The Truth About the Intel’s Hidden Minix OS and Security Concerns

By Sylvain Leroux

Intel Processors

If you have an Intel-chipset based motherboard, there are great chances it is equipped with the Intel Management (Intel ME) unit. This is not new. And concerns regarding the privacy issue behind that little know feature were raised for several years. But suddenly, the blogosphere seems to have rediscovered the problem. And we can read many half-true or just plain wrong statements about this topic.

So let me try to clarify, as much as I can, some key points for you to make your own opinion:

What is Intel ME?

First, let’s give a definition straight from Intel’s website:

Built into many Intel® Chipset–based platforms is a small, low-power computer subsystem called the Intel® Management Engine (Intel® ME). The Intel® ME performs various tasks while the system is in sleep, during the boot process, and when your system is running.

Simply said, that means Intel ME adds another processor on the motherboard to manage the other sub-systems. As a matter of fact, it is more than just a microprocessor: it’s a microcontroller with its own processor, memory, and I/O. Really just like if it was a small computer inside your computer.

That supplemental unit is part of the chipset and is NOT on the main CPU die. Being independent, that means Intel ME is not affected by the various sleep state of the main CPU and will remain active even when you put your computer in sleep mode or when you shut it down.

As far as I can tell Intel ME is present starting with the GM45 chipset—that brings us back to the year 2008 or so. In its initial implementation, Intel ME was on a separate chip that could be physically removed. Unfortunately, modern chipsets include Intel ME as part of the northbridge which is essential for your computer to work. Officially, there is no way to switch off Intel ME, even if some exploit seems to have successfully been used to disable it.

I read it runs on “ring -3” what does that mean?

Saying Intel ME as running in “ring -3” leads to some confusion. The protection rings are the various protection mechanisms implemented by a processor allowing, for example, the kernel to use certain processor instructions whereas applications running on top of it cannot do it. The key point is software running in a “ring” has total control over software running on a higher level ring. Something that can be used for monitoring, protection or to present an idealized or virtualized execution environment to software running in higher level rings.

Typically, on x86, applications run in ring 1, the kernel run in ring 0 and an eventual hypervisor on ring -1. “ring -2” is sometimes used for the processor microcode. And “ring -3” is used in several papers to talk about Intel ME as a way to explain it has even higher control than everything running on the main CPU. But “ring -3” is certainly not a working model of your processor. And let me repeat once again: Intel ME is not even on the CPU die.

I encourage you to take a look especially at the first pages of that Google/Two Sigma/Cisco/Splitted-Desktop Systems report for an overview of the several layers of execution of a typical Intel-based computer.

What is the problem with Intel ME?

By design, Intel ME has access to the other sub-systems of the motherboard. Including the RAM, network devices, and cryptographic engine. And that as long as the motherboard is powered. In addition, it can directly access the network interface using a dedicated link for out-of-band communication, thus even if you monitor traffic with a tool like Wireshark or tcpdump you might not necessarily see the data packet sent by Intel ME.

Intel ME architectural overview

Intel claims that ME is needed to get the best of your Intel Chipset. Most useful, it can be used especially in a corporate environment for some remote administration and maintenance tasks. But, no one outside Intel knows exactly what it CAN do. Being close sourced that leads to legitimate questions about the capabilities of that system and the way it can be used or abused.

For example, Intel ME has the potential for reading any byte in RAM in search for some keyword or to send those data through the NIC. In addition, since Intel ME can communicate with the operating system—and potentially applications— running on the main CPU, we could imagine scenarios where Intel ME would be (ab)used by a malicious software to bypass OS level security policies.

Is this science fiction? Well, I’m not personally aware of data leakage or other exploit having used Intel ME as their primary attack vector. But quoting Igor Skochinsky can give you some ideal of what such system can be used for:

The Intel ME has a few specific functions, and although most of these could be seen as the best tool you could give the IT guy in charge of deploying thousands of workstations in a corporate environment, there are some tools that would be very interesting avenues for an exploit. These functions include Active Managment Technology, with the ability for remote administration, provisioning, and repair, as well as functioning as a KVM. The System Defense function is the lowest-level firewall available on an Intel machine. IDE Redirection and Serial-Over-LAN allows a computer to boot over a remote drive or fix an infected OS, and the Identity Protection has an embedded one-time password for two-factor authentication. There are also functions for an ‘anti-theft’ function that disables a PC if it fails to check in to a server at some predetermined interval or if a ‘poison pill’ was delivered through the network. This anti-theft function can kill a computer, or notify the disk encryption to erase a drive’s encryption keys.

I let you take a look at Igor Skochinsky presentation for the REcon 2014 conference to have a first-hand overview of the capabilities of Intel ME:

As a side note, to give you an idea of the risks take a look at the CVE-2017-5689 published in May 2017 concerning a possible privilege escalation for local and remote users using the HTTP server running on Intel ME when Intel AMT is enabled.

But don’t panic immediately because for most personal computers, this is not a concern because they do not use AMT. But that gives an idea of the possible attacks targeting Intel ME and the software running in there.

What do we know about Intel ME? How is it related to Minix?

Intel ME and the software running on top of it are close sourced, and people having access to the related information are bound by a non-disclosure agreement. But thanks to independent researchers we still have some information about it.

Intel ME shares the flash memory with your BIOS to store its firmware. But unfortunately, a large part of the code is not accessible by a simple dump of the flash because it relies on functions stored in the inaccessible ROM part of the ME microcontroller. In addition, it appears the parts of the code that are accessible are compressed using non-disclosed Huffman compression tables. This is not cryptography, its compression— obfuscation some might say. Anyway, it does not help in reverse engineering Intel ME.

Up to its version 10, Intel ME was based on ARC or SPARC processors. But Intel ME 11 is x86 based. In April, a team at Positive Technologies tried to analyze the tools that Intel provides to OEMs/vendor as well as some ROM bypass code. But due to Huffman compression, they weren’t able to go very far.

