Today, the three Raspberry Pis that we have on our network went down. They were all running Raspbian (Debian for Raspberry Pi) Stretch.

While this issue can be solved, it is serious enough to require to remove the micro-SD card and manually fix the the root filesystem. Therefore, it seems you cannot fix this issue unless you have physical access to your system.

Here are details to attract attention to this issue…

As I started telling you, our systems were down, well almost. Some services were still running, as they were still responding to ping through our VPN. However, SSH access was no longer available:

$ ssh scan
ssh_exchange_identification: Connection closed by remote host

After connecting a serial cable to one of the Pis, and adding init=/bin/sh to the /boot/cmdline.txt file. I found that I couldn’t seem to execute at least some executables. Everything I tried to execute was causing a segmentation fault.

It was time to remove the micro-SD card and look at system logs. Inspecting /var/log/apt/history.log revealed that the raspi-copies-and-fills package was updated yesterday (March. 11, 2019). This allowed me to make a search for issue reports with this package name. Indeed, before having such a lead, I couldn’t find what I was looking for, as there are too many discussions about the use of the Raspberry Pi! So, here’s what I quickly found following this lead:

raspi-copies-and-fills package gone AWOL? (Raspberry Pi forums)
Ras3 crashes after update (Raspberry Pi forums)

These posts have all details. All you need to do is take away the micro-SD card, repair the second partition with e2fsck -f /dev/mmcblk0p2 and remove the etc/ld.so.preload file inside this partition.

Note, that at the time of this writing, this issue has already been fixed, so it is safe to upgrade your Pi if it is still up and running, or right after repairing your Raspbian root filesystem.

This incident is very unfortunate, as you need to physically access your board to recover from it. I hope you don’t run updates as frequently as we do (or right after the time when the update was issued), and that your Pis are not impacted, otherwise possibly forcing you to travel or to crawl into difficult to access places to reach your boards.

However, I don’t want blame the community volunteers running Raspbian. They have made a terrific job maintaining this distro which had been flawlessly running for more many years on our systems. This seems as good as what we get from commercial distributions.

I hope that not too many services ran by Raspberry Pis will be disrupted because of this issue. However, that may be yet another way to prove how popular such devices are.

MACsec is an IEEE standard (IEEE 802.1AE) for MAC security, introduced in 2006. It defines a way to establish a protocol independent connection between two hosts with data confidentiality, authenticity and/or integrity, using GCM-AES-128. MACsec operates on the Ethernet layer and as such is a layer 2 protocol, which means it’s designed to secure traffic within a layer 2 network, including DHCP or ARP requests. It does not compete with other security solutions such as IPsec (layer 3) or TLS (layer 4), as all those solutions are used for their own specific use cases.

We have recently worked on enabling hardware offloading of MACsec operations on a Microsemi VSC8584 Ethernet PHY in Linux, by contributing support for MACsec offloading to the Linux networking stack. In this blog post, we present this work through an introduction to MACsec, details on the current state of MACsec support in Linux and finally our work to support MACsec hardware offloading.

Introduction to MACsec

MACsec uses its own frame format with its own EtherType (a 2-bytes field found in Ethernet frames to indicate what the protocol encapsulated in the payload is). As an example, when encapsulating an IPv4 frame, we would have Ethernet<MACsec<IPv4 instead of Ethernet<IPv4.

The MACsec configuration within a node is represented at the top level by Secure Channels. A secure channel is identified by its SCI (Secure Channel Identifier) and contains parameters such as the encryption, protection and replay protection booleans. A secure channel is either a transmit or a receive one: the receive secure channel configuration on a given host should match the transmit one of another host for MACsec traffic to flow successfully.

Within each secure channel, security associations are described. They are identified by an association number and define the encryption/decryption keys used and the current packet number, which is used for replay protection.

MACsec support in Linux

Linux has a software implementation of MACsec, found at drivers/net/macsec.c, which was introduced by Red Hat engineer Sabrina Dubroca in 2016 and available since Linux 4.5. The support is implemented as full virtual network devices, on per transmit secure channel, attached to a parent network device. The parent interface only sees raw packets, which are in the MACsec case raw Ethernet packets with protected or encrypted content. This design is very similar to other supported protocols in Linux such as VLANs.

MACsec support was also introduced in iproute2, a collection of utilities aiming at configuring various networking parts of the kernel (interfaces management, IP configuration, routes…). The command to use is ip macsec.

