Archaeopteryx

GRUB2 with BLS is now in MicroOS and Tumbleweed

Recently the openSUSE project released for MicroOS and Tumbleweed a new version of the GRUB2 package, with a new subpackage grub2-$ARCH-efi-bls. This subpackage deliver a new EFI file, grubbls.efi, that can be used as replacement of the traditional grub.efi.

The new PE binary is a version of GRUB2 that includes a set of patches from Fedora, which makes the bootloader follow the Boot Loader Specification (BLS). This will make GRUB2 understand the boot entries from /boot/efi/entries, and dynamically generate the boot menu showed during boot time.

This is really important for full disk encryption (FDE) because this means that now we can re-use all the architecture and tools designed for systemd-boot. For example, installing or updating the bootloader can now be done with sdbootutil install, the suse-module-tools scriptlets will create new BLS entries when a new kernel is installed, and the tukit and snapper plugins will take care of doing the right thing when snapshots are created or removed.

Reusing all those tools without modification was a significant win, but even better, many of the quirks that classical GRUB2 had when extending the event log are no longer present. Before this package, sdbootutil needed to take ownership of the grub.conf file, as this will be measured by GRUB2 by executed lines. That is right! For each line that is read and executed by the GRUB2 parser, a new PCR#8 will take place, and because GRUB2 support conditional as other complex constructors, it is very hard to predict the final value of PCR#8 without imposing a very minimal and strict grub.conf.

However, with the new BLS subpackage, this file, along with the fonts and graphical assets for the theme, and the necessary modules (such as bli.mod), are now included in the internal squashfs within the EFI binary. GRUB2 will no longer measure those internal files without compromising security guarantees because now it is the firmware that measures the entire EFI when the bootloader is executed during the boot process.

As today, we cannot use YaST2 to install GRUB2 with BLS, but we can do that manually very easily. We need to make a systemd-boot installation, replace LOADER_TYPE from systemd-boot to grub2-bls, install the new GRUB2 BLS package, and do sdbootutil install. Another option is to play with one of the available images for MicroOS or Tumbleweed.

Have a lot of fun!

Hello everyone!

I'd like to announce the start of development and the public availability of what we currently refer to as Leap 16.0 pre-Alpha. Since this is a pre-Alpha version, significant changes may occur, and the final product may look very different in the Alpha, Beta, Release Candidate, or General Availability stages. The installer will currently offer you Base, GNOME, and KDE.

Users can get our new Agama install images from get.opensuse.org/leap/16.0. The installer will currently offer you Base, GNOME, and KDE installation.

Leap 16.0 is a traditional distribution and a successor to Leap 15.6 with expected General Availability arriving in the Fall of 2025.

We intend to provide users with sufficient overlap so that 15.6 users can have a smooth migration, just like they're used to from previous releases.

Further details are available on our roadmap. The roadmap is subject to change since we have to respond to any SUSE Linux Enterprise Server 16 schedule changes.

Users can expect a traditional distribution in a brand new form based on binaries from the latest SLES 16 and community packages from our Factory development codebase.

There is no plan to make a Leap 15.7, however, we still need to deliver previously released community packages from Leap 15 via Package HUB for the upcoming SLES 15 SP7. This is why there are openSUSE:Backports:SLE-15-SP7 project and 15.7 repos in OBS.

The target audience for pre-Alpha are early adopters and contributors who would like to actively be part of this large effort. Adopters should consider booting Agama Media from time to time just to check compatibility with their hardware.

For non-contributor users, I highly recommend waiting until we have a Beta, which is expected in the late Spring of 2025.

Specifically for Agama I highly recommend using github.com/agama-project and collaborating with the YaST team on suggestions and incorporating any changes.

For the rest of the components, the workflow isn't changing; just select version 16.0 for bug submissions.

Feature requests will be reviewed every Monday at a feature review meeting where we'll convert code-o-o requests into JIRA requests used by SUSE Engineering where applicable.

