Open Source Summit Europe 2024

In this session, we're going to talk about how we can easily record the API calls of any user-level application at Kernel using an EBPF program and convert those to realistic test cases and data mocks/stubs without writing any scripts. How we can set our testing pipelines on auto-pilot? We'll be discussing how to utilise UProbes and KProbes for the same. We'll also talk about how we can integrate this pipeline in popular language native testing libraries like JUnit, Jest, and Go-Test and easily achieve high test coverage on functional test suites. Since testing is very use-case specific, developers often avoid spending effort in writing test cases. Manual effort is being spent by QA to test apps and the industry standard for test automation is 24%. On average 50% of engineering efforts are spent to write and maintain the test scripts. Creating dummy test data is also very time-consuming and still, it is unrealistic test -data, leaving bugs leaking to production. The new-gen AI LLM-based test generation tools like ChatGPT are not fire-and-forget, since it requires effort to understand and correct the scripts generated by those tools and the dummy data is again unrealistic.

Despite all controversies, Rust in recent times has gained popularity as the second Linux kernel high-level language. There’s been discussions about its applicability in various kernel subsystems which yielded tentative conclusions. People have been advised by kernel gurus to use Rust for subsystem implementations rather than for drivers, and the author totally shares that stance. With that said, the author had a zswap backend called zblock ready for but still not accepted into the mainline, so the idea came naturally: to rewrite it in Rust and compare performance and complexity of the two implementations. Whichever wins gets submitted. This talk will cover the main principles of zblock (which stay the same no matter the language used), the obstacles the author met while implementing it in Rust, and finally the comparison of the two. It will be fun.

Landlock's goal is to make it possible for Linux applications to sandbox themselves. On Linux, many traditional access control mechanisms are only available to the system administrator, which do not follow the principle of least privilege. As a result, sandboxing policies were created independently of an actual program execution, leading to unnecessarily broad policies. With Landlock, unprivileged processes can safely create sandboxing policies well-tailored to the expected needs of a running application. Landlock also solves the organizational aspect of keeping policy and software in sync with each other, by putting the policy definition and maintenance in the developer's hands. In this talk, we explain how Landlock works and how it can be used to protect Linux users, without being noticed, except by attackers.

The C runtime offers a range of string processing routines, such as strcmp() and strlen(). The throughput of these routines has a significant impact on many applications and benchmarks, so they are one of the many optimization targets of toolchain developers. Unfortunately, these functions have certain properties and corner cases that limit the optimization opportunities. This talk makes a journey through common optimization techniques ranging from utilization of alignment information in the compiler. It ends with specific instructions that speed up string processing (RISC-V’s orc.b instruction). Further, the talk will show how these optimizations can boost the throughput on real HW by orders of magnitudes in synthetic benchmarks and the impact on the SPEC CPU 2017 benchmark suite. The presentation will include assembly listings, so basic assembly knowledge will help follow the talk.

The year 2038 problem is a well known integer overflow issue on many 32 bit platforms, some of which will be still in use on the day when it happens: January 19 2038. In this talk I would like to present where the problem comes from, what the Yocto project has done to address the issue, which base work in kernel and libc has been utilized to avoid a total system collapse, how to test a system's readiness for that date, and which further issues this has uncovered in common open source components. I hope this prompts an interesting discussion and further ideas to ensure the world does not go down in 14 years.

IT infrastructure is all over the place: Cloud VPC's, edge servers, data centers, office networks, and more. Much of it exists on private networks or behind routers and firewalls. IT administrators are often tasked with making these resources available over the internet to employees or remote servers that are elsewhere on earth. In this tutorial, we'll use just a couple of VM's running Linux and WireGuard to set up a minimal, secure, and easily-maintainable remote access system. We'll demonstrate with a fictional business that has a physical office, uses the cloud, and has remote IT staff, an extremely common scenario. We'll walk attendees through: 1. How to set up secure access to the office network from the remote staffs' workstations. 2. How to establish access to a cloud VPC from servers in the office network. 3. How to account for corporate firewalls and other common networking challenges. By the end of this tutorial, attendees will have a good understanding of how they can use Linux and WireGuard in common IT networking scenarios.

his presentation will focus on CXL (Compute Express Link) as an advanced interconnect between machines and peripherals. CXL allows to leverage the PCIe physical interconnect to link together different device types (CPU, memory, I/O, cache, switches etc) into a combined hierarchy. This allows IHVs to create tailored solutions for eg large-scale AI systems or dynamic resource pooling between machines. As it's also possible to connect or pool memory resources it means the we can end up with some really interesting NUMA topologies. Plus we need to look at memory placement, as CXL memory is inherently hotpluggable, and as such not really suitable for some data structures like DMA areas etc. In this talk I will give an overview over CXL and the implications for NUMA topologies, and I'll be giving a short demo with an emulated CXL instance under qemu.

Come learn about the great accomplishments of our Outreachy Linux Kernel Interns! Outreachy offers open source internships to people subject to systemic bias and impacted by under-representation in the technical industry where they are living. Julia Lawall offers an overview of the Outreachy Linux Kernel Community followed by intern presentations showcasing their projects and experiences: * Dorcas Litunya: Improving support for the Vivid Test Driver * Khadija Kamran: Analyzing Linux Kernel Security Subsystems * Tahera Fahimi: Improving Landlock Access Control Linux Kernel Maintainer Hans Verkuil wraps up the panel by sharing his experience as an Outreachy mentor.

The Cyber Resilience Act is reshaping the landscape for Yocto-based products. Join us as we navigate the implications of this ever-changing legislation. • Introduction to the Cyber Resilience Act: an overview of the CRA, its objectives, and its relevance to the IoT and embedded systems industry. • Understanding the Key Provisions of the CRA/CSA that are relevant to Yocto-based product developers. • Yocto Project and Security Compliance: how Yocto supports security measures, including secure boot, code signing, and vulnerability management. • Regulatory and Compliance Challenges: the challenges and complexities associated with complying with cybersecurity regulations in the embedded systems space. • Building Secure Yocto-Based Products: best practices for building secure Yocto-based products that align with the CRA's requirements. • Impact on Product Development Lifecycle: how the Act affects different stages of the Yocto-based product development lifecycle.

Firewalls play a pivotal part in securing a hypervisor and its guests from internal and external threats. In this talk I want to show how to utilize nftables for creating complex rulesets in a virtualized Linux network environment.

This talk will start with a short introduction on nftables and Linux network virtualization. I will then dive deeper by showing how to create complex rulesets efficiently by utilizing the built-in nftables datastructures. Furthermore, I will show how zone-based firewalling can be implemented by leveraging the nftables bridge family, with a focus on virtualized network environments common in hypervisors. To finish off, I will talk about how to use Rust for interfacing with nftables via JSON by using the provided nftables-json schema to programmatically create firewall rules.

Testing is an integral part of the software lifecycle. For software which are in continuous development it's even more important to have regular testing so that any bugs or errors can be detected early. In this talk, I will present how I started testing the Linux Kernel in a personal capacity and the status of Kernel testing that is now being done as part of Codethink. I will also present how that testing infrastructure has evolved to test Debian Sid on a RPI4 from a CI pipeline and the problems we had to overcome. That same infrastructure is now being modified to test Yocto from a gitlab CI pipeline.