Should we allow real-time kernels?

I only ask this, because I was looking up stuff about real-time kernels since there are some selections in the Manjaro Settings Manager application and I see some kernels labelled with rt (and showing as real-time, specifically) only to find this commentary from Ubuntu Studio team about their use.

A real juicy statement from that page reads as follows.

Security Implications

All it would take is one malicious process to execute and take advantage of the real-time code to completely lock-out a user from their machine, turning that machine into part of a botnet or other malicious purpose. Real-Time processes have the potential to completely take-over a machine. This is the number one reason Ubuntu does not carry a Real-Time kernel.

So, why is this a user-accessible option if any of this is true?

While technically true… its a bit alarmist.
The regular kernel off and on can be found to have a vulnerability to allow run-away processes and such.
Heck, you could configure that yourself on your current (non-rt) system in a number of ways.
Which brings us to the main point:
RT kernels are not for everybody.
They are useful for people like Audio Engineers and the like, who know what they are and why they want them. For those folks the rt kernels are very nice. Everyone else though? They have no reason to use RT. And in Manjaro we are lucky enough to have some folks build them and make them available for people who need them.
Removing those from mhwd/repos etc … wouldnt make them impossible to use, and folks would still want them, but they would have to get them and build them from the AUR themselves and it wouldnt be managed/integrated with mhwd.
Simply creating a worse situation for the users who actually need the rt kernels.
For all other users … it doesnt mean anything at all.

4 Likes

I for one am quite happy Manjaro has rt kernels. I produce and listen to High quality audio constantly on my machine. Running a realtime kernel makes it stupid simple and reliable to give audio priority over other processes. this is important for my use case. I have done it in other distros, but often had to compile it myself. Manjaro supplying these is one of things that pushed me to try it. I don’t see it as a likely security issue, yes, I suppose it can be done, but I don’t think it’s very much to worry about.

2 Likes

Malicious programs can achieve those even without real-time features.

2 Likes

The first part is correct. most users do not need a realtime kernel, but some do

Do I need a realtime kernel to use realtime scheduling? | JACK Audio Connection Kit

The rest is nonsense

Is a real-time kernel a security risk? - LinuxMusicians

It does not mean that the applications have now more or direct access to the kernel, but how the kernel itself makes use of the available resources to increase responsiveness. It means things like assigning priorities in a different way, minimising time spend in irq routines etc

I’m not going to post the code, but feel free to search for “fork bomb” and then try it don’t try it unless you have mitigations into place

As in all things: breaking stuff is much easier than repairing stuff… and RT kernels have their use beyond audio and video engineers: E.G. they get updated less frequently and running a RT kernel while a bug gets fixed in the LTS version can be a life-saver.

Because, ultimatelyYOU are responsible for the safety/security/operation of YOUR system.

LOL. It would be an interesting experiment to see who the blindly copies/pastes terminal commands users are. :smiling_imp:

But for the life of me, I’ll never understand why someone would

curl <whatever_URL> | [ba]sh
1 Like