The factory-auto bot will reject all code submit requests against SLES packages with a pointer to code-o-o. You can get a list of all SLFO/SLES packages simply by running osc ls SUSE:SLFO:1.1:Build.

Just for clarification SLFO, SUSE Linux Framework One, is the source pool for SLES 16 and SL Micro 6.X.

I highly recommend using code-o-o to co-ordinate larger community efforts such as Xfce enablement, where will likely need to update some of SLES dependencies. This allows us to share the larger story and better reasoning for related SLES update requests. The list of features is also extremely valuable for the Release article.

For quality control, we have basic test suites based on Agama installations in Leap 16.0 job group. Later, we plan to rework the existing Leap 16.0 Images job group for testing the remaining appliance images.

The project where we maintain community packages is subject to change as we have not fully finalized yet how to make Package HUB; we may use a similar structure with Backports as in 15.3+).

Further test suite enablement is one of the areas where we currently need the most help. Related progress.opensuse.org trackers poo#164141 Leap 16.0 enablement and poo#166562 upgrade from 15.6.

Another area where you can help is new package submissions and related maintainer review of package submissions to Leap 16.0. These reviews make sense as we'd like to check with maintainers whether that software in a given version makes sense for inclusion into Leap 16.0, rather than blindly copying all packages over.

Do you want to help us on this front? Spread the news and feel free to join the #openSUSE_Marketing Telegram channel(https://t.me/openSUSE_Marketing)! https://en.opensuse.org/openSUSE:Marketing_team

Many thanks to all who helped us to reach this point.

Lubos Kocman on behalf of the openSUSE Release team

Hello everyone!

I'd like to announce the start of development and the public availability of what we currently refer to as Leap 16.0 pre-Alpha. Since this is a pre-Alpha version, significant changes may occur, and the final product may look very different in the Alpha, Beta, Release Candidate, or General Availability stages. The installer will currently offer you Base, GNOME, and KDE.

Users can get our new Agama install images from get.opensuse.org/leap/16.0. The installer will currently offer you Base, GNOME, and KDE installation.

Leap 16.0 is a traditional distribution and a successor to Leap 15.6 with expected General Availability arriving in the Fall of 2025.

We intend to provide users with sufficient overlap so that 15.6 users can have a smooth migration, just like they're used to from previous releases.

Further details are available on our roadmap. The roadmap is subject to change since we have to respond to any SUSE Linux Enterprise Server 16 schedule changes.

Users can expect a traditional distribution in a brand new form based on binaries from the latest SLES 16 and community packages from our Factory development codebase.

There is no plan to make a Leap 15.7, however, we still need to deliver previously released community packages from Leap 15 via Package HUB for the upcoming SLES 15 SP7. This is why there are openSUSE:Backports:SLE-15-SP7 project and 15.7 repos in OBS.

The target audience for pre-Alpha are early adopters and contributors who would like to actively be part of this large effort. Adopters should consider booting Agama Media from time to time just to check compatibility with their hardware.

For non-contributor users, I highly recommend waiting until we have a Beta, which is expected in the late Spring of 2025.

Specifically for Agama I highly recommend using github.com/agama-project and collaborating with the YaST team on suggestions and incorporating any changes.

For the rest of the components, the workflow isn't changing; just select version 16.0 for bug submissions.

Feature requests will be reviewed every Monday at a feature review meeting where we'll convert code-o-o requests into JIRA requests used by SUSE Engineering where applicable.

The factory-auto bot will reject all code submit requests against SLES packages with a pointer to code-o-o. You can get a list of all SLFO/SLES packages simply by running osc ls SUSE:SLFO:1.1:Build.

Just for clarification SLFO, SUSE Linux Framework One, is the source pool for SLES 16 and SL Micro 6.X.

I highly recommend using code-o-o to co-ordinate larger community efforts such as Xfce enablement, where will likely need to update some of SLES dependencies. This allows us to share the larger story and better reasoning for related SLES update requests. The list of features is also extremely valuable for the Release article.

