Linux

Refer to LTK, and to Linux OS background here.

Contents

General interest

Booting

Regular booting: firmware, boot loader, init

Firmware: UEFI

DebbyBuster has the InsydeH2O BIOS, the Insyde Software (Taiwan) implementation of the Intel Platform Innovation Framework for UEFI/EFI.

GRUB

GRUB (GRand Unified Bootloader) can be used to boot most operating system on the intel platforms. There are two versions: Grub Legacy (Grub 1) and Grub 2. What do I have?

Secure booting

UEFI Secure Boot and Shim

The UEFI 2.3.1 Errata C specification (or higher) defines a protocol known as Secure Boot, which can secure the boot process by preventing the loading of UEFI drivers or OS boot loaders that are not signed with an acceptable digital signature. Supported by Debian since Debian 10.

Shim is a boot loader to chain-load signed boot loaders under Secure Boot. Shim becomes the root of trust for all the other distro-provided UEFI programs. It embeds a further distro-specific CA key that is itself used for signing further programs (e.g. Linux, GRUB, fwupdate). This allows for a clean delegation of trust - the distros are then responsible for signing the rest of their packages. Shim itself should ideally not need to be updated very often, reducing the workload on the central auditing and CA teams.

Windows 10 allows OEMs to decide whether or not Secure Boot can be managed by users of their x86 systems. The Machine Owner Key (MOK) allows you to add signed files.

Finding out your status: Installed shim files:

Debian and TPM

See also local files: Debian TPM tools: Do a 'dpkg -L tpm2-tools' to see the files.

Debian's tpm2-tools are based on TrouSerS, a Trusted Computing Software Stack (TSS). Installed:

Linux kernel

Linux distinguishes between: Four interfaces: And then there's the TEE...

Use 'ps aux' to see what processes are running. Any kworker processes are kernel processes doing "work" (processing system calls). You can have several of them in your process list: kworker/0:1 is the one on your first CPU core, kworker/1:1 the one on your second etc..

Perf analyses what kernel tasks are hogging your CPU:

Disks, partitions, logical volumes

Networking and network security

Within the Linux kernel

Separate firewall software

Shells and bash

Basics

Execution and shebang

The most common need for shebang is when writing shell scripts. Script that greets the user:
#!/bin/sh
echo "Hello, ${USER}"
'/bin/sh' is the symlink to an sh-compatible implementation of sh (Shell Command Language). In most cases, it’ll be bash (Bourne-Again SHell), but to secure portability, one should use the symlink.

The script must be executable to work, which can be done using the chmod command: chmod +x name_of_the_file.

To use non-standard program locations the env program can be used, passing the name of the target interpreter as its argument. Then env will look up the interpreter in the user’s PATH variable. Illustration: another “Hello world” script, using Node:
#!/usr/bin/env node
console.log('Hello world!');

Brace expansion

Brace expansion ('alternation') generates a set of alternative combinations, e.g. Braces combined with wildcards:

Bash execution

When Bash starts, it executes the commands in a variety of dot files. Unlike Bash shell scripts, dot files do not typically have execute permission enabled nor an interpreter directive like #!/bin/bash. This includes the skeleton ~/.bash_profile.

This may include a short-circuit evaluation such as '[ -r filename ] && cmd' that tests if filename exists and is readable, skipping the part after the && if it is not.

Bash conditional command execution separators

Bash supplies "conditional execution" command separators that make execution of a command contingent on the exit code set by a precedent command. For example: Where ./do_something is only executed if the cd command was "successful" (returned an exit status of zero) and the echo command would only be executed if either the cd or the ./do_something command return an "error" (non-zero exit status).

Bash also supports if ...;then ...;else ...;fi and case $VARIABLE in $pattern)...;;$other_pattern)...;; esac forms of conditional command evaluation.

Bash debugging

Bash doesn’t provide any built-in debugger. However, there are commands and constructs that are helpful, including the set and trap commands.

Refer also to Baeldung on bash debugging.

-v for verbose

Minimalistic approach: bash -v invokes verbosity during execution.

