today I learned that there is a company that sells "agentless" Linux EDR. you might wonder what it means to do EDR without an agent.
apparently "agentless" means "instead of installing a daemon that runs in the background, one super-uber-privileged server will periodically ssh into all your Linux boxes as root, drop executable files in a temporary folder, run those executable files to run a detection pass, and wipe itself from the system again".
See this diagram from their documentation:

— "Can you believe how stupid and primitive the ancient Greeks were? When they didn't know something, they asked an oracle, and they believed whatever it said!"
— "That's nuts. Where was this oracle?"
— "No idea. Let's go ask ChatGPT."

(gdb) c
Continuing.
Recursive internal problem.

Time to take a break, I guess…

Home made shoyu ramen

@alison Huh? Do you fear that the splat contains confidential information?

Today I finally carved out some time to implement return value capture for the Linux kernel function tracer. As of 6.17-rc1, this is done via the HAVE_FUNCTION_GRAPH_FREGS architecture feature. On ARM32, that basically means stashing function call specific registers in pt_regs inside the ftrace arch code.

Once I wrapped my head around the intended semantics, it came together surprisingly smoothly.

Then I enabled the ftrace self-test… and hit this splat:

[    3.299111] ------------[ cut here ]------------
[    3.299173] WARNING: CPU: 0 PID: 1 at kernel/trace/trace.c:2215 run_tracer_selftest+0x110/0x148
[    3.299441] Modules linked in:
[    3.299725] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc1-gd7ee5bdce789 #141 NONE 
[    3.299806] Hardware name: Generic DT based system
[    3.299887] Call trace: 
[    3.299932]  unwind_backtrace from show_stack+0x18/0x1c
[    3.299987]  show_stack from dump_stack_lvl+0x54/0x68
[    3.299999]  dump_stack_lvl from __warn+0x88/0x12c
[    3.300013]  __warn from warn_slowpath_fmt+0x194/0x19c
[    3.300026]  warn_slowpath_fmt from run_tracer_selftest+0x110/0x148
[    3.300039]  run_tracer_selftest from register_tracer+0x11c/0x1cc
[    3.300054]  register_tracer from do_one_initcall+0x60/0x210
[    3.300066]  do_one_initcall from kernel_init_freeable+0x1d4/0x240
[    3.300079]  kernel_init_freeable from kernel_init+0x20/0x140
[    3.300091]  kernel_init from ret_from_fork+0x14/0x28
[    3.300131] Exception stack(0xe080dfb0 to 0xe080dff8)
[    3.300204] dfa0:                                     00000000 00000000 00000000 00000000
[    3.300217] dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[    3.300224] dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
[    3.300282] ---[ end trace 0000000000000000 ]---

I double- and triple-checked my changes, still no clue. Then it dawned on me: the test fails even without any of my patches. 🫠

2012: "Secure boot is a plot by Microsoft to kill Linux"
2025: EA's insistence on invasive anti-cheat results in a bunch of Windows users managing to get their secure boot configuration into a state where their GPUs no longer work and there's no recovery path: https://www.reddit.com/r/Battlefield/comments/1miaynl/secure_boot_megathread_guide_community_support/

Microsoft would have to be *very* bad at this for a plot to have backfired this badly

I am so enjoying watching #ai brogrammers crying in their designer water bottles as upgraded #ai models take their carefully crafted prompt and outputs totally different bollocks to the last one so they can't tweak their app any more.

It's enough pain for real programmers handling tool upgrades to tweak their work and re-run test suites but for the AI lot it's carnage.

@agraf as usual, after committing, you notice a stupid typo in the code 😅😅😅

@agraf So far it does not explode and passes my smoke test:
https://git.kernel.org/pub/scm/linux/kernel/git/rw/misc.git/commit/?h=arm_ftrace_retval&id=f3c89203a1cd16be54127bb95f2da037f20446ba

@agraf The code exists, but it never made it upstream. Let's see whether I can find some cycles this weekend to redo the change for the latest version and resubmit.
https://lore.kernel.org/all/c61eb9290c3e817d4d70c429c0e987e3ec51a3c4.1680954589.git.pengdonglin@sangfor.com.cn/

• Step 1: While debugging a kernel issue, you want the return value of a function at startup.

• Step 2: Instead of just adding a printk() and recompiling, you try tracing like the cool kids.

• Step 3: Since 2023, the function graph tracer can show return values. You add to the kernel command line and reboot: ftrace=function_graph ftrace_filter=interesting_fn trace_options=funcgraph-retval

• Step 4: The trace shows no return value. You find that ARM return value capture exists only for AArch64, not ARM32.

• Step 5: You add a printk() and rebuild.

(disclaimer: i did not create this, but also could not find who created it)

Urgent help for OpenPrinting needed!

As many here know, I am co-founder and lead of OpenPrinting since 2001, known as the print guru for Linux and free software by many. I also got one of the 8 fellows of the Linux Foundation for this.

Up to now I was working at Canonical, hired back in 2006 just to run OpenPrinting and also to maintain printing-related Ubuntu packages.

... 🧵

Please boost.

#OpenPrinting #LinuxFoundation #getfedihired

list_add(figure_out_postgresql_replication, &task_list);

list_add(Linode, &shit_list);

"Ein Jahr nach dem #Crowdstrike -Ausfall: Was wurde aus dem IT-Fiasko gelernt?"

Nix. Es wird immer noch davon ausgegangen, dass Schlangenöl die IT-Sicherheit verbessern würde und verpflichtend gekauft werden muss. Jetzt halt mit noch mehr KI zur Cloud.

Linux Kernel Hardening: Ten Years Deep

Talk by @kees about the relevance of various Linux kernel vulnerability classes and the mitigations that address them.

Video: https://www.youtube.com/watch?v=c_NxzSRG50g
Slides: https://static.sched.com/hosted_files/lssna2025/9f/KSPP%20Ten%20Years%20Deep.pdf

Fefe hat alle Genesungswünsche E-Mails gelesen und bedankt sich bei allen sehr! Gleich geht die Reha weiter!

#fefe

Just saw a software devloper coding in a cafe

-NO Cursor
-NO Windsurf
-NO DeepSeek
-NO ChatGPT
-No Google

He just sat there typing code manually in vim on his rusty Thinkpad and reading man pages on Arch Linux

What a psychopath 🫣

@wagi While the kernelnewbies website is kinda outdated, the IRC channel is not.
I recommend every newbie reading this mail on becoming a contributor:
https://lists.kernelnewbies.org/pipermail/kernelnewbies/2017-April/017765.html