Upgrade to Linux 4.19 with the Spectre v1 swapgs mitigations in Tails 3.16
We shipped 4.19.37-4 in 3.15. Since then, there was a security update for Buster (4.19.37-5+deb10u2) that mitigates the new Spectre v1 swapgs variant (CVE-2019-1125).
Blocks: Tails - Feature #16209: Core work: Foundations Team (Confirmed)
#6 Updated by intrigeri 2019-08-14 06:38:10
> Will this be provided through an emergency release? This is a very severe vulnerability.
At this point, I’m not sure about the cost/benefit ratio.
I note that the Red Hat advisory reads “based on industry feedback, we are not aware of any known way to exploit this vulnerability on Linux kernel-based systems” and rates it as Moderate. I guess that’s because as the mitigation patch says, there’s no known instance of the needed gadget. But of course it also reads “it’s entirely possible that it exists somewhere (or could be introduced in the future). Without tooling to analyze all such code paths, consider it vulnerable.”
#11 Updated by intrigeri 2019-08-16 06:30:27
Following our doc:
- Full test suite passed locally except I’ve seen Bug #15321 (well understood failure mode).
- Changes: in 3.15 we shipped 4.19.37-4; as expected, the changelog for a Debian stable security update includes only security fixes and one important bugfix
- Regarding bugs:
  - Most reported regressions are against Stretch’s 4.9 kernel: lots of people upgraded to Buster; there’s little chance they’ve been introduced between 4.19.37-4 and 4.19.37-5+deb10u2 though, so I’ll ignore those ones.
  - Regression on Radeon RX 580 that seems caused by firmware installed in the wrong directory, probably due to some local weirdness on the reporter’s system: the same firmware is installed in the correct place on my sid system and in a build from this topic branch.
Last thing to do before this is ready for QA: test on bare metal hardware.
#12 Updated by intrigeri 2019-08-16 15:01:29
- Status changed from In Progress to Needs Validation
- Assignee changed from intrigeri to anonym
@anonym, please test on some hardware with NVIDIA graphics (all mine has Intel) and merge into stable if happy.
I’ll wait with merging this branch until I deal with Feature #16942 tomorrow as I’m not sure how this branch alone will work on
#19 Updated by intrigeri 2019-08-30 08:29:16
4.19.37-5+deb10u2 is now correctly installed on the branch, which was the whole purpose of the operation.
Boots fine, Wi-Fi & emergency shutdown work on Elitebook 840G1 and ThinkPad X200.
Given the “code” change is trivial and the idea behind it was reviewed already, I’ll dare merging this myself if Jenkins is happy enough.
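An added verification script, not part of this ticket or of Tails itself, that checks what the comments above establish by hand: that the installed Debian kernel package is at least 4.19.37-5+deb10u2 and that the running kernel reports the swapgs barrier in its Spectre v1 status. It assumes a Debian-style package named linux-image-$(uname -r) managed by dpkg and the usual sysfs vulnerabilities file; the status strings in the comments are samples constructed from the kernel's reporting format.

```shell
#!/bin/sh
# Added check (not from the Tails ticket): is the kernel package at or above
# the fixed version, and does the kernel report the swapgs barrier mitigation?
# Assumes Debian packaging (dpkg, linux-image-$(uname -r)) and sysfs.

FIXED_VERSION="4.19.37-5+deb10u2"          # fixed version named in the ticket
SYSFS_SPECTRE_V1=/sys/devices/system/cpu/vulnerabilities/spectre_v1

# swapgs_mitigated STATUS: 0 when the spectre_v1 status string includes the
# swapgs barrier ("Mitigation: usercopy/swapgs barriers and __user pointer
# sanitization"); a pre-fix kernel reports only "__user pointer sanitization".
swapgs_mitigated() {
    case "$1" in
        *swapgs*barrier*) return 0 ;;
        *)                return 1 ;;
    esac
}

# version_ge A B: 0 when Debian version A >= B. Uses dpkg's own comparison
# when present, otherwise GNU sort -V as an approximation of Debian ordering.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
    fi
}

# check_host: run both checks against the live system; returns 1 on failure.
check_host() {
    rc=0
    pkg="linux-image-$(uname -r)"
    ver=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null || echo unknown)
    if [ "$ver" != unknown ] && version_ge "$ver" "$FIXED_VERSION"; then
        echo "OK   $pkg $ver >= $FIXED_VERSION"
    else
        echo "FAIL $pkg $ver < $FIXED_VERSION (or not a Debian kernel)"; rc=1
    fi
    status=$(cat "$SYSFS_SPECTRE_V1" 2>/dev/null || echo unavailable)
    if swapgs_mitigated "$status"; then
        echo "OK   spectre_v1: $status"
    else
        echo "FAIL spectre_v1: $status"; rc=1
    fi
    return $rc
}

# Probe the live host only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--host" ]; then check_host; fi
```

Run it as `sh check-swapgs.sh --host` on the booted Tails system; a non-zero exit means either the package is older than the fix or the kernel does not report the swapgs barrier.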