If we were to configure a secure channel between two hosts we would first need to create a virtual MACsec interface (representing a transmit secure channel) on both hosts, on top of a physical network interface. Let’s say we use eth0 on both our hosts (Alice and Bob), and we want to encrypt the MACsec traffic:

Alice # ip macsec add link eth0 macsec0 type macsec encrypt on
  Bob # ip macsec add link eth0 macsec0 type macsec encrypt on

The next step would be to configure matching receiving secure channel on both hosts:

Alice # ip macsec add macsec0 rx port 1 address <Bob's eth0 MAC>
  Bob # ip macsec add macsec0 rx port 1 address <Alice's eth0 MAC>

We would then configure the transmit channels, and for each we would need to generate a key:

Alice # hexdump -n 16 -e '4/4 "%08x" 1 "\n"' /dev/random
d29a43c8cba96a325f6b6a40a214c58c
Alice # ip macsec add macsec0 tx sa 0 pn 1 \
        on key d29a43c8cba96a325f6b6a40a214c58c

Bob # hexdump -n 16 -e '4/4 "%08x" 1 "\n"' /dev/random
a1e15a1d91222196fde87b2d75a4fac0
Bob # ip macsec add macsec0 tx sa 0 pn 1 \
      on key a1e15a1d91222196fde87b2d75a4fac0

We finally need to configure the receive channels, so that the hosts can authenticate and decrypt packets:

Alice # ip macsec add macsec0 rx port 1 \
        address <Bob's MAC> sa 0 pn 1   \
        on key 00 a1e15a1d91222196fde87b2d75a4fac0
 
  Bob # ip macsec add macsec0 rx port 1 \
        address <Alice's MAC> sa 0 pn 1 \
        on key 00 d29a43c8cba96a325f6b6a40a214c58c

Once all of the MACsec configuration is done we would be able to exchange traffic between Alice and Bob, using authenticated and encrypted packets:

Alice # ip link set macsec0 up
Alice # ip addr add 192.168.42.1/24 dev macsec0

  Bob # ip link set macsec0 up
  Bob # ip addr add 192.168.42.2/24 dev macsec0

What’s coming next: hardware offloading

There are hardware devices featuring a MACsec transformation implementation which can be used to offload the frame generation and encryption / authentication of MACsec frames (for both ingress and egress frames). The benefit of hardware offloading is to discharge the CPU from doing certain operations (in our case MACsec transformations) by doing them in a dedicated hardware engine, which may or may not provide better performance. The idea is essentially to free the CPU from being used by a single application so that the system in its whole runs better.

MACsec offloading devices aren’t currently supported in the Linux kernel and no generic infrastructure is available to delegate MACsec operation to a given hardware device. At Bootlin over the last months we worked on adding such an infrastructure and support for offloading MACsec operations to a first device.

This work was done in two steps. First we needed to extend the current MACsec implementation to propagate commands and configuration to hardware drivers. Our idea was to leverage the current MACsec software implementation to use the exact same commands described above to setup an hardware accelerated MACsec connection, when a Linux networking port supports it. This should allow to have a more maintainable implementation as well.

We then worked on implementing a MACsec specific helper in a networking PHY driver : the Microsemi VSC8584 Ethernet PHY. This PHY has a MACsec engine which can be used to match flows and to perform MACsec transformations and operations. When configured packets can be encrypted and decrypted, protected and validated, without the CPU intervention.

Conclusion

We recently sent a first version of patch series to the Linux network mailing list, which is currently being discussed. This series of patches introduces both the hardware offloading support for MACsec and the ability to offload MACsec operations to a first hardware engine. We hope support for other MACsec engines will come after!

Here are details about booting the Beagle Bone Black Wireless board through NFS. I’m writing this here because it doesn’t seem to be documented anywhere else (except in our Linux kernel and driver development course, for which I had to support this feature).

Why

Booting a board on a root filesystem that is a directory on your workstation (development PC) or on a server, shared through the network, is very convenient for development purposes.

For example, you can update kernel modules or programs by recompiling them on your PC, and the target board will immediately “see” the updates. There’s no need to transfer them in some way.

Doing this is quite straightforward on boards that have an Ethernet port, and well documented throughout the Internet (see our instructions). However, things get more complicated with boards that have no such port, such as the Beagle Bone Black Wireless or the Pocket Beagle.

The Beagle Bone Black Wireless board has WiFi support, but booting on NFS directly from the kernel (instead of using an initramfs) is another kind of challenge.