-n for noexec (but validation)

To validate the script syntactically prior to its execution one can use the noexec mode using the -n option. As a result, Bash will read the commands but not execute them.

-x for execution trace

To trace the state of variables and commands during execution one can execute the script in xtrace (execution trace) mode using the -x option. This mode prints the trace of commands for each line after they are expanded but before they are executed.

-u for identifying unset variables

To identify unset variables, the -u option treats unset variables and parameters as an error when performing parameter expansion.

trap command, conditional debugging, ...

See https://www.baeldung.com/linux/debug-bash-script

Bash execution exit

For all commands the exit status is stored in the special variable $?.

User space

Observation: there are other ways to automatically start services. E.g. autostart: Microsoft Teams is started via /home/marc/.config/autostart/teams.

Linux security

Linux kernel security

Linux kernel TEE support

Intro

OP-TEE

AMD TEE

Gramine (Graphene) - Intel SGX

Gramine (ex-Graphene) is a lightweight guest OS, designed to run a single Linux application with minimal host requirements. Graphene can run applications in an isolated environment with benefits comparable to running a complete OS in a virtual machine – including guest customisation, ease of porting to different host OSes, and process migration.

It supports running Linux applications using Intel SGX (Graphene-SGX) where applications are secured in hardware-encrypted memory regions (called SGX enclaves). SGX protects code and data in the enclave against privileged software attacks and against physical attacks on the hardware off the CPU package (e.g., cold-boot attacks on RAM). It is able to run unmodified applications inside SGX enclaves, without the toll of manually porting the application to the SGX environment.

Linux security/subsystem level

Linux kernel security/LSM

SELinux

Linux kernel security/encryption

Linux kernel crypto API

The kernel crypto API serves the following entity types: Documentation

DMCrypt

Device-mapper is infrastructure in the Linux kernel that provides a generic way to create virtual layers of block devices.

Device-mapper crypt (dm-crypt) provides transparent encryption of block devices using the kernel crypto API.

The user can basically specify a symmetric ciphers, an encryption mode, a key, an iv generation mode and then the user can create a new block device in /dev. Writes to this device will be encrypted and reads decrypted. One can mount the filesystem on it as usual or stack dm-crypt device with another device like RAID or LVM volume.

PBD/NBDE

Policy-Based Decryption (PBD) is a collection of technologies that enable unlocking encrypted root and secondary volumes of hard drives on physical and virtual machines. PBD uses a variety of unlocking methods, such as user passwords, a Trusted Platform Module (TPM) device, a PKCS #11 device connected to a system, for example, a smart card, or a special network server.

Network Bound Disc Encryption (NBDE) is a subcategory of PBD that allows binding encrypted volumes to a special network server. Redhat's PBD is based on the Clevis framework, which offers support for tang (network based decryption) and TPM2. Tang is a DH-inspired approach, created by McCallum and Relyea (both Redhat).

Linux kernel security checking

Refer also to cybersecurity.

Integrity checking

IMA and AIDE.

Benchmarking

CVE

Linux security/other

Linux Distributions

Debian

MX Linux and AV Linux

Other distributions

D-bus middleware

D-Bus is a message bus system, a simple way for applications to talk to one another. In addition to interprocess communication, D-Bus helps coordinate process lifecycle; it makes it simple and reliable to code a "single instance" application or daemon, and to launch applications and daemons on demand when their services are needed.

D-Bus supplies both a system daemon (for events such as "new hardware device added" or "printer queue changed") and a per-user-login-session daemon (for general IPC needs among user applications). Also, the message bus is built on top of a general one-to-one message passing framework, which can be used by any two apps to communicate directly (without going through the message bus daemon). Currently the communicating applications are on one computer, or through unencrypted TCP/IP suitable for use behind a firewall with shared NFS home directories.

Desktops

Display servers

Application level encryption

Hardware, support, consulting

Linux printing

Legacy printers need a driver, modern printers are driverless.