For quality control, we have basic test suites based on Agama installations in Leap 16.0 job group. Later, we plan to rework the existing Leap 16.0 Images job group for testing the remaining appliance images.

The project where we maintain community packages is subject to change as we have not fully finalized yet how to make Package HUB; we may use a similar structure with Backports as in 15.3+).

Further test suite enablement is one of the areas where we currently need the most help. Related progress.opensuse.org trackers poo#164141 Leap 16.0 enablement and poo#166562 upgrade from 15.6.

Another area where you can help is new package submissions and related maintainer review of package submissions to Leap 16.0. These reviews make sense as we'd like to check with maintainers whether that software in a given version makes sense for inclusion into Leap 16.0, rather than blindly copying all packages over.

Do you want to help us on this front? Spread the news and feel free to join the #openSUSE_Marketing Telegram channel(https://t.me/openSUSE_Marketing)! https://en.opensuse.org/openSUSE:Marketing_team

Many thanks to all who helped us to reach this point.

Lubos Kocman on behalf of the openSUSE Release team

Welcome to the monthly update for Tumbleweed for September 2024! This month, the rolling-release model has kept pace with numerous important updates and bug fixes. PostgreSQL received a major update moving to 17 and text shaping engine harfbuzz had a major update to version 10. Packages like systemd, git, bash and qemu were also updated this month in the rolling release. Various packages saw CVE fixes and desktop components for GNOME and KDE were also updated. As always, remember to roll back using snapper if any issues arise.

Happy updating and tumble on!

Should readers desire more frequent information about snapshot updates, they are encouraged to subscribe to the openSUSE Factory mailing list.

New Features and Enhancements

• Linux Kernel 6.11.0: The latest update brings reversion of the PCI ACS configurability extension to address an issue bsc#1229019. Key updates in the release include a fix to the block subsystem, resolving how the scheduler is handled in elv_iosched_local_module. A correction was made in the AMD GPU display driver to address a mistake from a previous revert related to bsc#1228093. Updates also include refreshed ALSA patches to enhance power management blacklist options. The improvements are expected to provide greater stability and performance for various hardware configurations.
• postgresql17: This major release provides key improvements like a revamped memory management system for vacuum, boosting efficiency by reducing memory usage by up to 20x along with optimized processing for high concurrency workloads. Version 17 also enhances query execution with faster processing using B-tree indexes and parallel BRIN index builds. Developers benefit from the addition of the SQL/JSON JSON_TABLE command and expanded MERGE capabilities, as well as a 2x speed improvement in data exports with the COPY command. Logical replication now simplifies major version upgrades by eliminating the need to drop replication slots, improving ease of use in high availability setups. The software package further enhances database security and operational management, with new TLS options, incremental backups, and detailed monitoring tools.
• harfbuzz 10.0.1: Significant fixes were made for the text shaping engine including support for Unicode 16.0.0. The version has a new Application Programming Interfaces that allows clients to customize glyphs when a Unicode Variation Selector isn't supported by the font, as well as a callback for getting table tags from hb_face_t. Updates also address pair positioning lookup subtable application for compatibility and ensure subsetting fails if no glyphs are present to prevent silent errors.
• GNOME 46.5: gnome-shell now addresses issues with smartcard logins, fixes glitches when quick settings menu animations are interrupted, and resolves problems with new Wi-Fi connections for restricted users. It also ensures required animations remain enabled, fixes display of pending PAM messages on the login screen and plugs memory leaks. Un update of the gnome-software has a reduction in power usage when the main window is closed, along with translation updates..
• KDE Plasma 6.1.5: In Discover, snapType mapping is corrected, and Flatpak now properly reports extensions without errors. KWin addresses several crash scenarios, such as null dereference and input event handling from removed devices. Plasma Desktop includes fixes for keyboard navigation in Kickoff, task list alignment in RTL mode and it has proper handling of background icons and test windows. Plasma Workspace enhances touchscreen interaction, system tray tooltips and clipboard functionality. Additional fixes included targeted crashes in hotplugging and svg rendering, while SDDM KCM improves state management.
• Frameworks 6.6.0: Attica adds CI jobs for Alpine/musl, while Baloo sets up crash handling for baloo_file. New icons are introduced in Breeze. KCoreAddons improves dbus error handling and licensing, and KDeclarative adjusts rendering for better DPI positioning. KIO resolves issues with restoring trash entries and enhances service menu handling. KTextEditor receives performance optimizations and additional C++ porting for sorting and unique functionalities. Kirigami continues to improve icon handling and toolbars, while KNewStuff and KWalletf ocus on making shared actions more reliable and enhancing crash handling.
• KDE Gear 24.08.1: Akademy 2024 Videos are out, but a lot of efforts went into last month’s conference. Akonadi resolves a crash related to query cache eviction and fixes configuration file handling. Dolphin improves usability with fixes for button functionality and file list resizing, while Elisa enhances its Now Playing view and toolbar layout. Itinerary and Kalarm both receive updates for better dark mode handling and audio alarm functionality. Kdenlive addresses multiple timeline and rendering issues, optimized keyframe handling and fixes several bugs related to effects and transitions. Kate adds support for the Odin language in its formatter and Okular now sets tooltips for forms.

