Bug #16970
Upgrade to Linux 4.19 with the Spectre v1 swapgs mitigations in Tails 3.16
100%
Description
We shipped 4.19.37-4 in 3.15. Since then, there was a security update for Buster (4.19.37-5+deb10u2) that mitigates the new Spectre v1 swapgs variant (CVE-2019-1125).
Subtasks
Related issues
- Related to: Tails - | Resolved
- Blocks: Tails - Feature #16209: Core work: Foundations Team | Confirmed
- Blocked by: Tails - | Resolved
History
#1 Updated by intrigeri 2019-08-11 09:23:46
- blocks Feature #16209: Core work: Foundations Team added
#2 Updated by intrigeri 2019-08-11 09:23:51
- blocked by Bug #16728: Upgrade firmware-amd-graphics (and the rest of firmware-nonfree) added
#3 Updated by intrigeri 2019-08-12 09:36:42
- Status changed from Confirmed to Fix committed
- % Done changed from 0 to 100
Applied in changeset commit:tails|6b0fbd32d01692786f2e9359a2c1f78f72a01aaa.
#4 Updated by intrigeri 2019-08-13 07:38:42
- Subject changed from Upgrade to Linux 4.19 with the latest security fixes in Tails 3.16 to Upgrade to Linux 4.19 with the Spectre v1 swapgs mitigations in Tails 3.16
- Description updated
- Status changed from Fix committed to Confirmed
#5 Updated by cypherpunks 2019-08-14 00:46:29
Will this be provided through an emergency release? This is a very severe vulnerability.
#6 Updated by intrigeri 2019-08-14 06:38:10
> Will this be provided through an emergency release? This is a very severe vulnerability.
At this point, I’m not sure about the cost/benefit ratio.
I note that the Red Hat advisory reads “based on industry feedback, we are not aware of any known way to exploit this vulnerability on Linux kernel-based systems” and rates it as Moderate. I guess that’s because as the mitigation patch says, there’s no known instance of the needed gadget. But of course it also reads “it’s entirely possible that it exists somewhere (or could be introduced in the future). Without tooling to analyze all such code paths, consider it vulnerable.”
#7 Updated by cypherpunks 2019-08-14 22:25:06
I was under the impression that a PoC for hypervisors was already released. Where does it say that it requires a gadget which is not in the Linux kernel? I didn’t see that in any of the patch notes. I could have missed it.
#8 Updated by intrigeri 2019-08-15 18:01:36
- Assignee set to intrigeri
#9 Updated by intrigeri 2019-08-15 18:02:00
- Status changed from Confirmed to In Progress
- Feature Branch set to bugfix/16970-spectre-v1-swapgs+force-all-tests
#10 Updated by intrigeri 2019-08-15 20:32:19
- related to Feature #16942: Upgrade to Linux 5.2+ with the Spectre v1 swapgs mitigations in Tails 4.0~beta2 added
#11 Updated by intrigeri 2019-08-16 06:30:27
Following our doc:
- Full test suite passed locally except I’ve seen Bug #15321 (well understood failure mode).
- Changes: in 3.15 we shipped 4.19.37-4; as expected, the changelog for a Debian stable security update includes only security fixes and one important bugfix.
- Regarding bugs:
  - Most reported regressions are against Stretch’s 4.9 kernel: lots of people upgraded to Buster; there’s little chance they’ve been introduced between 4.19.37-4 and 4.19.37-5+deb10u2 though, so I’ll ignore those ones.
  - Regression on Radeon RX 580 that seems caused by firmware installed in the wrong directory, probably due to some local weirdness on the reporter’s system: the same firmware is installed in the correct place on my sid system and in a build from this topic branch.
Last thing to do before this is ready for QA: test on bare metal hardware.
#12 Updated by intrigeri 2019-08-16 15:01:29
- Status changed from In Progress to Needs Validation
- Assignee changed from intrigeri to anonym
intrigeri wrote:
> @anonym, please test on some hardware with NVIDIA graphics (all mine has Intel) and merge into stable if happy.
Works fine!
I’ll wait with merging this branch until I deal with Feature #16942 tomorrow as I’m not sure how this branch alone will work on devel.
#13 Updated by intrigeri 2019-08-16 15:16:35
- Status changed from Needs Validation to In Progress
Applied in changeset commit:tails|26a3b009b8f63ad39e435b1032f302408dfc12cb.
#14 Updated by intrigeri 2019-08-16 15:21:52
- Status changed from In Progress to Needs Validation
#15 Updated by intrigeri 2019-08-23 15:40:38
- Assignee deleted (anonym)
(Any FT member can review this, and actually I’d rather see anonym focus his review time on branches that he’s much better placed than others to look at :)
#16 Updated by segfault 2019-08-24 20:29:00
LGTM
#17 Updated by segfault 2019-08-24 20:30:18
- Status changed from Needs Validation to Fix committed
Applied in changeset commit:tails|b887265aa3d5514809202a92cbeb872db9af67dc.
#18 Updated by intrigeri 2019-08-29 18:27:46
- Status changed from Fix committed to In Progress
- Assignee set to intrigeri
I see 4.19.37-5 on stable, while Buster security has 4.19.37-5+deb10u2.
#19 Updated by intrigeri 2019-08-30 08:29:16
4.19.37-5+deb10u2 is now correctly installed on the branch, which was the whole purpose of the operation.
Boots fine, Wi-Fi & emergency shutdown work on Elitebook 840G1 and ThinkPad X200.
Given the “code” change is trivial and the idea behind it was reviewed already, I’ll dare merging this myself if Jenkins is happy enough.
#20 Updated by intrigeri 2019-08-30 08:30:33
- Status changed from In Progress to Needs Validation
#21 Updated by intrigeri 2019-08-30 18:33:45
Full test suite passed on Jenkins during 1st run. Impressive.
#22 Updated by intrigeri 2019-08-30 18:34:05
- Status changed from Needs Validation to Fix committed
Applied in changeset commit:tails|9a6891655ca454e7aa5eb61c3cfb94cf79efbab2.
#23 Updated by CyrilBrulebois 2019-09-05 00:03:40
- Status changed from Fix committed to Resolved