CUPS - the Common Unix Printing System

Printers sold in the last 10 years or so are almost always AirPrint devices and therefore would support driverless printing when the device is connected by ethernet or wireless. Additionally, a USB connected modern printer might be capable of driverless printing if it is IPP-over-USB-capable.

Starting from GNOME 3, CUPS printing has been handled in the Settings application. The GUI can add CUPS printers and manage CUPS printers and queues. Before GNOME 3, the GNOME Print Settings (formerly called CUPS Manager) were used to fulfil these tasks.

AirPrint

AirPrint was devised by Apple to enable an iPhone, an iPad, ..., referred to as iOS clients to print without having to install drivers on the client device. More and more new printers come with firmware to support AirPrint. In fact, it would be unusual nowadays for a network-aware printer not to provide AirPrint support. There are two technologies central to the AirPrint facility on a printer: The broadcast mDNS packets contain information about the capabilities of the printer, its identity and its location on the network. They also utilise some extensions (not necessarily fully explained in existing literature) to the existing Bonjour specification to allow iOS clients to search specifically for AirPrint-capable printers and display them in a print dialogue.

IPP (version 2.0) is needed for print management. The client uses IPP to send the print job with information about what printer language it is in, whether it is to be duplexed, the number of copies, the resolution to be used for printing, the media output location on the printer etc.

On Debian, avahi-daemon is essential to detect the Bonjour broadcasts from a printer.

Linux mobile and embedded

Linux audio architecture

                 +-------------------------+
       SOFTWARE  |      Applications       |
                 +-----------+-------------+
                             |
                             |
                  +----------+------------+
                  | PipeWire |    JACK    |
SYSTEM SOFTWARE   +-----------------------+   SOUND SERVERS
                  |      PulseAudio       |
                  +----------+------------+
                             |
                  +----------+------------+
                  |    Advanced Linux     |
KERNEL, DRIVERS   |  Sound Architecture   |
                  |        (ALSA)         |
                  +----------+------------+
                             |
                             |
                 +-----------+-------------+
                 | Equalizer | Sound board |
       HARDWARE  +-----------+-------------+
                 |   Mixer   | Sound card  |
                 +-----------+-------------+
                 |          ...            |
                 +-------------------------+

Audio HARDWARE

Device specific.

Kernels, drivers and ALSA

ALSA is an integral part of the Linux kernel with a number of features: It is a software framework and part of the Linux kernel that provides an application programming interface (API) for sound card device drivers.

On Linux, sound servers, like sndio, PulseAudio, JACK (low-latency professional-grade audio editing and mixing) and PipeWire, and higher-level APIs (e.g OpenAL, SDL audio, etc.) work on top of ALSA and its sound card device drivers. ALSA succeeded the older Linux port of the Open Sound System (OSS). ALSA includes: To get the complete toolset, we can install alsa-utils via apt: $ apt install alsa-utils

Of course, we need to have kernel support for ALSA and compatibility with our sound device.