Something easier to use is networking over USB device (also called USB gadget as our operating system is running on the USB device side), which is supported by both Linux and U-Boot.

Note that the below instructions also work on the original Beagle Bone Black, bringing the convenience of not having to use an RJ45 cable. All you need is the USB device cable that you’re using for power supply too.

These instructions should also support the Pocket Beagle board, which is similar, though much simpler.

Preparing U-Boot

This part may just work out of the box if the U-Boot version on your board is recent and was built using the default configuration for your board.

If that’s not the case, you can reflash U-Boot on your board using our instructions.

Now, let’s configure networking in U-Boot:

• ipaddr: IP address of the board
• serverip: IP address of your PC or server

setenv ipaddr 192.168.0.100
setenv serverip 192.168.0.1

Make sure that this address belongs to a separate network segment from the one used by your PC to connect to the network.

We also need to configure Ethernet over USB device:

• ethact: controls which interface is currently active.
• usbnet_devaddr: MAC address on the device side
• usbnet_hostaddr: MAC address on the host side

setenv ethact usb_ether
setenv usbnet_devaddr f8:dc:7a:00:00:02
setenv usbnet_hostaddr f8:dc:7a:00:00:01
saveenv

Note that the above MAC addresses are arbitrary.

Configure your PC

These instructions have been tested on Ubuntu 18.04, but they should be easy to adapt on other GNU/Linux distributions.

To configure your network interface on the workstation side, we need to know the name of the network interface connected to your board.

However, you won’t be able to see the network interface corresponding to the Ethernet over USB device connection yet, because it’s only active when the board turns it on, from U-Boot or from Linux. When this happens, the network interface name will be enx. Given the value we gave to usbnet_hostaddr, it will therefore be enxf8dc7a000001.

Then, instead of configuring the host IP address from NetWork Manager’s graphical interface, let’s do it through its command line interface, which is so much easier to use:

nmcli con add type ethernet ifname enxf8dc7a000001 ip4 192.168.0.1/24

To download the kernel and device tree blob which are also on your PC, let’s install a TFTP server on it:

sudo apt install tftpd-hpa

You can then test the TFTP connection, which is also a way to test that USB networking works. First, put a small text file in /var/lib/tftpboot.

Then, from U-Boot, do:

tftp 0x81000000 textfile.txt

The tftp command should have downloaded the textfile.txt file from your development workstation into the board’s RAM at location 0x81000000. You can verify that the download was successful by dumping the contents of memory:

md 0x81000000

We are now ready to load and boot a Linux kernel!

Kernel configuration

These instructions were tested with Linux 4.19

Configuring and cross-compiling the Linux kernel for the board is outside the scope of this article, but again, such information is easy to find (such as in our training slides).

Here, we’re just sharing the Linux kernel configuration settings that are needed for networking over USB device. Since they are not supported by the default configuration file for the omap2plus CPU family (for several reasons that were discussed on the Linux kernel mainling list), it took a bit of time to figure out which ones were needed. Here they are:

Add the below options to support networking over USB device:

• CONFIG_USB_GADGET=y
• CONFIG_USB_MUSB_HDRC=y: Driver for the USB OTG controller
• CONFIG_USB_MUSB_GADGET=y: Use the USB OTG controller in device (gadget) mode
• CONFIG_USB_MUSB_DSPS=y
• Check the dependencies of CONFIG_AM335X_PHY_USB. You need to set CONFIG_NOP_USB_XCEIV=y to be able to set CONFIG_AM335X_PHY_USB=y
• Find the ”USB Gadget precomposed configurations” menu and set it to static instead of module so that CONFIG_USB_ETH=y

How did I found out which settings were needed? I had to check the device tree to find the USB device controller. Then, using git grep, I found the driver that was supporting the corresponding compatible string. Then, looking at the Makefile in the driver directory, I found which kernel configuration settings were needed.

When compiling is over, copy the zImage and am335x-boneblack-wireless.dtb files to the TFTP server home directory (/var/lib/tftpboot).

You also need an NFS server on your workstation:

sudo apt install nfs-kernel-server

Then edit the /etc/exports file as root to add the following line, assuming that the IP address of your board will be 192.168.0.100:

/home/user/nfsroot 192.168.0.100(rw,no_root_squash,no_subtree_check)

(If you don’t have a root filesystem yet, you can use the one in our lab data archive.)