Key Package Updates

• git 2.46.1: A clarification has been made to git checkout --ours to inform users they need to specify paths, avoiding confusion. An issue with git add -p failing for users with diff.suppressBlankEmpty was corrected. Additionally, git notes add -m '' --allow-empty no longer improperly invokes an editor, and unnecessary re-encoding operations for tracing have been removed.
• qemu 9.1.0: The update introduces new migration capabilities, such as compression offload support via Intel In-Memory Analytics Accelerator (IAA) or User Space Accelerator Development Kit (UADK) and improved postcopy failure recovery. RISC-V architecture also sees support for several extensions, while x86 adds KVM support for AMD SEV-SNP guests and emulation for newer Intel CPU models like Ice Llake and Sapphire Rapids.
• systemd 256.6: This version no longer attempts to restart udev socket units, addressing issue bsc#1228809 where safely restarting socket-activated services and their socket units simultaneously was problematic.
• pipewire 1.2.4: The update addresses a crash during the cleanup of globals and enhances the RequestProcess dispatch mechanism. The Simple Plugin API framework now uses systemd-logind to detect new devices. Pulse-Code Modulation device handling is also improved.
• GStreamer 1.24.8: The multimedia framework package improves handling in decodebin3 and encodebin for better media decoding and smart rendering, respectively. Enhancements for proper viewport resizing when video size changes were made and audio stream enhancements were made for better compatibility with Firefox. There were some stability fixes for wayland including crash prevention and Application Binary Interface corrections.
• Mesa 24.1.7: This release continues to support OpenGL 4.6 and Vulkan 1.3, though the version reported depends on the specific driver used. Key bug fixes include resolving issues with smartcard logins, race conditions when generating enums, and artifacts in games such as Black Myth Wukong and DCS World with certain GPUs.
• GTK4 4.16.1: This GTK Scene Graph Kit layer sees speed optimizations for Vulkan operations, reduces startup time by skipping unnecessary GL and Vulkan initialization and fixes a crash related to certain Vulkan drivers. Memory format conversions in GIMP Drawing Kit are now faster. The builder-tool has also been improved for better box conversion.
• bash 5.2.37: This update has key patches to address issues such as an incorrect handling of quoted text during auto-completion and multibyte character handling in readline. The update resolves system compatibility with select and pselect availability and fixes a parsing issue in compound assignments during alias expansion. A typo in the autoconf test affecting strtold availability when compiled with GNU Compiler Collection 14 was corrected.
• vim 9.1.0718: One notable fix in the text editor resolves issues with personal Vim runtime directory recognition. The update also addresses unnecessary NULL checks in parse_command_modifiers() and corrects color name parsing errors introduced in a previous version. Other improvements include updates to syntax highlighting for various file types such as HCL, Terraform, and tmux. Performance improvements were also made to include the more efficient inserting with a count and resolving cursor position crashes.

