Linux
Refer to LTK, and to Linux OS background here.
Contents
General interest
Booting
Regular booting: firmware, boot loader, init
- Debian boot process
- Execution of the UEFI (legacy: BIOS) code
- Execution of the boot loader code (GRUB, legacy: lilo); the Debian default is to have the first-stage GRUB boot loader code in the Master Boot Record (MBR)
- Execution of the /init program under the Linux kernel, with the expanded initramfs image in memory as the temporary root file system; /init is a shell script that initializes the kernel in user space and hands control over to /sbin/init on the hard disk while switching to the real root file system
- Execution of /sbin/init under the Linux kernel, with the root file system now on the hard disk; the desired runlevel is then activated
Firmware: UEFI
DebbyBuster has the InsydeH2O BIOS, the Insyde Software (Taiwan) implementation of the Intel Platform Innovation Framework for UEFI/EFI.
GRUB
GRUB (GRand Unified Bootloader) can be used to boot most operating systems on Intel platforms. There are two versions: GRUB Legacy (GRUB 1) and GRUB 2.
What do I have?
- If I enter 'sudo grub-mkconfig --version'
- I get 'grub-mkconfig (GRUB) 2.02+dfsg1-20+deb10u4'
- 'info grub-mkconfig' gives a description
- See the /boot/grub/grub.cfg file, which is built from the scripts in /etc/grub.d/...
Secure booting
UEFI Secure Boot and Shim
The UEFI 2.3.1 Errata C specification (or higher) defines a protocol known as Secure Boot, which can secure the boot process by preventing the loading of UEFI drivers or OS boot loaders that are not signed with an acceptable digital signature. Supported by Debian since Debian 10.
Shim is a boot loader to chain-load signed boot loaders under Secure Boot. Shim becomes the root of trust for all the other distro-provided UEFI programs. It embeds a further distro-specific CA key that is itself used for signing further programs (e.g. Linux, GRUB, fwupdate). This allows for a clean delegation of trust - the distros are then responsible for signing the rest of their packages. Shim itself should ideally not need to be updated very often, reducing the workload on the central auditing and CA teams.
Windows 10 allows OEMs to decide whether or not Secure Boot can be managed by users of their x86 systems.
The Machine Owner Key (MOK) mechanism allows the machine owner to enrol their own keys with shim, so that files signed with those keys are accepted at boot.
Finding out your status:
- 'sudo mokutil --sb-state'
- output: SecureBoot disabled
- output: Platform is in Setup Mode (no Platform Key is enrolled, so the firmware accepts key enrolment without authentication)
Installed shim files:
- shim-helpers-amd64-signed/stable,now 1+15.4+5~deb10u1 amd64 [installed,automatic]
- shim-signed-common/stable-updates,now 1.36~1+deb10u2+15.4-5~deb10u1 all [installed,automatic]
- shim-signed/stable-updates,now 1.36~1+deb10u2+15.4-5~deb10u1 amd64 [installed]
- shim-unsigned/stable,now 15.4-5~deb10u1 amd64 [installed,automatic]
Debian and TPM
See also local files:
Debian TPM tools:
- tpm2-abrmd/stable,now 2.1.0-1 amd64 [installed,automatic]
- tpm2-tools/stable,now 3.1.3-2 amd64 [installed,automatic]
Do a 'dpkg -L tpm2-tools' to see the files.
Debian's tpm2-tools are based on TrouSerS, a Trusted Computing Software Stack (TSS).
Installed:
- libtss2-esys0/stable,now 2.1.0-4 amd64 [installed,automatic]
- libtss2-udev/stable,now 2.1.0-4 all [installed,automatic]
Linux kernel
Linux distinguishes between:
- User mode (user applications, system components (daemons, window managers, graphics, ...), standard C libraries)
- Kernel mode: the System Call Interface (SCI, around 380 system calls such as open, close, exit, ...), subsystems (process scheduling, IPC, memory management, virtual file system, network), other components (ALSA, LVM, netfilter, ...) and Linux Security Modules (access control: SELinux, AppArmor, ...)
- Hardware
Four interfaces:
- In-kernel API
- In-kernel ABI
- Kernel-to-userspace API
- Kernel-to-userspace ABI
And then there's the TEE...
Use 'ps aux' to see what processes are running. Any kworker processes are kernel processes doing "work" (processing system calls). You can have several of them in your process list: kworker/0:1 is the one on your first CPU core, kworker/1:1 the one on your second, etc.
Perf analyses what kernel tasks are hogging your CPU:
- Install perf: sudo apt-get install linux-tools-common linux-tools-3.11.0-15-generic
- The second package must match your kernel version. You can first install just linux-tools-common and call perf to let it tell you which package it needs.
- Record some 10 seconds of backtraces on all your CPUs: sudo perf record -g -a sleep 10
- Analyse your recording: sudo perf report
Disks, partitions, logical volumes
- Debian LVM - physical disk, volume groups, logical volumes
- Linux dd command https://en.wikipedia.org/wiki/Dd_(Unix)
- 'dd if=/dev/sdb2 of=partition.image bs=64M conv=noerror' - creates an image of the partition sdb2, using a 64 MiB block size
- 'dd if=/dev/sda2 of=/dev/sdb2 bs=64M conv=noerror' - clones one partition to another
- 'dd if=system.img of=/dev/sdc bs=64M conv=noerror' - restores a hard disk drive (or an SD card, for example) from a previously created image
Networking and network security
Within the Linux kernel
- ipfwadm in Linux kernel 2.0.x (based on BSD ipfw)
- ipchains in Linux kernel 2.2.x
- netfilter/iptables in Linux kernel 2.4
- iptables - Wikipedia: a user-space utility program that allows a system administrator to configure the IP packet filter rules of the Linux kernel firewall, implemented as different Netfilter modules
- The term iptables is also commonly used to refer inclusively to the kernel-level components
- Netfilter - Wikipedia: a kernel framework that allows networking-related operations to be implemented as customized handlers (packet filtering, network address translation, port translation)
- Netfilter.org
- nft/nftables in Linux kernel 3.13
- nft is the user-space utility (legacy tools are configured via the utilities iptables, ip6tables, arptables and ebtables)
- nftables - Wikipedia
- is a subsystem of the Linux kernel
- the nftables kernel engine adds a simple virtual machine into the Linux kernel, which is able to execute bytecode to inspect a network packet and make decisions on how that packet should be handled. The operations implemented by this virtual machine are intentionally made basic
- replaces the legacy iptables portions of Netfilter
Separate firewall software
Shells and bash
Basics
- Bash - Wikipedia
- keywords, syntax, dynamically scoped variables and other basic features of the language are all copied from sh
- other features, e.g., history, are copied from csh and ksh
- Bash is a POSIX-compliant shell, but with a number of extensions
- Bash - Debian
- Bash manpage for Debian
Execution and shebang
- When we try to run an executable file, the execve system call is invoked to replace the current process (the bash shell, if we are using a terminal) with a new one and to decide how exactly that should be done.
- If we try to run a text file, execve expects the first two characters of the file to be "#!" (read "shebang" or "hashbang"), followed by the path to the interpreter that will be used to interpret the rest of the script.
The most common need for shebang is when writing shell scripts. Script that greets the user:
#!/bin/sh
echo "Hello, ${USER}"
/bin/sh is a symlink to an sh-compatible implementation of the Shell Command Language. In most cases it will be bash (Bourne-Again SHell), but to ensure portability one should use the symlink.
The script must be executable to work, which can be done with the chmod command: chmod +x name_of_the_file.
To use non-standard program locations the env program can be used, passing the name of the target interpreter as its argument. Then env will look up the interpreter in the user’s PATH variable.
Illustration: another “Hello world” script, using Node:
#!/usr/bin/env node
console.log('Hello world!');
Brace expansion
Brace expansion ('alternation') generates a set of alternative combinations, e.g.
- $ echo a{p,c,d,b}e
- ape ace ade abe
Braces combined with wildcards:
- ls *.{jpg,jpeg,png} # expands to *.jpg *.jpeg *.png - after which the wildcards are processed
Bash execution
When Bash starts, it executes the commands in a variety of dot files. Unlike Bash shell scripts, dot files do not typically have execute permission enabled nor an interpreter directive like #!/bin/bash.
This includes the skeleton ~/.bash_profile.
This may include a short-circuit evaluation such as '[ -r filename ] && cmd' that tests if filename exists and is readable, skipping the part after the && if it is not.
Bash conditional command execution separators
Bash supplies "conditional execution" command separators that make execution of a command contingent on the exit status set by a preceding command. For example:
- cd "$SOMEWHERE" && ./do_something || echo "An error occurred" >&2
Here ./do_something is only executed if the cd command was "successful" (returned an exit status of zero), and the echo command is only executed if either the cd or the ./do_something command returned an "error" (non-zero exit status).
Bash also supports if ...;then ...;else ...;fi and case $VARIABLE in $pattern)...;;$other_pattern)...;; esac forms of conditional command evaluation.
Bash debugging
Bash doesn’t provide any built-in debugger. However, there are commands and constructs that are helpful, including the set and trap commands.
Refer also to Baeldung on bash debugging.
-v for verbose
Minimalistic approach: bash -v invokes verbosity during execution.
-n for noexec (but validation)
To validate the script syntactically prior to its execution one can use the noexec mode using the -n option. As a result, Bash will read the commands but not execute them.
-x for execution trace
To trace the state of variables and commands during execution one can execute the script in xtrace (execution trace) mode using the -x option. This mode prints the trace of commands for each line after they are expanded but before they are executed.
-u for identifying unset variables
To identify unset variables, the -u option treats unset variables and parameters as an error when performing parameter expansion.
trap command, conditional debugging, ...
See https://www.baeldung.com/linux/debug-bash-script
Bash execution exit
After every command, its exit status is stored in the special variable $?.
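An added example (not from the page or the Baeldung article) that exercises the -n, -u and -x switches, the trap command, $? and the && / || separators described above; it runs small constructed script texts in a child sh so the effect of each switch is visible from the calling shell, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: each function exercises one of
# the debugging switches by running a constructed script text in a child sh.

# Constructed script texts used as input.
GOOD_SCRIPT='x=1
echo "x is $x"'
BAD_SCRIPT='if true; then echo unterminated'   # missing "fi"
UNSET_SCRIPT='echo "$NOT_SET_ANYWHERE"'        # references an unset name

# -n: parse only, nothing is executed. Returns 0 iff the text is valid syntax.
syntax_ok() {
    sh -n -c "$1" 2>/dev/null
}

# -u: expanding an unset variable is an error, so a typo in a variable name
# stops the script instead of silently expanding to the empty string.
no_unset_vars() {
    sh -u -c "$1" >/dev/null 2>&1
}

# -x: run the text with tracing and return how many commands were traced
# (trace lines go to stderr and start with the default PS4, "+ ").
trace_count() {
    sh -x -c "$1" 2>&1 >/dev/null | grep -c '^+ '
}

# $? together with && and ||: run a command, keep its status, report it.
status_of() {
    "$@" >/dev/null 2>&1
    rc=$?
    [ "$rc" -eq 0 ] && echo "ok" || echo "failed with status $rc" >&2
    return "$rc"
}

# trap: run a cleanup action when the subshell exits, whatever the status.
# The exit status of the subshell is still that of the command that ran.
with_cleanup() {
    (
        trap 'echo "cleanup ran" >&2' EXIT
        "$@"
    )
}

# Usage when run directly:
syntax_ok "$GOOD_SCRIPT" && echo "good script parses"
syntax_ok "$BAD_SCRIPT" || echo "bad script rejected by -n"
no_unset_vars "$UNSET_SCRIPT" || echo "unset variable caught by -u"
echo "traced commands: $(trace_count "$GOOD_SCRIPT")"
status_of false
with_cleanup true
```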
User space
- systemd.io - project homepage
- systemd - Wikipedia
- Debian systemd
- a software suite that aims to unify service configuration and behavior across distributions
- systemd's primary component is a "system and service manager" — an init system used to bootstrap user space and manage user processes
- also provides replacements for various daemons and utilities, including device management, login management, network connection management, and event logging
- systemd is the first daemon to start during booting and the last daemon to terminate during shutdown. The systemd daemon serves as the root of the user space's process tree
- components:
- systemd is a system and service manager
- Terminology
- A systemd unit is any system resource systemd can manage, including, but not limited to service, socket, device and target.
- A unit file is a configuration file that encodes information about the unit required for systemd to manage that resource. E.g. to configure a service, the unit file to operate on is the .service file.
- A systemd target is the concept systemd introduces to handle boot ordering and event synchronization. Where SysV used runlevels, systemd has the more flexible targets that roughly describe various states and events. systemd provides a number of predefined such targets that are useful when working with service type units.
- A service in systemd is a unit that takes care of running and maintaining a process or a group of processes. A service unit file is a highly standardized and structured configuration file in contrast to SysV init scripts that are (shell-)scripts with some standard headers bolted on top. In addition to starting and stopping services, systemd can also be asked to take action if a service fails.
- There are multiple ways to configure systemd
- Configuration data resides in /etc/systemd, files and subdirectories
- Using an override: the override directory is (for Debian, Ubuntu and CentOS/RHEL) located at /etc/systemd/system. In order to configure only a limited change to the package-supplied unit-file, create the directory /etc/systemd/system/varnish.service.d, and then create a file /etc/systemd/system/varnish.service.d/override.conf with the required changes
- systemctl is a command to introspect and control the state of the systemd system and service manager. Not to be confused with sysctl
- systemctl without arguments displays a list of all loaded systemd units (units: any resource that the system knows how to operate on and manage, configured in unit files)
- systemctl status displays the overall status (states: )
- systemctl list-units --type=service displays a list of all loaded services (services: ...)
- systemctl list-units --type=service --state=active displays a list of all loaded and active services, this includes running and exited services
- systemctl list-units --type=service --state=running displays a list of all services that are loaded, active and running
- Using systemctl to enable/disable a service when the server boots (enabling does NOT start the service):
- systemctl enable sshd
- systemctl disable sshd
- Using systemctl to start or stop a service:
- systemctl status sshd
- systemctl restart sshd
- systemctl start sshd
- systemctl stop sshd
- systemctl kill sshd
- systemd-analyze determines system boot-up performance statistics and retrieves other state and tracing information
- plus a wide range of ancillary components such as journald, logind, resolved, networkd, ...
Observation: there are other ways to automatically start services. E.g. autostart: Microsoft Teams is started via /home/marc/.config/autostart/teams.
Linux security
Linux kernel security
Linux kernel TEE support
Intro
OP-TEE
AMD TEE
Gramine (Graphene) - Intel SGX
Gramine (ex-Graphene) is a lightweight guest OS, designed to run a single Linux application with minimal host requirements. Graphene can run applications in an isolated environment with benefits comparable to running a complete OS in a virtual machine – including guest customisation, ease of porting to different host OSes, and process migration.
It supports running Linux applications using Intel SGX (Graphene-SGX) where applications are secured in hardware-encrypted memory regions (called SGX enclaves). SGX protects code and data in the enclave against privileged software attacks and against physical attacks on the hardware off the CPU package (e.g., cold-boot attacks on RAM). It is able to run unmodified applications inside SGX enclaves, without the toll of manually porting the application to the SGX environment.
Linux security/subsystem level
- Netfilter.org project subsystem, packet filtering framework inside the Linux 2.4.x and later kernel series
- Enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling
- Software commonly associated with netfilter.org is iptables, successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems
- netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.
- iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).
- netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack) and the NAT subsystem together build the major parts of the framework.
Linux kernel security/LSM
- Linux Security Modules (LSM)
- is narrowly scoped to solve the problem of access control
- is a framework allowing the kernel to support without bias a variety of computer security models
- is a standard part of the kernel since Linux 2.6.
- AppArmor, SELinux, Smack, and TOMOYO Linux are approved security modules in the official kernel
SELinux
- The US NSA's Security-Enhanced Linux
- SELinux is a Mandatory Access Control (MAC) mechanism built into a number of Linux distributions. It started as the Flux Advanced Security Kernel (FLASK) development by the University of Utah Flux team and the US Department of Defense. The development was enhanced by the NSA and released as open source software.
Linux kernel security/encryption
Linux kernel crypto API
The kernel crypto API serves the following entity types:
- consumers requesting cryptographic services
- data transformation implementations (typically ciphers) that can be called by consumers using the kernel crypto API
Documentation
DMCrypt
Device-mapper is infrastructure in the Linux kernel that provides a generic way to create virtual layers of block devices.
Device-mapper crypt (dm-crypt) provides transparent encryption of block devices using the kernel crypto API.
The user basically specifies a symmetric cipher, an encryption mode, a key and an IV generation mode, and then creates a new block device in /dev.
Writes to this device will be encrypted and reads decrypted.
One can mount the filesystem on it as usual or stack dm-crypt device with another device like RAID or LVM volume.
- Cryptsetup is a utility to set up disk encryption based on the DMCrypt kernel module
- DMCrypt wiki
- Linux Unified Key Setup (LUKS) - project
- Linux Unified Key Setup (LUKS) - Wikipedia
- LUKS is a disk encryption specification
- Volumes that can be encrypted include:
- plain dm-crypt volumes
- LUKS volumes
- loop-AES
- TrueCrypt (including VeraCrypt extension)
- BitLocker
- LUKS does not encrypt the MasterSecretKey with the password itself but with a key derived from the password by a PBKDF.
- LUKS uses eight key slots that are eight different encryptions of the same MasterSecretKey under eight different passwords.
PBD/NBDE
Policy-Based Decryption (PBD) is a collection of technologies that enable unlocking encrypted root and secondary volumes of hard drives on physical and virtual machines. PBD uses a variety of unlocking methods, such as user passwords, a Trusted Platform Module (TPM) device, a PKCS #11 device connected to a system, for example, a smart card, or a special network server.
Network Bound Disc Encryption (NBDE) is a subcategory of PBD that allows binding encrypted volumes to a special network server.
Red Hat's PBD is based on the Clevis framework, which offers support for tang (network-based decryption) and TPM2.
Tang is a DH-inspired approach, created by McCallum and Relyea (both Red Hat).
Linux kernel security checking
Refer also to cybersecurity.
Integrity checking
IMA and AIDE.
- Integrity Measurement Architecture (IMA)
- is a Linux kernel integrity subsystem which aims to detect if files have been altered
- has been included in the kernel since 2.6.30. IMA is an open source trusted computing component. IMA maintains a runtime measurement list and, if anchored in hardware (e.g. a TPM), maintains an aggregate integrity value over this list.
- AIDE (successor to Tripwire) - Wikipedia
- install, create config file
- create a database against which future checks are performed
- 'aide --check' reads the database and compares it to the files found on disk - then check outcome and trim config file
- 'aide --update' does the same as check but also creates a new database which should be placed on read-only media along with the new config file
- the 'check, trim, update' cycle should be repeated as long as necessary
- the configuration and/or database can be signed; when a signed database is changed manually, AIDE will refuse to use it
- if a configuration is signed, AIDE will not use it until the embedded hash is updated as well
- AIDE homepage - started in 1999
- AIDE doc (on web.archive.org) - see also man and info pages (e.g. man aide.conf)
Benchmarking
CVE
Linux security/other
Linux Distributions
Debian
MX Linux and AV Linux
Other distributions
D-bus middleware
D-Bus is a message bus system, a simple way for applications to talk to one another. In addition to interprocess communication, D-Bus helps coordinate process lifecycle; it makes it simple and reliable to code a "single instance" application or daemon, and to launch applications and daemons on demand when their services are needed.
D-Bus supplies both a system daemon (for events such as "new hardware device added" or "printer queue changed") and a per-user-login-session daemon (for general IPC needs among user applications). Also, the message bus is built on top of a general one-to-one message passing framework, which can be used by any two apps to communicate directly (without going through the message bus daemon). Currently the communicating applications are on one computer, or through unencrypted TCP/IP suitable for use behind a firewall with shared NFS home directories.
Desktops
Display servers
Starting from GNOME 3, CUPS printing has been handled in the Settings application. The GUI can add CUPS printers and manage CUPS printers and queues. Before GNOME 3, the GNOME Print Settings (formerly called CUPS Manager) were used to fulfil these tasks.
- CUPS - Wikipedia - the Common Unix Printing System
- Driverless printing was introduced to CUPS and cups-browsed in Debian 9 (stretch).
- Support for driverless printing with CUPS and cups-browsed is considerably extended in Debian 10 (buster) and Debian 11 (bullseye).
- IPP - Wikipedia - the Internet Printing Protocol
- Various versions, with IPP Everywhere (2013) which provides a baseline for printers to support so-called "driverless" printing from client devices. It builds on IPP and specifies additional rules for interoperability, such as a list of document formats printers need to support.
- IPP is implemented using the Hypertext Transfer Protocol (HTTP) and inherits all of the HTTP streaming and security features.
- Clients send IPP request messages with MIME media type "application/ipp" in HTTP POST requests to an IPP printer.
- cups.org
- CUPS is the standards-based, open source printing system developed for macOS/UNIX-like operating systems.
- CUPS uses the Internet Printing Protocol (IPP) to support printing to local and network printers.
- Print-data goes to a scheduler,
- which sends jobs to a filter system that converts the print job into a format the printer will understand.
- The filter system then passes the data on to a backend that sends print data to a device or network connection.
AirPrint
AirPrint was devised by Apple to enable an iPhone, an iPad, ..., referred to as iOS clients to print without having to install drivers on the client device. More and more new printers come with firmware to support AirPrint. In fact, it would be unusual nowadays for a network-aware printer not to provide AirPrint support. There are two technologies central to the AirPrint facility on a printer:
- The printer must be advertised with Bonjour broadcasting.
- The printer must communicate with the client using IPP.
The broadcast mDNS packets contain information about the capabilities of the printer, its identity and its location on the network. They also utilise some extensions (not necessarily fully explained in existing literature) to the existing Bonjour specification to allow iOS clients to search specifically for AirPrint-capable printers and display them in a print dialogue.
IPP (version 2.0) is needed for print management. The client uses IPP to send the print job with information about what printer language it is in, whether it is to be duplexed, the number of copies, the resolution to be used for printing, the media output location on the printer etc.
On Debian, avahi-daemon is essential to detect the Bonjour broadcasts from a printer.
Linux mobile and embedded
Linux audio architecture
                +-------------------------+
SOFTWARE        |      Applications       |
                +------------+------------+
                             |
                +------------+------------+
SYSTEM SOFTWARE |  PipeWire  |    JACK    |   SOUND SERVERS
                |       PulseAudio        |
                +------------+------------+
                             |
                +------------+------------+
KERNEL, DRIVERS |  Advanced Linux Sound   |
                |  Architecture (ALSA)    |
                +------------+------------+
                             |
                +------------+------------+
HARDWARE        | Equalizer  | Sound board|
                +------------+------------+
                |   Mixer    | Sound card |
                +------------+------------+
                |           ...           |
                +-------------------------+
Audio HARDWARE
Device specific.
Kernels, drivers and ALSA
ALSA is an integral part of the Linux kernel with a number of features:
- automatically configure sound cards
- include and set up device drivers
- hardware mixing of channels
- full-duplex
- application programming interface (API) for raw audio operations
It is a software framework and part of the Linux kernel that provides an application programming interface (API) for sound card device drivers.
On Linux, sound servers, like sndio, PulseAudio, JACK (low-latency professional-grade audio editing and mixing) and PipeWire, and higher-level APIs (e.g OpenAL, SDL audio, etc.) work on top of ALSA and its sound card device drivers. ALSA succeeded the older Linux port of the Open Sound System (OSS).
ALSA includes:
- alsactl: main control utility to initialize, store and restore card configurations, manage the main ALSA daemon and monitor the framework
- amixer, alsamixer: pure command-line and terminal user interface (TUI) mixers to control audio values for ALSA-driver devices
- arecord, aplay: aliases for ALSA sound recorder and player
To get the complete toolset, we can install alsa-utils via apt: $ apt install alsa-utils
Of course, we need to have kernel support for ALSA and compatibility with our sound device.
Synaptic shows the files of the alsa-tools-gui package on GrayTiger: the GUI mixer and control tools echomixer, envy24control, hdajackretask, hdspconf, hdspmixer and rmedigicontrol in /usr/bin, with their .desktop entries, documentation, icons and man pages under /usr/share.
Audio SYSTEM SOFTWARE/SOUND SERVERS
Sound servers work between ALSA and upper-level applications. There are many such servers, including:
- PulseAudio, pulseaudio package, control via pactl: simpler and less feature-rich, better for beginners
- JACK, jackd and qjackctl packages, control via qjackctl: low-latency, professional
- PipeWire, pipewire package, control via PulseAudio: universal, experimental
The idea behind sound servers is to take control of the ALSA devices. While PulseAudio and JACK redirect all audio through themselves, PipeWire can be configured to use some of the features that ALSA provides.
PulseAudio
Installed on GrayTiger it seems.
JACK
Pipewire
- PipeWire - Wikipedia
- A server for handling audio, video streams, and hardware on Linux, handling multimedia routing and pipeline processing
- In 2023, it was adopted as the default audio server for the GNOME desktop environment in Debian 12 Bookworm.
- Pipewire.org
- The PipeWire documentation lists these components:
- PipeWire Daemon that implements the IPC and graph processing.
- An example PipeWire Session Manager that manages objects in the PipeWire Daemon.
- A set of Programs to introspect and use the PipeWire Daemon.
- A PipeWire Library to develop PipeWire applications and plugins (tutorial).
- The SPA (Simple Plugin API) used by both the PipeWire Daemon and in the PipeWire Library.
A fully configured PipeWire setup runs various pieces, each with their configuration options and files:
- pipewire: The PipeWire main daemon that runs and coordinates the processing.
- pipewire-pulse: The PipeWire PulseAudio replacement server. It also configures the properties of the PulseAudio clients connecting to it.
- wireplumber: Most configuration of devices is performed by the session manager. It typically loads ALSA and other devices and configures the profiles, port volumes and more. The session manager also configures new clients and links them to the targets, as configured in the session manager policy.
- PipeWire clients: Each native PipeWire client also loads a configuration file. Emulated JACK clients also have a separate configuration.
Sound server emulation
While we can work without a sound server, some applications such as the Mozilla Firefox Web browser require it. Yet, even in these cases, we can avoid the full installation and setup by using emulation:
$ apt-get install apulse
In this case, we install the apulse package, which can be used to expose a mock upper-level PulseAudio-like API that directly links to ALSA. This way, applications that expect such an API can work with it without configuring a full-fledged sound server.
SOFTWARE APPLICATIONS
- OSMC - Open Source Media Center - founded 2014, Debian based, runs a.o. on Raspberry Pi or dedicated hardware such as Vero
- KODI - OSMC front-end
- Rhythmbox - GNOME player
Audio distributions
- AV Linux - by Bandshed, based on Debian
- Multimedia content-creation AV Linux, provided since 2008, now combined with MX Linux. AV Linux MX Edition (AVL-MXe) comes with a high-performance Liquorix Kernel and the Enlightenment Desktop Environment.
- AV Linux tutorial on YouTube
MIDI
Basics
See https://www.linuxjournal.com/article/7773 et al.
The OSS/Free kernel sound API supported the MIDI capabilities of the original SoundBlaster soundcards. This offered a maximum of 16 channels--no support for multiport interfaces--and support for hardware interfaces only in UART mode, also called dumb mode. The OSS/Free API supported a raw MIDI device, /dev/midi, and an advanced device, /dev/sequencer, for interfaces controlling the timing of the MIDI data queue.
From kernel 2.6 onward, ALSA (the Advanced Linux Sound Architecture) is the kernel sound system. It includes backwards-compatibility with OSS/Free MIDI support while offering new support for more modern MIDI systems, including a sequencer architecture that allows connections between ALSA sequencer clients and a module for creating virtual MIDI ports on machines without MIDI hardware--handy on a laptop.
ALSA's MIDI hardware support includes standalone MIDI cards, soundcard MIDI hardware connectors, serial and parallel port interfaces and USB MIDI interfaces. The system also installs some useful MIDI utilities, such as the aconnect sequencer client router, the amidi tool for sending and receiving raw MIDI data and the amidirecord utility for recording a standard MIDI file at the command prompt. Besides the OSS/Free /dev/midi and /dev/sequencer devices, ALSA adds its own /dev/snd/midiCxDx logical devices, where C is the card number and D is the device number.
The ALSA sequencer API is an evolution in Linux MIDI support. Compliant programs may be connected freely, with multiple inputs allowable on a single port. Graphic patch bays are available that display and edit the send/receive status of the available clients. Incidentally, ALSA's virmidi (virtual MIDI) ports appear to the system as though they are real ports, and their data may be routed to and from any other port, real or virtual.
Approaches:
- Old-school approach: a sequencer is software or hardware that records MIDI data entered by way of a performance on a MIDI-enabled instrument, and provides some means for editing and arranging the recorded data.
- New-school is more software-based, using softsynths and plugins in place of racks of external gear. Modern sequencers also are expected to support audio tracks that can be synchronized with MIDI tracks. The audio/MIDI sequencer is now the rule: MIDI-only sequencers still are available, but they have become the exception.
Tools
MIDI files such as those found in /home/marc/impro-visor-version-10.2-files/midi can be played with various Linux media applications such as GNOME's Videos.
Linux and language
Raspberry Pi
Backing up a Windows PC
Synology
Sundry