Greg Kroah-Hartman: Outside Phone Vendors Aren't Updating Their Linux Kernels

"Linux runs the world, right? So we want to make sure that things are secure," says Linux kernel maintainer Greg Kroah-Hartman. When asked in a new video interview which bug makes them most angry, he first replies "the whole Spectre/Meltdown problem. What made us so mad, in a way, is we were fixing a bug in somebody else's layer!" One also interesting thing about the whole Spectre/Meltdown is the complexity of that black box of a CPU is much much larger than it used to be. Right? Because they're doing -- in order to eke out all the performance and all the new things like that, you have to do extra-special tricks and things like that. And they have been, and sometimes those tricks come back to bite you in the butt. And they have, in this case. So we have to work around that.
But a companion article on Linux.com notes that "Intel has changed its approach in light of these events. 'They are reworking on how they approach security bugs and how they work with the community because they know they did it wrong,' Kroah-Hartman said." (And the article adds that "for those who want to build a career in kernel space, security is a good place to get started...")

Kroah-Hartman points out in the video interview that "we're doing more and more testing, more and more builds," noting "This infrastructure we have is catching things at an earlier stage -- because it's there -- which is awesome to see." But security issues can persist thanks to outside vendors beyond their control. Linux.com reports: Hardening the kernel is not enough, vendors have to enable the new features and take advantage of them. That's not happening. Kroah-Hartman releases a stable kernel every week, and companies pick one to support for a longer period so that device manufacturers can take advantage of it. However, Kroah-Hartman has observed that, aside from the Google Pixel, most Android phones don't include the additional hardening features, meaning all those phones are vulnerable. "People need to enable this stuff," he said.

"I went out and bought all the top of the line phones based on kernel 4.4 to see which one actually updated. I found only one company that updated their kernel," he said. "I'm working through the whole supply chain trying to solve that problem because it's a tough problem. There are many different groups involved -- the SoC manufacturers, the carriers, and so on. The point is that they have to push the kernel that we create out to people."
"The good news," according to Linux.com, "is that unlike with consumer electronics, the big vendors like Red Hat and SUSE keep the kernel updated even in the enterprise environment. Modern systems with containers, pods, and virtualization make this even easier. It's effortless to update and reboot with no downtime."

Re:

[Anonymous Coward]

It seems the default line from vendors is - well, if you want the latest Android, buy a new phone. Samsung and others need to get off their collective bums. Either roll us the updates, or drop phone prices radically. Complete BS dropping a few hundred (times number of people in your household) every 2-3 years when the old phones are still perfectly fine. We've only replaced when phones have been severely damaged in drops (rare).

Re:if you want the latest Android, buy a new phone

[wolfheart111]

therefor no incentive to update.

Re:

[smi.james.th]

I wouldn't judge too harshly on that. My Nokia 8 tells me there are security updates about every month or two and I find it slightly annoying. I think more people would find it annoying if it were more frequent, and there would be more incentive to turn it off (bad idea).

The other factor to consider of course is, are the Intel (and ARM I guess...) security problems really that big a deal? Red Hat and SUSE would need to patch them but speculative execution things while in theory possible shouldn't really be

Re:Androids are targeted at poor people

[drinkypoo]

Red Hat and SUSE would need to patch them but speculative execution things while in theory possible shouldn't really be a big deal for a cellphone because you're not virtualising anything (AFAIK).

1) Sandboxing
2) Javascript
3) Malware doesn't get caught by the app store screening processes

Re:Androids are targeted at Cheap people

[Ol Olsoc]

You mean cheap people.

I work on HP superdomes

[Anonymous Coward]

RHEL 7.x with a 3.1x kernel isn't keeping up.

Re:

[Zontar The Mindless]

And my brother is named for both our grandmothers. (Their maiden family names are his given names.) What of it?

Re:

[Anonymous Coward]

Found the n00b. AIDS was an MS-DOS virus which exploited the fact that .COM would be executed before .EXE if both files had the same name and existed within the same directory.

Go back to sucking on mommy's tit, child. Adults are talking.

Re:

[mcswell]

Same here (Lumia 950). I sure wish Microsoft hadn't given up on phones, but even so I have to credit them with the security updates.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Tsolias]

red flag linux is communist's distro.
natsoc's distro is hitlerlinux

Re:

[Tsolias]

the one that came out of the closet?

Binary Blobs is the problem with Linux kernels.

[BrookHarty]

Its always been the same issue, over and over and over. If you need sources for 3rd party closed drivers, you cant update the kernel without them.

This needs to be fixed. This will fix everything, older android can be updated, linux systems like phones and tablets can be updated, forever.

Re:Binary Blobs is the problem with Linux kernels.

