story

Mitigations are attack surface, too (opens in new tab)

googleprojectzero.blogspot.com

104 pointsarchimag06y ago22 comments

22 comments

The irony of Google security blog giving advice to a problem that the company is responsible for it happening in first place.

Had they placed update requirements as part of the Play Store contract, vendors would be more keen in providing the said updates.

CiPHPerCoder6y ago

The irony is real, but I appreciate P0's transparency here.

CiPHPerCoder6y ago

> On Android, it is normal for vendors to add device-specific code to the kernel.

https://i.imgur.com/DnRNrZe.png

Normal for Android : Normal in general :: Madness : Sanity

> This code is a frequent source of security vulnerabilities.

If the first sentence was the shot, that's the chaser.

izacus6y ago

Your snark is very welcome, but do you have any proposal of how do you add support for a new Qualcomm SoC, GPU and it's camera modules without modifying the kernel? Or for their basebands?

Linux still has pretty much no path of adding these in userspace, neither it's interested in a stable ABI.

And no, forcing the only big SoC manufacturer in the world to opensource their drivers isn't really going to work.

wtallis6y ago

If forced to choose between open-sourcing and upstreaming their drivers, or supporting them for 5+ years and forcing their customers to actually deliver those updates to end users, then Qualcomm absolutely would choose the open-source route. QC's taking the path of least resistance, but if we take "ship it and forget it" off the menu of choices, they'll change.

izacus6y ago

How would that work? Really?

I mean, if you ever worked on any hardware, there's not many choices you have. Qualcomm says "no" and there's nothing much you can really do to get the same kind of software. It's also not interesting from financial perspective to do that. Incentives aren't there.

This "oh, just force them!" mindset is incredibly naive and hasn't worked for desktop Linux in years. Madness here is trying to do the same thing and expecting different results.

6 more replies

chalst6y ago

Eric Raymond argued for mandating suppliers provide source to firmware; this problem is harder, but somewhat similar.

http://esr.ibiblio.org/?p=6860 (from 2015; excuse the grandiose tone, but the idea is interesting)

Of course, no chance.

tasogare6y ago

Why Linux doesn't have a driver framework? That's seems the problem here. It exists in Windows, FreeBSD and probably elsewhere too.

adrianN6y ago

To encourage people to either open source their drivers so that they can be maintained inside the kernel tree, or to pay the cost of updating their stuff themselves so that Linux kernel hackers don't have to pay for backwards compatibility.

1 more reply

the_why_of_y6y ago

http://www.kroah.com/log/linux/stable_api_nonsense.html

zxcmx6y ago

I don't get it; if I'm shipping my own SOC, with my own wizzy latest hardware how else do I get drivers for all my stuff, without adding them myself?

Like, I expect the results to have all the expected "quality" of software written by hardware vendors, but I'm not sure what the alternative is?

EDIT: oh right, userspace drivers for everything. Leaving the comment here anyway...

tedunangst6y ago

Apertif: But in the Android ecosystem, that doesn't mean that it actually makes its way into device kernels.

j / k navigate · click thread line to collapse

22 comments

pjmlp6y ago

The irony of Google security blog giving advice to a problem that the company is responsible for it happening in first place.

Had they placed update requirements as part of the Play Store contract, vendors would be more keen in providing the said updates.

CiPHPerCoder6y ago

The irony is real, but I appreciate P0's transparency here.

CiPHPerCoder6y ago

> On Android, it is normal for vendors to add device-specific code to the kernel.

https://i.imgur.com/DnRNrZe.png

Normal for Android : Normal in general :: Madness : Sanity

> This code is a frequent source of security vulnerabilities.

If the first sentence was the shot, that's the chaser.

izacus6y ago

Your snark is very welcome, but do you have any proposal of how do you add support for a new Qualcomm SoC, GPU and it's camera modules without modifying the kernel? Or for their basebands?

Linux still has pretty much no path of adding these in userspace, neither it's interested in a stable ABI.

And no, forcing the only big SoC manufacturer in the world to opensource their drivers isn't really going to work.

wtallis6y ago

izacus6y ago

How would that work? Really?

This "oh, just force them!" mindset is incredibly naive and hasn't worked for desktop Linux in years. Madness here is trying to do the same thing and expecting different results.

6 more replies

chalst6y ago

Eric Raymond argued for mandating suppliers provide source to firmware; this problem is harder, but somewhat similar.

http://esr.ibiblio.org/?p=6860 (from 2015; excuse the grandiose tone, but the idea is interesting)

Of course, no chance.

tasogare6y ago

Why Linux doesn't have a driver framework? That's seems the problem here. It exists in Windows, FreeBSD and probably elsewhere too.

adrianN6y ago

1 more reply

the_why_of_y6y ago

http://www.kroah.com/log/linux/stable_api_nonsense.html

zxcmx6y ago

I don't get it; if I'm shipping my own SOC, with my own wizzy latest hardware how else do I get drivers for all my stuff, without adding them myself?

Like, I expect the results to have all the expected "quality" of software written by hardware vendors, but I'm not sure what the alternative is?

EDIT: oh right, userspace drivers for everything. Leaving the comment here anyway...

tedunangst6y ago

Apertif: But in the Android ecosystem, that doesn't mean that it actually makes its way into device kernels.

j / k navigate · click thread line to collapse