Zack's Kernel News

Learning Developer Practices Sometimes a patch can be good, but it may still face hurdles getting into the kernel. This time, Aditya Garg posted a patch by Paul Pawlowski to add driver support for the T2 Security Chip. The T2 is an embedded system that runs alongside the primary computer with all its own hardware resources such as RAM. It responds to requests over USB from the primary system, but it also stays active even when that primary system is asleep. The T2 makes sure that upgrades to the primary system have all been properly signed. It’s a gatekeeper intended for Apple hardware, but it has various other abilities, such as controlling microphones, cameras, speech recognition, and whatnot.

The T2 also has a variety of security holes, some of which are apparently unfixable, because of being built into the hardware design itself.

This reveals a fascinating aspect of security in the Linux and open source world. The T2 was essentially used by Apple to prevent users from getting control of the hardware in order to install software that Apple had not itself approved. The unfixable security holes simply remove Apple’s ability to exert that control, paving the way for users to do things such as install Linux on machines “protected” by the T2.

But! Because Linux itself has no interest in preventing users from controlling their own systems, the T2 security features (including the broken ones) do not seem to pose any problems for Linux security. Linux doesn’t try to stop users from installing any desired software, so those T2 features are irrelevant. The T2 becomes just another peripheral with various resources such as RAM and CPU to be used by the system.

While fundamentally delicious, even the tastiest treats may not always go down so well.

For one thing, an issue arose about where the Linux driver actually belonged in the kernel. As Greg Kroah-Hartman put it: