Feature #16942

Upgrade to Linux 5.2+ with the Spectre v1 swapgs mitigations in Tails 4.0~beta2

Added by intrigeri 2019-08-07 08:40:15 . Updated 2019-08-27 08:58:21 .

Status:
Resolved
Priority:
Elevated
Assignee:
intrigeri
Category:
Target version:
Start date:
Due date:
% Done:
100%

Feature Branch:
bugfix/16942-spectre-v1-swapgs+force-all-tests
Type of work:
Code
Blueprint:

Starter:
Affected tool:
Deliverable for:

Description

It’s now in sid.

Upgrade doc: https://tails.boum.org/contribute/Linux_kernel/


Subtasks


Related issues

Related to Tails - Bug #16970: Upgrade to Linux 4.19 with the Spectre v1 swapgs mitigations in Tails 3.16 Resolved
Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed
Blocks Tails - Bug #16764: Low resolution or no X.Org at all with NVidia NV160 (Turing) Resolved

History

#1 Updated by intrigeri 2019-08-07 08:40:27

#2 Updated by intrigeri 2019-08-07 11:57:19

  • Target version changed from Tails_3.17 to Tails_4.0

If 3.17 is released, it’ll be a bugfix release.

#3 Updated by intrigeri 2019-08-07 11:59:02

  • blocks Bug #16764: Low resolution or no X.Org at all with NVidia NV160 (Turing) added

#4 Updated by intrigeri 2019-08-15 07:35:17

  • Subject changed from Upgrade to Linux 5.2+ to Upgrade to Linux 5.2+ with the Spectre v1 swapgs mitigations in Tails 4.0~beta2
  • Priority changed from Normal to Elevated

#5 Updated by intrigeri 2019-08-15 18:01:44

  • Assignee set to intrigeri

#6 Updated by intrigeri 2019-08-15 18:04:38

  • Status changed from Confirmed to In Progress
  • Feature Branch set to bugfix/16942-spectre-v1-swapgs+force-all-tests

#7 Updated by intrigeri 2019-08-15 20:31:23

Currently FTBFS due to https://bugs.debian.org/934483. Upgrading to 5.2 is probably not worth dropping VirtualBox guest support, so let’s go with the Buster security kernel (Bug #16970) as the fallback plan for now, and reconsider if that bug is fixed early enough for 4.0~beta2.

#8 Updated by intrigeri 2019-08-15 20:32:19

  • related to Bug #16970: Upgrade to Linux 4.19 with the Spectre v1 swapgs mitigations in Tails 3.16 added

#9 Updated by intrigeri 2019-08-16 14:04:09

intrigeri wrote:
> Currently FTBFS due to https://bugs.debian.org/934483. Upgrading to 5.2 is probably not worth dropping VirtualBox guest support, so let’s go with the Buster security kernel (Bug #16970) as the fallback plan for now, and reconsider if that bug is fixed early enough for 4.0~beta2.

Found a way around this!

Following our doc (skipping what’s irrelevant here):

  • test suite: every scenario passed at least once locally across 2 runs (the only failures on the 1st run were caused by temporary upstream Internet issues)
  • Changes: well, we’re fast-forwarding 4 major Linux releases so of course tons of stuff has changed (including tons of hardware enablement improvements). 4.0 final is still quite far ahead so I don’t think going through all these changes is useful to do a risk/benefit analysis here. Nevertheless, I scanned the Debian changelog and the KernelNewbie changes pages and noticed only good news :)
  • Regarding bugs: TBH, 5.2 has made it into sid only a week ago or so, so it’s a bit early to draw conclusions here; but I’m confident things will stabilize by the time we release 4.0 final.
  • new security features: these days I read Kees’ blog posts as they’re published and file a ticket whenever there’s something we should do / a Debian bug report whenever it’s something that needs to be enabled at kernel build time, so I’m pretty sure we’re good here this time

Last thing to do before this is ready for QA: test on bare metal hardware.

#10 Updated by intrigeri 2019-08-16 14:57:35

  • Status changed from In Progress to Needs Validation
  • Assignee changed from intrigeri to anonym

intrigeri wrote:
> Last thing to do before this is ready for QA: test on bare metal hardware.

Works fine (as in: boots, connects to Wi-Fi, tor bootstraps, system powers off after unplugging the boot USB stick) on:

  • ThinkPad X200
  • HP EliteBook 840G1
  • ThinkPad X1 carbon 6th gen

@anonym, please test on some hardware with NVIDIA graphics (all mine has Intel) and merge into devel if happy.
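A post-upgrade check of the kind the bare-metal validation above calls for, added here as an example; it is not code from the ticket or from Tails. It assumes the standard x86 sysfs vulnerability-status file and a kernel whose spectre_v1 entry names the swapgs barriers when they are active; the function names, the "--check" flag and the sample status strings are ours.

```shell
#!/bin/sh
# Added example (not from the Tails ticket): confirm that a freshly booted
# kernel is the 5.2+ series this ticket targets AND reports the Spectre v1
# swapgs barriers. The sysfs path is the usual x86 status interface; the
# function names below are ours.
SPECTRE_V1_STATUS=/sys/devices/system/cpu/vulnerabilities/spectre_v1

# Return 0 if the status text is a mitigation line naming swapgs, else 1.
# The text is passed as an argument so the logic can be tested offline.
swapgs_mitigated() {
    case "$1" in
        Mitigation:*swapgs*) return 0 ;;
        *) return 1 ;;
    esac
}

# Map "MAJOR.MINOR[.PATCH][-suffix]" (as printed by uname -r) to
# MAJOR*1000+MINOR so that two versions can be compared numerically.
version_key() {
    v=${1%%-*}
    major=${v%%.*}
    rest=${v#"$major"}
    rest=${rest#.}
    minor=${rest%%.*}
    echo $(( major * 1000 + ${minor:-0} ))
}

# Return 0 if kernel version $1 is at least version $2, else 1.
kernel_at_least() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# Inspect the running system: version floor first, then the sysfs status.
check_running_kernel() {
    running=$(uname -r)
    if ! kernel_at_least "$running" "5.2"; then
        echo "FAIL: kernel $running is older than 5.2" >&2
        return 1
    fi
    if [ ! -r "$SPECTRE_V1_STATUS" ]; then
        echo "FAIL: $SPECTRE_V1_STATUS unreadable (not x86, or no status reporting)" >&2
        return 1
    fi
    status=$(cat "$SPECTRE_V1_STATUS")
    if swapgs_mitigated "$status"; then
        echo "OK: $running reports '$status'"
        return 0
    fi
    echo "FAIL: $running reports '$status' (no swapgs barriers)" >&2
    return 1
}

# Only run the check when invoked with --check; sourcing or running the
# file without arguments just defines the functions.
if [ "${1:-}" = "--check" ]; then
    check_running_kernel
    exit $?
fi
```

Run it on each test machine as `sh check-swapgs.sh --check`; a non-zero exit with a "FAIL" line on stderr means the machine should not be counted as a successful bare-metal test for this branch.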

#11 Updated by intrigeri 2019-08-22 06:42:29

Wrt. the loss of VirtualBox shared folders functionality, note that it’s on its way to Linux mainline (corresponding patch series already shipped in Arch and Fedora).

#12 Updated by intrigeri 2019-08-23 15:40:49

  • Assignee deleted (anonym)

(Any FT member can review this, and actually I’d rather see anonym focus his review time on branches that he’s much better placed than others to look at :)

#13 Updated by segfault 2019-08-24 20:47:00

  • Assignee set to segfault

#14 Updated by segfault 2019-08-25 11:56:01

https://bugs.debian.org/934483 was fixed and the branch builds fine when I revert commit:0c000cf8bcd859fc7bfef4f5b0a16bd8dc3f9204. @intrigeri, is there still any need to use the VirtualBox guest modules from mainline Linux? I think losing the shared folders feature would break workflows for users, so I would like to avoid that if there is no need for it.

#15 Updated by segfault 2019-08-25 11:56:36

  • Status changed from Needs Validation to In Progress
  • Assignee changed from segfault to intrigeri

#16 Updated by intrigeri 2019-08-25 15:18:26

  • Status changed from In Progress to Needs Validation
  • Assignee changed from intrigeri to segfault

> https://bugs.debian.org/934483 was fixed and the branch builds fine when I revert 0c000cf8bcd859fc7bfef4f5b0a16bd8dc3f9204. intrigeri, is there still any need to use the VirtualBox guest modules from mainline Linux? I think losing the shared folders feature would break workflows for users, so I would like to avoid that if there is no need for it.

Feel free to revert that commit now that the immediate reason for it is gone.
We can (re)discuss later our longer-term strategy :)

#17 Updated by segfault 2019-08-26 21:06:38

  • Status changed from Needs Validation to In Progress

Applied in changeset commit:tails|528f8aaab30b4dea9b92ecef4706f20ae97e7d7f.

#18 Updated by segfault 2019-08-26 21:11:51

intrigeri wrote:
> > https://bugs.debian.org/934483 was fixed and the branch builds fine when I revert 0c000cf8bcd859fc7bfef4f5b0a16bd8dc3f9204. intrigeri, is there still any need to use the VirtualBox guest modules from mainline Linux? I think losing the shared folders feature would break workflows for users, so I would like to avoid that if there is no need for it.
>
> Feel free to revert that commit now that the immediate reason for it is gone.
> We can (re)discuss later our longer-term strategy :)

Done. As I said, the build worked locally, so I’m not sure whether I should just merge this or wait for the Jenkins results.

#19 Updated by intrigeri 2019-08-27 07:15:52

  • Status changed from In Progress to Needs Validation
  • Assignee changed from segfault to intrigeri

> Done. As I said, the build worked locally, so I’m not sure whether I should just merge this or wait for the Jenkins results.

I’ll wait for https://jenkins.tails.boum.org/view/Tails_ISO/job/test_Tails_ISO_bugfix-16942-spectre-v1-swapgs-force-all-tests/14/ to be done, to be on the safe side, and then I’ll merge :)

#20 Updated by intrigeri 2019-08-27 08:58:21

  • Status changed from Needs Validation to Resolved
  • % Done changed from 0 to 100

Applied in changeset commit:tails|c036fc091816f198120f9c6ec603fecfd67e7dd0.