[Alwin Henseler]

This will fix everything, older android can be updated, linux systems like phones and tablets can be updated, forever.

No it won't. Basic premise for Android is:

• Issue gets fixed in upstream kernel (Linux)
• Fix 'trickles down' into some open source Android release
• Carrier or phone vendor produces updated build that end users can install

That last bit simply isn't happening. As much as they can get away with, carriers or phone vendors just do a few updates (say over a year, 2 years if you're lucky), and that's it.

The way around that requires a couple of things:

• Open source drivers for the hardware in the phone (as you stated)
• Some community project that takes those drivers & produces updated builds for phone models X, Y or Z. In practice, there aren't many of those community projects (active), and # of supported models is limited.
• Some way to upload that build to your phone. Read: an unlocked bootloader. Which is the exception rather than the rule for Android phones (eg. my phone doesn't come with an unlocked bootloader afaik).

Bottom line: in most cases end users are still stuck, even if open source drivers are available. Android's update model is simply broken to begin with.

Re:

[arglebargle_xiv]

The way around that requires a couple of things:

Just one actually: Governments legislate that phone vendors have to provide updates for at least three years after first sale.

There are already plenty of laws around requiring manufacturers to support their product, this one is a simple follow-on from those. Nothing else will do it, there just aren't enough OSS enthusiasts around to keep playing catchup with what phone vendors are doing.

Re:

[Anne Thwacks]

Governments legislate that phone vendors have to provide updates for at least seven years after first sale.

FTFY

Re:

[Cardcaptor_RLH85]

The battery won't last seven years. Until we have better energy storage technology, three makes much more sense.

Re:

[mcswell]

Replaceable batteries. My Microsoft Lumia 950 has one of those. I think the only reason not to have one is to make sure you buy a new phone after a few years. (I've heard that the replaceable battery makes the phone thicker. I don't care.)

Re: Binary Blobs is the problem with Linux kernels

[Anonymous Coward]

A phone with an unlocked bootloader is an extreme problem in terms of security. I relock my bootloader every time i finish installing a custom firmware.

With an unlocked bootloader (or even custom recovery), you left a gaping security hole that anyone can modify the boot sequence \ software. They can, for example, shim your touch interface driver and capture all input. Modify the OS...

Please, for the love of security, don't speak and don't do unless you understand the risks involved.

Re: Binary Blobs is the problem with Linux kernels

[Anonymous Coward]

There's a HUGE difference between an unlocked bootloader and an unlockable bootloader.

Most phones save a few have an unlockable bootloader. Precisely 0 factory devices have an unlocked bootloader

Re:Binary Blobs is the problem with Linux kernels.

[Tough Love]

As the mountains of orphaned but still perfectly functional phones continue to pile up, interest in and support for community supported custom ROMs continues to increase, LineageOS being the leading project. Because vendors aren't releasing the necessary technical details, a lot of this is reverse engineering and binary hacks to use the phone's original hardware drivers, while updating the kernel and all the libraries using open source Android. There is just an endless supply of hardware to play with, which is all basically free. I myself have a perfectly functional Nexus 4 sitting here, useless because Google refused to provide an update to fix the notorious navigation button touchscreen bug. So that makes it a toy to play with custom roms, nothing to lose, and a functional phone to gain.

By the way, the Nexus was replace by a Moto. I'm never buying hardware from Google again because they got arrogant and don't stand behind it, never mind the Apple envy pricing.

Re:

[kurkosdr]

Nope, most people won't do a procedure not endorsed by the manufacturer such as flashing an unofficial ROM, a procedure that is user unfriendly to begin with. They 'll just keep using their unpatched devices. A look at Google's own distribution chart is enough to prove this point. Any pre-Nougat devices shown there are guaranteed to be unpatched and hence potentially vulnerable to a "golden" exploit.

Re:

[Tough Love]

Nope, most people won't do a procedure not endorsed by the manufacturer such as flashing an unofficial ROM

Most people don't need to do the procedure. One nerd or one screwdriver shop can do hundreds of these. The thing is, these phones are basically free because without a ROM update they are useless. By my count, orphaned smartphones already outnumber in service ones. Everybody has a couple stashed away in a drawer.

Re:

[kurkosdr]

Most people won't go to a nerd with a screwdriver to fix a phone that works. For example, an Android 5.1.1 phone appears to the owner to work "just fine", despite missing several security patches. Again, Google's own dashboard is pretty telling on the state of the Android ecosystem when it comes to security patching. Every pre-Nougat device you see there is running unpatched (but appears to be running just fine to the owner).

