Profile

Cover photo
Matthew Garrett
Works at CoreOS
Attended University of Cambridge
Lives in Oakland
3,360 followers|318,448 views
AboutPostsPhotosVideos
People
Have him in circles
3,360 people
Melvin Jose's profile photo
Jacqueline R Matthew's profile photo
Thomas Andersen's profile photo
Kenneth Johansson's profile photo
Jason Owen's profile photo
Gabriel Pettier (Tshirtman)'s profile photo
Vivek Das Mohapatra (fledermaus)'s profile photo
mwo khan's profile photo
Nate Berry's profile photo
Education
  • University of Cambridge
    Genetics, 1998 - 2001
  • University of Cambridge
    Genetics, 2004 - 2008
Basic Information
Gender
Male
Relationship
Married
Apps with Google+ Sign-in
  • Asphalt 8:Airborne
Work
Occupation
Software
Employment
  • CoreOS
    Security, 2015 - present
  • Nebula
    Security, 2012 - 2015
  • Red Hat
    Software, 2008 - 2012
  • Canonical
Places
Map of the places this user has livedMap of the places this user has livedMap of the places this user has lived
Currently
Oakland
Previously
Cambridge - London - Omagh - Boston

Stream

Matthew Garrett

Shared publicly  - 
 
Actual technical content! How to use the kernel keyring to enrol keys that are accessible even when using sudo or logging in as root, and why doing so is relevant to rkt.
The Linux kernel keyring is effectively a mechanism to allow shoving blobs of data into the kernel and then setting access controls on them. It's convenient for a couple of reasons: the first is that these blobs are available to the kernel itself (so it can use them for things like NFSv4 ...
25
6
Harish Pillay's profile photoMichael Gebetsroither's profile photoLevente Varga's profile photoDave Quigley's profile photo
9 comments
 
+Mirosław Baran A better reply would be for instance to state that SElinux and Smack were created to separate user processes with the same base privileges from each other. Surely it must be sensical (yes I know you probably agree with me here).
Add a comment...

Matthew Garrett

Shared publicly  - 
 
Canonical have improved their IP policy such that it no longer violates the GPL, but it's still awful. Tldr; don't build a product on top of Ubuntu 
(In order to avoid any ambiguity here, this is a personal opinion. The Free Software Foundation's opinion on this matter is here) Canonical have a legal policy surrounding reuse of Intellectual Property they own in Ubuntu, and you can find it here. It's recently been modified to handle concerns ...
65
17
Trevor Woerner's profile photoMarcelo Magallon's profile photoLuis A. Garcia's profile photoLapo Calamandrei's profile photo
9 comments
 
I want to be your friend on gun fu:stickman 2
Add a comment...

Matthew Garrett

Shared publicly  - 
 
Optimal power saving on recent Intel mobile platforms requires a bunch of good integration work at the distribution level, and we haven't been doing it.
Haswell and Broadwell (Intel's previous and current generations of x86) both introduced a range of new power saving states that promised significant improvements in battery life. Unfortunately, the typical experience on Linux was an increase in power consumption. The reasons why are kind of ...
76
11
Drew Fustini (pdp7)'s profile photoPádraig Brady's profile photoAndrew Bradford (bradfa)'s profile photoMartin Creutziger (MMx)'s profile photo
9 comments
 
+Matthew Garrett indeed, slumber is part of the initial spec, although I'm unsure how much savings it gives on my device. But the power savings you're talking about are host-related, not device, right?
Also, do you have a branch to test? 
Add a comment...

Matthew Garrett

Shared publicly  - 
 
Some discussion of what Intel Boot Guard actually means for users
PC World wrote an article on how the use of Intel Boot Guard by PC manufacturers is making it impossible for end-users to install replacement firmware such as Coreboot on their hardware. It's easy to interpret this as Intel acting to restrict competition in the firmware market, but the reality ...
44
20
Jens Van Broeckhoven's profile photoAdrian Marius Popa's profile photoDeltit Nu's profile photoPeter Green's profile photo
18 comments
 
http://www.apress.com/9781430265719 describes Boot Guard in detail, incl. who signs what and what is burnt into fuses (even though the location of the fuses is still somewhat unclear).

Also http://patrick.georgi-clan.de/2015/02/17/intel-boot-guard/ for an alternative way to work with current-era Boot Guard, that should handle the security vs. freedom issue.
Add a comment...

Matthew Garrett

Shared publicly  - 
 
Why I think joining the FSF board was important, and why I hope it wasn't a mistake
I joined the board of directors of the Free Software Foundation a couple of weeks ago. I've been travelling a bunch since then, so haven't really had time to write about it. But since I'm currently waiting for a test job to finish, why not? It's impossible to overstate how important free ...
46
2
Elad Alfassa's profile photoJef “Credible Hulk” Spaleta's profile photoMirosław Baran (Jubal)'s profile photoMichael J Gruber's profile photo
14 comments
 
was it extremely offensive? Sorry for that.
Add a comment...