However, they were able to do was to analyze TXE, the Trusted Execution Engine, a system similar to Intel ME, but available on the Intel Atom platforms. The nice thing about TXE is the firmware is not Huffman encoded. And there they found a funny thing. I prefer quoting the corresponding paragraph in extenso here:

In addition, when we looked inside the decompressed vfs module, we encountered the strings “FS: bogus child for forking” and “FS: forking on top of in-use child,” which clearly originate from Minix3 code. It would seem that ME 11 is based on the MINIX 3 OS developed by Andrew Tanenbaum 🙂

Let make things clear: TXE contains code “borrowed” from Minix. That’s sure. Other hints suggest it probably runs a complete Minix implementations. Finally, despite no evidence, we can assume without too many risks that ME 11 would be based on Minix too.

Until recently Minix was certainly not a well know OS name. But a couple of catchy titles changed that recently. That and a recent open letter by Andrew Tannenbaum, the author of Minix, are probably at the root of the current hype around Intel ME.

Andrew Tanenbaum?

If you don’t know him, Andrew S. Tanenbaum is a computer scientist and professor emeritus at the Vrije Universiteit Amsterdam in the Netherlands. Generations of students, including me, have learned computer sciences through Andrew Tannenbaum books, work, and publications.

For educational purposes, he started development of the Unix-inspired Minix operating system in the late 80s. And was famous for its controversy on Usenet with a then young guy named Linus Torvalds about the virtues of monolithic versus micro-kernels.

For what interests us today, Andrew Tanenbaum has declared not having any feedback from Intel about the usage they have made of Minix. But in an open letter to Intel, he explains he was contacted a few years ago by Intel engineers asking many technical questions about Minix and even requesting code change to being able to selectively remove part of the system in order to reduce its footprint.

According to Tannenbaum, Intel never explained the reason for their interest in Minix. “After that initial burst of activity, there was radio silence for a couple of years”, that is up until today.

In a final note, Tannenbaum explains its position:

For the record, I would like to state that when Intel contacted me, they didn’t say what they were working on. Companies rarely talk about future products without NDAs. I figured it was a new Ethernet chip or graphics chip or something like that. If I had suspected they might be building a spy engine, I certainly wouldn’t have cooperated […​]

Worth mentioning if we can question the moral behavior of Intel, both regarding the way they approached Tannenbaum and Minix and in the aim pursued with Intel ME, strictly speaking, they acted perfectly in accordance with the terms of the Berkeley license accompanying the Minix project.

And what about using AMD?

I’m not familiar with AMD technologies. So if you have more insight, let us know using the comment section. But from what I can tell, the AMD Accelerated Processing Unit (APU) line of microprocessors have a similar feature where they embed an extra ARM-based microcontroller, but this time directly on the CPU die. Amazingly enough, that technology is advertised as “TrustZone” by AMD. But like for its Intel counterpart, no one really know what it does. And no one has access to the source to analyze the exploit surface it adds to your computer.

So what to think?

It is very easy to become paranoid about those subjects. For example, what proves the firmware running on your Ethernet or Wireless NIC don’t spy at you to transmit data through some hidden channel?

What makes Intel ME more a concern is because it works at a different scale, being literally a small independent computer looking at everything happening on the host computer. Personally, I fell concerned by Intel ME since it’s initial announcement. But that didn’t prevent me from running Intel-based computers. Certainly, I would prefer if Intel made the choice to open-source the Monitoring Engine and the associated software. Or if they provided a way to physically disable it. But that’s an opinion that only regards me. You certainly have your own ideas about that.

Finally, I said above, my goal in writing that article was to give you as much as possible verifiable information so you can make your own opinion…

From: It’s FOSS

Share

The Truth About the Intel’s Hidden Minix OS and Security Concerns

By Sylvain Leroux

Intel Processors

If you have an Intel-chipset based motherboard, there are great chances it is equipped with the Intel Management (Intel ME) unit. This is not new. And concerns regarding the privacy issue behind that little know feature were raised for several years. But suddenly, the blogosphere seems to have rediscovered the problem. And we can read many half-true or just plain wrong statements about this topic.

So let me try to clarify, as much as I can, some key points for you to make your own opinion:

What is Intel ME?

First, let’s give a definition straight from Intel’s website:

Built into many Intel® Chipset–based platforms is a small, low-power computer subsystem called the Intel® Management Engine (Intel® ME). The Intel® ME performs various tasks while the system is in sleep, during the boot process, and when your system is running.

Simply said, that means Intel ME adds another processor on the motherboard to manage the other sub-systems. As a matter of fact, it is more than just a microprocessor: it’s a microcontroller with its own processor, memory, and I/O. Really just like if it was a small computer inside your computer.

That supplemental unit is part of the chipset and is NOT on the main CPU die. Being independent, that means Intel ME is not affected by the various sleep state of the main CPU and will remain active even when you put your computer in sleep mode or when you shut it down.

As far as I can tell Intel ME is present starting with the GM45 chipset—that brings us back to the year 2008 or so. In its initial implementation, Intel ME was on a separate chip that could be physically removed. Unfortunately, modern chipsets include Intel ME as part of the northbridge which is essential for your computer to work. Officially, there is no way to switch off Intel ME, even if some exploit seems to have successfully been used to disable it.

I read it runs on “ring -3” what does that mean?

Saying Intel ME as running in “ring -3” leads to some confusion. The protection rings are the various protection mechanisms implemented by a processor allowing, for example, the kernel to use certain processor instructions whereas applications running on top of it cannot do it. The key point is software running in a “ring” has total control over software running on a higher level ring. Something that can be used for monitoring, protection or to present an idealized or virtualized execution environment to software running in higher level rings.

Typically, on x86, applications run in ring 1, the kernel run in ring 0 and an eventual hypervisor on ring -1. “ring -2” is sometimes used for the processor microcode. And “ring -3” is used in several papers to talk about Intel ME as a way to explain it has even higher control than everything running on the main CPU. But “ring -3” is certainly not a working model of your processor. And let me repeat once again: Intel ME is not even on the CPU die.

I encourage you to take a look especially at the first pages of that Google/Two Sigma/Cisco/Splitted-Desktop Systems report for an overview of the several layers of execution of a typical Intel-based computer.

What is the problem with Intel ME?

By design, Intel ME has access to the other sub-systems of the motherboard. Including the RAM, network devices, and cryptographic engine. And that as long as the motherboard is powered. In addition, it can directly access the network interface using a dedicated link for out-of-band communication, thus even if you monitor traffic with a tool like Wireshark or tcpdump you might not necessarily see the data packet sent by Intel ME.

