The Gentoo Experience

So it’s been almost a year since I switched to Gentoo Linux, and I’d like to share my experience with those who are curious and want to try it.

Gentoo Linux has a reputation in the Linux community for being the most hardcore Linux distribution there is, second perhaps only to Linux From Scratch. That reputation is mostly deserved, because a Gentoo user is not your typical Linux user: you commit to building the entire operating system from source, compiling the Linux kernel included, and customizing every little detail. The initial installation can take a while as a new user because you are learning as you go, but once you have figured everything out it doesn’t take that long.

The Gentoo experience is all about learning; you get to learn a little bit of everything. If you are the kind of person who loses patience when something doesn’t work right, Gentoo is probably not for you. But if you’re willing to invest the time to learn it, you will be greatly rewarded.

How will you be rewarded? That answer is relative. For example, if you use a distribution like Ubuntu and plug in a brand new piece of hardware, there’s a chance it won’t work because support for it is not in the kernel.

Perhaps your hardware requires firmware that has to be downloaded manually and built into the kernel, or maybe a particular option needs to be set in the kernel config when you compile it. With Gentoo experience you’d be familiar with all of this and could, for the most part, fix such issues on your own. Compiling the kernel is not as intimidating as it seems; as a Gentoo user you get so used to it that it becomes a habit, sort of like your morning coffee 🙂

Anyway, the point is that investing the time to learn Gentoo is worth it. If you use an open source operating system like Linux, sooner or later you will run into issues. That is just the nature of the Linux world 🙂

The skills you pick up as a full-time Gentoo user are quite useful: you can pretty much debug hardware and software issues on your own without relying too much on the developers for support. Not to mention the Gentoo forums are one of the best places for getting support. I’ve seen distributions, Arch Linux for example, where the community is very strict: you need to be careful when posting on the Arch Linux forums because there are strict etiquette rules, and in general they are not as friendly to newbies. Compared to that, the Gentoo community is welcoming and friendly to newcomers.

Personally I’ve learned a lot using Gentoo; it made Linux fun for me again. At some point (in my early years as a Linux user) I was disappointed with the Linux community because I was unable to debug and fix my hardware and software issues on distributions like Ubuntu. Filing bug reports and waiting for them to get fixed took too long, and I can’t really blame the developers, because most open source contributions are made by people in their free time, many of them unpaid. As I gained experience I realized it wasn’t them to blame but my mindset, or more specifically my lack of knowledge.

Linux is fun and exciting for advanced users who have invested years learning it and have figured everything out. At the same time it can be quite frustrating and intimidating for beginners. It is just a question of how much time you are willing to invest; either way it is worth it.

Preventing Evil Maid and Rubber Ducky style attacks on Linux

So you are running Linux and think you are relatively secure compared to Windows, right? When it comes to someone with physical access to your machine there is actually not much difference between the two platforms: there are attacks that the operating system itself will never be able to defend against unless you proactively take the right measures to prevent them.

What am I talking about? Let’s start with disk encryption, and assume we are on Linux. You encrypted your Ubuntu root partition with a really strong passphrase during installation (LUKS + dm-crypt), so surely you are secure. That is true to some extent, but the catch is that the boot partition has to stay unencrypted: the bootloader, kernel and initramfs must be readable before any passphrase has been entered, because they are the code that asks for it and unlocks the drive.

So here is the dilemma: even on Linux we have an unencrypted boot partition, and that is a weakness waiting to be exploited. Someone can tamper with the contents of your boot partition while you are away, for example by adding a simple script to the initramfs that logs the passphrase you type and sends it back to them. This is what is called an Evil Maid attack. There are not many ways to defend against it, but a good measure is to keep the boot partition somewhere else, say on a USB drive. Whenever you go out you keep that USB drive with you, with the peace of mind that the laptop at home holds nothing but a block of encrypted data. Strictly speaking LUKS does not authenticate the ciphertext, so an attacker can still flip bits in it, but without the key they cannot plant working code in it; the firmware (BIOS/UEFI) does remain an attack surface that this setup does not cover. Even without moving /boot, recording hashes of its contents and checking them at each login at least lets you detect a modification. Today I will not go into the details of setting this up because, trust me, doing it manually takes a lot of work, especially on a distro like Gentoo!
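The detection measure mentioned above, as an added example that is not part of the original post: take a SHA-256 snapshot of the unencrypted /boot and verify it later, so that an Evil Maid style change to the bootloader, kernel or initramfs is at least noticed. The snapshot file location (/root/boot.sha256) is a made-up path for illustration; the point is that it lives on the encrypted root or on the USB drive you carry, never on /boot itself. Pass absolute paths.

```shell
#!/bin/sh
# Example added to the post: hash every file under /boot, then later detect
# modified, missing and newly added files. Requires GNU coreutils (sha256sum).

# boot_snapshot DIR DBFILE - hash every regular file under DIR into DBFILE
boot_snapshot() {
    dir=$1; db=$2
    ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$db"
}

# boot_verify DIR DBFILE - returns 1 if any file changed, disappeared or appeared
boot_verify() {
    dir=$1; db=$2; rc=0
    # sha256sum -c flags modified and missing files (and prints which ones)
    if ! ( cd "$dir" && sha256sum -c --quiet -- "$db" ); then
        rc=1
    fi
    # a file added since the snapshot (an extra initrd, a GRUB module) is not in
    # the db, so sha256sum -c cannot see it: compare the file lists as well
    # (assumes no spaces in file names, which holds for a normal /boot)
    have=$(mktemp); known=$(mktemp)
    ( cd "$dir" && find . -type f ) | LC_ALL=C sort > "$have"
    awk '{print $2}' "$db" | LC_ALL=C sort > "$known"
    if comm -23 "$have" "$known" | grep -q .; then
        echo "files not in snapshot:" >&2
        comm -23 "$have" "$known" >&2
        rc=1
    fi
    rm -f "$have" "$known"
    return $rc
}

# Real use (as root, with /boot mounted; the db path is a made-up example):
#   boot_snapshot /boot /root/boot.sha256   # once, right after installing or updating a kernel
#   boot_verify   /boot /root/boot.sha256   # from a login script, before typing anything sensitive
```

This only detects changes to files on the partition; it says nothing about the MBR, the EFI firmware or anything that runs before the kernel you are hashing, and a check that runs after you have already typed the LUKS passphrase cannot protect that passphrase. It does turn a silent keylogger in the initramfs into a visible alarm on the next login.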

But let me tell you about another attack that is quite common these days and not many people know about. Have you heard of the USB Rubber Ducky? If not, go and Google around a bit. Or, if you want to save time, let me tell you.

Basically, the USB Rubber Ducky looks like a regular USB stick, even about the same size, but when you plug it in it enumerates as a HID (Human Interface Device), the class normally reserved for keyboards and mice. Posing as a storage stick while acting as a keyboard lets it type into whatever has focus on an unlocked system, in a way you would least expect. Note that because it is a keyboard rather than storage it does not depend on anything being mounted, so a distro like Ubuntu automounting removable media by default makes no difference here: the keystrokes are the attack. It can own you in a matter of seconds if you haven’t taken precautions, and that is as much a threat on Linux as on Windows.

The payload it types could, for instance, start a background process that waits for the password you type the next time you log in or run sudo, and then call home with the newly gained credentials.

So I looked around for how to stop such an attack on Linux, and to my surprise found that the kernel provides a simple sysfs interface for it: every USB root hub has an authorized_default attribute under /sys/bus/usb/devices/usbN/, and writing 0 to it makes the kernel refuse to enable (authorize) any device plugged in afterwards. Devices that are already attached keep working, and each of them has its own authorized attribute if you want to cut those off too.

The two shell functions below loop over every root hub, so you don’t need to adjust them for the number of ports you have. If you call usboff from a script that your init system runs at boot, the ports are locked from the start and you don’t have to remember to do it by hand (you might forget). Keep in mind that after usboff your own USB keyboard or mouse will also be refused if you plug it in, until you run usbon.

You can also add these functions to your .bashrc or .zshrc, so that you can enable or disable USB manually when necessary.

# Disable new USB devices to mitigate rubber ducky style attacks
usboff() {
    for h in /sys/bus/usb/devices/usb*/authorized_default; do
        echo 0 | sudo tee "$h" > /dev/null
    done
}

# Enable USB devices again
usbon() {
    for h in /sys/bus/usb/devices/usb*/authorized_default; do
        echo 1 | sudo tee "$h" > /dev/null
    done
}

Writing to sysfs needs root, which is why the write goes through sudo tee inside the loop: a plain "sudo echo 0 > file" would not work, because the redirection is performed by your unprivileged shell, not by sudo, and a single redirection cannot target the several files that the usb* glob expands to on a machine with more than one root hub.
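A more complete version of the same idea, as an added example that is not the post’s own functions: lock down USB with the kernel’s authorized and authorized_default attributes while keeping an allowlist of known devices (vendor:product ids) usable, so your real keyboard keeps working after the lockdown. The sysfs root is a parameter so the logic can be exercised against a constructed directory tree without root; the real root is /sys/bus/usb/devices. The allowlist ids are made up for the example, and the layout assumed is the one sysfs actually exposes: device directories carry idVendor, idProduct and authorized, root hubs are the usbN directories and carry authorized_default.

```shell
#!/bin/sh
# Example added to the post (not the author's code): USB lockdown with an allowlist.
# Assumed sysfs layout: /sys/bus/usb/devices/usbN/authorized_default on root hubs,
# /sys/bus/usb/devices/<bus-port>/{idVendor,idProduct,authorized} on devices.

# Made-up example ids: a keyboard and a security key. Find yours with lsusb.
ALLOWED_IDS="${ALLOWED_IDS:-046d:c31c 1050:0407}"

# usb_lockdown SYSFS_ROOT [ALLOWLIST]
#   1. new devices are no longer authorized automatically (authorized_default=0 on every root hub)
#   2. already attached devices are deauthorized unless vendor:product is in the allowlist
usb_lockdown() {
    root=$1; allow=${2:-$ALLOWED_IDS}
    for hub in "$root"/usb*; do
        [ -f "$hub/authorized_default" ] || continue
        echo 0 > "$hub/authorized_default"
    done
    for dev in "$root"/*; do
        # never deauthorize a root hub itself: that would drop everything below it
        case ${dev##*/} in usb*) continue ;; esac
        # interface directories (1-1:1.0) have no idVendor, so they are skipped here
        [ -f "$dev/idVendor" ] && [ -f "$dev/authorized" ] || continue
        id="$(cat "$dev/idVendor"):$(cat "$dev/idProduct")"
        case " $allow " in
            *" $id "*) echo 1 > "$dev/authorized" ;;
            *)         echo 0 > "$dev/authorized" ;;
        esac
    done
}

# usb_unlock SYSFS_ROOT - undo: new devices authorized again, attached ones re-authorized
usb_unlock() {
    root=$1
    for hub in "$root"/usb*; do
        [ -f "$hub/authorized_default" ] || continue
        echo 1 > "$hub/authorized_default"
    done
    for dev in "$root"/*; do
        case ${dev##*/} in usb*) continue ;; esac
        [ -f "$dev/authorized" ] || continue
        echo 1 > "$dev/authorized"
    done
}

# usb_status SYSFS_ROOT - one line per device: name, vendor:product, authorized flag
usb_status() {
    for dev in "$1"/*; do
        [ -f "$dev/idVendor" ] || continue
        printf '%s %s:%s authorized=%s\n' "${dev##*/}" \
            "$(cat "$dev/idVendor")" "$(cat "$dev/idProduct")" \
            "$(cat "$dev/authorized" 2>/dev/null || echo '?')"
    done
}

# Real use (root, because sysfs attributes are root-writable):
#   sudo sh usb-lockdown.sh lock | unlock | status
case ${1:-} in
    lock)   usb_lockdown /sys/bus/usb/devices ;;
    unlock) usb_unlock   /sys/bus/usb/devices ;;
    status) usb_status   /sys/bus/usb/devices ;;
esac
```

The allowlist is by vendor:product id only, which a Rubber Ducky can spoof if its author knows what you use; it raises the bar rather than closing the door. For a policy that also pins serial numbers and ports, the USBGuard project builds on the same authorized attributes.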

Anyway, this concludes my today’s post and I hope that this will be helpful.

Cheers!

Gentoo Linux Review

So it’s been a month since I switched to Gentoo Linux. I must say I gave it a very long and careful thought. I was intimidated at first by the idea of even spelling the name Gentoo Linux, and there is a reason for that: from the very beginning, since the day I first made the switch from Windows to Linux, a thought was planted in my brain that Gentoo is the most hardcore Linux distribution there is. As I learned, that is far from the truth.

Basically you compile everything from source; it’s not like a traditional binary distribution. You build it from scratch, step by step, and you decide what gets built and how. The end result is a highly customized operating system tuned for your hardware, with all the software built on that same machine and optimized for your architecture. It can give a speed boost, but the main benefit I saw using Gentoo was the customization of software through what they call USE flags.

USE flags are a pretty interesting concept. Say you want to install a piece of software like Firefox. You can see which USE flags it understands and then add or remove flags to enable or disable features: whether it should use PulseAudio or ALSA for audio playback, whether it should have language support for your country built in, or whether to add GStreamer support for native video decoding. There are hundreds of different USE flags depending on the software, and they can all be tweaked to suit your needs. This level of customization is unavailable on a binary distro unless you compile things manually, which can break a lot in your system. That makes Gentoo a really attractive distribution for experienced Linux users.

For me personally it took two weeks to have a fully working system with every issue fixed, from the touchpad to suspend-to-RAM and audio, all now working fine. It was an interesting learning experience, because for the first time I learned how to compile the Linux kernel from scratch; actually I had to do it 5-6 times to get a fully working setup.

If I had to reinstall Gentoo from scratch I might give it a second thought, because it is quite time consuming. Most of your time is spent reading and learning from the wiki, and very little on actually doing something. But once you have figured it all out you know what to do, so subsequent installations should be much faster. A good idea is to clone an image of your Gentoo install and back it up elsewhere once everything is working.

Is Gentoo for you? Well, if you can set aside time for it and you have the patience and the willpower to learn, then it is definitely worth it. Personally there were times while setting up Gentoo when I felt hopeless and frustrated and was about to give up. But the burning desire to cross over to the other side and be with the elites of the Linux world kept me going. Some of the most talented and smartest people I know in the Linux community use Gentoo, and you will never understand what Gentoo is like until you have actually installed it. If you are a serious Linux user and want to learn how all the underlying parts of the operating system fit together, this learning experience is definitely worth it.

After having used Gentoo, I can never look at another Linux distribution the same way again. On my previous Arch Linux install (on my netbook) I had issues with browsers like Chromium and Firefox: they used to crash randomly, especially during video playback, but since installing Gentoo they haven’t crashed once. Smooth, stable, fast: in my opinion the Gentoo experience is second to none.

Smooth video playback @Youtube [Linux]

So recently I’ve been researching how to get a better video playback experience on Linux when browsing sites like YouTube. Video playback on Linux has been a headache since the early days, especially because there were not many “good” alternatives to a lot of proprietary codecs. Now that Flash Player is long dead and no longer widely supported, we look to HTML5 to solve our online media playback woes.

But HTML5 doesn’t solve the problem yet. On sites like YouTube, VP9 is the codec served by default when HTML5 playback is enabled in your browser. VP9 is the successor to VP8 and compresses considerably better than its predecessor, but on the downside hardware acceleration for VP9 is not built into most hardware other than the latest smartphones like the Samsung Galaxy S6.

Hardware decoding matters because it is more efficient than software decoding: not only in raw performance, but CPU usage goes down, so less energy is used on laptops and mobile devices, which helps conserve battery life by a big margin when watching videos.

Even where VP9 acceleration is built into the hardware, the software side isn’t ready yet on almost all platforms, since VP9 is still a fairly recent development and the industry needs time to catch up.

Anyway, long story short, I first turned to various browsers without doing much research, hoping they would magically solve my problem, but that was not the case. After a while I learned about VA-API, an open source API developed by Intel that allows hardware decoding of various codecs using the integrated Intel GPU found in most of their CPUs. On Arch Linux, VA-API is available by installing the packages “libva-intel-driver” and “libva”; on other distros it should be something similar. You can check which codecs your GPU can actually decode by running the vainfo tool (packaged as libva-utils on Arch) and looking for the H264 decode entrypoints in its output.

Another thing I discovered while testing browsers is that Firefox for some reason uses a lot more CPU during video playback than a Chrome-based browser like Chromium, although both rely on software decoding. It probably has something to do with how Firefox renders the video internally.

Anyway, the bad news is that VA-API doesn’t yet support VP9 decoding, but what you can do is install a browser plugin that forces the H.264 codec only and then take advantage of hardware acceleration through VA-API, since H.264 decoding is supported. In my case I used an external player (mpv) with my custom config (placed in ~/.config/mpv/mpv.conf, which is the file mpv actually reads) and a Firefox plugin called Open With, so I can just right-click on any video, select “open with mpv”, and get great playback with negligible CPU usage.
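As an added example (not the post’s own config): a function that writes an mpv.conf asking for VA-API decoding and an H.264 stream, plus a check that reads mpv’s own verbose log to confirm hardware decoding really engaged, because mpv quietly falls back to software decoding when it can’t. Assumptions: mpv 0.29 or newer (the vo=gpu output; older releases call it vo=opengl), the youtube-dl format filter syntax for the ytdl-format option, and mpv’s log messages “Using hardware decoding (vaapi).” and “Falling back to software decoding.”; the log lines in the usage note are constructed.

```shell
#!/bin/sh
# Example added to the post: mpv config for VA-API playback and a log check.

# write_mpv_conf DIR - creates DIR/mpv.conf (mpv reads ~/.config/mpv/mpv.conf)
write_mpv_conf() {
    mkdir -p "$1"
    {
        echo '# decode through VA-API; mpv falls back to software if the codec is unsupported'
        echo 'hwdec=vaapi'
        echo '# keep decoded frames on the GPU instead of copying them back to system RAM'
        echo 'vo=gpu'
        echo '# ask youtube-dl for an H.264 (avc1) stream, which VA-API can decode, instead of VP9'
        echo 'ytdl-format=bestvideo[vcodec^=avc1][height<=?1080]+bestaudio/best'
    } > "$1/mpv.conf"
}

# hwdec_state LOGFILE - "hardware", "software" or "unknown", read from an `mpv -v` log.
# The fallback message is checked first: when both appear, decoding ended up in software.
hwdec_state() {
    if grep -q 'Falling back to software decoding' "$1"; then
        echo software
    elif grep -q 'Using hardware decoding' "$1"; then
        echo hardware
    else
        echo unknown
    fi
}

# Real use:
#   write_mpv_conf ~/.config/mpv
#   mpv -v 'https://www.youtube.com/watch?v=...' 2>&1 | tee /tmp/mpv.log   # URL is a placeholder
#   hwdec_state /tmp/mpv.log
```

If hwdec_state reports software, check vainfo first: if it lists no H264 decode profile, the driver (libva-intel-driver) is missing or the GPU does not support the codec, and no mpv setting will help.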

Before hardware accelerated playback my average CPU usage on Chromium was around 20-25%, and on Firefox around 40-50%. With hardware acceleration on my netbook with an N3700 processor, CPU usage is under 10% using Firefox, and power usage dropped from 9-10 W to 5-6 W. That’s a big improvement, not to mention the video looked crisper than the software decoded version.

It might seem that I was complaining about Firefox at the start, but after switching video playback to mpv it turns out to be a much better solution than even Chromium.

If you have some tricks of your own, feel free to comment and share below! 🙂


Efficient browsing / productivity with Vimium

For quite a while now I’ve been doing pretty much everything on Linux with just keyboard shortcuts. I’ve switched to a tiling window manager called i3, which eliminates the need for a mouse, since everything from resizing window frames to making them full screen or tiling them a certain way can be done with a few key presses. I’ve found it increased my productivity by a big margin; the mouse was a roadblock on the way to productivity.

The only place I still needed a mouse was browsing the web. Luckily, if a bit late, I’ve found a way to get rid of even that with a plugin called Vimium for Chrome. I’m a big Vim user, and it’s kind of funny that I thought the learning curve I went through for Vim, and the hours I spent learning it, could only be used for things like coding and text editing. The time invested in Vim actually pays off with plugins like Vimium, which gives you the same kind of keyboard shortcuts you’re used to in Vim and works as a replacement for the mouse.

It’s hard to imagine what the experience is like until you consider that there is no mouse at all: you just press keys and things work the way they would with a mouse. Opening links in new tabs, scrolling, interacting with frames, clicking on elements, opening older tabs from history or going through your bookmarks, everything works as smoothly as with a real mouse.

I’m starting to get used to it; so far it seems easy to get started, and I highly encourage people to try it out and see for themselves. You don’t need previous Vim experience, and the shortcuts can be configured, as the plugin is quite flexible. Try it out, who knows, you might even like it 🙂


Linux Kernel Module / Hardware Tinkering

When I first got into the Linux world (5-6 years ago) I was a beginner, and as usual, if something didn’t work out of the box (hardware or software) I used to blame the distro and move on to the next one. Coming from the Windows world I thought that was a “fair” way to do things, and given how many distros there were at the time it wasn’t actually a bad move, but I knew I’d have to change my mentality if I were to survive in the Linux world.

Slowly, as my experience and skills with Linux matured, I realized that I actually enjoyed it when things didn’t work; I wanted things to not work as expected so that I could learn how to fix them and make them better.

In most cases a simple Google search will do, but if the problem is complex, like something hardware related, the only way to fix it is to be really persistent. As the old saying goes, “where there’s a will, there’s a way”.

Today I will share some of the little things I’ve learned as a Linux user about messing around with kernel modules: how to learn which features of your hardware the module supports, and how to enable or disable them.

Mainly I’m documenting this as a reference for myself in case I forget some of it in the near future.

First of all, to see what hardware you have, which kernel modules it uses, or in general what’s happening with your hardware, you can use the following commands:

1) lspci -k
2) lshw -short
3) inxi -b
4) lsusb
5) dmesg | grep -i "keyword"   # replace keyword with something specific to your hardware or kernel module

Note that you may have to install inxi and lshw; they are not installed by default on most distros.

Now, let’s say you’ve found the kernel module used by the hardware you want to debug (command #1).

You can see what options are supported by the kernel module with the command below.

modinfo -p [module name]

In my case, I wanted to debug my internal atheros wireless card ath9k.

To see which parameters are currently enabled or disabled in the loaded module, you can try:

systool -v -m [module name]

(systool comes with the sysfsutils package; the same values can be read directly from the files under /sys/module/[module name]/parameters/ without installing anything.)

[screenshot: systool -v -m ath9k output, parameters section]

Note that in the parameters section 1 means enabled and 0 means disabled, but mind parameters whose name is itself a negation: for ath9k, nohwcrypt=1 means hardware crypto is disabled.

By default most distributions ship some basic module configs so that your hardware works as expected, or so that some other module doesn’t interfere with your hardware, by blacklisting it. But it’s not practical to predict every kind of hardware, and there are so many types, so it’s better to debug your own hardware and tune the configs to what is optimal for you.

When I was debugging my wireless card, power saving was disabled (ps_enable=0) and hardware crypto was enabled (nohwcrypt=0), which I found was why my wireless card was using a lot of power and was slow at the same time.

You can set the parameters you want by writing a config file in the /etc/modprobe.d/ directory. The file name doesn’t matter, but it needs a .conf extension to be recognized as a config file.

Usually it’s a good practice to name the file according to the module name, in my case it’s ath9k.conf.

This is the format of how you enter the parameters in the config file:

options [module name] [parameter=value]

[screenshot: /etc/modprobe.d/ath9k.conf with an options line]

You can have multiple parameters side by side separated by space.

After the changes have been written, you can simply remove the module and reload it for the changes to take effect, or a reboot works fine too, like in Windows 🙂 One check worth doing: if the module is loaded from an initramfs, the initramfs has to be rebuilt so that it carries the new /etc/modprobe.d file, otherwise the old values are used at boot.

Removing module:
modprobe -r [module name]

Reloading module:
modprobe [module name]

Another interesting thing I learned: let’s say there is some hardware or module that you want disabled or don’t want running.

For example, I never really use the webcam and Bluetooth on my laptop, so disabling them is also a good way to save power and increase battery life.

You can blacklist modules with a config file containing the keyword blacklist followed by the module name. But blacklisting only stops the module from being loaded automatically by its hardware alias; if it is a dependency of another module, or something loads it explicitly, it gets loaded anyway.

So to prevent that you can write the config file this way:

install [module name] /bin/false

This tells modprobe to run /bin/false instead of loading the module, so every load attempt fails, including loads triggered through dependencies. Anything that genuinely needs the module will then fail too, which is exactly what you want for a webcam you never use.

For those wondering, the Bluetooth module is btusb by default and the webcam module is uvcvideo.
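The whole procedure above (read the module’s current parameters, write the options file, and the blacklist/install file for modules you never want loaded) as an added example that is not the post’s own commands. It reads parameter values straight from sysfs, which is what systool -v -m shows, so it works without sysfsutils. The sysfs and modprobe.d directories are parameters so the functions can be tried against a constructed tree; the real roots are /sys/module and /etc/modprobe.d, and the ath9k values in the usage note mirror what the post settled on.

```shell
#!/bin/sh
# Example added to the post: inspect module parameters and generate modprobe.d files.
# Assumed layout (real on Linux): /sys/module/<mod>/parameters/<param> holds one value each.

# module_params SYSROOT MODULE - print "name=value" for every parameter of a loaded module
module_params() {
    dir=$1/$2/parameters
    [ -d "$dir" ] || { echo "$2: not loaded or has no parameters" >&2; return 1; }
    for p in "$dir"/*; do
        [ -e "$p" ] || continue
        # some parameters are write-only (mode 0200); show them as '?' instead of failing
        printf '%s=%s\n' "${p##*/}" "$(cat "$p" 2>/dev/null || echo '?')"
    done
}

# write_options_conf CONFDIR MODULE PARAM=VALUE... - one 'options' line, e.g. for ath9k
write_options_conf() {
    confdir=$1; mod=$2; shift 2
    printf 'options %s %s\n' "$mod" "$*" > "$confdir/$mod.conf"
}

# write_disable_conf CONFDIR MODULE... - blacklist plus install-to-/bin/false, so the module is
# neither auto-loaded by alias nor pulled in as a dependency of another module
write_disable_conf() {
    confdir=$1; shift
    for mod in "$@"; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$mod" "$mod" > "$confdir/$mod.conf"
    done
}

# apply_module_conf MODULE - reload so the new options take effect, then show them (needs root)
apply_module_conf() {
    modprobe -r "$1" && modprobe "$1" && module_params /sys/module "$1"
}

# Real use (as root):
#   module_params /sys/module ath9k
#   write_options_conf /etc/modprobe.d ath9k ps_enable=1 nohwcrypt=1
#   apply_module_conf ath9k
#   write_disable_conf /etc/modprobe.d btusb uvcvideo
```

After apply_module_conf the printed values should match what you wrote; if they don’t, the module is probably being loaded from an initramfs that still contains the old config, or a different .conf file in /etc/modprobe.d sets the same parameter later in the alphabet.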

Anyway, that’s it for today. I didn’t really want to write this post since a lot of this info can be found publicly or in the Arch Wiki.

But a part of me insisted, since a lot of what I learned was by trial and error. Usually the Arch Wiki tells you what to do but not why; it is up to you to figure out why, and that’s the most important part of the learning process in my opinion.

Hopefully this is helpful to some of you 🙂

Power Saving GOD Mode on Linux (Part – 2)

This is the advanced guide to Linux power saving: advanced in the sense that I’ll walk you through learning about the different modules used by your kernel, and how to apply the power management settings supported by your hardware.

Part of the hacker mindset is to learn, explore and think outside the box, which can sometimes lead you to a whole new world of opportunities and at other times can get you into trouble if you’re not careful enough 😉

Alright, so first of all you need to know which devices are present in your system (e.g. graphics card, wireless adapter, etc.) and which modules they use that support power management options.

One way to find that out is the command: lspci -v (lspci -k shows just the driver in use for each device)

[screenshot: lspci -v output for the GPU and wireless card]

The command shows a lot of detail, but as you can see above, I have an integrated Intel GPU running the kernel module i915 and an Atheros wireless card running the ath9k module.

Next you need to learn about the options supported by these modules.

You can do so by using the following command: modinfo -p [module name]

In my case these are the parameters supported by the module (ath9k) used by my wireless card.

[screenshot: modinfo -p ath9k output]

As you can see, there’s the ps_enable parameter, which enables power management. By default it is off, and even when I try to enable it through powertop it doesn’t seem to stick. So to make sure that feature works I have to enable it explicitly in my boot settings.

We’ll get to that part (enabling it in the boot settings) a bit later, but first let’s see the power management options supported by my Intel GPU.

[screenshot: modinfo -p i915 output]

The i915 module has a lot of features, but I decided to focus on the power saving aspect only.

As you can see there are four main features (i915_enable_rc6, i915_enable_fbc, lvds_downclock, enable_pc8) that you can enable in your boot settings. By default some of them are disabled because they are known to cause problems with certain hardware, so be cautious about which ones you enable and double check that everything still works. These parameter names are for the kernel I was running (3.14); later kernels renamed or removed some of them, so always go by what modinfo -p i915 prints on your own kernel.

As you can also see in the descriptions of these parameters, most take 1 to enable and 0 to disable, so use them accordingly.

Let’s get started on setting these parameters in our boot settings. Personally I use GRUB as my bootloader, which is the default on a lot of popular distros like Ubuntu, Mint, etc.

The default location of the GRUB config file on my distro is /etc/default/grub

Open that config file in your favourite text editor; make sure you have root privileges.

Go to the line that says:

GRUB_CMDLINE_LINUX_DEFAULT

There are probably some parameters on that line already; to add our power management parameters the format is:

[module name].[parameter]=value

e.g.: ath9k.ps_enable=1

This works for modules that are loaded later from the initramfs or the root filesystem as well, because modprobe picks module options up from /proc/cmdline.

Each parameter is separated from the next by a space. The line in my grub file therefore looks like this:

GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_pstate=disable ath9k.ps_enable=1 i915.i915_enable_rc6=1 i915.lvds_downclock=1 i915.i915_enable_fbc=1 i915.semaphores=1"

After making the changes, don’t forget to run update-grub (on distros without that wrapper, such as Gentoo or Arch, run grub-mkconfig -o /boot/grub/grub.cfg), otherwise the parameters won’t make it into the generated grub.cfg. After the reboot you can confirm they arrived with cat /proc/cmdline and, for example, cat /sys/module/ath9k/parameters/ps_enable.
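The edit-regenerate-verify cycle above, as an added example that is not the post’s own commands: a function that appends module parameters to GRUB_CMDLINE_LINUX_DEFAULT without duplicating tokens already there (so it is safe to re-run), the regeneration step for both update-grub and grub-mkconfig systems, and a post-reboot check that the kernel actually received the parameter and the module reports the expected value. The grub file, cmdline file and sysfs root are parameters so the functions can be tried on a copy first; the real paths are /etc/default/grub, /proc/cmdline and /sys/module.

```shell
#!/bin/sh
# Example added to the post: idempotent kernel-parameter edit for GRUB plus verification.

# add_kernel_params FILE PARAM... - append each PARAM to GRUB_CMDLINE_LINUX_DEFAULT in FILE
# unless an identical token is already present; other lines are left untouched
add_kernel_params() {
    file=$1; shift
    line=$(grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file") || {
        echo "no GRUB_CMDLINE_LINUX_DEFAULT line in $file" >&2; return 1; }
    value=${line#GRUB_CMDLINE_LINUX_DEFAULT=}
    value=${value#\"}; value=${value%\"}            # strip the surrounding double quotes
    for p in "$@"; do
        case " $value " in
            *" $p "*) ;;                             # already present, keep as is
            *) value="$value $p" ;;
        esac
    done
    value=$(printf '%s' "$value" | sed 's/^ *//; s/ *$//')
    tmp=$(mktemp)
    while IFS= read -r l; do
        case $l in
            GRUB_CMDLINE_LINUX_DEFAULT=*) printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$value" ;;
            *) printf '%s\n' "$l" ;;
        esac
    done < "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's owner and mode
    rm -f "$tmp"
}

# regenerate_grub_cfg - Debian/Ubuntu ship the update-grub wrapper; Gentoo, Arch and others use grub-mkconfig
regenerate_grub_cfg() {
    if command -v update-grub >/dev/null 2>&1; then
        update-grub
    else
        grub-mkconfig -o /boot/grub/grub.cfg
    fi
}

# check_param CMDLINE_FILE SYSROOT MODULE PARAM EXPECTED - after the reboot: was the token on
# the kernel command line, and does the loaded module report the expected value?
check_param() {
    cmdline=$1; sysroot=$2; mod=$3; param=$4; want=$5
    grep -qwF "$mod.$param=$want" "$cmdline" || {
        echo "$mod.$param=$want is not on the kernel command line" >&2; return 1; }
    got=$(cat "$sysroot/$mod/parameters/$param" 2>/dev/null) || {
        echo "$mod is not loaded or has no parameter $param" >&2; return 1; }
    # the kernel shows bool parameters as Y/N and int parameters as numbers:
    # normalise 1/0 to Y/N so both kinds compare the same way
    case $want in 1) want=Y ;; 0) want=N ;; esac
    case $got  in 1) got=Y  ;; 0) got=N  ;; esac
    [ "$got" = "$want" ] || { echo "$mod.$param is $got, expected $want" >&2; return 1; }
}

# Real use (as root):
#   add_kernel_params /etc/default/grub ath9k.ps_enable=1 i915.i915_enable_rc6=1 && regenerate_grub_cfg
#   ... reboot ...
#   check_param /proc/cmdline /sys/module ath9k ps_enable 1
```

If check_param says the token is on the command line but the module reports a different value, a file in /etc/modprobe.d is overriding it, or the parameter name is not the one your kernel version uses; modinfo -p settles the second case.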

Also, as you can see from my grub config, I’ve set the parameter intel_pstate=disable.

From what I’ve heard the intel_pstate driver has issues with certain processors, or its implementation doesn’t work that well for power management.

With pstate disabled the older acpi-cpufreq driver takes over, and I configured TLP to clock my cores to the speeds I want.

These are the settings in my TLP config file, located in /etc/default/tlp (newer TLP releases use /etc/tlp.conf instead):

CPU_SCALING_GOVERNOR_ON_AC=ondemand
CPU_SCALING_GOVERNOR_ON_BAT=powersave

CPU_SCALING_MIN_FREQ_ON_AC=800
CPU_SCALING_MAX_FREQ_ON_AC=3200
CPU_SCALING_MIN_FREQ_ON_BAT=800
CPU_SCALING_MAX_FREQ_ON_BAT=2000

CPU_BOOST_ON_AC=1
CPU_BOOST_ON_BAT=0

SCHED_POWERSAVE_ON_AC=0
SCHED_POWERSAVE_ON_BAT=1

I’ve set the minimum frequency of the cores down to 800, and I think by default it used to be around 2000. Note that TLP, like the cpufreq sysfs interface it writes to, takes frequencies in kHz, so 800 MHz is 800000; check what was actually applied with cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq. After a reboot the changes should take effect, and you may notice less heat or power usage from your CPU as well.

Also, I currently run the 3.14 kernel (which brought slight power improvements), and with all these changes my power usage dropped to 9 W at the lowest, averaging about 10-11 W.

So that’s it for my Linux power saving guide. I hope I’ve been able to share what I’ve learned and that it helped some people. If I’d had this knowledge earlier I’d have been much happier; I’d appreciate any feedback.

Thanks 🙂