Bug Fixes

• curl 8.10.0:
  • CVE-2024-8096 may have incorrectly validated certificates using Online Certificate Status Protocol stapling, ignoring certain errors like 'unauthorized'.
• OpenSSL:
  • CVE-2024-41996 was fixed, which could have allowed remote attackers to trigger costly server-side DHE calculations via public key order validation in Diffie-Hellman.
• postgresql17
  • CVE-2024-7348 fixes a race condition that could allow attackers to execute arbitrary SQL as the user running pg_dump.
• python311: This package fixed a few CVE’s. Here are a couple of fixes
  • CVE-2024-4030 had a fix to ensure Unix "700" permissions are applied to secure the directory.
• tiff 4.7.0:
  • CVE-2023-52356 had a segmentation fault allowing remote attackers to trigger a heap-buffer overflow that could cause a denial of service.
  • CVE-2024-7006 had a null pointer dereference in that could trigger application crashes and cause denial of service.
• LibreOffice 24.8.1.2
  • CVE-2024-5261 was fixed that disabled TLS certificate verification, allowing improper certificate validation during document processing in third-party components.
• Mozilla Firefox 130.0.1:
  • This release fixes several CVEs. One of the most critical fixes involves CVE-2024-8385, where a WASM type confusion issue could lead to exploitable vulnerabilities. Another significant fix is for CVE-2024-8381, which could trigger a type confusion vulnerability when looking up property names within a "with" block. CVE-2024-8388 fixed an issue where fullscreen notifications could be hidden on Android devices, potentially leading to UI spoofing attacks. Two memory safety bugs, CVE-2024-8387 and CVE-2024-8389, were also patched.
• apr 1.7.5:
  • CVE-2023-49582 had shared memory permissions that could expose sensitive data to local users.

Conclusion

September 2024 brings important updates for Tumbleweed users. Security fixes across packages like PostgreSQL, libtiff, and LibreOffice ensure stability and security. Significant improvements were made in tools like systemd, git, and qemu, enhancing performance and compatibility. Noteworthy updates in PostgreSQL 17 and Harfbuzz 10 also bring major enhancements, contributing to a more robust and refined rolling release environment.

Stay updated with the latest snapshots by subscribing to the openSUSE Factory mailing list. For those Tumbleweed users who want to contribute or want to engage with detailed technological discussions, subscribe to the openSUSE Factory mailing list . The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.

Contributing to openSUSE Tumbleweed

Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.

This is a quick start guide for Full Disk Encryption with TPM or FIDO2 and YaST2 on openSUSE Tumbleweed. It focuses on the few steps to install openSUSE Tumbleweed with YaST2 and using Full Disk Encryption secured by a TPM2 chip and measured boot or a FIDO2 key.

Hardware Requirement:

• UEFI Firmware
• TPM2 Chip or FIDO2 key which supports the hmac-secret extension
• 2GB Memory

Installation of openSUSE MicroOS

There is an own Quickstart for openSUSE MicroOS

Installation of openSUSE Tumbleweed

Boot installation media

• Follow the workflow until "Suggested Partitioning":
  • Partitioning: Select "Guided Setup" and "Enable Disk Encryption", keep the other defaults
• Continue Installation until "Installation Settings":
  • Booting:
    • Change Boot Loader Type from "GRUB2 for EFI" to "Systemd Boot", ignore "Systemd-boot support is work in progress" and continue
  • Software:
    • Install additional tmp2.0-tools, tpm2-0-tss and libtss2-tcti-device0
• Finish Installation

Finish FDE Setup

Boot new system

• Enter passphrase to unlock disk during boot
• Login
• Enroll system:
  • With TPM2 chip: sdbootutil enroll --method tpm2
  • With FIDO2 key: sdbootutil enroll --method fido2
• Optional, but recommended:
  • Upgrade your LUKS key derivation function (do that for every encrypted device listed in /etc/crypttab):

          # cryptsetup luksConvertKey /dev/vdaX --pbkdf argon2id
          # cryptsetup luksConvertKey /dev/vdaY --pbkdf argon2id
  

Adjusting kernel boot parameters

The configuration file for kernel command line options is /etc/kernel/cmdline.