Intel ME architectural overview

Intel claims that ME is needed to get the best of your Intel Chipset. Most useful, it can be used especially in a corporate environment for some remote administration and maintenance tasks. But, no one outside Intel knows exactly what it CAN do. Being close sourced that leads to legitimate questions about the capabilities of that system and the way it can be used or abused.

For example, Intel ME has the potential for reading any byte in RAM in search for some keyword or to send those data through the NIC. In addition, since Intel ME can communicate with the operating system—and potentially applications— running on the main CPU, we could imagine scenarios where Intel ME would be (ab)used by a malicious software to bypass OS level security policies.

Is this science fiction? Well, I’m not personally aware of data leakage or other exploit having used Intel ME as their primary attack vector. But quoting Igor Skochinsky can give you some ideal of what such system can be used for:

The Intel ME has a few specific functions, and although most of these could be seen as the best tool you could give the IT guy in charge of deploying thousands of workstations in a corporate environment, there are some tools that would be very interesting avenues for an exploit. These functions include Active Managment Technology, with the ability for remote administration, provisioning, and repair, as well as functioning as a KVM. The System Defense function is the lowest-level firewall available on an Intel machine. IDE Redirection and Serial-Over-LAN allows a computer to boot over a remote drive or fix an infected OS, and the Identity Protection has an embedded one-time password for two-factor authentication. There are also functions for an ‘anti-theft’ function that disables a PC if it fails to check in to a server at some predetermined interval or if a ‘poison pill’ was delivered through the network. This anti-theft function can kill a computer, or notify the disk encryption to erase a drive’s encryption keys.

I let you take a look at Igor Skochinsky presentation for the REcon 2014 conference to have a first-hand overview of the capabilities of Intel ME:

As a side note, to give you an idea of the risks take a look at the CVE-2017-5689 published in May 2017 concerning a possible privilege escalation for local and remote users using the HTTP server running on Intel ME when Intel AMT is enabled.

But don’t panic immediately because for most personal computers, this is not a concern because they do not use AMT. But that gives an idea of the possible attacks targeting Intel ME and the software running in there.

What do we know about Intel ME? How is it related to Minix?

Intel ME and the software running on top of it are close sourced, and people having access to the related information are bound by a non-disclosure agreement. But thanks to independent researchers we still have some information about it.

Intel ME shares the flash memory with your BIOS to store its firmware. But unfortunately, a large part of the code is not accessible by a simple dump of the flash because it relies on functions stored in the inaccessible ROM part of the ME microcontroller. In addition, it appears the parts of the code that are accessible are compressed using non-disclosed Huffman compression tables. This is not cryptography, its compression— obfuscation some might say. Anyway, it does not help in reverse engineering Intel ME.

Up to its version 10, Intel ME was based on ARC or SPARC processors. But Intel ME 11 is x86 based. In April, a team at Positive Technologies tried to analyze the tools that Intel provides to OEMs/vendor as well as some ROM bypass code. But due to Huffman compression, they weren’t able to go very far.

However, they were able to do was to analyze TXE, the Trusted Execution Engine, a system similar to Intel ME, but available on the Intel Atom platforms. The nice thing about TXE is the firmware is not Huffman encoded. And there they found a funny thing. I prefer quoting the corresponding paragraph in extenso here:

In addition, when we looked inside the decompressed vfs module, we encountered the strings “FS: bogus child for forking” and “FS: forking on top of in-use child,” which clearly originate from Minix3 code. It would seem that ME 11 is based on the MINIX 3 OS developed by Andrew Tanenbaum 🙂

Let make things clear: TXE contains code “borrowed” from Minix. That’s sure. Other hints suggest it probably runs a complete Minix implementations. Finally, despite no evidence, we can assume without too many risks that ME 11 would be based on Minix too.

Until recently Minix was certainly not a well known OS name. But a couple of catchy titles changed that recently. That and a recent open letter by Andrew Tannenbaum, the author of Minix, are probably at the root of the current hype around Intel ME.

Andrew Tanenbaum?

If you don’t know him, Andrew S. Tanenbaum is a computer scientist and professor emeritus at the Vrije Universiteit Amsterdam in the Netherlands. Generations of students, including me, have learned computer sciences through Andrew Tanenbaum books, work, and publications.

For educational purposes, he started development of the Unix-inspired Minix operating system in the late 80s. And was famous for its controversy on Usenet with a then young guy named Linus Torvalds about the virtues of monolithic versus micro-kernels.

For what interests us today, Andrew Tanenbaum has declared not having any feedback from Intel about the usage they have made of Minix. But in an open letter to Intel, he explains he was contacted a few years ago by Intel engineers asking many technical questions about Minix and even requesting code change to being able to selectively remove part of the system in order to reduce its footprint.

According to Tannenbaum, Intel never explained the reason for their interest in Minix. “After that initial burst of activity, there was radio silence for a couple of years”, that is up until today.

In a final note, Tannenbaum explains its position:

For the record, I would like to state that when Intel contacted me, they didn’t say what they were working on. Companies rarely talk about future products without NDAs. I figured it was a new Ethernet chip or graphics chip or something like that. If I had suspected they might be building a spy engine, I certainly wouldn’t have cooperated […​]

Worth mentioning if we can question the moral behavior of Intel, both regarding the way they approached Tannenbaum and Minix and in the aim pursued with Intel ME, strictly speaking, they acted perfectly in accordance with the terms of the Berkeley license accompanying the Minix project.

More information on ME?

If you’re looking for more technical information about Intel ME and the current state of the community knowledge of that technology, I encourage you to take a look at the Positive Technology presentation published for the TROOPERS17 IT-Security conference. While not easily understandable by everyone, this is certainly a reference to judge the validity of information read elsewhere.

And what about using AMD?

I’m not familiar with AMD technologies. So if you have more insight, let us know using the comment section. But from what I can tell, the AMD Accelerated Processing Unit (APU) line of microprocessors have a similar feature where they embed an extra ARM-based microcontroller, but this time directly on the CPU die. Amazingly enough, that technology is advertised as “TrustZone” by AMD. But like for its Intel counterpart, no one really know what it does. And no one has access to the source to analyze the exploit surface it adds to your computer.

So what to think?

It is very easy to become paranoid about those subjects. For example, what proves the firmware running on your Ethernet or Wireless NIC don’t spy at you to transmit data through some hidden channel?

