LWN: Comments on "How Chrome OS works upstream"

How Chrome OS works upstream

ndesaulniers — Wed, 18 Sep 2019 03:33:34 +0000

In Android's defense, their kernel team doesn't consist of the same developers it did 10 years ago (despite that, the team still pays for sins of the father). A fresh set of leadership is cleaning up that mess, and the team has made significant progress burning down out of tree patches. The next step is getting SoC vendors on board. Also, there's stark differences in time to market between Android and CrOS devices, I think at least in some part due to these differences.

Network config ONC?

pauly — Thu, 12 Sep 2019 15:36:19 +0000

Still OT, but a IMHO potential security issue:
The next Chromebook was here today (Acer, last time it was HP).
The picture was exactly the same. Wired 802.1X not working at all,
we did everything directly as root.

Wifi is strange: For a certificate check with 802.1X networks like eduroam,
there are only two settings: "Do not validate" and "Default".
No way to pin the cert. When you choose "Default", the dialogue
keeps switching back to "Do not validate".
So the device might well be vulnerable to Evil Twin attack.

Martin

Network config ONC?

pauly — Wed, 11 Sep 2019 13:04:26 +0000

A bit OT, but still relevant to users.
Why don't recent Chromebooks import ONC files reliably any more?

The last half dozen Chromebooks that stopped by in our helpdesk really gave us a hard time to get eduroam to work.
(Technically, it's all about 802.1X or 802.11i, of course.) Some years ago the interface used to import ONC files silently,
not giving any feedback. While this is not exactly perfect, it did work. I was even able to hook up devices to our wired
eduroam installation, provided we got a supported USB adapter.

The last Chromebook I came across was an HP one. It would neither import a correct ONC file nor could I get the
certificate settings right manually. In the end, we put the device into developer mode, and, as root, created a proper
config file and ran wpa_supplicant manually. This way, both WiFi and wired eduroam worked flawlessly.
But CLI hacking is not what users buy Chromebooks for, right?

BTW: This is the file we tried to use -- anything wrong with it (it's from cat.eduroam.org)?
{
"Type": "UnencryptedConfiguration",
"Certificates": [
{
"GUID": "{d8bcdd62-b725-8a9c-9805-55915b7a142e}",
"Remove": false,
"Type": "Authority",
"X509": "MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIx
JTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgxMDAxMTA0MDE0WhcNMzMxMDAxMjM1OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMF
lQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUdAqSzm1nzHoqvNK38DcLZSBnuaY\/JIPwhq
gcZ7bBcrGXHX+0CfHt8LRvWurmAwhiCFoT6ZrAIxlQjgeTNuUk\/9k9uN0goOA\/FvudocP05l03Sx5iRUKrERLMjfTlH6VJi1hKTXrcxlkIF+3anHqP1wvzpesVsqXFP6st4vGCvx9702cu+fjOlbpSD8DT6IavqjnKgP6TeMFvvhk1qlVtDRKgQFRzl
AVfFmPHmBiiRqiDFt1MmUUOyCxGVWOHAD3bZwI18gfNycJ5v\/hqO2V81xrJvNHy+SE\/iWjnX2J14np+GPgNeGYtEotXHAgMBAAGjQjBAMA8GA1UdEwEB\/wQFMAMBAf8wDgYDVR0PAQH\/BAQDAgEGMB0GA1UdDgQWBBS\/WSA2AHmgoCJrjNXyYdK4
LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOiYQsfdOhyNsZt+U2e+iKo4YFWz827n+qrkRk4r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPACuvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNfvNoBYimipidx5joifsFvHZVwIEoHNN\/q\/xWA5br
XethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR3p1m0IvVVGb6g1XqfMIpiRvpb7PO4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN9noHV8cigwUtPJslJj0Ys6lDfMjIq2SPDqO\/nBudMNva0Bkuqjzx+zOAduTNrRlPBSeOE6Fuwg=
="
}
],
"NetworkConfigurations": [
{
"GUID": "07bd992d-0d9f-f537-cbd0-d9af02a3c86a",
"Name": "eduroam",
"Remove": false,
"Type": "WiFi",
"WiFi": {
"AutoConnect": true,
"EAP": {
"Outer": "PEAP",
"Inner": "MSCHAPv2",
"SaveCredentials": true,
"ServerCARefs": [
"{d8bcdd62-b725-8a9c-9805-55915b7a142e}"
],
"UseSystemCAs": false,
"AnonymousIdentity": "[email protected]"
},
"HiddenSSID": false,
"SSID": "eduroam",
"Security": "WPA-EAP"
},
"ProxySettings": {
"Type": "WPAD"
}
},
{
"GUID": "aa4575a3-caf4-1fc7-3fe6-8ca0d71c5d4e}",
"Name": "eduroam configuration (wired network)",
"Remove": false,
"Type": "Ethernet",
"Ethernet": {
"Authentication": "8021X",
"EAP": {
"Outer": "PEAP",
"Inner": "MSCHAPv2",
"SaveCredentials": true,
"ServerCARefs": [
"{d8bcdd62-b725-8a9c-9805-55915b7a142e}"
],
"UseSystemCAs": false,
"AnonymousIdentity": "[email protected]"
}
},
"ProxySettings": {
"Type": "WPAD"
}
}
]
}

How Chrome OS works upstream

peda — Mon, 09 Sep 2019 15:27:20 +0000

One of them is Axentia TSE-850, which is used for encoding and adding a DARC subcarrier onto an FM transmission. Sort-of like RDS, but higher bandwidth and not at all common. You probably don't need one :-)

arch/arm/boot/dts/at91-tse850-3.dts

How Chrome OS works upstream

marcH — Mon, 09 Sep 2019 12:48:42 +0000

Nice! Product names?

How Chrome OS works upstream

peda — Mon, 09 Sep 2019 11:06:31 +0000

I'm responsible for a couple of such (embedded) beasts. And oh what a nice place it is to be there! *Everything* is upstreamed (which was a handful of drivers plus a new subsystem actually, so it certainly wasn't a trivial process). And there is no longer any dependency on some long string of patches from the SoC vendor since they have done their part.

Which means that bisecting problems is actually possible and simple, something which I found very difficult before the SoC was sufficiently supported upstream.

It is highly recommended to seek this position!

That said, we pick a kernel from the stable tree (i.e. it has backports) when we do update, so it's not actually a SHA1 from Linus' tree. But close enough, and we could do that if we wanted to...

How Chrome OS works upstream

marcH — Fri, 06 Sep 2019 16:50:36 +0000

Thanks for the write up!

One thing that makes ChromeOS (or any other project) an actual open-source project is good documentation. Random example:
https://www.google.com/search?q=UPSTREAM+CHROMIUM+BACKPORT
Most of it is being transferred to Gerrit to enable contributions from outside Google

> They asked if in fact the Chrome OS kernel is basically the same as the upstream kernel.

Is there any real-world product that ships with absolutely zero backport and a SHA1 from Linus tree? The real question is not "if" but "how much" technical debt. That's what the tags above help measure and manage.