Synaptics shows the following files on GrayTiger:
/usr/bin/echomixer
/usr/bin/envy24control
/usr/bin/hdajackretask
/usr/bin/hdspconf
/usr/bin/hdspmixer
/usr/bin/rmedigicontrol
/usr/share
/usr/share/applications
/usr/share/applications/echomixer.desktop
/usr/share/applications/envy24control.desktop
/usr/share/applications/hdajackretask.desktop
/usr/share/applications/hdspconf.desktop
/usr/share/applications/hdspmixer.desktop
/usr/share/applications/rmedigicontrol.desktop
/usr/share/doc
/usr/share/doc/alsa-tools-gui
/usr/share/doc/alsa-tools-gui/changelog.Debian.gz
/usr/share/doc/alsa-tools-gui/changelog.gz
/usr/share/doc/alsa-tools-gui/copyright
/usr/share/doc/alsa-tools-gui/echomixer
/usr/share/doc/alsa-tools-gui/echomixer/README
/usr/share/doc/alsa-tools-gui/envy24control
/usr/share/doc/alsa-tools-gui/envy24control/README
/usr/share/doc/alsa-tools-gui/envy24control/README.profiles.gz
/usr/share/doc/alsa-tools-gui/hdajackretask
/usr/share/doc/alsa-tools-gui/hdajackretask/NEWS.gz
/usr/share/doc/alsa-tools-gui/hdajackretask/README.gz
/usr/share/doc/alsa-tools-gui/hdspconf
/usr/share/doc/alsa-tools-gui/hdspconf/README
/usr/share/doc/alsa-tools-gui/hdspmixer
/usr/share/doc/alsa-tools-gui/hdspmixer/NEWS.gz
/usr/share/doc/alsa-tools-gui/hdspmixer/README
/usr/share/doc/alsa-tools-gui/hdspmixer/TODO
/usr/share/doc/alsa-tools-gui/rmedigicontrol
/usr/share/doc/alsa-tools-gui/rmedigicontrol/NEWS.gz
/usr/share/doc/alsa-tools-gui/rmedigicontrol/README
/usr/share/icons
/usr/share/icons/hicolor
...
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/envy24control.1.gz
/usr/share/pixmaps
/usr/share/pixmaps/alsa-tools.xpm

Audio SYSTEM SOFTWARE/SOUND SERVERS

Sound servers work between ALSA and upper-level applications. There are many such servers, including: The idea behind sound servers is to take control of the ALSA devices. While PulseAudio and JACK redirect all audio through themselves, PipeWire can be configured to use some of the features that ALSA provides.

PulseAudio

Installed on GrayTiger it seems.

JACK

Pipewire

A fully configured PipeWire setup runs various pieces, each with their configuration options and files:

Sound server emulation

While we can work without a sound server, some applications such as the Mozilla Firefox Web browser require it. Yet, even in these cases, we can avoid the full installation and setup by using emulation: $ apt-get install apulse In this case, we install the apulse package, which can be used to expose a mock upper-level PulseAudio-like API that directly links to ALSA. This way, applications that expect such an API can work with it without configuring a full-fledged sound server.

SOFTWARE APPLICATIONS

Audio distributions

MIDI

Basics

See https://www.linuxjournal.com/article/7773 et al.

The OSS/Free kernel sound API supported the MIDI capabilities of the original SoundBlaster soundcards. This offered a maximum of 16 channels--no support for multiport interfaces--and support for hardware interfaces only in UART mode, also called dumb mode. The OSS/Free API supported a raw MIDI device, /dev/midi, and an advanced device, /dev/sequencer, for interfaces controlling the timing of the MIDI data queue.

From kernel 2.6 onward, ALSA (the Advanced Linux Sound Architecture) is the kernel sound system. It includes backwards-compatibility with OSS/Free MIDI support while offering new support for more modern MIDI systems, including a sequencer architecture that allows connections between ALSA sequencer clients and a module for creating virtual MIDI ports on machines without MIDI hardware--handy on a laptop.

ALSA's MIDI hardware support includes standalone MIDI cards, soundcard MIDI hardware connectors, serial and parallel port interfaces and USB MIDI interfaces. The system also installs some useful MIDI utilities, such as the aconnect sequencer client router, the amidi tool for sending and receiving raw MIDI data and the amidirecord utility for recording a standard MIDI file at the command prompt. Besides the OSS/Free /dev/midi and /dev/sequencer devices, ALSA adds its own /dev/snd/midiCxDx logical devices, where C is the card number and D is the device number.

The ALSA sequencer API is an evolution in Linux MIDI support. Compliant programs may be connected freely, with multiple inputs allowable on a single port. Graphic patch bays are available that display and edit the send/receive status of the available clients. Incidentally, ALSA's virmidi (virtual MIDI) ports appear to the system as though they are real ports, and their data may be routed to and from any other port, real or virtual.

Approaches:

Tools

Midi files such as found in /home/marc/impro-visor-version-10.2-files/midi can be played with various Linux media applications such as Gnu's Videos.

Linux and language

Raspberry Pi

Backing up a Windows PC

Synology

Sundry