Then, restart the NFS server:

sudo /etc/init.d/nfs-kernel-server restart

Configuring the kernel command line

Back to the U-Boot command line, configure the kernel command line by setting the bootargs environment variable (all in just one line):

setenv bootargs root=/dev/nfs rw ip=192.168.0.100:::::usb0 console=ttyO0,115200n8 g_ether.dev_addr=f8:dc:7a:00:00:02 g_ether.host_addr=f8:dc:7a:00:00:01 nfsroot=192.168.0.1:/home/user/nfsroot,nfsvers=3

Also set the series of commands to run at boot time:

setenv bootcmd 'tftp 0x81000000 zImage; tftp 0x82000000 am335x-boneblack-wireless.dtb; bootz 0x81000000 - 0x82000000'
saveenv

You are ready to boot:

boot

Now check the kernel log and make sure an IP address is correctly assigned to your board by Linux. If NFS booting doesn’t work yet, that could be because of NFS server or client issues. If that’s the case, you should find details in the NFS server logs in /var/log/syslog on your PC.

First of all, the entire team at Bootlin wishes you a Happy New Year, and best wishes for 2019 in your personal and professional life. The beginning of the new year is a good time to look back and see the achievements of the past year, which is why we review the 2018 year in terms of Bootlin news and activity:

• We’re now called Bootlin
• Kernel contributions
• U-Boot contributions
• Other contributions
• Other engineering projects
• Conferences
• Training
• Office expansion
• Recruiting
• Financial support

We’re now called Bootlin

Due to a legal battle related to trademarks, we decided to change our name to Bootlin at the beginning of 2018. The company was not sold or purchased, it is still owned by the same people, and driven by the same team of engineers. This change of name obviously took a lot of time, which could have been used for other more productive contribution activities, but it’s finally done, and in 2019 we can move on and leave this legal battle behind us. See our blog post for more details.

Kernel contributions

In 2018, we contributed to the 4.15, 4.16, 4.17, 4.18, 4.19 and 4.20 kernel releases a total of 1365 commits, putting Bootlin regularly in the top 20 companies contributing to the Linux kernel.

Our most significant contributions have been:

• Thanks to a successful crowdfunding campaign launched in February, we have been able to dedicate enough time to develop and upstream a Linux kernel driver and associated user-space library to support hardware-accelerated video decoding on Allwinner processors. This was a massive effort as it required discussing with the Linux kernel community a new set of userspace interfaces to support stateless video decoders. The base of our driver was merged in Linux 4.20 and supports only MPEG2 decoding. Support for H264 and H265 decoding is ready and has been posted several times, but discussions on the userspace interface are still on-going. See our numerous blog posts and especially the end of year status.
• We have developed and contributed a brand new Linux kernel subsystem to support the MIPI I3C bus, a modern bus offering an alternative to SPI or I2C. Being vastly different from I2C, it required a completely separate subsystem located in drivers/i3c/. Along with the core subsystem itself, we developed a driver for the Cadence I3C master, and a driver for a Cadence I3C GPIO expander. See our blog posts on I3C for more details.
• We contributed a new interface called exec_op for NAND flash controller drivers, which allows the MTD subsystem to more easily support optimized NAND flash controllers and vendor-specific NAND commands. This new interface was originally developed for the Marvell NAND controller driver, but a number of other drivers have been converted since then, and all new drivers make use of his interface. See our blog post for more details.
• We contributed support for the Microsemi VSC7513 and VSC7514 MIPS processors, with the base support (irqchip, pinctrl, gpio, reset, DT) but more importantly a massive switchdev driver to support the major feature of these processors: a built-in gigabit Ethernet switch. Our switchdev driver supports bridging, STP, IGMP snooping, VLAN filtering and link aggregation. See our blog posts about platform support and switchdev support.
• We contributed a new subsystem called spi-mem, which allows to support SPI flash memories in a generic way, re-using SPI controller drivers for regular SPI devices, SPI NOR flashes and SPI NAND flashes, instead of having separate controller drivers as was done until now for SPI NOR support. On top of spi-mem, we added support for SPI NAND flash memories to Linux. See our blog post on spi-mem: bringing some consistency to the SPI memory ecosystem.
• We contributed a number of drivers for Cadence hardware IPs: Cadence MIPI CSI receiver, Cadence MIPI CSI transceiver, Cadence DSI encoder, Cadence PCIe host controller, Cadence PCIe endpoint controller and as detailed above Cadence I3C master controller.
• We continued to work on improving the support for Marvell ARM processors
  • Improvements in the inside-secure crypto accelerator driver: support for new crypto algorithms, support for the EIP97 variant which enabled using the driver on Armada 37xx in addition to the already support EIP197 variant used on Armada 7K/8K, numerous fixes and performance improvements
  • Improvements in the mvpp2 network controller driver, used on Armada 7K/8K: RSS support, support for SFP ports, HW offloading for VLAN filtering, 1000baseX and 2500baseX support
  • On Armada 7K/8K, we added support for the NAND controller and the thermal sensors.
  • On Armada 37xx, we added cpufreq support and the first pieces of suspend/resume support.
• Allwinner platform support improvements: of course the Allwinner VPU driver detailed above, but also general improvements to the Allwinner A83 support (for which we delivered a complete BSP for a customer), improvements to the sun4i display driver (especially support for YUV planes, and MIPI DSI support on Allwinner A33), improvements to the sun8i-codec audio driver, and improvements to the AXP209 and AXP813 PMIC drivers.
• For Microchip/Atmel platforms, we continued our maintenance work, with a focus this year on reworking the representation of the platform clocks in the Device Tree.