What makes Intel ME more a concern is because it works at a different scale, being literally a small independent computer looking at everything happening on the host computer. Personally, I fell concerned by Intel ME since it’s initial announcement. But that didn’t prevent me from running Intel-based computers. Certainly, I would prefer if Intel made the choice to open-source the Monitoring Engine and the associated software. Or if they provided a way to physically disable it. But that’s an opinion that only regards me. You certainly have your own ideas about that.

Finally, I said above, my goal in writing that article was to give you as much as possible verifiable information so you can make your own opinion…

From: It’s FOSS

Share

Arch Linux Ends Support for 32-Bit Systems

By Derick Sullivan M. Lobga

Arch Linux 32 bit support ends

Brief: Arch Linux joins the growing list of Linux distributions that terminated support for 32-bit systems.

Arch Linux has ended support for i686 architecture i.e 32-bit systems. This is not a sudden decision because an announcement was made in January this year. Decreasing popularity was cited as the driving factor behind this decision: “Due to the decreasing popularity of i686 among the developers and the community, we have decided to phase out the support of this architecture.”

Since March 2017, 32-bit images of Arch Linux have not been available. Existing 32-bit installs were given this ‘grace period’ to plan their switch to other Linux distributions that still support 32-bit processors.

After a 9-month deprecation period, the time has come to put 32-bit Arch into the ground.

Arch Linux broke the news yesterday that “By the end of November, i686 packages will be removed from our mirrors and later from the packages archive”. It also states that the [multilib] repository will not be affected.

In other words, Arch Linux 32-bit will stop getting any updates starting today. By the end of this month, Arch Linux distribution will only work on computers based on the x86_64 architectures i.e. 64-bit systems. The 32-bit Arch install will not get any kind of updates or install any program, practically making them useless.

Arch Linux 32-bit lives in the form of archlinux32

One of the reasons why I love Linux is its open source nature and the enthusiastic community.

Meet archlinux32, a community maintained fork of Arch Linux 32-bit. Check out their official website:

archlinux32

Transition instructions from Arch Linux to archlinux32 are also explained. Check out the transition instructions. A dual-bootable installation media has also been made available for users.

What do you think about Arch ending support for 32-bit systems? Please share your views in the comment section.

From: It’s FOSS

Share

Arch Linux Ends Support for 32-Bit Systems

By Derick Sullivan M. Lobga

Arch Linux 32 bit support ends

Brief: Arch Linux joins the growing list of Linux distributions that terminated support for 32-bit systems.

Arch Linux has ended support for i686 architecture i.e 32-bit systems. This is not a sudden decision because an announcement was made in January this year. Decreasing popularity was cited as the driving factor behind this decision: “Due to the decreasing popularity of i686 among the developers and the community, we have decided to phase out the support of this architecture.”

Since March 2017, 32-bit images of Arch Linux have not been available. Which means you can only install Arch Linux 64-bit version for some time now. Existing 32-bit installs were given this ‘grace period’ to plan their switch to other Linux distributions that still support 32-bit processors.

After a 9-month deprecation period, the time has come to put 32-bit Arch into the ground.

Arch Linux broke the news yesterday that “By the end of November, i686 packages will be removed from our mirrors and later from the packages archive”. It also states that the [multilib] repository will not be affected.

In other words, Arch Linux 32-bit will stop getting any updates starting today. By the end of this month, Arch Linux distribution will only work on computers based on the x86_64 architectures i.e. 64-bit systems. The 32-bit Arch install will not get any kind of updates or install any program, practically making them useless.

Arch Linux 32-bit lives in the form of archlinux32

One of the reasons why I love Linux is its open source nature and the enthusiastic community.

Meet archlinux32, a community maintained fork of Arch Linux 32-bit. Check out their official website:

archlinux32

Transition instructions from Arch Linux to archlinux32 are also explained. Check out the transition instructions. A dual-bootable installation media has also been made available for users.

What do you think about Arch ending support for 32-bit systems? Please share your views in the comment section.

From: It’s FOSS

Share

How to Use GNOME Shell Extensions [Complete Guide]

By Abhishek Prakash

GNOME Shell Extension in action

Brief: This is a detailed guide showing you how to install GNOME Shell Extensions manually or easily via a browser.

While discussing how to install themes in Ubuntu 17.10, I briefly mentioned GNOME Shell Extension. It was used to enable user themes. Today, we’ll have a detailed look at GNOME Shell Extensions in Ubuntu 17.10.

I may use the term GNOME Extensions instead of GNOME Shell Extensions but both have the same meaning here.

What are GNOME Shell Extensions? How to install GNOME Shell Extensions? And how to manage and remove GNOME Shell Extensions? I’ll explain all these questions, one by one. Let’s start with knowing about GNOME Extensions first.

What is a GNOME Shell Extension?

A GNOME Shell Extension is basically a tiny piece of code that enhances the capability of GNOME desktop.

Think of it as an add-on in your browser. For example, you can install an add-on in your browser to disable ads. This add-on is developed by a third-party developer. Though your web browser doesn’t provide it by default, installing this add-on enhances the capability of your web browser.

Similarly, GNOME Shell Extensions are like those third-party add-ons and plugins that you can install on top of GNOME. These extensions are created to perform specific tasks such as display weather condition, internet speed etc. Mostly, you can access them in the top panel.

GNOME Shell Extension to display weather information

There are also GNOME Extensions that are not visible on the top panel. But they still tweak GNOME’s behavior. For example, middle mouse button can be used to close an application with one such extension.

Installing GNOME Shell Extensions

Now that you know what are GNOME Shell Extensions, let’s see how to install them. There are three ways you can use GNOME Extensions:

  • Use a minimal set of extensions from Ubuntu (or your Linux distribution)
  • Find and install extensions in your web browser
  • Download and manually install extensions

Before you learn how to use GNOME Shell Extensions, you should install GNOME Tweak Tool. You can find it in the Software Center. Alternatively, you can use this command:

sudo apt install gnome-tweak-tool

At times, you would also need to know the version of GNOME Shell you are using. This helps in determining whether an extension is compatible with your system or not. You can use the command below to find it:

gnome-shell --version

1. Use gnome-shell-extensions package [easiest and safest way]

Ubuntu (and several other Linux distributions such as Fedora) provide a package with a minimal set of GNOME extensions. You don’t have to worry about the compatibility here as it is tested by your Linux distribution.

