RE: Linux kernel and DRM

Postby nelz » Fri Jun 15, 2012 12:00 am

Ombra wrote:The point being whatever you want to call these bits & pieces of code (or whatever) they are in the kernel. Secondly, whether you view them as harmless or not, I'd like to find a list of them so I can eradicate them (once I learn how).


They are in the kernel source, because the kernel also runs on many embedded systems that require such controls. That does not mean the code is enabled in kernels supplied with distros.

If you want to make sure your kernel contains none of the features you dislike, compile your own.

Incidentally, the only reference to Trusted Gentoo that Google turned up for me was a 7+ year old announcement of a project to use TCP with Gentoo, no mention since and no mention of DRM anywhere.
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)

Postby Ombra » Sat Jun 16, 2012 10:56 pm

wyliecoyoteuk wrote:Your biggest mistake is to regard any hardware linked security measures as DRM.
As a sysadmin, being able to certify that my kernel is not tampered with is very important.
As a consumer, I would not be so worried.
Most freely distributable Distros probably do not contain much, if any of the code, that you resent.
However, even if you clear the Kernel, you cannot remove it from the hardware that you use.
HDCP is not supported under Linux, for example, and is largely irrelevant unless you want to play protected media such as Blu-ray disks.

I wish you luck with your investigations.

By the way, there is only one current version of the kernel, although it may be compiled differently by different distros to add or remove different functions. You can always compile your own from the source code and leave out all the stuff that you don't want.


Again, we differ. I do not regard all "hardware linked security measures as DRM." On the other hand, I've absolutely no problem calling a spade a spade. As me Granny used to say "If it walks like a duck and quacks like a duck, it's a duck"...and Trusted Computing is definitely quacking. You just prefer not to hear it, because of that nice juicy carrot-on-a-stick that TCG is offering. And that's okay. I understand why you and others think this crud is just 'the best new thing'.
http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
Again, we differ.
Let's play Batman, and I'll be the Riddler. Riddle me this Batman (maniacal laughter)...what's the difference between Trusted Computing, LaGrande, Longhorn, NGSCB, and Microsoft Palladium? Tune in same bat time, same bat channel for the answer...or you could just research it yourself!
You think the possible benefit outweighs all the possible risks. I see it the opposite. Some no doubt think the benefit of playing Sony CDs on their PC makes the rootkit acceptable. I do not.
Yes, CONFIG_INTEL_TXT "can be used to prevent changes to the kernel for security reasons." What apologists always seem to forget to mention is them other far less benign things it can be used for. But that's up to each individual to decide whether the risk is less than the benefit. It ain't my calling to convert you to the DRM resistance movement. All I care about is getting me a DRM-free OS, and finding help to get-er-done!

Postby lok1950 » Sun Jun 17, 2012 12:22 am

As nelz has mentioned, roll your own kernel from the source code leaving out the doggy bits. There is lots of documentation on the web on doing that for just about all distros, but you are being a bit paranoid, as there is no current implementation of DRM on Linux mainstream distro kernels. It is a possibility but remote, as there is no need for it in most home/commercial installations, so in their policy distros do not include those modules of the kernel to keep its size down.

Enjoy the Choice :)

Postby wyliecoyoteuk » Sun Jun 17, 2012 8:33 am

As ever, there is a difference between what something can be used for and what it is actually used for.
That 9 year old article on Trusted Computing is mentioned in this more up to date article which might interest you, maybe you should stop using your phone? ;)

Sony root kits were illegal, secure signing with consent is not.
Without similar security methods, it would be impossible to use the web for commerce, and yet you don't, I suppose, see that as DRM?
Yes, TXT can be used for DRM, but that is not its primary purpose.
Anyway, as several posters have stated, it remains optional and its drivers are unlikely to be in any free distros' kernels.

Any security system can be used for DRM, simply because that is what DRM is, a way of using a security system.
Would you outlaw breadknives because some people use them as weapons?
:)
The sig between the asterisks is so cool that only REALLY COOL people can even see it!

*************** ************

Postby nelz » Sun Jun 17, 2012 10:17 am

lok1950 wrote: As nelz has mentioned, roll your own kernel from the source code leaving out the doggy bits


Does that give you the opposite of Puppy Linux? :D
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)

Postby nelz » Sun Jun 17, 2012 10:23 am

Ombra wrote:Yes, CONFIG_INTEL_TXT "can be used to prevent changes to the kernel for security reasons." What apologists always seem to forget to mention is them other far less benign things it can be used for.


The same applies to kitchen knives, that's no reason to get rid of them.

CONFIG_INTEL_TXT is an OPTION that can be used by those building custom kernels for use in their corporate environment, it is not intended to be used, nor is it used, by standard desktop distros.

It is there for the owner of the computer to prevent its misuse, not for someone other than the owner to control your use of it.

Your trying to link anything security related to DRM is as bad as the opposite stance taken on "secure boot", where the name implies that disabling it makes the computer insecure and therefore that operating systems that need it disabled (i.e. Linux) are somehow less secure than good old Windows.
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)

Thanks!

Postby Ombra » Sun Jun 17, 2012 9:39 pm

Rhakios wrote:You could always start with gNewSense, if it's good enough for RMS it should meet at least some of your needs.


It looks really interesting...have to research it to be certain it fits the bill. I don't suppose anyone at this forum is a user/pundit?

Postby wyliecoyoteuk » Sun Jun 17, 2012 10:05 pm

nelz wrote:
lok1950 wrote: As nelz has mentioned, roll your own kernel from the source code leaving out the doggy bits


Does that give you the opposite of Puppy Linux? :D


Maybe that is Pussy Linux :)

Postby Ombra » Sun Jun 17, 2012 10:07 pm

nelz wrote:
Ombra wrote:The point being whatever you want to call these bits & pieces of code (or whatever) they are in the kernel. Secondly, whether you view them as harmless or not, I'd like to find a list of them so I can eradicate them (once I learn how).


They are in the kernel source, because the kernel also runs on many embedded systems that require such controls. That does not mean the code is enabled in kernels supplied with distros.

If you want to make sure your kernel contains none of the features you dislike, compile your own.

Incidentally, the only reference to Trusted Gentoo that Google turned up for me was a 7+ year old announcement of a project to use TCP with Gentoo, no mention since and no mention of DRM anywhere.


'Trusted Gentoo' (along with 'Knoppix 5.1.1 for Trusted Computing', and several others I did not bother to note down) was mentioned on some site as being rife with DRM...er, I mean loaded up with wonderful Trusted Computing features! I obviously did not pursue it.

"That does not mean the code is enabled in kernels supplied with distros."
From your wording, I assume it means that the code may or may not be enabled in kernels, and if this is correct, the obvious question would be how to avoid those having the code enabled (although this would only be a stop-gap solution to buy time). So far as I know, anything enabled can be disabled, anything disabled can be enabled, and it's only a matter of time before someone finds out how to re-enable such disabled crud remotely...so the only sure thing is not to have this code at all, which brings us to:
"If you want to make sure your kernel contains none of the features you dislike, compile your own."
Far easier for you to say than for a newbie to do, but this was exactly my conclusion, and the reason for this posting from the start. So let's forget the pro/anti DRM debate, and focus on the nitty-gritty of how I can get a DRM-free kernel and OS. If this was XP Pro, the process would go something like this:
1. Find list detailing the exact file names and locations of all the Trusted Computing junk targeted for erasure. I assume it's the same for Linux, except one must do this for both kernel & OS (distro).
2. Find out exactly how to delete the targets. In XP Pro, it's a two-part process. XPLite or nLite can be used to do custom-install, sans most of Lil Billie's well-hidden crud. Other software can be used to terminate any crapola that survived the pre-installation process. So how about with Linux?
Educate me...I need all the help and advice possible on this.

Postby wyliecoyoteuk » Sun Jun 17, 2012 10:40 pm

Sorry, but you just don't understand the idea of open-source do you?
Unlike the Windows closed-source kernel, where you have no way of knowing what is compiled in, with Linux anyone can recompile a kernel, and choose which parts to include or exclude.
Compiling your own kernel is not terribly difficult, and there is loads of documentation on the net. The kernel modules are not enabled or disabled, they are added at compile time or they are not added at compile time. Some modules can be dynamically loaded when required, but not without the user's knowledge.
That said, it is largely unnecessary. Linux Distros are generally not produced by large companies with DRM concerns, they are produced by open communities mainly composed of volunteers.

The Intel TXT driver is implemented as an option in RedHat, and I expect in Oracle and Suse, and possibly Ubuntu business remix (all corporate distros). But that is because their corporate customers demand it.
I would be surprised if anyone bothered to install it (or any other DRM driver) in a free desktop distro.

Note that it is impossible to totally disable or remove DRM from Windows. It is built in to the (undocumented) Kernel at a very low level, all you can do is delete external programs which use it.
Last edited by wyliecoyoteuk on Sun Jun 17, 2012 10:50 pm, edited 1 time in total.

Postby Ram » Sun Jun 17, 2012 10:50 pm

wyliecoyoteuk wrote:
Note that it is impossible to totally remove DRM from Windows, it is built in to the Kernel at a very low level.


You beat me to that one...

lubuntu LXDE 13.10 running on AMD Phenom II*4; ASUS Crosshair III Formula MB; 4 GB Ram.....

Postby Rhakios » Sun Jun 17, 2012 10:58 pm

If you want to know what's compiled into your chosen distro's kernel you need to go to boot and look at the config file, such as:

Code:
rhakios@pythia:/boot$ ls -l
total 67828
-rw-r--r-- 1 root root   791023 Apr 11 01:26 abi-3.2.0-23-generic
-rw-r--r-- 1 root root   791075 May 21 21:37 abi-3.2.0-24-generic
-rw-r--r-- 1 root root   791132 May 24 01:13 abi-3.2.0-25-generic
-rw-r--r-- 1 root root   140279 Apr 11 01:26 config-3.2.0-23-generic
-rw-r--r-- 1 root root   140341 May 21 21:37 config-3.2.0-24-generic
-rw-r--r-- 1 root root   140407 May 24 01:13 config-3.2.0-25-generic
drwxr-xr-x 3 root root    12288 Jun 13 17:53 grub
-rw-r--r-- 1 root root 14179793 Jun 12 18:57 initrd.img-3.2.0-23-generic
-rw-r--r-- 1 root root 14183435 Jun 12 19:50 initrd.img-3.2.0-24-generic
-rw-r--r-- 1 root root 14184503 Jun 13 17:53 initrd.img-3.2.0-25-generic
-rw-r--r-- 1 root root   176764 Nov 27  2011 memtest86+.bin
-rw-r--r-- 1 root root   178944 Nov 27  2011 memtest86+_multiboot.bin
-rw------- 1 root root  2884358 Apr 11 01:26 System.map-3.2.0-23-generic
-rw------- 1 root root  2884673 May 21 21:37 System.map-3.2.0-24-generic
-rw------- 1 root root  2886695 May 24 01:13 System.map-3.2.0-25-generic
-rw-r--r-- 1 root root  4965840 Apr 25 17:11 vmlinuz-3.2.0-23-generic
-rw------- 1 root root  4965968 May 21 21:37 vmlinuz-3.2.0-24-generic
-rw------- 1 root root  4969488 May 24 01:13 vmlinuz-3.2.0-25-generic


You can either load the config-x-y-z file into a text editor or grep for specific options if you prefer, e.g.

Code:
rhakios@pythia:/boot$ cat config-3.2.0-25-generic | grep -i intel
CONFIG_HAVE_INTEL_TXT=y
CONFIG_CPU_SUP_INTEL=y
CONFIG_X86_MCE_INTEL=y
CONFIG_MICROCODE_INTEL=y
CONFIG_INTEL_IDLE=y
CONFIG_MTD_CFI_INTELEXT=m
CONFIG_MTD_INTEL_VR_NOR=m
CONFIG_INTEL_MID_PTI=m
CONFIG_NET_VENDOR_INTEL=y
CONFIG_MOXA_INTELLIO=m
CONFIG_HW_RANDOM_INTEL=m
CONFIG_I2C_INTEL_MID=m
CONFIG_AGP_INTEL=y
CONFIG_FB_INTEL=m
# CONFIG_FB_INTEL_DEBUG is not set
CONFIG_FB_INTEL_I2C=y
CONFIG_SND_HDA_INTEL=m
CONFIG_SND_INTEL8X0=m
CONFIG_SND_INTEL8X0M=m
CONFIG_LEDS_INTEL_SS4200=m
CONFIG_INTEL_MID_DMAC=m
CONFIG_INTEL_IOATDMA=m
CONFIG_INTEL_MEI=m
CONFIG_INTEL_MENLOW=m
CONFIG_INTEL_IPS=m
CONFIG_INTEL_OAKTRAIL=m
CONFIG_INTEL_IOMMU=y
# CONFIG_INTEL_IOMMU_DEFAULT_ON is not set
CONFIG_INTEL_IOMMU_FLOPPY_WA=y
CONFIG_INTEL_TXT=y
CONFIG_CRYPTO_CRC32C_INTEL=y
CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m
CONFIG_CRYPTO_AES_NI_INTEL=m
CONFIG_KVM_INTEL=m


This shows which options are compiled into the kernel, which are loadable modules and which have not been compiled in at all (but which would be available should you choose to compile your own kernel from source).
Bye, Rhakios
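The check described in the post above, as an added example that is not part of the original thread: a small shell helper that reads a kernel config file and reports whether each named option is built in, a loadable module, explicitly not set, or absent. The function names are hypothetical, the sample config is constructed from lines in the grep output above, and CONFIG_TCG_TPM (a real kernel option that does not appear in that output) is included only to show the "absent" case.

```shell
#!/bin/sh
# Added example: report the state of named options in a kernel config file
# (for instance /boot/config-3.2.0-25-generic from the listing above).
# Function names are hypothetical helpers, not part of any distro tooling.

# kconfig_state FILE OPTION -> built-in | module | not set | absent | value ...
# Matches the option name exactly, so INTEL_TXT is not confused with
# HAVE_INTEL_TXT, which is a different symbol that "grep -i intel" also lists.
kconfig_state() {
    awk -v opt="CONFIG_${2#CONFIG_}" '
        $0 == "# " opt " is not set" { state = "not set" }
        index($0, opt "=") == 1 {
            val = substr($0, length(opt) + 2)
            if (val == "y")      state = "built-in"
            else if (val == "m") state = "module"
            else                 state = "value " val
        }
        END { print (state == "" ? "absent" : state) }
    ' "$1"
}

# kconfig_audit FILE OPTION... -> one "name state" line per option.
kconfig_audit() {
    cfg=$1
    shift
    for o in "$@"; do
        printf '%-34s %s\n' "CONFIG_${o#CONFIG_}" "$(kconfig_state "$cfg" "$o")"
    done
}

# Constructed sample: a few lines copied from the grep output in the post.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_HAVE_INTEL_TXT=y
CONFIG_INTEL_MEI=m
CONFIG_INTEL_IOMMU=y
# CONFIG_INTEL_IOMMU_DEFAULT_ON is not set
CONFIG_INTEL_TXT=y
CONFIG_KVM_INTEL=m
EOF
}

# Demo run against the constructed sample.
tmp=$(mktemp)
write_sample_config "$tmp"
kconfig_audit "$tmp" INTEL_TXT HAVE_INTEL_TXT INTEL_MEI \
    INTEL_IOMMU_DEFAULT_ON TCG_TPM
rm -f "$tmp"
```

On a real system, pass the distro's own file, e.g. `kconfig_audit /boot/config-$(uname -r) INTEL_TXT`; "built-in" means the code is part of the kernel image, while "module" means it exists as a separate file that is only active once loaded.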

Postby nelz » Mon Jun 18, 2012 12:47 am

Ombra wrote: 'Trusted Gentoo' (along with 'Knoppix 5.1.1 for Trusted Computing', and several others I did not bother to note down) was mentioned on some site as being rife with DRM...er, I mean loaded up with wonderful Trusted Computing features!


Both of these are ancient. While Knoppix 5.1.1 did exist back in the mists of time, I don't think Trusted Gentoo ever got past the initial announcement.
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)

Postby wyliecoyoteuk » Mon Jun 18, 2012 7:39 pm

On a side note, isn't it interesting how little attention people seem to pay to the date on webpages and blogs etc?
(and it is actually quite difficult to find the date on some of them).
Many of the search results, especially for obscure stuff can often be many years old, and have lost most if not all of their relevance.
I am as bad as anyone, but recently I have started adding "2012" or "2011" to my searches, just to try and filter out the huge mass of ageing data.

Now we're getting somewhere!

Postby Ombra » Mon Jun 18, 2012 8:54 pm

Rhakios wrote:If you want to know what's compiled into your chosen distro's kernel you need to go to boot and look at the config file, such as:

Code:
rhakios@pythia:/boot$ ls -l
total 67828
-rw-r--r-- 1 root root   791023 Apr 11 01:26 abi-3.2.0-23-generic
-rw-r--r-- 1 root root   791075 May 21 21:37 abi-3.2.0-24-generic
-rw-r--r-- 1 root root   791132 May 24 01:13 abi-3.2.0-25-generic
-rw-r--r-- 1 root root   140279 Apr 11 01:26 config-3.2.0-23-generic
-rw-r--r-- 1 root root   140341 May 21 21:37 config-3.2.0-24-generic
-rw-r--r-- 1 root root   140407 May 24 01:13 config-3.2.0-25-generic
drwxr-xr-x 3 root root    12288 Jun 13 17:53 grub
-rw-r--r-- 1 root root 14179793 Jun 12 18:57 initrd.img-3.2.0-23-generic
-rw-r--r-- 1 root root 14183435 Jun 12 19:50 initrd.img-3.2.0-24-generic
-rw-r--r-- 1 root root 14184503 Jun 13 17:53 initrd.img-3.2.0-25-generic
-rw-r--r-- 1 root root   176764 Nov 27  2011 memtest86+.bin
-rw-r--r-- 1 root root   178944 Nov 27  2011 memtest86+_multiboot.bin
-rw------- 1 root root  2884358 Apr 11 01:26 System.map-3.2.0-23-generic
-rw------- 1 root root  2884673 May 21 21:37 System.map-3.2.0-24-generic
-rw------- 1 root root  2886695 May 24 01:13 System.map-3.2.0-25-generic
-rw-r--r-- 1 root root  4965840 Apr 25 17:11 vmlinuz-3.2.0-23-generic
-rw------- 1 root root  4965968 May 21 21:37 vmlinuz-3.2.0-24-generic
-rw------- 1 root root  4969488 May 24 01:13 vmlinuz-3.2.0-25-generic


You can either load the config-x-y-z file into a text editor or grep for specific options if you prefer, e.g.

Code:
rhakios@pythia:/boot$ cat config-3.2.0-25-generic | grep -i intel
CONFIG_HAVE_INTEL_TXT=y
CONFIG_CPU_SUP_INTEL=y
CONFIG_X86_MCE_INTEL=y
CONFIG_MICROCODE_INTEL=y
CONFIG_INTEL_IDLE=y
CONFIG_MTD_CFI_INTELEXT=m
CONFIG_MTD_INTEL_VR_NOR=m
CONFIG_INTEL_MID_PTI=m
CONFIG_NET_VENDOR_INTEL=y
CONFIG_MOXA_INTELLIO=m
CONFIG_HW_RANDOM_INTEL=m
CONFIG_I2C_INTEL_MID=m
CONFIG_AGP_INTEL=y
CONFIG_FB_INTEL=m
# CONFIG_FB_INTEL_DEBUG is not set
CONFIG_FB_INTEL_I2C=y
CONFIG_SND_HDA_INTEL=m
CONFIG_SND_INTEL8X0=m
CONFIG_SND_INTEL8X0M=m
CONFIG_LEDS_INTEL_SS4200=m
CONFIG_INTEL_MID_DMAC=m
CONFIG_INTEL_IOATDMA=m
CONFIG_INTEL_MEI=m
CONFIG_INTEL_MENLOW=m
CONFIG_INTEL_IPS=m
CONFIG_INTEL_OAKTRAIL=m
CONFIG_INTEL_IOMMU=y
# CONFIG_INTEL_IOMMU_DEFAULT_ON is not set
CONFIG_INTEL_IOMMU_FLOPPY_WA=y
CONFIG_INTEL_TXT=y
CONFIG_CRYPTO_CRC32C_INTEL=y
CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m
CONFIG_CRYPTO_AES_NI_INTEL=m
CONFIG_KVM_INTEL=m


This shows which options are compiled into the kernel, which are loadable modules and which have not been compiled in at all (but which would be available should you choose to compile your own kernel from source).


Don't grasp everything here, but hopefully between the two kernel-focused books I got, and google searches, I can figure it out. I assume the last part is not all the stuff I will need to erase, but it does look like a major chunk. Thanks!