U-Boot contributions

Even if Bootlin is mainly active as a Linux kernel contributor, we also contribute to U-Boot, and we have been more active in 2018 than we were in the past. In a recent blog post, we summarized our most significant contributions:

• Support for SPI NAND memories, as well as a significant sync of the MTD stack in U-Boot with the one from Linux, and the introduction of a generic mtd U-Boot command to manipulate all types of flash memories
• Generic support for TPMv2 and for TPMv2 chips connected over SPI
• Brand new subsystem to support 1-wire controllers and devices
• Support for the Microsemi Ocelot and Luton MIPS processors. We also contributed support for Microsemi Ocelot to Linux, as discussed above
• Support for the ARM PL022 SPI controller
• Support for multiple U-Boot environment backends
• Support for Microsemi VSC8574 and VSC8584 Ethernet PHYs

In total, we contributed 172 commits to U-Boot in 2018.

Other contributions

Beyond Linux and U-Boot, we also contributed to a few other open-source projects:

• We continued to be very active in the Buildroot project, with Bootlin CTO Thomas Petazzoni acting as a co-maintainer of this project. We contributed 431 commits to Buildroot in 2018, but more importantly as a co-maintainer, Thomas reviewed and merged close to 3000 patches in 2018. Thomas also participated to the Buildroot Developers Meeting after FOSDEM, the Buildroot Hackathon, and the Buildroot Developers meeting before ELCE.
• We contributed to the Intel GPU Tools project, adding support for testing more pixel formats, to test the display pipeline of the RaspberryPi, in combination with the Chamelium testing hardware. See our blog post and intel-gpu-tools commits
• As part of using the Linux Test Project for one of our customers, we contributed a small number of fixes, and we have more to contribute in 2019.
• We made our Elixir Cross Referencer project easier to customize, so that contributors can add support for a new source code repository through a single plugin file, instead of having to modify the main source files. Thanks to this, we currently index 8 projects on https://elixir.bootlin.com/.

Other engineering projects

While many of our engineering projects are directly related to upstream contributions, which have been described above, some are not always leading to direct contributions. Here is a small selection of other interesting projects we worked on in 2018:

• For a German customer in the healthcare industry, wrote a complete U-Boot, Linux and Buildroot BSP for a custom NXP i.MX6 platform.
• For an international company in the TV/set-top box industry, worked on adding support for top-level parallel build to Buildroot.
• For a Netherlands based customer in the gaming industry, wrote a complete U-Boot, Linux and Buildrot BSP for a custom Allwinner A33 platform, with significant boot time optimization to quickly boot up to a Qt5 OpenGL application.
• For a Spanish customer, brought up a PCM1789 audio codec connected to a NXP i.MX6 processor, and for an Italian customer, brought up a CS4272 audio codec connected to an Allwinner A20 processor. Under Linux, of course!
• We continued working for a major US customer, delivering an i.MX6 and SPEAr600 Linux BSP based on Yocto. Our work in 2018 was mainly focused on supporting secure boot on i.MX6 (see our talk at ELC on this topic) and porting a modern version of U-Boot on the SPEAr600 platform.
• For a customer in Chile, we worked on supporting a OV5640 camera sensor connected over CSI to an Allwinner H3 platform. Thanks to this, we made a significant number of improvements to the OV5640 driver.
• We have continued to maintain toolchains.bootlin.com, by keeping the toolchains reguarly updated, and adding support for the RISC-V 64 bit architecture. See our blog posts.