If you want a no-brainer, just get this package and you’ll have 8-10 GNOME extensions installed.

sudo apt install gnome-shell-extensions

You’ll have to reboot your system (or maybe just restart GNOME Shell, I don’t remember it at this point). After that, start GNOME Tweaks and you’ll find a few extensions installed. You can just toggle the button to start using an installed extension.

Change GNOME Shell theme in Ubuntu 17.1
GNOME Shell Extensions in GNOME Tweaks tool

2. Install GNOME Shell extensions from a web browser

GNOME project has an entire website dedicated to extensions. That’s not it. You can find, install, and manage your extensions on this website itself. No need even for GNOME Tweaks tool.

GNOME Shell Extensions Website

But in order to install extensions a web browser, you need two things: a browser add-on and a native host connector in your system.

Step 1: Install browser add-on

When you visit the GNOME Shell Extensions website, you’ll see a message like this:

“To control GNOME Shell extensions using this site you must install GNOME Shell integration that consists of two parts: browser extension and native host messaging application.”

Installing GNOME Shell Extensions

You can simply click on the suggested add-on link by your web browser. You can install them from the link below as well:

Step 2: Install native connector

Just installing browser add-on won’t help you. You’ll still see an error like:

“Although GNOME Shell integration extension is running, native host connector is not detected. Refer documentation for instructions about installing connector”

How to install GNOME Shell Extensions

This is because you haven’t installed the host connector yet. To do that, use this command:

sudo apt install chrome-gnome-shell

Don’t worry about the ‘chrome’ prefix in the package name. It has nothing to do with Chrome. You don’t have to install a separate package for Firefox or Opera here.

Step 3: Installing GNOME Shell Extensions in web browser

Once you have completed these two requirements, you are all set to roll. Now when you go to GNOME Shell Extension, you won’t see any error message.

GNOME Shell Extension
It’s a good idea to sort the extensions for current version of GNOME

A good thing to do would be to sort the extensions by your GNOME Shell version. It is not mandatory though. What happens here is that a developer creates an extension for the present GNOME version. In one year, there will be two more GNOME releases. But the developer didn’t have time to test or update his/her extension.

As a result, you wouldn’t know if that extension is compatible with your system or not. It’s possible that the extension works fine even in the newer GNOME Shell version despite that the extension is years old. It is also possible that the extension doesn’t work in the newer GNOME Shell.

You can search for an extension as well. Let’s say you want to install a weather extension. Just search for it and go for one of the search results.

When you visit the extension page, you’ll see a toggle button.

Installing GNOME Shell Extension
Toggle the button to enable or disable GNOME Shell Extensions

Click on it and you’ll be prompted if you want to install this extension:

Install GNOME Shell Extensions via web browser

Obviously, go for Install here. Once it’s installed, you’ll see that the toggle button is now on and there is a setting option available next to it. You can configure the extension using the setting option. You can also disable the extension from here.

Configuring installed GNOME Shell Extensions
Extensions can be configured via browser

You can also configure the settings of an extension that you installed via the web browser in GNOME Tweaks tool:

GNOME Tweaks to handle GNOME Shell Extensions
Installed extensions will always be accessible in Tweaks

You can see all your installed extensions on the website under installed extensions section. You can also delete the extensions that you installed via web browser here

Manage your installed GNOME Shell Extensions
Manage your installed GNOME Shell Extensions

One major advantage of using the GNOME Extensions website is that you can see if there is an update available for an extension. You won’t get it in GNOME Tweaks or system update.

3. Install GNOME Shell Extensions manually

It’s not that you have to be always online to install GNOME Shell extensions. You can download the files and install it later, without needing internet.

Go to GNOME Extensions website and download the extension with the latest version.

Download GNOME Shell Extension
Download GNOME Shell Extension

Extract the downloaded file. Copy the folder to ~/.local/share/gnome-shell/extensions directory. Go to your Home directory and press Crl+H to show hidden folders. Locate .local folder here and from there, you can find your path till extensions directory.

Once you have the files copied in the correct directory, go inside it and open metadata.json file. Look for the value of uuid.

Make sure that the name of the extension’s folder is same as the value of uuid in the metadata.json file. If not, rename the directory to the value of this uuid.

Manually install GNOME Shell extension
Name of extension folder should be the same as uuid

Almost there! Now restart GNOME Shell. Press Alt+F2 and enter r to restart GNOME Shell.

Restart GNOME Shell

Restart GNOME Tweaks tool as well. You should see the manually installed GNOME extension in the Tweak tool now. You can configure or enable the newly installed extension here.

And that’s all you need to know about installing GNOME Shell Extensions.

Remove GNOME Shell Extensions

It is totally understandable that you might want to remove an installed GNOME Shell Extension.

If you installed it via a web browser, you can go to the installed extensions section on GNOME website and remove it from there (as shown in an earlier picture).

If you installed it manually, you can remove it by deleting the extension files from ~/.local/share/gnome-shell/extensions directory.

Bonus Tip: Get notified of GNOME Shell Extensions updates

By now you have realized that there is no way to know if an update is available for a GNOME Shell extension except for visiting the GNOME extension website.

Luckily for you, there is a GNOME Shell Extension that notifies you if there is an update available for an installed extension. You can get it from the link below:

Extension Update Notifier

How do you manage GNOME Shell Extensions

I find it rather weird that you cannot update the extensions via the system updates. It’s as if GNOME Shell extensions are not even part of the system.

I’ll write a separate article about best GNOME Shell extensions in coming days. Meanwhile, share your experience with GNOME Shell extensions. Do you often use them? If yes, which ones are your favorite?

From: It’s FOSS

Share

How to Use GNOME Shell Extensions [Complete Guide]

By Abhishek Prakash

GNOME Shell Extension in action

Brief: This is a detailed guide showing you how to install GNOME Shell Extensions manually or easily via a browser.

While discussing how to install themes in Ubuntu 17.10, I briefly mentioned GNOME Shell Extension. It was used to enable user themes. Today, we’ll have a detailed look at GNOME Shell Extensions in Ubuntu 17.10.