After editing this file, call sdbootutil update-all-entries to update the bootloader configuration. If that option does not exist yet or does not work, a workaround is: sdbootutil remove-all-kernels && sdbootutil add-all-kernels.

Re-enrollment

If the prediction system fails, a new policy must be created for the new measurements to replace the policy stored in the TPM2.

If you have a recovery PIN:

  # sdbootutil --ask-pin update-predictions

If you don't have the recovery PIN, you can set one with this steps:

  # sdbootutil unenroll --method=tpm2
  # PIN=<new recovery PIN> sdbootutil enroll --method=tpm2

Virtual Machines

If your machine is a VM, it is recommended to remove the "0" from the FDE_SEAL_PCR_LIST variable in /etc/sysconfig/fde-tools. An update of the hypervisor can change PCR0. Since such an update is not visible inside the VM, the PCR values cannot be updated. As result, the disk cannot be decrypted automatically at the next boot, the recovery key needs to be entered and a manual re-enrollment is necessary.

Next Steps

The next steps will be:

• Support grub2-BLS (grub2 following the Boot Loader Specification)
• Add support to the installers (YaST2 and Agama)
• Make this the default if a TPM2 chip is present

Any help is welcome!

Further Documentation

• Full Disk Encryption (FDE)
• Systemd-fde
• Systemd-boot and Full Disk Encryption with TPM and FIDO2

The "security" development project is switched to a 4096bit RSA key.

New key fingerprint:

Type : GPG public key

User ID : security OBS Project <security@build.opensuse.org>

Algorithm : rsa

Key size : 4096

Expires : 2026-12-02 13:27:55

Fingerprint : f9fa 0223 b56b 116c 3637 37ef 5da5 7bdd 6dd7 85ca

Python 3.13 RC2 is now available in Tumbleweed. This new version of the Python interpreter will be released in October 2024.

There is a lot of changes and new features in 3.13, but we're also bringing exiting experimental features in Tumbleweed.

Experimental JIT compiler

The default (python313) build has the flag --enable-experimental-jit=yes-off. This means that if you want to use this experimental JIT you can enable with an environment variable:

$ PYTHON_JIT=1 python3.13

You can find more information about the JIT compiler and how it can improve performance in PEP-744.

Free threaded CPython (no GIL)

With this new version of Python interpreter, there is an option to build without the famous Global Interpreter Lock, aka GIL. This is a really experimental feature, but why not have this on Tumbleweed? So we decided to build also this new version with a new package python313-nogil.

This new package is an isolated interpreter, so you can install without conflicts with python313. The package is building with the --disable-gil option and it provides the /usr/bin/python3.13t binary. It uses by default /usr/lib/python3.13t/site-packages for third-party libs so, with the default configuration, it won't use any python 3.13 module.

This means that now you can use threading.Thread in the Python interpreter, and it will be actual threads so, at the end using threads with python3.13t, interpreter should be a lot faster.

There's no packages for this interpreter in Tumbleweed, at this moment. So if you want to use third party libraries you should use virtualenv and pip for that:

$ python3.13t -m venv free-threaded-env
$ source free-threaded-env/bin/activate
(free-threaded-env) $ pip install requests
(free-threaded-env) $ python3
Python 3.13.0rc2 experimental free-threading build (main, Sep 07 2024, 16:06:06) [GCC] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys; sys._is_gil_enabled()
False