Re:

[Tough Love]

They'll ebay it for next to nothing. It will keep changing hands for less and less money until it ends up in the hands of somebody who know how to reflash it. Especially if reflashing is easy, and it is. Then it goes from being junk to being a fun toy again. This is going to happen to some fraction of used phones, the only question is, how many. You can be sure it will increase over time as more rescue candidates heap up at the bottom.

Re:

[kurkosdr]

But until they eBay it for next to nothing, they will be running an unpatched phone, as Google Dashboard stats show.

Re:

[Tough Love]

I'm talking about phones that are already out of service because the owner owns a newer one. As I see it, a lot of these become toys for playing with custom roms. I've got two of those now, how about you? Some of those will actually go back into service because of running the latest, fully patched Android release. Something you can hand your kids without getting to worked up if it gets lost, broken or stolen.

Re:

[kurkosdr]

Yes, I am sure this happens. But again, the official figures from Google show that there are KitKat, Lollipop and Marshmallow phones (with their factory unpatched ROM) in service in far greater numbers than you think. And that's a security problem. The Google dashboard doesn't measure activated devices but active devices.

Re:

[Tough Love]

My Kitkat phone is useless because many important apps won't install on it. Over time, that factor alone will create enough pressure to create the "rescue" segment.

Re:

[kurkosdr]

But your phone went through a stage where it got apps but no security updates. This is the stage Lollipop phones are now. And there lies the security risk: These phones are perfectly functional and can run most play store apps but are unpatched, and the Google dashboard stats confirm that these phones are indeed active and used. Can't say it in simpler terms. Cheers.

Re:

[Tough Love]

The vast majority of people don't want to play with old hardware or play with custom roms to try and achieve a functional phone.

The phone is worth zero to them so they can just give it away to somebody who does like to play with roms. And feel good about it because that's one less piece of electronics in a landfill.

Re:

[MtHuurne]

A lack of driver source code could be a problem upgrading the kernel from for example 4.4 to 4.9, since internal kernel interfaces may have changed. However, upgrading the kernel from 4.4.7 to 4.4.123 will only include bug fixes with no interface changes and the vast majority of consumer electronics manufacturers aren't doing those upgrades either.

Are you *SURE* about that?

[Anonymous Coward]

As someone who has lived through the 1.2, 2.0, 2.2, 2.4, 2.6, 3.x, and 4.x kernel minors, I can tell you that there can be a lot of API/ABI flux even in patchlevel updates. 2.6.9-2.6.10 and 2.6.31 to 2.6.32 I believe were the most heinous. 2.2 and 2.4 also had similar issues where newer versions required everything from different compilers to different glibcs to work together properly.

Maybe these particular patchlevels didn't, but it merits scrutiny.

Re:

[MtHuurne]

The third digit since 3.0 is comparable to the fourth digit before 3.0.

Re:

[MtHuurne]

Sorry, number, not digit. In any case, the patch level is the last number in the series and since 3.0 the version number was shortened from 4 numbers to 3 numbers.

Re:

[mcswell]

"They just want you to buy a new and *more expensive* phone" FTFY

Re:

[jonwil]

The biggest problems with updating kernels are vendors who don't comply with the GPL (not releasing kernel source at all, releasing incomplete kernel source, releasing kernel source that doesn't match the shipping binaries, taking forever to release kernel source after a new update to the device, stuff like that) and vendors who lock down the devices so that replacing the kernel isn't possible.

Re:

[kurkosdr]

Always wondered how binary blobs are even legal with the GPLv2

Re:

[exomondo]

Always wondered how binary blobs are even legal with the GPLv2

Because the kernel isn't GPLv2, it's often lauded as the biggest success story of the GPL but in fact it has a very specific exception [github.com] which would otherwise put any software with an incompatible license making syscalls to the kernel in violation of the GPL.

This is one of the things that has led to the Linux kernel being so successful.

Re:

[exomondo]

Its always been the same issue, over and over and over. If you need sources for 3rd party closed drivers, you cant update the kernel without them.

This needs to be fixed. This will fix everything, older android can be updated, linux systems like phones and tablets can be updated, forever.

You don't need the sources if a kernel module to load the binary driver is provided (like how the nVidia linux drivers work) or if the kernel provides a stable ABI (like the way Windows works). It's nice to say "well every manufacturer of hardware should just release all their driver code as open source" but it's just not realistic, and anyway somebody has to then maintain that driver code and there is a cost to doing that.