I may use the term GNOME Extensions instead of GNOME Shell Extensions but both have the same meaning here.

What are GNOME Shell Extensions? How to install GNOME Shell Extensions? And how to manage and remove GNOME Shell Extensions? I’ll explain all these questions, one by one.

Before that, if you prefer video, I have demonstrated all these on It’s FOSS YouTube channel. I highly recommend that you subscribe to it for more Linux videos.

What is a GNOME Shell Extension?

A GNOME Shell Extension is basically a tiny piece of code that enhances the capability of GNOME desktop.

Think of it as an add-on in your browser. For example, you can install an add-on in your browser to disable ads. This add-on is developed by a third-party developer. Though your web browser doesn’t provide it by default, installing this add-on enhances the capability of your web browser.

Similarly, GNOME Shell Extensions are like those third-party add-ons and plugins that you can install on top of GNOME. These extensions are created to perform specific tasks such as display weather condition, internet speed etc. Mostly, you can access them in the top panel.

GNOME Shell Extension to display weather information

There are also GNOME Extensions that are not visible on the top panel. But they still tweak GNOME’s behavior. For example, middle mouse button can be used to close an application with one such extension.

Installing GNOME Shell Extensions

Now that you know what are GNOME Shell Extensions, let’s see how to install them. There are three ways you can use GNOME Extensions:

  • Use a minimal set of extensions from Ubuntu (or your Linux distribution)
  • Find and install extensions in your web browser
  • Download and manually install extensions

Before you learn how to use GNOME Shell Extensions, you should install GNOME Tweak Tool. You can find it in the Software Center. Alternatively, you can use this command:

sudo apt install gnome-tweak-tool

At times, you would also need to know the version of GNOME Shell you are using. This helps in determining whether an extension is compatible with your system or not. You can use the command below to find it:

gnome-shell --version

1. Use gnome-shell-extensions package [easiest and safest way]

Ubuntu (and several other Linux distributions such as Fedora) provide a package with a minimal set of GNOME extensions. You don’t have to worry about the compatibility here as it is tested by your Linux distribution.

If you want a no-brainer, just get this package and you’ll have 8-10 GNOME extensions installed.

sudo apt install gnome-shell-extensions

You’ll have to reboot your system (or maybe just restart GNOME Shell, I don’t remember it at this point). After that, start GNOME Tweaks and you’ll find a few extensions installed. You can just toggle the button to start using an installed extension.

Change GNOME Shell theme in Ubuntu 17.1
GNOME Shell Extensions in GNOME Tweaks tool

2. Install GNOME Shell extensions from a web browser

GNOME project has an entire website dedicated to extensions. That’s not it. You can find, install, and manage your extensions on this website itself. No need even for GNOME Tweaks tool.

GNOME Shell Extensions Website

But in order to install extensions a web browser, you need two things: a browser add-on and a native host connector in your system.

Step 1: Install browser add-on

When you visit the GNOME Shell Extensions website, you’ll see a message like this:

“To control GNOME Shell extensions using this site you must install GNOME Shell integration that consists of two parts: browser extension and native host messaging application.”

Installing GNOME Shell Extensions

You can simply click on the suggested add-on link by your web browser. You can install them from the link below as well:

Step 2: Install native connector

Just installing browser add-on won’t help you. You’ll still see an error like:

“Although GNOME Shell integration extension is running, native host connector is not detected. Refer documentation for instructions about installing connector”

How to install GNOME Shell Extensions

This is because you haven’t installed the host connector yet. To do that, use this command:

sudo apt install chrome-gnome-shell

Don’t worry about the ‘chrome’ prefix in the package name. It has nothing to do with Chrome. You don’t have to install a separate package for Firefox or Opera here.

Step 3: Installing GNOME Shell Extensions in web browser

Once you have completed these two requirements, you are all set to roll. Now when you go to GNOME Shell Extension, you won’t see any error message.

GNOME Shell Extension
It’s a good idea to sort the extensions for current version of GNOME

A good thing to do would be to sort the extensions by your GNOME Shell version. It is not mandatory though. What happens here is that a developer creates an extension for the present GNOME version. In one year, there will be two more GNOME releases. But the developer didn’t have time to test or update his/her extension.

As a result, you wouldn’t know if that extension is compatible with your system or not. It’s possible that the extension works fine even in the newer GNOME Shell version despite that the extension is years old. It is also possible that the extension doesn’t work in the newer GNOME Shell.

You can search for an extension as well. Let’s say you want to install a weather extension. Just search for it and go for one of the search results.

When you visit the extension page, you’ll see a toggle button.

Installing GNOME Shell Extension
Toggle the button to enable or disable GNOME Shell Extensions

Click on it and you’ll be prompted if you want to install this extension:

Install GNOME Shell Extensions via web browser

Obviously, go for Install here. Once it’s installed, you’ll see that the toggle button is now on and there is a setting option available next to it. You can configure the extension using the setting option. You can also disable the extension from here.

Configuring installed GNOME Shell Extensions
Extensions can be configured via browser

You can also configure the settings of an extension that you installed via the web browser in GNOME Tweaks tool:

GNOME Tweaks to handle GNOME Shell Extensions
Installed extensions will always be accessible in Tweaks

You can see all your installed extensions on the website under installed extensions section. You can also delete the extensions that you installed via web browser here

Manage your installed GNOME Shell Extensions
Manage your installed GNOME Shell Extensions

One major advantage of using the GNOME Extensions website is that you can see if there is an update available for an extension. You won’t get it in GNOME Tweaks or system update.

3. Install GNOME Shell Extensions manually

It’s not that you have to be always online to install GNOME Shell extensions. You can download the files and install it later, without needing internet.

Go to GNOME Extensions website and download the extension with the latest version.

Download GNOME Shell Extension
Download GNOME Shell Extension

Extract the downloaded file. Copy the folder to ~/.local/share/gnome-shell/extensions directory. Go to your Home directory and press Crl+H to show hidden folders. Locate .local folder here and from there, you can find your path till extensions directory.

Once you have the files copied in the correct directory, go inside it and open metadata.json file. Look for the value of uuid.

Make sure that the name of the extension’s folder is same as the value of uuid in the metadata.json file. If not, rename the directory to the value of this uuid.

