Michael Tremer

IPFire 2.21 - Core Update 123 is available for testing
by Michael Tremer, 8 hours ago

The next release of IPFire is available for testing. It is a house-keeping release that contains a large number of fixes and also closes some security vulnerabilities.

Thanks to the people who contributed to this Core Update by submitting their patches, and please help us to support everyone’s work with your donation!


This release ships a large number of microcode updates for various processors (linux-firmware 30.7.2018, intel-microcode 20180807). Most notably, they address vulnerabilities in Intel processors, either fixing them or enabling mitigations. Microcode is now also loaded into the processor earlier in the boot process, so the CPU is already running the patched microcode before the kernel and user space start, and the system cannot be attacked through unpatched microcode during boot.

This update also comes with a large number of smaller changes that improve security and fix bugs:

Add-ons


Protect yourself better against Meltdown, Spectre and other attacks with IPFire on 64 bit
by Michael Tremer, August 2

With IPFire 2.21, we have rebased the distribution on the latest long-term supported branch of the Linux kernel: Linux 4.14. That allows us to receive bug and security fixes from the upstream kernel maintainers, and we will be able to update the kernel more quickly and more often.

This is especially important with the latest revelations about hardware vulnerabilities in recent Intel, AMD and ARM processors. Mainly I am talking about Meltdown and Spectre here, but I guess it is safe to expect many similar vulnerabilities to come. They cannot be fixed in existing hardware, because fixing them requires major changes to the processor architecture, and hardware that has already shipped obviously cannot be changed any more.

The Linux kernel maintainers have been working on mitigations that prevent those vulnerabilities from being exploited, but they come at a price. There have been various articles about how the processors are slowed down considerably for some workloads, and there are more downsides to those mitigations. One of them is that they were mainly developed and tested on x86_64. The port to the 32 bit x86 architecture (i586 for IPFire) is a long way behind the 64 bit version, since most systems now run on the latter. There are efforts to port the mitigations, but significantly less man-power is going into that. Therefore, we urge everyone whose hardware supports it to re-install the 64 bit version of IPFire.

Additionally, we had to drop grsecurity from IPFire with the latest release. From a technical perspective this hurts, since we have lost some pro-active measures that made vulnerabilities harder to exploit. Some of them have been ported into the mainline kernel, and those we keep in IPFire, too. Again, the kernel developers pay most attention to the modern 64 bit architectures, which have more hardware features that can be used to reduce the performance penalty of the extra work needed to keep the system secure. Those things never come free of cost.

So we would like to give the same advice again and ask you to use the 64 bit version of IPFire: it gains the most security from the features that the kernel developers and we have built, with the lowest possible performance penalty.


IPFire 2.21 is available for testing
by Michael Tremer, June 24

Finally, the next major version of IPFire is ready for testing. IPFire 2.21 rebases the distribution on the long-term supported Linux kernel 4.14, and many more improvements and bug fixes have found their way into the distribution.

Thanks to the people who contributed to this release by submitting their patches, and please help us to support everyone’s work with your donation!

Highlight: Linux 4.14

The distribution was rebased from our old long-term supported kernel to the new kernel 4.14.50.

Most importantly, this kernel improves the security of the system, increases performance and brings the core of IPFire up to date again. It also enables mitigations against Meltdown and Spectre on some architectures. On Intel-based platforms, we update the microcode of the CPUs when the system boots up; the updated microcode exposes the speculation-control features that the kernel's mitigations rely on, which keeps their performance cost lower than that of the software-only fallbacks.
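The three posts above all come down to the same practical question for an administrator: is this box running a 64-bit kernel with the mitigations the kernel actually applied, and did the microcode update take effect? The following is an added example, not part of IPFire or its installer; it reads only the files that Linux 4.14 and later expose on any x86 system (/sys/devices/system/cpu/vulnerabilities/* and /proc/cpuinfo) and summarises them. The cpuinfo text and vulnerability status lines used in the test are constructed.

```python
#!/usr/bin/env python3
"""Summarise what the running kernel reports about CPU mitigations, whether
the CPU can run a 64-bit kernel, and which microcode revision is active.

Added example, not IPFire project code.  Sources read:
  /sys/devices/system/cpu/vulnerabilities/*   one status line per issue
  /proc/cpuinfo                               "flags" and "microcode" lines
"""
import os

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
CPUINFO = "/proc/cpuinfo"


def parse_cpuinfo(text):
    """Return (flags, microcode revision) taken from the first CPU listed."""
    flags, microcode = set(), None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "flags" and not flags:
            flags = set(value.split())
        elif key == "microcode" and microcode is None:
            microcode = value
    return flags, microcode


def read_vulnerabilities(vuln_dir=VULN_DIR):
    """Map each sysfs vulnerability file to its status line.
    Kernels older than the mitigation work have no such directory: empty dict."""
    status = {}
    if os.path.isdir(vuln_dir):
        for name in sorted(os.listdir(vuln_dir)):
            with open(os.path.join(vuln_dir, name)) as f:
                status[name] = f.read().strip()
    return status


def classify(status_line):
    """Reduce a kernel status line to: not affected, mitigated, vulnerable, unknown."""
    if status_line.startswith("Not affected"):
        return "not affected"
    if status_line.startswith("Mitigation:"):
        return "mitigated"
    if status_line.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def analyse(cpuinfo_text, vuln_status):
    """Combine both sources into a small report dict."""
    flags, microcode = parse_cpuinfo(cpuinfo_text)
    classes = {name: classify(line) for name, line in vuln_status.items()}
    return {
        # "lm" (long mode) means the CPU can run the x86_64 build.
        "supports_64bit": "lm" in flags,
        # Revision the CPU reports after any (early) microcode load.
        "microcode": microcode,
        "vulnerabilities": classes,
        # Everything the kernel does not report as handled.
        "unmitigated": sorted(n for n, c in classes.items()
                              if c not in ("not affected", "mitigated")),
    }


if __name__ == "__main__":
    with open(CPUINFO) as f:
        result = analyse(f.read(), read_vulnerabilities())
    print("64-bit capable:", result["supports_64bit"])
    print("microcode:     ", result["microcode"])
    for name, cls in result["vulnerabilities"].items():
        print("%-22s %s" % (name, cls))
    if result["unmitigated"]:
        print("UNMITIGATED:", ", ".join(result["unmitigated"]))
```

Run it once on an i586 install and once on the x86_64 install of the same hardware to see the difference in what the kernel can mitigate. To confirm the early microcode load, compare the reported revision with the kernel's own message in dmesg ("microcode updated early to revision ..."); a revision that only changes after a late load means the CPU booted on the old microcode.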

Unfortunately, grsecurity is not available for newer kernels and has been removed. This follows the decision of the grsecurity project to no longer publish their patches. Fortunately, the mainline kernel developers have since adopted many similar hardening features, so this kernel is still hardened.

ARM systems will not be able to install this update, because the kernel change also requires changes to some bootloaders. For those users, we recommend backing up the system, reinstalling and then restoring the backup. The reinstalled system comes with a single ARM kernel instead of the multiple platform-specific ones we had before, which keeps the distribution smaller and makes development easier.

Misc.

Smaller images due to more efficient compression

We have tried to make downloading the distribution faster and to use less space on our servers. As a first step, the flash images have been merged: there is now only one image that boots both on systems with a serial console and on those with normal video output. Secondly, all images are now compressed with the XZ algorithm, so they download faster; the extra CPU time XZ needs to decompress is small compared with the bandwidth saved.

New partition layout

This release also changes the partition layout of the distribution. We have dropped the /var partition which was used for log files and data that the system collected. This data is now located on a single partition together with the OS. The size of the /boot partition has been increased to 128MB in the default partition layout.

Add-ons

Updated Packages

Increasing download & installation speed: Benefits of a smaller ISO image
by Michael Tremer, June 6

We provide a number of different images to install IPFire on a variety of systems: virtual machines, small embedded systems, or plain rack servers installed from a USB key or CD. IPFire is very versatile, and we are proud to have it running on so many different platforms.

But all these images bloat the size of each release. Each image is available for multiple architectures, and with each of them being around 200 MB we reach a full 2 GB per release, or about 650 MB per architecture. IPFire 2.17, which did not support the x86_64 architecture, was therefore only 1.2 GB per release. IPFire 2.11 was only about 500 MB per release, and the initial 2.0 release only had 60 MB with a single ISO image. In total we have 102 GB of images on the server for the IPFire 2 series.

The distribution is getting bigger and bigger, partly because we ship more software, but mainly because the Linux kernel grows significantly with each release. And with all the added drivers we need to ship more and more firmware, which eats up a lot of disk space.

The core components of IPFire itself are actually not that large on disk.

It is not worth fighting the fight of disabling drivers that we think nobody uses any more, or removing support for other features. We do not want to sacrifice compatibility to save a few bytes on our server disks. Instead, we have decided to change the compression algorithm from gzip to XZ for the flash images of all architectures, and to configure XZ for a higher compression level. That takes more time when composing the images, but it is time well spent, since it is saved again every time an image is downloaded.

This will allow us now to reduce the size for each release by ~300 MB to only 900 MB. Downloads will also be faster since there is less data to transfer and we will of course put less load on the mirrors.

That leaves us only with advantages except investing a little bit more time in compressing the images.
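The reason XZ wins so clearly on disk images is worth seeing in numbers: gzip (DEFLATE) can only refer back 32 KiB, whereas XZ/LZMA2 uses a dictionary of several MiB, so content repeated across an image (identical filesystem blocks, duplicated firmware blobs) is stored once. The following is an added example, not IPFire's image build scripts; the sample "image" is constructed from a small pool of random 4 KiB blocks scattered over 1 MiB, and the streaming round-trip models writing an .img.xz to a device chunk by chunk.

```python
#!/usr/bin/env python3
"""Compare gzip and XZ on image-like data with long-range repetition, and
verify a chunked XZ decompression round-trip.

Added example, not IPFire build code.  The sample data is synthetic.
"""
import gzip
import hashlib
import lzma
import random


def make_sample_image(pool_blocks=64, block_size=4096, total_blocks=256, seed=1):
    """Deterministic buffer whose repeated blocks lie far apart (beyond 32 KiB)."""
    rng = random.Random(seed)
    pool = [rng.getrandbits(block_size * 8).to_bytes(block_size, "big")
            for _ in range(pool_blocks)]
    return b"".join(rng.choice(pool) for _ in range(total_blocks))


def compressed_sizes(data):
    """gzip at its best level versus XZ at the default and 'extreme' presets."""
    return {
        "raw": len(data),
        "gzip-9": len(gzip.compress(data, compresslevel=9)),
        "xz-6": len(lzma.compress(data, preset=6)),
        "xz-6e": len(lzma.compress(data, preset=6 | lzma.PRESET_EXTREME)),
    }


def streaming_roundtrip(data, chunk=65536):
    """Decompress in fixed-size chunks, as when an .img.xz is streamed onto a
    block device, and confirm the output matches the original byte for byte."""
    packed = lzma.compress(data, preset=6 | lzma.PRESET_EXTREME)
    dec = lzma.LZMADecompressor()
    digest = hashlib.sha256()
    for i in range(0, len(packed), chunk):
        digest.update(dec.decompress(packed[i:i + chunk]))
    # eof is only set once the whole stream, including its integrity check, was seen
    return dec.eof and digest.digest() == hashlib.sha256(data).digest()


if __name__ == "__main__":
    image = make_sample_image()
    for name, size in compressed_sizes(image).items():
        print("%-7s %8d bytes" % (name, size))
    print("streaming round-trip ok:", streaming_roundtrip(image))
```

The random block contents do not compress at all, so any gain comes purely from finding repeats: gzip only catches the few that fall within its 32 KiB window, while XZ stores each distinct block roughly once. On a real flash image the same effect shows up with repeated kernel modules, firmware files and zeroed or identical filesystem blocks.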
