GNU Linux-Libre 5.7 Released - Drops Intel iGPU Security Fix Over Arrays Of Numbers
The GNU Linux-libre 5.7-gnu kernel was released following last weekend's Linux 5.7 kernel release. The info-gnu mailing list was slow, though, so the announcement for the latest version of this sanitized Linux kernel is only hitting the wire today. One interesting change in GNU Linux-libre 5.7-gnu is dropping the Intel Gen7 "iGPU Leak" security mitigation over not liking the sources.
Alexandre Oliva of FSF Latin America announced GNU Linux-libre 5.7-gnu as the latest version of their kernel re-based to Linux 5.7 that then strips out support for loading binary-only kernel modules, drivers that depend upon non-free firmware/microcode, and other restrictions in the name of software freedom. With Linux 5.7 some of the additional cleansing includes:
The 5.7 upstream release removed the i1480 uwb driver, that we used to clean up, but added a crypto driver for the Marvell OcteonTX CPT, for Mediatek MT7622 WMAC, for Qualcomm IPA, for the Azoteq IQS620A/621/622/624/625 Multi-function device, for IDT 82P33xxx PTP clock, and a Modem Host Interface (MHI) bus driver, all of which required cleaning up. Actually, the MHI bus one is tentative: I couldn't quite figure out what it is that it loads, so I've conservatively blocked it in the likely case it is a piece of non-Free Software.
Some further adjustments were required on account of the introduction of the function firmware_request_platform to the firmware-loading interface, of the usual assortment of false positives all over, and blob adjustments in AMD GPU, Arm64 DTS files, Meson VDec, Realtek Bluetooth, m88ds3103 dvb frontend, Mediatek mt8173 VPU, Qualcomm Venus, Broadcom FMAC, Mediatek 7622 and 7663 wifi, silead x86 touchscreen; of the movement of the cleaned-up mscc phy driver (and new blob names in it) and wd719x documentation within the source tree; and of something very unexpected: the introduction of binary blobs as arrays of numbers in source code for gen7 i915 gpus.
I unfortunately could not find corresponding sources for the new binary blobs introduced in such an old-fashioned way, and they're big enough and not regular enough that I could just assume them to be data rather than code, so I've removed them. If you come across source code for those bits, or can explain to me how transparent and trivial they are once they're disassembled with existing Free tools, I'll be very glad to restore them.
The Qualcomm cleaning isn't too surprising given all of the code that was upstreamed this cycle for benefiting their SoCs and different devices now with better upstream support, albeit less so when using the GNU Linux-libre kernel given their dependency on binary firmware.
But what is surprising is "the introduction of binary blobs as arrays of numbers in source code for gen7 i915 gpus." That is actually the Intel Haswell / Ivybridge iGPU Leak mitigation for addressing CVE-2019-14615, a.k.a. the Intel iGPU information leakage vulnerability from a few months ago. That vulnerability was corrected promptly for modern Intel Gen graphics, but the Gen7/Gen7.5 mitigation took much longer due to working around the huge performance penalties that initially occurred.
Those performance issues were resolved and the Intel Ivybridge/Haswell iGPU Leak mitigation was merged in Linux 5.7 to prevent those users on these older generation graphics from potentially being compromised. But GNU Linux-libre 5.7 is unprotected now over the handling of it.
The "binary blobs as arrays of numbers" are compiled kernels for clearing EU/L3 residual contexts in addressing this vulnerability. As noted in the source code, these kernels were compiled using Intel's open-source IGT and are precompiled for Haswell and Ivy Bridge so that the kernel driver can emit them quickly and easily.
Those curious about these "binary blobs" can find them via this commit.
Hopefully the next GNU Linux-libre kernel will end up changing their stance on that, but for now it actually leaves their kernel at risk from this Intel iGPU Leak vulnerability. At least according to the university researchers that discovered this Intel graphics vulnerability, iGPU Leak can be used for website fingerprinting, AES attacks, and other exposure. Proof-of-concept code is available, with more details via the iGPU-Leak research.