Manually install GNOME Shell extension
Name of extension folder should be the same as uuid

Almost there! Now restart GNOME Shell. Press Alt+F2 and enter r to restart GNOME Shell.

Restart GNOME Shell
Restart GNOME Shell

Restart GNOME Tweaks tool as well. You should see the manually installed GNOME extension in the Tweak tool now. You can configure or enable the newly installed extension here.

And that’s all you need to know about installing GNOME Shell Extensions.

Remove GNOME Shell Extensions

It is totally understandable that you might want to remove an installed GNOME Shell Extension.

If you installed it via a web browser, you can go to the installed extensions section on GNOME website and remove it from there (as shown in an earlier picture).

If you installed it manually, you can remove it by deleting the extension files from ~/.local/share/gnome-shell/extensions directory.

Bonus Tip: Get notified of GNOME Shell Extensions updates

By now you have realized that there is no way to know if an update is available for a GNOME Shell extension except for visiting the GNOME extension website.

Luckily for you, there is a GNOME Shell Extension that notifies you if there is an update available for an installed extension. You can get it from the link below:

Extension Update Notifier

How do you manage GNOME Shell Extensions?

I find it rather weird that you cannot update the extensions via the system updates. It’s as if GNOME Shell extensions are not even part of the system.

If you are looking for some recommendation, read this article about best GNOME extensions. At the same time, share your experience with GNOME Shell extensions. Do you often use them? If yes, which ones are your favorite?

From: It’s FOSS

Share

How to Install Firefox Quantum in Ubuntu and other Linux Right Now

By Abhishek Prakash

How to install Firefox Quantum in Linux

Brief: The game-changing Firefox Quantum is here to reclaim the lost userbase. Here’s how to install Firefox Quantum in Linux right now.

The latest version of Mozilla’s web browser Firefox is called Quantum because it’s blazing fast. It has been coded in Rust instead of the usual C++ and it is the first web browser to truly utilize the power of a multi-core processor.

Because of these changes, Mozilla claims that Firefox is two times faster and takes 30% less power than its previous release.

It’s not just Mozilla who is claiming things on its own. There has been lots of buzz around Quantum release. It is touted as a game-changing release that will help Firefox gain its lost userbase to Google Chrome.

Installing Firefox Quantum in Ubuntu and other Linux

Ideally, Firefox Quantum has been released. But it will be sometime before your Linux distribution makes it available for you. But since I couldn’t wait, I thought of installing it before it is officially available from Ubuntu.

Before you go on manually installing Firefox Quantum, I advise you to run the system update and see if it is already available. If not, here is how to upgrade it.

One more warning, if you are installing a new version of Firefox afresh (instead of a regular update via your system update) you will lose the bookmarks, history etc. So make sure that you make a backup or use Firefox Sync account.

If you too cannot wait, I’ll show you how to install Firefox 57 Quantum in any Linux distribution right now. The tutorial is divided into three parts:

  • Just run Firefox Quantum and test how it looks and works. This won’t replace your existing Firefox browser.
  • Install the Firefox Quantum and do some tweaks to replace your existing Firefox with Quantum with proper desktop icon and menu search support.
  • Use the development PPA from Firefox to easily install it on Ubuntu based Linux distributions.

Method 1: Use Firefox Quantum without replacing the older Firefox

You won’t be able to use a number of add-ons and extensions in Firefox Quantum. Perhaps for this reason, you would want to keep using Firefox 56.

But hey, everyone is talking about how awesome Firefox Quantum is. So you may want to try your hands on it.

Good thing is that you can do that without replacing your existing Firefox install. Let’s see how:

Step 1:

Download it from the official website:

Download Firefox Quantum

Step 2:

Extract the downloaded file (just right click on it and you’ll see the option) and Go to the extracted folder. If you have an older version of Firefox running, stop it.

Step 3:

Look for an executable file called Firefox. Now double click on the Firefox executable file to run the Firefox Quantum.

Firefox Quantum in Ubuntu Linux

Method 2: Install Firefox Quantum in Linux by replacing the older Firefox [with desktop icon and menu search support]

If you just used the above method and decided that you want to keep using Firefox Quantum, let’s see how to replace the older Firefox and make Quantum the default Firefox. This method will enable you to access the newer Firefox Quantum like a regular install. Which means you’ll have the icons in the launcher, it could be searchable in menu etc.

Let’s see how to do it.

Step 1:

If you haven’t done already, download Firefox Quantum from its official website:

Download Firefox Quantum

Step 2:

If you haven’t extracted it already, open a terminal and use the following commands to extract it.

cd ~/Downloads/
tar xjf firefox-57.0.tar.bz2

Step 3:

We’ll copy the extracted files in /opt location. It’s a standard practice to use /opt directory to keep application files.

Just to make sure that you don’t have a Firefox there already, run the command below:

sudo rm -r /opt/firefox

Now move the extracted Firefox Quantum directory to /opt

sudo mv ~/Downloads/firefox /opt/firefox

Step 4:

Just in case, if you want to use the older Firefox, make a backup of it:

sudo mv /usr/bin/firefox /usr/bin/firefox_old

Now create a symbolic link to the new Firefox 57 using the command below:

sudo ln -s /opt/firefox/firefox /usr/bin/firefox

And that’s it. You’ll see that when you start Firefox now, it uses the new Quantum version.

Method 3: Upgrading via PPA in Ubuntu, Linux Mint and elementary OS

Update: Firefox Quantum is already available in Ubuntu now so you just need to update your system and you shall have the new Firefox Quantum.

Mozilla has an official PPA to test the beta version. You can use the same PPA to install Firefox Quantum.

Open a terminal and enter the following command one by one:

sudo add-apt-repository ppa:mozillateam/firefox-next
sudo apt update && sudo apt upgrade

If you already have Firefox installed, you’ll see that it has been metamorphosed into Quantum. Firefox logo changed immediately.

Firefox Quantum vs Firefox 56 logo

Apart from the logo, you’ll also notice that the UI has been changed as well. It looks more like Opera now.

Firefox Quantum in Ubuntu Linux

In case you don’t have Firefox installed already, you can use the command below to install it:

sudo apt install firefox

That’s it. You can enjoy the newer, faster and better Firefox.

Revert Firefox Quantum to Firefox 56

If you do not like Firefox Quantum, you can remove it and install the stable Firefox 56. Though you won’t be able to enjoy Firefox 56 for long as it will be upgraded to Firefox 57 Quantum gradually.