Conferences

In 2018, Bootlin was at a large number of conferences and events:

• At FOSDEM, where Miquèl Raynal gave a talk Drive your NAND within Linux, forget the word “nightmare”. See our blog post
• At Embedded Linux Conference, where we gave 5 talks, 2 tutorials and 1 BoF. Talks were related to secure boot, I3C, NAND support, Buildroot and switchdev driver. Tutorials on kernel driver development and Buildroot, and the BoF on system size. See the blog post about our talks and the blog post with our selection of talks from other speakers
• At Kernel Recipes, Grégory Clement gave a talk about MMC support in Linux. See our blog post about this event.
• At Alpine Linux Persistence and Storage Summit, where Miquèl Raynal and Boris Brezillon gave a talk about their work to bring SPI NAND support to Linux. See our blog post.
• Maxime Ripard attended the X.org Developers Conference, see his report from the event.
• A large part of the team attended the Embedded Linux Conference Europe, where we gave three talks (support for stateless video codecs in Linux, networking from the MAC to the link partner, SPI memory support in U-Boot and Linux), 2 tutorials (introduction to kernel driver development, introduction to Buildroot) and 2 demonstrations (Allwinner VPU work, and switchdev driver for Microsemi platforms). See our report from the event and our selection of talks from other speakers.
• Right next to the Embedded Linux Conference Europe, Maxime Ripard attended the Media Summit to discuss the V4L Linux subsystem, see his report, while Maxime Chevallier attended the Real-Time Summit, see his report.
• Antoine Ténart attended the Linux Plumbers conference, see also his report.

Training

In 2018, we gave our Embedded Linux, Linux kernel, Yocto Project and Buildroot training courses on-site in the United States, Portugal, Belgium, Germany, France, Spain, Serbia, Greece, Bosnia, Finland and Switzerland. As you can see, we travel all around the world to teach our training courses.

Of course, we continued our public training sessions organized in Avignon (France), given in English by Bootlin founder and CEO Michael Opdenacker.

In 2018, we made 217 commits to our training materials Git repository, showing our continuous work to keep them updated. Our training materials remain all freely available under a Creative Commons CC-BY-SA license, as they have been since Bootlin creation fifteen years ago.

Office expansion

In 2018, we expanded both our Toulouse and Lyon offices:

• We moved our office in Toulouse mid-2018 from a 100m² surface to a 180m² one, offering more room for the existing team, and room to expand the team in the coming years. As of January 1, 2019, we have a team of 8 engineers working in Toulouse.
• We moved our office in Lyon end of 2018 from a small one room office of 30m² to a full office of 100m², here as well to expand the team in the coming years. As of January 1, 2019, the team in Lyon has 2 engineers, but we hope to increase this number soon (see Recruiting below).

Recruiting

In terms of recruiting:

• Maxime Chevallier joined us in February 2018, and has since then been mostly working on networking topics on Marvell platforms, but also a few other engineering projects.
• Paul Kocialkowski joined us in March 2018 for an internship focused on the Allwinner VPU development and then was hired as a full-time engineer starting November 2018.
• Thanks to our office expansion in Lyon, we have an open position for a Embedded Linux and Kernel engineer with existing experience in Lyon. See our blog post (in French) for more details.
• We have openings for several internships in 2019, on Linux, U-Boot, Buildroot and Elixir related topics. See our blog post (in French).

Financial support

In 2018, we continued to support organizations and events who promote and defend Free Software:

Donating 1,024 EUR to Framasoft, an organization whose goal (in addition to supporting Free Software) is to decentralize Internet services. For example, they made a huge effort to release PeerTube in 2018, a peer-to-peer and of course Free Software alternative to centralized video hosting solutions.

Donating 1,024 EUR to Wikimedia France, to support free knowledge sharing through projects such as Wikipedia and Wikimedia Commons.

Donating 1,024 EUR to April, a French organization doing terrific work to promote Free Software, to follow the evolution of national and European law, and to animate campaigns to keep our political representatives aware of the needs of Free Software developers and users.

We also sponsored the Capitole du Libre 2018 (250 EUR) and Buildroot Developers Meeting 2018 in Edinburgh (250 EUR) events.

And of course, we support the LWN.net on-line weekly column through a corporate subscription (810 USD).

Last words

We have plenty of ideas for 2019, so stay tuned for more news. We hope that 2019 will be a great year for you too, with many contributions of all kinds to the lives of others.