https://bbs.archlinux.org/viewtopic.php?id=237765
Can someone tell us whether those modules related to speck have been disabled?
If not, can someone post specific instructions on how to disable them?
Blacklist the module.
linux-4.17.2 will have the module disabled and not built.
linux /boot/vmlinuz-linux root=UUID=000000000 rw quiet net.ifnames=0 CONFIG_CRYPTO_SPECK=0
Would this be sufficient to add this to the bootloader command line?
https://wiki.archlinux.org/index.php/Kernel_module#Blacklisting
That document doesn't say much
I'd like to know the proper way to blacklist Speck and Simon as well. The links don't provide much detail other than how to use blacklist.conf, and the Arch thread doesn't help either.
Find the module with `lsmod`, and then add the following to /etc/modprobe.d/blacklist.conf
blacklist <name_of_module>
This is all there in that link artoo posted. Read it again carefully
That part is obvious. But if there is something specific for this case, that's the part I'm looking for. I don't know what the modules are called yet because I'm not on the 4.17 kernel yet, and I want to make sure that it doesn't also require something being added to grub, etc.
I think the module name is CONFIG_CRYPTO_SPECK as I listed in that hypothetical grub line above.
It is not much of an issue as long as you don't intentionally use it; it is like most of the stuff in the kernel that doesn't get used at all or most of the time.
But this linus guy has been sleeping around with strange bed fellows. It is time people took notice.
To be honest, without knowing what the source code of the module does just having it there could be an issue. I'm not a developer so I wouldn't be able to definitively make that determination.
Since I don't really understand what this NSA module is all about I have downgraded back to 4.16.12-1-ARTIX until 4.17.2 is released...just for my peace of mind.
Best regards.
I can't find that module in my system - is this a new introduction in 4.17 linus?
I have below installed.
$ uname -a
4.16.12-1-ARTIX #1 SMP PREEMPT Sat May 26 13:30:18 UTC 2018 x86_64 GNU/Linux
yes it is in 4.17
As far as I can understand it is a set of cryptography algorithms that have been proposed as the future standard of cryptography for all internet "the internet of things". Luckily it has been rejected as an ISO standard, but a Google engineer went ahead and wrote the module and it was incorporated in linux 4.17.
The excuse is that it runs very fast, so weak ARM devices can encrypt and decrypt in reasonable amounts of time.
The critics say that the nosuchagency proposal must be for encryption that they can decrypt easily, therefore there must be a backdoor to it, you have to know it to break it.
It can't hurt you till you use it and be under the impression your data is secure by this encryption. But do you know? When you log in to your paypal account do you know what encryption is used to transfer the data to your screen?
The sad thing is we have relied on linux to make wise decisions for such matters for us, we had delegated this power and we slept easy. Open and Free doesn't mean jack shit anymore when large corporations and government agencies can dictate what open and free goes in your system and what stays out.
Just when you thought you can escape with an alternative init system
This isn't necessarily true. A module injected into the kernel, at the kernel level or present on the system which can later on be injected into the kernel, can be much more than just a simple crappy encryption module. We don't know its payload, and even if we investigate it now, because it's already in the system, who's to say that it won't contain a more nefarious payload later on after it passes a code analysis? I don't know anyone that is going to re-analyze it each time it's updated. Hopefully Artix will not compile it during kernel updates and cover the majority, and we won't have it on our systems, so we don't as individuals have to jump through hoops compiling our own kernels without it after the fact. Besides, is there any intent for Artix to run on any IoT hardware? If not, then we don't need it at all.
Can you (or someone on the team) confirm that it was disabled?
system/linux 4.17.2-1 (base) [installed: 4.16.12-1]
The Linux kernel and modules
system/linux-headers 4.17.2-1 [installed: 4.16.12-1]
Header files and scripts for building modules for Linux kernel
I can confirm that the speck module is not configured at all in [system].
https://github.com/artix-linux/packages/blob/master/linux/repos/core-x86_64/config#L9340
What exactly does "not configured" imply? Can it still be used? Is it still advisable to blacklist it?
Not configured means the code for the speck module won't be compiled at all.
Yes, in Artix it is disabled: CONFIG_CRYPTO_SPECK=n
In Archlinux it is still enabled.
I added the following line to /etc/pacman.conf just in case:
NoExtract = usr/lib/modules/*/kernel/crypto/speck.ko.xz
But I can confirm that I don't see any other signs of Simon or Speck other than the header speck.h in /usr/lib/modules/4.17.2-1-ARTIX/build/include/crypto/
I don't see a header for simon at all.
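The checks in this thread (kernel config symbol, module file on disk, blacklist) can be combined in one script. This is an added example, not code from any poster: it assumes the running kernel's config is readable from /proc/config.gz or /boot/config-$(uname -r), and uses the module path from the NoExtract line above.

```shell
#!/bin/sh
# Added example: classify CONFIG_CRYPTO_SPECK in a kernel config dump and
# report whether a speck module exists on disk or is currently loaded.

# Classify one Kconfig symbol in a plain-text config file.
# Prints: builtin, module, disabled, not-set, or absent.
config_state() {   # $1 = config file, $2 = symbol (e.g. CONFIG_CRYPTO_SPECK)
    if grep -q -- "^$2=y" "$1"; then echo builtin
    elif grep -q -- "^$2=m" "$1"; then echo module
    elif grep -q -- "^$2=n" "$1"; then echo disabled
    elif grep -q -- "^# $2 is not set" "$1"; then echo not-set
    else echo absent
    fi
}

# What each state means for the "blacklist it" advice given in the thread.
advice() {
    case "$1" in
        builtin) echo "built into the kernel image: a modprobe blacklist has no effect" ;;
        module)  echo "loadable module: 'blacklist speck' in /etc/modprobe.d/ stops alias autoload (not an explicit modprobe)" ;;
        *)       echo "not built: nothing to blacklist" ;;
    esac
}

# Running kernel's config (assumed locations: IKCONFIG proc file or /boot copy).
running_config() {
    if [ -r /proc/config.gz ]; then zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then cat "/boot/config-$(uname -r)"
    fi
}

check_running_kernel() {
    tmp=$(mktemp); running_config >"$tmp"
    state=$(config_state "$tmp" CONFIG_CRYPTO_SPECK); rm -f "$tmp"
    echo "CONFIG_CRYPTO_SPECK: $state -> $(advice "$state")"
    # Module object on disk (path pattern from the NoExtract line in the thread)
    find "/usr/lib/modules/$(uname -r)/kernel/crypto" -name 'speck.ko*' 2>/dev/null
    # Module currently loaded into the kernel
    lsmod 2>/dev/null | awk '$1 == "speck" { print "speck module is LOADED" }'
}

case "${1:-}" in --run) check_running_kernel ;; esac
```

Run with `sh speck-check.sh --run`; a kernel built from the Artix config shown in the thread reports `not-set` and nothing to blacklist.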
The last version of the linux that came into gremlins is labeled 14.7.11-arch1 instead of the usual 14.7.11-arch1-ARTIX
Why is this?
linux-4.17.14-artix1-1-ARTIX
:)
Good one!
https://git.archlinux.org/svntogit/packages.git/tree/trunk/config?h=packages/linux
line 9448
# CONFIG_CRYPTO_SPECK is not set
Don't know how recent this is
SPECK is being dropped out of the mainline kernel in 4.20, from what I read. The Arch kernel maintainer obviously didn't pay much attention and included it at first, but removed it later.
When I brought it up in the arch forum the moderator said I was a troll and removed the topic. That doesn't mean the maintainer didn't rethink about it and changed her/his mind. To be fair, in situations like this, arch being at the cutting edge of development faces such dilemmas and heat. Debian on the other extreme can wait till the smoke clears and not be pressured to take a responsible position.
The question remains why did Linus choose to include something that was rejected by iso and was already controversial? 4.17-4.19 still include it. This has also been a long stretch to a new LTS kernel. Let's see how that goes.
My first (and only) post there, a tutorial, was instantly deleted without notification or explanation. I inquired and was later told that such tutorial posts are not allowed. Nice place.