Re:

[Tsolias]

neither Linus nor Greg are Theos.
Only Theo de Raadt had the balls to say NO to intel's incompetence in creating a secure product. He didn't bother cleaning up someone else's shit, he decided to disable those features, e.g. HyperThreading(tm).
If Linus had the balls to yell at intel, or even flip the middle finger, like he did with novidia, he would've blocked all those patches that not only messed up with the kernel's internals, but caused regressions and the fucking patch that intel sent, disabled features

Re:

[Antique Geekmeister]

I'd submit that, if OpenBSD had any market presence, Theo de Raadt and the core OpenBSD kernel team would have handled this differently. Since their market share is so very small with so few commercial customers, it seems unworth their effort to attempt to integrate a subtle kernel patch written by a vendor to fix a kernel optimization feature not critical to their niche marketplace.

For NVidia cards, I cannot find anyone who uses OpenBSD for high performance graphics. This is especially since almost no game

Re:

[Tsolias]

it seems unworth their effort to attempt to integrate a subtle kernel patch written by a vendor to fix a kernel optimization feature not critical to their niche marketplace.

servers are a niche marketplace? Since when?
Also, I don't think that Theo checked the size of his slice in the operating system usage pie chart, in order to form his opinion. As a matter of fact, his stance not only caused trouble in the small community that uses openbsd in their servers, but avoided new users installing it on their machines.

My mention about nvidia is only as a reference to the middle finger and has nothing to do with nvidia running on openbsd.

Re:

[wangmaster]

My mention about nvidia is only as a reference to the middle finger and has nothing to do with nvidia running on openbsd.

It's not like that middle finger from Linus influenced nvidia that much. They still use completely proprietary binary blobs in their drivers, they still have driver based firmware blobs that are a pain in the ass for alot of users and distributions, Their optimus hybrid support on linux is still pretty shitty (iirc that's the question that prompted the middle finger) and they still aren't contributing significantly to nouveau.

Re:

[Antique Geekmeister]

Servers are not a niche market. OenBSD hosts of any kind are a niche market. Reasonably honest audits, such as those at https://idatalabs.com/tech/ope... [idatalabs.com], report its deployed percentage as roughly 1/10 of 1 percent of operating systems. If their market were larger, there would be more customers to complain about losing a few percent of performance by disabling the threading behavior.

Outside Phone vendors?

[nospam007]

Saul Goodman?

Re:

[Zontar The Mindless]

One would think that at least one of those shows' writers would've had read Illuminatus! [wikia.com] at some point, but I guess not.

Software should be free from hardware

[Uldis Segliņš]

Phone vendors can not and do not want to support their phones software long term. That is fair deal. But the users should not suffer from that. We need a separation of hardware and software. Like on a PC, where I can update kernel, change repositories, install a new graphics driver, dual boot etc. Not like on phones now, where whole system has to be flashed just to get newer kernel with current security added. And this is a rock in Googles garden. They should make this change in Androids concepts. Require published interoperability documentation for components, standardisation of APIs. And make the first repository to be used regardless of phone model. Then other phone manufacturers could just add own repos with some specific drivers etc. Independent repos with fixes would pop up immediately. No need to reinwent the wheel.

Android as hypervisor

[swb]

Maybe that's what Android needs, a hypervisor, and what we know now as Android the operating system could just run as a VM. All the physical device drivers could be abstracted as virtual devices and supported in the OS with open source virtual device drivers.

This would at least make the OS itself easier to update. The hypervisor would probably need updating as well, but I'd wager less often than the actual OS and without the burden of physical device drivers to worry about it could happen more often.

Not all phones are vulnerable

[Vlad_the_Inhaler]

Back when the fit hit the shan with this issue, I found a reliable resource which stated which phones were vulnerable and which were not. I have a Samsung Galaxy something-or-other and its processor turns out not to be affected. The kernel is from early 2017 and I'm not particularly happy with that but this particular problem is a non-issue for a massive number of users.

Will never change, will never happen

[rainer_d]

There's no income from updating android on a phone already sold. It's actually negative income because a new one doesn't get sold.
Google may make some profit on the ads, but nothing of that reaches the vendor.

Apple has Music, iCloud, the AppStore. When they provide an update to iOS on a five year old phone, people continue to use it and buy apps, in-app purchases , iCloud storage for it (and maybe an AppleMusic subscription). That, combined with a nice profit on the hardware itself, is apparently enough for them to backport all the fixes and all the performance-improvements five years down the hardware memory-lane.

cornfused

[mcswell]

The OP (and this is quoted directly from the linked-to article, which is no more enlightening):

"...aside from the Google Pixel, most Android phones don't include the additional hardening features, meaning all those phones are vulnerable...I went out and bought all the top of the line phones based on kernel 4.4 to see which one actually updated. I found only one company that updated their kernel..."

Color me confused. Is he saying that only Google (Pixel) updated their kernel? Or that one unnamed company (n

RHEL still at Linux kernel 3.10

[yanestra]

Maybe Fedora updates on a regular base, RHEL (Redhat Enterprise Linux) does not.