I have zero interest in anything Microsoft has to say about Free software.
this post was submitted on 22 Mar 2025
84 points (93.8% liked)
Linux
53953 readers
854 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 6 years ago
MODERATORS
Too bad they have a trojan horse at the LF board of directors.
Which is supposed to be who?
David Rudin, I guess? It says which company each person is from under their name. (The page defaults to the "Leadership" tab, so you gotta click on the "Board of directors" tab to see the correct list of people.)
Yeah, sorry about that. I don't know why it doesn't straight up lead you to the fight place
fight place
That it is.
Who?
"Fox proposes new brand of locks for henhouse."
Fuck off, microsoft...
I have zero trust in Microsoft's intentions here.
Embrace, Extend, Extinguish
Ah yes, the "extended Berkeley Packet Filter".
Wikipedia:
eBPF is a technology that can run programs in a privileged context such as the operating system kernel.
Hornet uses a similar signature verification scheme similar to that of kernel modules. A pkcs#7 signature is appended to the end of an executable file. During an invocation of bpf_prog_load, the signature is fetched from the current task's executable file. That signature is used to verify the integrity of the bpf instructions and maps which where passed into the kernel. Additionally, Hornet implicitly trusts any programs which where loaded from inside kernel rather than userspace, which allows BPF_PRELOAD programs along with outputs for BPF_SYSCALL programs to run.
So this is to make kernel-level instructions from userspace (something that's already happening) more secure.
The thread linked by the OP is Jarkko Sakkinen (kernel maintainer) seemingly saying "show your work, your patch is full of nonsense" in a patch submitted for review to the Linux kernel.
Edit: the OP has edited the link, it used to point to this comment in the mailing list chain.
Backdoor hidden in plain sight?
Loading BPF code from user space is, I hope, only possible with root access to the system. That would mean that an attacker needs root access to exploit BPF, but if an attacker has root access what stops him/her to do anything they want? At this time the system is lost anyway.
Or am I missing anything?
If the executable binary has to be signed with a key, similar to the module signing key, Microsoft could sign their binaries
This, along with secureboot, would prevent the owner of the machine from running eBPF programs Microsoft doesn't want you to run, even with root
Yeah, that's why I am against Microsoft Keys on my systems
I fail to see the positive side of that...
I wasn't trying to give a positive side, I was just explaining why Microsoft wants the feature
The thread linked by the OP is Jarkko Sakkinen (kernel maintainer) seemingly saying “show your work, your patch is full of nonsense” in a patch submitted for review to the Linux kernel.
That’s not what he’s saying. He’s saying: ‘You’re using terms which aren’t that familiar to everyone. Could you explain them?’
I hope we will learn from the SecureBoot debacle and not give Microsoft the primary signing keys and infrastructure for this again.
You can generate your own.
Yes I can. But I am a Linux system administrator with 20 years of experience. This should not be the level of measurement for stuff like this. 😉
What I meant was: Don't put a Microsoft master trusted authority in the Kernel, unless one chooses to install a Microsoft distribution. And don't go the SSL/TLS way with the huge number of default authorities that get installed on every system. It would be a pain to be forced to always build my own Kernel again just to keep Microsoft or any other institution/company that I find untrustworthy out of it.
Yeah. Stay in your lane microsoft.
Do people in this thread not understand that Microsoft frequently contributes to Linux? They've already lost the battle there. They rely on Linux for servers as much as everybody else.
Not necessarily saying this is a good thing or not, but writing off any Linux contributions Microsoft makes would be pretty silly.
Their contributions are welcome and appreciated.
But, given Microsoft's history, any suggestions from them should be treated with skepticism.
It's not like it's a proprietary blob. No one is stupid enough to accept a proprietary security blob from Microsoft.
Moreover, if you click through to the article, you see that this module entirely concerns eBPF, which is essentially unused outside of corporate servers (and Android phones) in the first place and is therefore barely our business to begin with.
yes they lost the battle, now they're most likely aiming to win the war.
Or they're just adding improvements to the software they heavily rely on.
I don't trust or like Microsoft, but the likelihood of there being malicious intentions in this is incredibly low. Just imagine the fallout if Microsoft tried to sabotage the kernel.
Or they’re just adding improvements to the software they heavily rely on.
which they can do in private any time they wish, without any of the fanfare.
if they actually believe in opensource let them opensource windows 7 ^1^, or idk the 1/4 of a century old windows 2k
instead we get the fanare as they pat themselves on the back for opensourcing MS-DOS 4.0 early last year (not even 8.0, which is 24 years old btw, 4.0 which came out in 1986).
38 years ago...
MS-fucking-DOS, from 38 years ago, THAT'S how much they give a shit about opensource mate.
all we get is a poor pantomime which actually only illustrates just how stupid they truly think we are to believe the charade.
does any of that mean they're 100% have to be actively shipping "bad code" in this project, not by any means. does it mean microsoft will never make a useful contribution to linux, not by any means. what it does mean is they're increasing their sphere of influence over the project. and they have absolutely no incentive to help anyone but themselves, in fact the opposite.
as everyone knows (it's not some deep secret the tech heads on lemmy somehow didn't hear about) microsoft is highly dependent on linux for major revenue streams. anything a monolith depends on which they don't control represents a risk. they'd be negligent if they didn't try to exert control over it. and that's for any organisation in their position. then factor in their widespread outspoken agenda against opensource, embrace, extend, extinguish and the vastly lacking longterm evidence to match their claims of <3 opensource.
they're welcome to prove us all wrong, but that isn't even on the horizon currently.
^1^ yes yes they claim they can't because "licensing", which is mostly but not entirely fucking flimsy, but ok devils advocate: release the rest, but nah.
@ikidd After years of Embrace, extend and extinguish, and now the cloud and copilot stuff, can't put my faith on Micro$oft anymore, EVER 🙅🙅🙅♀️
Certainly don't take my posting of this as an endorsement of anything Microsoft does. I loathe Microsoft.
They probably named it HORNET for a reason - think Japanese Murder Hornets... What Could Possibly Go Wrong??
It will probably start out as little glitches and slowdowns to destroy faith in your system ("Windows works right all the time") a random 2 second pauses. Finally one day every Linux box in the world crashes, all at the same time, because some 'dummy' in Microsoft deleted the private signing key.