HID? I can plug a hostile device into your trusted one and you'll trust my device if it claims to be HID.



              • #8
                Originally posted by phoronix
                ... disable all Microsoft Remote Network Driver Interface Specification (RNDIS) drivers...
                Have any Microsoft Linux kernel developers been spotted who are addressing this?



                • #9
                  This smells like disaster!

                  Michael please write about it. It needs to be known.



                  • #10
                    WTF?
                    Don't tell me that Android USB tethering will stop working because of this?
                    How the fuck are we going to install newer Linux kernels and Realtek firmware on recent laptops with no Ethernet port that have an 802.11ax Wi-Fi adapter, which doesn't work unless you first upgrade the Linux kernel to at least 6.2 and install newer Realtek firmware?
                    This already happened with a friend's laptop and the only way to have an internet connection to fix the Wifi adapter was to use Android's USB tethering.
