Posts for: #linux-distribution

January Update for openSUSE Tumbleweed

The January 2024 monthly update for openSUSE Tumbleweed introduces a new format intended to communicate major changes, improvements, and known issues more clearly. The format was recommended by contributors involved in openSUSE’s marketing efforts.

Kernel and Hardware Support

The Linux kernel moves through versions 6.6.7, 6.6.9, 6.6.10, 6.6.11, and 6.7.1, bringing memory-management fixes and patches for security vulnerabilities. Notable enhancements include PCI updates for Zhaoxin Root Ports, improving compatibility and performance on Zhaoxin CPUs and motherboards.

Browser and Graphics Updates

Mozilla Firefox is updated to versions 121.0 and 121.0.1, resolving issues such as hanging when loading sites with column-based layouts. The KDE Frameworks update to version 5.114.0 brings fixes in Extra CMake Modules, holiday additions for Kenya, and AVIF adjustments in KImageFormats.

The Mesa update to version 23.3.3 introduces a new Vulkan driver for NVIDIA hardware (NVK) in the experimental phase. This marks a step forward in support for NVIDIA GPUs, accompanied by enhancements in graphics performance and compatibility for Asahi and RADV.

System Management and PHP Enhancements

systemd is updated to version 254.8, a stable-branch release that conservatively backports fixes for reported bugs, including in device management. PHP moves from 8.2.14 to 8.2.15, fixing an SSA integrity-verification bug, timeouts in the CLI built-in web server, and a stream-wrapper registration issue.

Multimedia and Networking

GStreamer is updated to version 1.22.8, addressing vulnerabilities in the AV1 video codec parser and making improvements in reverse playback and seeking in qtdemux. Samba sees updates to version 4.19.4, resolving issues related to the machine account password, improving documentation generation, and addressing critical vulnerabilities and bugs.

Security and Bug Fixes

The update includes critical security patches across various packages, with notable improvements in Firefox, systemd, Samba, and PHP. Multiple Common Vulnerabilities and Exposures (CVEs) are addressed in packages like xorg-x11-server, xwayland, gnutls, java-11-openjdk, and samba, enhancing overall security and stability.

Armbian Leaflet #17: Latest Updates to Armbian

Armbian, a popular Linux distribution for single-board computers (SBCs), has recently released a comprehensive update to enhance the user experience. The latest updates include improvements to the Armbian Build Framework, kernel upgrades, merging of Rockchip kernel families, and device-specific updates.

The Armbian Build Framework now ships official GitHub Actions workflows, making it easier for users to rebuild images for their hardware. The workflows let users pick a target configuration, with or without their own customization. The action is published on the GitHub Marketplace.

Kernel upgrades have been completed for the current kernel selection, with the default upcoming kernel on most platforms now based on the most recent LTS kernel base 6.6.y. Additionally, EDGE kernels are already distributed with the latest 6.7.y.

Efforts are also underway to merge disassociated Rockchip kernel families, which will streamline maintenance and provide a more cohesive user experience.

In terms of device-specific updates, LicheePi 4A now has current kernel support, although it is still a work in progress (WIP). The old 32-bit Marvell kernel has also been successfully updated, ensuring that the popular NAS, Helios4, will continue to receive updates and maintainer support.

Several bug fixes and improvements have been made, including:

  • fixing a significant bug that affected network speed on RockPi S;

  • applying numerous patches to address issues with display, wireless, Bluetooth, and DVFS on the H616/H618 Zero2 and Zero3 series;

  • changing the default CPU governor to schedutil to improve performance and responsiveness.

Improved Boot and Enhanced Security in openSUSE Tumbleweed and MicroOS

openSUSE Tumbleweed and MicroOS have made some significant changes to their boot loader and full disk encryption (FDE) capabilities. The new image now uses systemd-boot as the boot loader and implements full disk encryption based on systemd. This update aims to improve the security of the distribution while simplifying the design.

systemd-boot

The previous boot loader used by openSUSE, GRUB2, is feature-rich but complex and slow to develop. The openSUSE package for GRUB2 contains over 200 patches, some of which have been present for many years. While GRUB2 supports various systems and file systems, the introduction of UEFI made many of its features redundant, as the system firmware already provided similar functionalities.

As a result, more straightforward boot loaders focused on UEFI, such as gummiboot, emerged. Eventually, this code was integrated into systemd and renamed systemd-boot. Compared to GRUB2, systemd-boot is much simpler and serves as a small EFI binary that presents a menu with different boot loader entries and delegates the execution to the selected kernel.

systemd-boot can also work with unified kernel images (UKI) that aggregate the kernel, command line, and initrd into a single unit. openSUSE plans to support UKIs in the future.

openSUSE has been planning to provide systemd-boot as an alternative to GRUB2 for some time, and in August 2023, Tumbleweed started supporting systemd-boot. The yast-bootloader tool also gained support for systemd-boot for new installations.

Supporting a second boot loader brings its own challenges: systemd-boot targets UEFI only, so it covers fewer architectures than GRUB2, and the boot entries on the ESP must be kept in step with btrfs snapshots for rollbacks to keep working. openSUSE is actively working on these problems.

Full Disk Encryption

openSUSE has also introduced full disk encryption based on systemd. GRUB2 can already unlock LUKS volumes, but its LUKS2 support is only partial; systemd-cryptsetup supports LUKS2 fully and adds integration with TPM2 devices and FIDO2 tokens.

A TPM2 (Trusted Platform Module 2.0) is a cryptographic device that releases a sealed secret only when conditions about the system’s state are met. The secret is unsealed only if the system is in a known-good state, that is, if the measured firmware, boot loader, kernel, and initrd match what the secret was sealed against; any tampering changes the measurements and the TPM keeps the secret.

To use the TPM2 for FDE, openSUSE ships a policy that tells the TPM2 to unseal the secret only if selected platform configuration registers (PCRs) hold the expected values. PCRs are extended (hash-chained) with measurements during boot, so any change to a measured component yields different PCR values and the TPM refuses to unseal the secret. The flip side is that a legitimate kernel or boot loader update changes the PCRs too, so the expected values must be known before the reboot that will use them.

openSUSE addresses this with the pcr-oracle tool, which predicts the PCR values a future boot will produce from the boot artifacts on disk, so the key can be sealed against values that are about to change rather than against the TPM’s current state. This keeps TPM2 unlocking working across updates while preserving the integrity check.
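The mechanics behind the last three paragraphs, as an added example that is not code from openSUSE, systemd or pcr-oracle: it simulates TPM2-style PCR extension, predicts the PCR values a given boot chain will end with (the job pcr-oracle does against real boot artifacts), and seals a secret under a policy that only releases it when the measured values match the prediction. The boot events, PCR assignments and the XOR-pad sealing are constructed stand-ins; a real TPM seals under its own key hierarchy and marshals the PCR selection into the policy digest more elaborately than shown here.

```python
"""Simulated measured boot with PCR-bound unsealing (constructed example)."""
import hashlib
import hmac
from typing import Dict, Iterable, List, Optional, Tuple

PCR_RESET = b"\x00" * 32  # SHA-256 PCRs 0-15 start all-zero after a TPM reset


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR_new = H(PCR_old || digest). PCRs only ever append."""
    return hashlib.sha256(pcr + digest).digest()


def pcr_event(pcr: bytes, data: bytes) -> bytes:
    """TPM2_PCR_Event style: hash the data, then extend the PCR with that digest."""
    return pcr_extend(pcr, hashlib.sha256(data).digest())


def predict_pcrs(boot_chain: Dict[int, List[bytes]]) -> Dict[int, bytes]:
    """Replay each PCR's ordered event list from the reset value.

    This is the prediction step: given what the next boot will measure, compute
    the PCR values that boot ends with, without rebooting.
    """
    predicted: Dict[int, bytes] = {}
    for index, events in boot_chain.items():
        value = PCR_RESET
        for event in events:
            value = pcr_event(value, event)
        predicted[index] = value
    return predicted


def policy_digest(pcrs: Dict[int, bytes], selection: Iterable[int]) -> bytes:
    """Simplified TPM2_PolicyPCR: H(selection || H(selected PCR values)).

    A real TPM also folds the command code and the marshalled TPML_PCR_SELECTION
    into the running policy digest; the binding property is the same.
    """
    chosen = sorted(selection)
    composite = hashlib.sha256(b"".join(pcrs[i] for i in chosen)).digest()
    return hashlib.sha256(bytes(chosen) + composite).digest()


def _keystream(policy: bytes, length: int) -> bytes:
    """Toy keystream derived from the policy digest (stand-in for the TPM's sealing key)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(b"seal" + policy + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(secret: bytes, expected_pcrs: Dict[int, bytes], selection: Iterable[int]) -> Tuple[bytes, bytes]:
    """Seal `secret` to the expected PCR policy; returns (policy, blob) like a TPM's authPolicy + sealed object."""
    policy = policy_digest(expected_pcrs, selection)
    blob = bytes(s ^ k for s, k in zip(secret, _keystream(policy, len(secret))))
    return policy, blob


def unseal(policy: bytes, blob: bytes, actual_pcrs: Dict[int, bytes], selection: Iterable[int]) -> Optional[bytes]:
    """Release the secret only if the PCRs measured at boot satisfy the policy."""
    if not hmac.compare_digest(policy_digest(actual_pcrs, selection), policy):
        return None  # a real TPM answers TPM_RC_POLICY_FAIL here
    return bytes(b ^ k for b, k in zip(blob, _keystream(policy, len(blob))))


# Constructed boot chain: event strings stand in for digests of firmware variables
# and EFI binaries. PCR 7 ~ Secure Boot state, PCR 4 ~ boot loader and kernel,
# PCR 11 ~ kernel/initrd/command line as measured by systemd-stub.
GOOD_BOOT: Dict[int, List[bytes]] = {
    7: [b"SecureBoot=1", b"db: vendor certificate", b"shim: authenticode digest"],
    4: [b"systemd-bootx64.efi", b"vmlinuz-6.7.1"],
    11: [b"vmlinuz-6.7.1", b"initrd-6.7.1", b"cmdline: root=/dev/mapper/root rw"],
}
SELECTION = (4, 7, 11)


def tampered_boot() -> Dict[int, List[bytes]]:
    """The same chain with the kernel swapped for an unsigned replacement."""
    chain = {k: list(v) for k, v in GOOD_BOOT.items()}
    chain[4][1] = b"vmlinuz-evil"
    chain[11][0] = b"vmlinuz-evil"
    return chain


def run_demo() -> Tuple[bool, bool, bool]:
    """Seal against predicted values; unseal under good, tampered and merely updated boots."""
    secret = b"luks2-volume-key-0123456789abcdef"
    policy, blob = seal(secret, predict_pcrs(GOOD_BOOT), SELECTION)
    good = unseal(policy, blob, predict_pcrs(GOOD_BOOT), SELECTION) == secret
    tampered_blocked = unseal(policy, blob, predict_pcrs(tampered_boot()), SELECTION) is None
    # A legitimate kernel update changes PCRs 4 and 11 as well: unless the key is
    # re-sealed against the predicted post-update values (what pcr-oracle automates),
    # the next boot falls back to the passphrase or recovery key.
    updated = {k: [e.replace(b"6.7.1", b"6.7.2") for e in v] for k, v in GOOD_BOOT.items()}
    update_blocked = unseal(policy, blob, predict_pcrs(updated), SELECTION) is None
    return good, tampered_blocked, update_blocked


if __name__ == "__main__":
    print(run_demo())  # (True, True, True)
```

The third result is the operational point: both the attacker's kernel and the distribution's own kernel update are indistinguishable to the TPM, which is exactly why the prediction step has to run before the reboot that installs the new kernel.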

Using systemd for Disk Encryption

GRUB2 still works for FDE, but systemd-boot enables an alternative architecture that works with any boot loader following the Boot Loader Specification (BLS). In it, the kernel and initrd live on the unencrypted EFI system partition (ESP), and the sysroot (the partition holding the system) is unlocked from inside the initrd by systemd-cryptsetup, driven by crypttab options.
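What those two halves look like on disk, as a constructed example (not files generated by openSUSE’s tooling; the UUID, paths and kernel version are placeholders): a BLS type #1 entry that systemd-boot reads from the ESP, and the crypttab line inside the initrd that hands the root volume to systemd-cryptsetup with a TPM2 unlock policy.

```text
# /boot/efi/loader/entries/opensuse-tumbleweed-6.7.1-1.conf  (on the unencrypted ESP)
title      openSUSE Tumbleweed
version    6.7.1-1-default
linux      /opensuse-tumbleweed/6.7.1-1-default/linux
initrd     /opensuse-tumbleweed/6.7.1-1-default/initrd
options    root=/dev/mapper/root rw

# /etc/crypttab as shipped inside the initrd
# name  device                                       keyfile  options
root    UUID=0b0d2a7e-0000-4000-8000-000000000001    none     tpm2-device=auto,tpm2-pcrs=4+7+11
```

The entry file and the kernel it points at are readable by anyone with the disk, so nothing about this layout relies on secrecy: the ESP contents and the command line are measured into the PCRs, and an edited entry simply fails the TPM policy and drops to the passphrase prompt. `bootctl list` shows which entries systemd-boot sees, and `systemd-cryptenroll --tpm2-device=list` confirms a TPM2 is visible before you enroll against it.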

To support this new architecture, openSUSE provides a MicroOS image named kvm-and-xen-sdboot that showcases the new FDE capabilities. This image includes systemd-boot, sdbootutil scripts for synchronizing boot entries, pcr-oracle for predicting PCR values, disk-encryption-tool for encrypting the sysroot device, and dracut-pcr-signature, a dracut module that loads predictions into the initrd from the ESP.

Together these tools give a measured, unattended boot. The firmware (in this image, a VM with a virtual TPM2 device) measures the code and data it executes and extends the PCRs with them; systemd-boot loads the selected boot entry; on first boot the disk-encryption-tool script encrypts the sysroot device; and the jeos-firstboot modules enroll FIDO2 keys and show the recovery key.

Future Improvements

While the current implementation is a sound proof of concept, there are several areas for improvement. The disk-encryption-tool should be integrated into the installer, and the jeos-firstboot modules should also live in the installer or be merged with the functionality provided by the encryption tool. Separating system keys from user keys and enabling the use of TPM2 and FIDO2 keys simultaneously are also potential improvements.

openSUSE also intends to work with upstream projects such as systemd and GRUB2 to get the current tools and features adopted. Diagnostics for why the TPM2 refused to unlock the LUKS2 key should be improved, and support for multiple encrypted disks validated and extended.

Ultimately, openSUSE is considering the use of unified kernel images and further standardization to simplify the architecture. The generation and registration of new keys, as well as the selection of PCR values, may be automated or better documented to streamline the process.

Fedora 40 Enhances Security with Systemd Hardening Measures

Fedora 40 is set to harden system services using the sandboxing features systemd already provides, as reported by Phoronix. The release plans to enable, per service, several optional systemd settings: PrivateTmp, ProtectSystem, ProtectHome, ProtectClock, ProtectHostname, ProtectKernelModules, PrivateDevices, PrivateNetwork, NoNewPrivileges, ProtectKernelTunables, and other options that further restrict and isolate the service.
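A constructed before/after for one service, as an added example rather than a Fedora unit: the unhardened unit on top, then a drop-in applying the options named above. Two caveats a practitioner hits immediately: PrivateNetwork=yes is only for services that never touch the network, and ProtectSystem=strict makes the whole filesystem read-only except the paths you explicitly grant, so a daemon that writes under /var/lib needs StateDirectory= (or ReadWritePaths=). The unit name, binary and user are placeholders.

```ini
# Before: /usr/lib/systemd/system/example-daemon.service (constructed)
[Unit]
Description=Example daemon

[Service]
ExecStart=/usr/sbin/example-daemon
User=example

# After: /etc/systemd/system/example-daemon.service.d/hardening.conf (constructed)
[Service]
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ProtectClock=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
PrivateDevices=yes
NoNewPrivileges=yes
# Only for a daemon that never needs the network; a network service leaves this out.
PrivateNetwork=yes
# With ProtectSystem=strict this is the one place the daemon can still write.
StateDirectory=example-daemon
```

`systemd-analyze security example-daemon.service` prints the exposure score before and after the drop-in, and is the quickest way to see which of the listed options a given service is still missing.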

The change proposal for this systemd security hardening has been approved by the Fedora Engineering and Steering Committee (FESCo) and is expected to land in Fedora 40, due in the spring. The measures raise the default security of Fedora services by limiting what a compromised service can reach, which contains as-yet-unknown vulnerabilities in default system services.

For more information on the systemd security hardening changes planned for Fedora 40, you can refer to the change proposal and the approval by FESCo.

Source: Phoronix.

Debian 12.4: Latest Update Released

Debian 12.4 has been released, superseding Debian 12.3, which shipped a kernel that could corrupt data. The bug, tracked as Debian bug #1057843, affected the linux-image-6.1.0-14 kernel package (version 6.1.64-1) and involved ext4 data corruption. Debian 12.4 fixes it, along with other important bugs.

Debian 12.4 is an update to the stable distribution Debian 12, codenamed “bookworm”. This point release focuses on correcting security issues and addressing other serious problems. It is not a new version of Debian 12; it only updates some of the packages included in the distribution. Users do not need to discard their old Debian 12 media and can simply upgrade their packages to the current versions from an up-to-date Debian mirror.

For users who regularly install updates from security.debian.org, there will be minimal package updates with this point release, as most of the updates have already been included. New installation images will be made available soon at the usual locations.

The update includes a comprehensive list of bug fixes for various packages. The complete list of bug fixes can be found in the Debian 12.4 Changelog. In addition to bug fixes, Debian 12.4 also includes security updates. The Security Team has released advisories for each of these updates, addressing vulnerabilities in packages such as Chromium, Firefox ESR, Exim4, Thunderbird, and more. The installer has also been updated to include the fixes incorporated into the stable release by the point release.

For more information about Debian 12.4, including the complete list of packages that have changed, the current stable distribution, proposed updates, and security announcements, visit the Debian website.

Alpine Linux 3.19.0: The Latest Release

Alpine Linux has officially released version 3.19.0, marking the introduction of the v3.19 stable series. This release encompasses various updates and improvements across the system.

Core Component Upgrades

  • Linux Kernel (6.6): The update includes a transition to Linux kernel version 6.6, focusing on stability and compatibility enhancements.

  • Compiler (GCC 13.2): Alpine Linux now incorporates GCC version 13.2, providing developers with the latest compiler features and optimizations for software development.

  • Scripting Language (Perl 5.38): The release adopts Perl version 5.38, introducing bug fixes and improvements for users working with the scripting language.

Virtualization and Database Updates

  • Xen Hypervisor (4.18): Alpine Linux 3.19.0 brings an upgrade to Xen version 4.18, incorporating security, performance, and architectural enhancements.

  • PostgreSQL (16): The PostgreSQL database is updated to version 16, offering users the latest features and improvements in the open-source relational database system.

  • Node.js (LTS 20.10): The LTS version of Node.js is now at 20.10, providing a stable platform for server-side JavaScript applications.

  • Ceph Storage (18.2): Alpine Linux includes Ceph version 18.2, enhancing distributed storage capabilities.

Notable Changes and Upgrade Notes

  • Raspberry Pi 5 Support: Alpine Linux 3.19.0 introduces support for Raspberry Pi 5.

  • Kernel Consolidation: The linux-rpi4 and linux-rpi2 kernels have been replaced by a unified linux-rpi.

  • Routing Scheme Update (Yggdrasil): Yggdrasil, the networking software, has been upgraded to version 0.5, featuring a new routing scheme that may require adjustments for compatibility.

  • Package Management (Python): Python’s system site-packages is now marked as externally managed (PEP 668), so pip refuses to install into the directories that apk manages. Users are advised to use pipx or a virtual environment instead.

For a comprehensive list of changes, users can refer to the release notes, git log, and bug tracker.

As always, users are recommended to use apk upgrade --available when transitioning between major versions.