To do that, use the commands below:

sudo apt remove firefox

sudo add-apt-repository --remove ppa:mozillateam/firefox-next

sudo apt install firefox

You should be back to the normal Firefox.

How is Firefox Quantum?

If you try Firefox Quantum, don’t forget to share your experience with it. Is it really as great as people say?

From: It’s FOSS

Share

How to Install Firefox Quantum in Ubuntu Right Now

By Abhishek Prakash

Firefox Quantum Wallpaper

Brief: If you cannot wait for the official release of the game-changing Firefox Quantum, you can install the beta version right now.

The upcoming version of Mozilla’s web browser Firefox is called Quantum because it’s blazing fast. It has been coded in Rust instead of the usual C++ and it is the first web browser to utilize the power of a multi-core processor.

There has been lots of buzz around Quantum release. It is touted as a game-changing release that will help Firefox gain its lost userbase to Google Chrome.

Ideally, Firefox Quantum should be released this month. But since I wanted to test it, I thought of installing it before its official release.

Installing Firefox Quantum beta in Ubuntu Linux

Warning: Your existing Firefox install will be upgraded to an unstable version of Quantum. A number of existing add-ons and extension won’t work in the newer version. Of course, you can remove Quantum and go back to the older and slower stable Firefox 56 by reinstalling it.

Mozilla has an official PPA to test the beta version. You can use the same PPA to install Firefox Quantum.

Open a terminal and enter the following command one by one:

sudo add-apt-repository ppa:mozillateam/firefox-next
sudo apt update

If you already have Firefox installed, you’ll see that it has been metamorphosed into Quantum. Firefox logo changed immediately.

Firefox Quantum vs Firefox 56 logo

In case you don’t have Firefox installed already, you can use the command below to install it:

sudo apt install firefox

That’s it. You can enjoy the newer, faster and better Firefox.

Firefox Quantum in Ubuntu Linux

Revert Firefox Quantum beta to Firefox stable

If you do not like the beta version of Firefox Quantum, you can remove it and install the stable Firefox 56.

To do that, use the commands below:

sudo apt remove firefox

sudo add-apt-repository --remove ppa:mozillateam/firefox-next

sudo apt install firefox

You should be back to the normal Firefox.

How is Firefox Quantum?

If you try Firefox Quantum, don’t forget to share your experience with it. Is it really as great as people say?

From: It’s FOSS

Share

How to Show Battery Percentage in Ubuntu 17.10 [Quick Tip]

By Abhishek Prakash

GNOME Tweaks tool in Ubuntu 17.10

Brief: This quick tip shows you how to display battery percentage in Ubuntu 17.10 that uses GNOME desktop environment.

One of the radical new features in Ubuntu 17.10 is the introduction of GNOME as the default desktop environment. And since it is a whole new desktop environment, finding small things like displaying battery percentage on the top panel can be tricky.

In Unity, you could show battery percentage of laptops from the system settings itself. However, that’s not the case in GNOME desktop used by Ubuntu 17.10. You’ll have to use a dedicated tool like GNOME Tweaks. Let’s see how to do this.

How to show battery percentage in Ubuntu 17.10

You can use the dconf editor for this task but we’ll be using GNOME Tweaks here. You can also use GNOME Tweaks to install themes in Ubuntu 17.10.

Step 1: Install GNOME Tweaks tool

Installing GNOME Tweaks too is fairly simple. Just search for it in the Software Center.

Alternatively, you can also use the command below to install GNOME Tweaks:

sudo apt install gnome-tweak-tool

Step 2: Enable battery percentage in GNOME Tweaks tool

Once installed, start the Tweaks tool by searching for it in applications. Use Super a.k.a. Windows key to bring up the search option.

In here, go to Top Bar in the left sidebar and then toggle the option of Battery Percentage in the right sidebar.

Display battery percentage in Ubuntu GNOME

The changes take place immediately. You can see that your laptop’s battery percentage is displayed in the top right corner:

Display battery ercentage in Ubuntu 17.10 and 18.04

I prefer to see the battery percentage, be it my laptop or my phone. It gives you an accurate idea of how much battery is remaining on the system instead of you trying to guess from those tiny bars in the battery icon.

I think I should include it in one of the first things to do after installing Ubuntu 17.10. What do you think?

From: It’s FOSS

Share

How to Show Battery Percentage in Ubuntu 17.10 [Quick Tip]

By Abhishek Prakash

GNOME Tweaks tool in Ubuntu 17.10

Brief: This quick tip shows you how to display battery percentage in Ubuntu 17.10 that uses GNOME desktop environment.

One of the radical new features in Ubuntu 17.10 is the introduction of GNOME as the default desktop environment. And since it is a whole new desktop environment, finding small things like displaying battery percentage on the top panel can be tricky.

In Unity, you could show battery percentage of laptops from the system settings itself. However, that’s not the case in GNOME desktop used by Ubuntu 17.10. You’ll have to use a dedicated tool like GNOME Tweaks. Let’s see how to do this.

How to show battery percentage in Ubuntu 17.10

You can use the dconf editor for this task but we’ll be using GNOME Tweaks here. You can also use GNOME Tweaks to install themes in Ubuntu 17.10.

Step 1: Install GNOME Tweaks tool

Installing GNOME Tweaks too is fairly simple. Just search for it in the Software Center.

Alternatively, you can also use the command below to install GNOME Tweaks:

sudo apt install gnome-tweak-tool

Step 2: Enable battery percentage in GNOME Tweaks tool

Once installed, start the Tweaks tool by searching for it in applications. Use Super a.k.a. Windows key to bring up the search option.

In here, go to Top Bar in the left sidebar and then toggle the option of Battery Percentage in the right sidebar.

Display battery percentage in Ubuntu GNOME

The changes take place immediately. You can see that your laptop’s battery percentage is displayed in the top right corner:

Display battery ercentage in Ubuntu 17.10 and 18.04

I prefer to see the battery percentage, be it my laptop or my phone. It gives you an accurate idea of how much battery is remaining on the system instead of you trying to guess from those tiny bars in the battery icon.

I think I should include it in one of the first things to do after installing Ubuntu 17.10. What do you think?

From: It’s FOSS

Share