Matthew Garrett

Shared publicly  - 
17
4
Kristian Köhntopp's profile photoCarsten Aulbert's profile photoLevente Varga's profile photoJohn de Largentaye's profile photo
 
"No video?!?"
Spoiled brat
(want to hear narration for pages 7-12)
Add a comment...
Have him in circles
3,360 people
Melvin Jose's profile photo
Jacqueline R Matthew's profile photo
Thomas Andersen's profile photo
Kenneth Johansson's profile photo
Jason Owen's profile photo
Gabriel Pettier (Tshirtman)'s profile photo
Vivek Das Mohapatra (fledermaus)'s profile photo
mwo khan's profile photo
Nate Berry's profile photo

Matthew Garrett

Shared publicly  - 
 
I wrote about how Canonical's IP policy claims that you're violating their copyright if you distribute containers built on modified Ubuntu images - +Dustin Kirkland called that "sensationalist and untrue". I spent a few minutes yesterday talking to Mark Shuttleworth, who made it very clear that Canonical believe they hold copyright over their binaries and require you to ask their permission to do anything other than distribute unmodified images.

Since that's what their policy actually says, that's not surprising. What was more surprising was that he was perfectly willing to admit that their policy is deliberately unclear and overreaching because that increases the number of people who will pay them rather than risk a lawsuit.
I bumped into Mark Shuttleworth today at Linuxcon and we had a brief conversation about Canonical's IP policy. The short summary: Canonical assert that the act of compilation creates copyright over the binaries, and you may not redistribute those binaries unless (a) the license prevents ...
55
23
Igor Gnatenko's profile photoJan Groenewald's profile photoPaulo Neves's profile photoClint Byrum's profile photo
66 comments
 
+Mark Shuttleworth​ the reason I asked that question was because I read your IP policy and couldn't find the answer, and while I don't expect you to come along suing me for doing it, there are situations people get into where they have to check what they're doing. Make it clear rather than telling people to relax.
Add a comment...

Matthew Garrett

Shared publicly  - 
 
A bunch of people have misinterpreted some excellent security research work as evidence of a widespread firmware backdoor, but that doesn't mean that there's no threat.
This is currently the top story on the Linux subreddit. It links to this Tweet which demonstrates using a System Management Mode backdoor to perform privilege escalation under Linux. This is not a story. But first, some background. System Management Mode (SMM) is a feature in most x86 processors ...
57
23
Bruno Ramos's profile photoDarren Hart's profile photoMadd Sauer's profile photoLucas Alvares Gomes's profile photo
 
Thanks, this really, really clears up a lot.
Add a comment...

Matthew Garrett

Shared publicly  - 
 
Lenovo are dreadful, but let's not ignore our own failings
So blah blah Superfish blah blah trivial MITM everything's broken. Lenovo deserve criticism. The level of incompetence involved here is so staggering that it wouldn't be a gross injustice for the company to go under as a result[1]. But let's not pretend that this is some sort of isolated ...
56
12
Lorenzo Millucci's profile photoCarla Sella's profile photoAaron Eischeid's profile photoS. Wilson's profile photo
11 comments
 
I'm kind of afraid of what will happen when my Nexus 5 dies outside of warranty. It did die inside of warranty (thanks, EU, for mandating longer warranties!) and I got a defective refurbished Nexus 5 replacement (sitting on my desk now) that needs to be replaced with another refurbished Nexus 5 (hopefully not defective this time).

But what should happen after the N5? A (too-huge) Nexus 6? or non-Nexus — which is probably asking for problems (depending on manufacturer).

There's always Firefox OS, I suppose, but I'd lose at least ½ the functionality of the device. (But it is really the best option for something closest to a working, functional, kinda-close to Free Software phone. Sadly, it does depend on blobs like everything else (sigh), but at least the OS itself is developed in the open. Runner up would be the Ubuntu phone, which suffers from some of the same issues.)

It would be super-nice if we could have a friendly, open source, open hardware pocket computer that has Internet access and not have to run proprietary software on it for video and networking.
Add a comment...

Matthew Garrett

Shared publicly  - 
 
I did some rough numerical analysis of Hacker News story ranking and found that stories connected with social issues tended to be penalised.
I'm not a huge fan of Hacker News[1]. My impression continues to be that it ends up promoting stories that align with the Silicon Valley narrative of meritocracy, technology will fix everything, regulation is the cancer killing agile startups, and discouraging stories that suggest that the world ...
16
DeeAnn Little's profile photo
 
Thank you for doing this. I'm curious as to how this is going to shake out. Something interesting on the LJ commentary so far is the idea that social issues are off-topic, which I find interesting in that we all need to work together for a healthy ecosystem and I would personally place social issues with the same weight as hard technical.
Add a comment...

Matthew Garrett

Shared publicly  - 
 
Supporting ACPI isn't just a matter of adding the code, it's a matter of exposing a consistent interface to the firmware. On x86 we achieve that by copying whatever Windows does. How are we going to cope on ARM?
ACPI is a complicated specification - the latest version is 980 pages long. But that's because it's trying to define something complicated: an entire interface for abstracting away hardware details and making it easier for an unmodified OS to boot diverse platforms.
34
6
Vladimir Pantelic's profile photoAndrew Pinski's profile photoMakc Belousow's profile photoMarc Jones's profile photo
14 comments
 
+John Dulaney Yea, I hope this work will help x86 too.
Add a comment...

Matthew Garrett

Shared publicly  - 
 
How to set up a Nexus device so it'll only run OS images signed by the owner. (Spoiler: it's awkward)
The security model on the Google Nexus devices is pretty straightforward. The OS is (nominally) secure and prevents anything from accessing the raw MTD devices. The bootloader will only allow the user to write to partitions if it's unlocked. The recovery image will only permit you to install ...
35
4
Rui Seabra's profile photoDeltit Nu's profile photoMarcos Marado's profile photoFlorian Hubold's profile photo
6 comments
 
+David Alan Gilbert Once you have to build your own tools, I think it's fair to say that it's not straightforward
Add a comment...