Bug #16708

Upgrade Linux to 4.19.37

Added by intrigeri 6 months ago. Updated 6 months ago.

Status: Resolved
Priority: High
Assignee: -
Category: -
Target version:
Start date:
Due date:
% Done: 100%
Feature Branch: bugfix/16708-linux-4.19.37+force-all-tests
Type of work: Code
Blueprint:
Starter:
Affected tool:

Related issues

Related to Tails - Bug #16728: Upgrade firmware-amd-graphics (and the rest of firmware-nonfree) Resolved
Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed
Blocks Tails - Bug #16720: Update kernel to mitigate new MDS attacks Resolved

Associated revisions

Revision f54cb57e (diff)
Added by segfault 6 months ago

Upgrade Linux to 4.19.0-4 from sid, currently at 4.19.37-1 (refs: #16708)

Revision bdb4b8b0 (diff)
Added by segfault 6 months ago

Bump APT snapshot of the 'debian' archive to 2019051001 (refs: #16708)

Revision 4f1665e0 (diff)
Added by segfault 6 months ago

Upgrade Linux to 4.19.0-5 from sid, currently at 4.19.37-1 (refs: #16708)

Revision 5be52ea3 (diff)
Added by segfault 6 months ago

Bump APT snapshot of the 'debian' archive to 2019051001 (refs: #16708)

Revision 581176c4 (diff)
Added by anonym 6 months ago

Bump APT snapshot of the 'debian' archive to 2019051601.

We need mitigations for the Microarchitectural Data Sampling (MDS)
attacks that just were made public. These are present in 4.19.37-2.

Refs: #16708, #16720

Revision 2d9f9303 (diff)
Added by intrigeri 6 months ago

Enable the bugfix-16708-linux-4.19.37-force-all-tests APT overlay (refs: #16708).

Revision 4fbcc2a1 (diff)
Added by intrigeri 6 months ago

Install firmware-amd-graphics from stretch-backports (refs: #16708)

… i.e. currently 20190114-1~bpo9+2, which is similar to 20190114-1
that we've shipped in Tails 3.13.2.

Rationale: avoid shipping the https://bugs.debian.org/928631 regression.

Revision c97b0f9c (diff)
Added by intrigeri 6 months ago

Install Electrum 3.2.3-1 from our custom APT repository (refs: #16708)

The version in sid now displays a warning and exits, while 3.2.3-1 is still
usable, in the rare cases when it manages to connect to the network, despite
being affected by problematic phishing attacks which will only be solved once
the package in Debian is updated to a newer upstream version.

Revision 1ffd91d1 (diff)
Added by intrigeri 6 months ago

Don't install the firmware-linux-nonfree metapackage (refs: #16708).

Its only purpose is to depend on firmware-misc-nonfree and
firmware-amd-graphics, and to recommend intel-microcode and amd64-microcode.
We explicitly install all these packages already. The dependency is versioned
which breaks our build at the moment, since we want to ship a different
version of firmware-amd-graphics (4fbcc2a1013f8eff16de5a933932634aed4da042).

Revision 575ee712 (diff)
Added by intrigeri 6 months ago

Don't install the firmware-linux metapackage (refs: #16708).

Its only purpose is to depend on firmware-linux-free and firmware-linux-nonfree;
we explicitly install all these packages already. As per the previous
commit, we can't install firmware-linux-nonfree at the moment, so in turn we
can't install firmware-linux.

Revision 4c54166b
Added by intrigeri 6 months ago

Merge branch 'bugfix/16720-linux-4.19.37-nosmt+force-all-tests' into stable (Fix-committed: #16720, #16708)

History

#1 Updated by intrigeri 6 months ago

#2 Updated by intrigeri 6 months ago

Let's see if we want to do that in 3.14.

#4 Updated by intrigeri 6 months ago

And beware of https://bugs.debian.org/928518 when bumping the APT snapshots.

#5 Updated by segfault 6 months ago

  • Assignee set to segfault

#6 Updated by segfault 6 months ago

  • Feature Branch set to bugfix/16708-linux-4.19.37+force-all-tests

#7 Updated by segfault 6 months ago

  • Status changed from Confirmed to In Progress

#8 Updated by segfault 6 months ago

Builds without issues, boots fine in my VM.

#9 Updated by segfault 6 months ago

intrigeri wrote:

And beware of https://bugs.debian.org/928518 when bumping the APT snapshots.

Ah, so electrum doesn't start anymore and instead displays a warning.

#10 Updated by segfault 6 months ago

segfault wrote:

Builds without issues, boots fine in my VM.

One thing that's odd is that "Resize to VM" doesn't work on this VM in virt-manager. Not sure it's actually related to the new kernel though.

#11 Updated by segfault 6 months ago

segfault wrote:

One thing that's odd is that "Resize to VM" doesn't work on this VM in virt-manager. Not sure it's actually related to the new kernel though.

It's unrelated, sorry for the noise.

#12 Updated by segfault 6 months ago

I would like to fix that devel FTBFS because of the missing linux-image-4.19.0-4-amd64 package, but I don't know whether I should just upgrade it to 4.19.37 or use 4.19.0-0.bpo.4 from stretch-backports instead.

#13 Updated by intrigeri 6 months ago

I would like to fix that devel FTBFS because of the missing linux-image-4.19.0-4-amd64 package, but I don't know whether I should just upgrade it to 4.19.37 or use 4.19.0-0.bpo.4 from stretch-backports instead.

I'd say 4.19.37-1 so we get as much data as we can in order to decide whether we want to ship this update in 3.14.

#14 Updated by anonym 6 months ago

  • Priority changed from Normal to High

Due to #16720 we definitely need linux 4.19.37-2 in Tails 3.14.

#15 Updated by anonym 6 months ago

  • % Done changed from 0 to 30
  • Type of work changed from Research to Code

I have bumped the snapshots so we get linux 4.19.37-2 with the mitigations.

#16 Updated by anonym 6 months ago

Package diff vs 3.13.2:

--- wiki/src/torrents/files/tails-amd64-3.13.2.packages    2019-05-14 13:37:53.440047323 +0200
+++ tails-amd64-bugfix_16708-linux-4.19.37+force-all-tests-3.14-20190516T0740Z-581176c472.packages    2019-05-16 10:10:50.556773124 +0200
@@ -29,7 +29,7 @@
 bc    1.06.95-9+b3
 bilibop-common    0.5.2.1
 bilibop-udev    0.5.2.1
-bind9-host    1:9.10.3.dfsg.P4-12.3+deb9u4
+bind9-host    1:9.10.3.dfsg.P4-12.3+deb9u5
 binutils    2.28-5
 blt    2.5.3+dfsg-3
 bookletimposer    0.2-5
@@ -70,8 +70,8 @@
 cups-common    2.2.1-8+deb9u3
 cups-core-drivers    2.2.1-8+deb9u3
 cups-daemon    2.2.1-8+deb9u3
-cups-filters    1.11.6-3
-cups-filters-core-drivers    1.11.6-3
+cups-filters    1.11.6-3+deb9u1
+cups-filters-core-drivers    1.11.6-3+deb9u1
 cups-pk-helper    0.2.6-1+b1
 cups-ppdc    2.2.1-8+deb9u3
 cups-server-common    2.2.1-8+deb9u3
@@ -101,13 +101,14 @@
 dmidecode    3.0-4
 dmsetup    2:1.02.137-2
 dmz-cursor-theme    0.4.4
+dnsutils    1:9.10.3.dfsg.P4-12.3+deb9u5
 dosfstools    4.1-1
 dpkg    1.18.25
 e2fslibs:amd64    1.43.4-2
 e2fsprogs    1.43.4-2
 efibootmgr    14-2
 eject    2.1.5+deb1+cvs20081104-13.2
-electrum    3.2.3-1
+electrum    3.2.3-1.1
 emacsen-common    2.0.8
 enigmail    2:2.0.8-5~deb9u1
 eog    3.20.5-1+b1
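
Review bot: the electrum 3.2.3-1 to 3.2.3-1.1 change in this hunk should not ship as is. Per https://bugs.debian.org/928518 and the c97b0f9c commit message, the version now in sid displays a warning and exits, while 3.2.3-1 is still usable. Hold electrum at 3.2.3-1 together with python3-electrum, which makes the same move in the @@ -1536,7 +1538,7 @@ hunk, then regenerate this list so that neither line shows up in the diff.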
@@ -126,21 +127,21 @@
 file-roller    3.22.3-1
 findutils    4.6.0+git+20161106-2
 firefox    60.6.1+fake1
-firmware-amd-graphics    20190114-1
-firmware-atheros    20190114-1
+firmware-amd-graphics    20190502-1
+firmware-atheros    20190502-1
 firmware-b43-installer    1:019-4
 firmware-b43legacy-installer    1:019-4
-firmware-brcm80211    20190114-1
-firmware-intel-sound    20190114-1
-firmware-ipw2x00    20190114-1
-firmware-iwlwifi    20190114-1
-firmware-libertas    20190114-1
-firmware-linux    20190114-1
+firmware-brcm80211    20190502-1
+firmware-intel-sound    20190502-1
+firmware-ipw2x00    20190502-1
+firmware-iwlwifi    20190502-1
+firmware-libertas    20190502-1
+firmware-linux    20190502-1
 firmware-linux-free    3.4
-firmware-linux-nonfree    20190114-1
-firmware-misc-nonfree    20190114-1
-firmware-realtek    20190114-1
-firmware-ti-connectivity    20190114-1
+firmware-linux-nonfree    20190502-1
+firmware-misc-nonfree    20190502-1
+firmware-realtek    20190502-1
+firmware-ti-connectivity    20190502-1
 firmware-zd1211    1:1.5-6
 fontconfig    2.11.0-6.7.0tails4
 fontconfig-config    2.11.0-6.7.0tails4
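
Review bot: firmware-amd-graphics 20190502-1 in this hunk is the version the thread wants to avoid because of the https://bugs.debian.org/928631 regression; it should stay at the 20190114-1 level shipped in 3.13.2 (20190114-1~bpo9+2 from stretch-backports, per 4fbcc2a1). Holding back that one package is not sufficient on its own: firmware-linux-nonfree has a versioned dependency on it and firmware-linux depends on firmware-linux-nonfree, so both metapackage lines in this hunk have to drop out of the list as well (1ffd91d1, 575ee712). After that, the regenerated diff should show firmware-amd-graphics unchanged and the two metapackages removed.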
@@ -170,7 +171,7 @@
 geoip-database    20170512-1
 gettext    0.19.8.1-2
 gettext-base    0.19.8.1-2
-ghostscript    9.26a~dfsg-0+deb9u2
+ghostscript    9.26a~dfsg-0+deb9u3
 gimp    2.8.18-1+deb9u1
 gimp-data    2.8.18-1+deb9u1
 gir1.2-accountsservice-1.0    0.6.43-1
@@ -294,6 +295,7 @@
 hdparm    9.51+ds-1+deb9u1
 hicolor-icon-theme    0.15-1
 hopenpgp-tools    0.19.4-3
+host    1:9.10.3.dfsg.P4-12.3+deb9u5
 hostname    3.18+b1
 hpijs-ppds    3.16.11+repack0-3
 hplip    3.16.11+repack0-3
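
Review bot: host is a new line with no counterpart in the 3.13.2 list, and dnsutils was added the same way in the @@ -101,13 +101,14 @@ hunk, both at the bind9 version 1:9.10.3.dfsg.P4-12.3+deb9u5. None of the associated revisions asks for either package, so identify what pulls them in with the snapshot bump and decide whether they belong in the image before merging.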
@@ -329,7 +331,7 @@
 initramfs-tools-core    0.130.0tails1
 inkscape    0.92.1-1
 inotify-tools    3.14-2
-intel-microcode    3.20190312.1~bpo9+1
+intel-microcode    3.20190514.1~deb9u1
 iproute2    4.9.0-1+deb9u1
 iptables    1.6.0+snapshot20161117-6
 iputils-ping    3:20161105-1
@@ -399,7 +401,7 @@
 libb-hooks-endofscope-perl    0.21-1
 libb-hooks-op-check-perl    0.19-3+b1
 libbabl-0.1-0:amd64    0.1.18-1
-libbind9-140:amd64    1:9.10.3.dfsg.P4-12.3+deb9u4
+libbind9-140:amd64    1:9.10.3.dfsg.P4-12.3+deb9u5
 libblas-common    3.7.0-2
 libblas3    3.7.0-2
 libblkid1:amd64    2.29.2-1+deb9u1
@@ -500,7 +502,7 @@
 libcrystalhd3:amd64    1:0.0~git20110715.fdd2f19-12
 libcups2:amd64    2.2.1-8+deb9u3
 libcupscgi1:amd64    2.2.1-8+deb9u3
-libcupsfilters1:amd64    1.11.6-3
+libcupsfilters1:amd64    1.11.6-3+deb9u1
 libcupsimage2:amd64    2.2.1-8+deb9u3
 libcupsmime1:amd64    2.2.1-8+deb9u3
 libcupsppdc1:amd64    2.2.1-8+deb9u3
@@ -537,8 +539,8 @@
 libdjvulibre-text    3.5.27.1-7
 libdjvulibre21:amd64    3.5.27.1-7
 libdmapsharing-3.0-2:amd64    2.9.37-1
-libdns-export162    1:9.10.3.dfsg.P4-12.3+deb9u4
-libdns162:amd64    1:9.10.3.dfsg.P4-12.3+deb9u4
+libdns-export162    1:9.10.3.dfsg.P4-12.3+deb9u5
+libdns162:amd64    1:9.10.3.dfsg.P4-12.3+deb9u5
 libdotconf0:amd64    1.3-0.2
 libdouble-conversion1:amd64    2.0.1-4
 libdpkg-perl    1.18.25
@@ -615,7 +617,7 @@
 libflite1:amd64    2.0.0-release-3+b1
 libfluidsynth1:amd64    1.1.6-4
 libfontconfig1:amd64    2.11.0-6.7.0tails4
-libfontembed1:amd64    1.11.6-3
+libfontembed1:amd64    1.11.6-3+deb9u1
 libfontenc1:amd64    1:1.1.3-1+b2
 libfreehand-0.1-1    0.1.1-2
 libfreetype6:amd64    2.6.3-3.2
@@ -701,8 +703,8 @@
 libgpm2:amd64    1.20.4-6.2+b1
 libgraphite2-3:amd64    1.3.10-1
 libgrilo-0.3-0:amd64    0.3.2-2
-libgs9:amd64    9.26a~dfsg-0+deb9u2
-libgs9-common    9.26a~dfsg-0+deb9u2
+libgs9:amd64    9.26a~dfsg-0+deb9u3
+libgs9-common    9.26a~dfsg-0+deb9u3
 libgsasl7    1.8.0-8+b2
 libgsecuredelete0    0.3-1
 libgsl2:amd64    2.3+dfsg-1
@@ -788,10 +790,10 @@
 libipc-system-simple-perl    1.25-3
 libiptc0:amd64    1.6.0+snapshot20161117-6
 libiptcdata0    1.0.4-6+b1
-libisc-export160    1:9.10.3.dfsg.P4-12.3+deb9u4
-libisc160:amd64    1:9.10.3.dfsg.P4-12.3+deb9u4
-libisccc140:amd64    1:9.10.3.dfsg.P4-12.3+deb9u4
-libisccfg140:amd64    1:9.10.3.dfsg.P4-12.3+deb9u4
+libisc-export160    1:9.10.3.dfsg.P4-12.3+deb9u5
+libisc160:amd64    1:9.10.3.dfsg.P4-12.3+deb9u5
+libisccc140:amd64    1:9.10.3.dfsg.P4-12.3+deb9u5
+libisccfg140:amd64    1:9.10.3.dfsg.P4-12.3+deb9u5
 libisl15:amd64    0.18-1
 libisofs6:amd64    1.4.6-1
 libiw30:amd64    30~pre9-12+b1
@@ -850,7 +852,7 @@
 liblwp-mediatypes-perl    6.02-1
 liblwp-protocol-https-perl    6.06-2
 liblwp-protocol-socks-perl    1.7-1
-liblwres141:amd64    1:9.10.3.dfsg.P4-12.3+deb9u4
+liblwres141:amd64    1:9.10.3.dfsg.P4-12.3+deb9u5
 liblz4-1:amd64    0.0~r131-2+b1
 liblzma5:amd64    5.2.2-1.2+b1
 liblzo2-2:amd64    2.08-1.2+b2
@@ -1147,7 +1149,7 @@
 libslang2:amd64    2.3.1-5
 libsm6:amd64    2:1.2.2-1+b3
 libsmartcols1:amd64    2.29.2-1+deb9u1
-libsmbclient:amd64    2:4.5.16+dfsg-1+deb9u1
+libsmbclient:amd64    2:4.5.16+dfsg-1+deb9u2
 libsnappy1v5:amd64    1.1.3-3
 libsndfile1:amd64    1.0.27-3
 libsndio6.1:amd64    1.1.0-3
@@ -1273,7 +1275,7 @@
 libwayland-egl1:amd64    1.16.0-1~bpo9+1
 libwayland-egl1-mesa:amd64    18.2.8-2~bpo9+1
 libwayland-server0:amd64    1.16.0-1~bpo9+1
-libwbclient0:amd64    2:4.5.16+dfsg-1+deb9u1
+libwbclient0:amd64    2:4.5.16+dfsg-1+deb9u2
 libwebkit2gtk-4.0-37:amd64    2.18.6-1~deb9u1
 libwebp6:amd64    0.5.2-1
 libwebpdemux2:amd64    0.5.2-1
@@ -1381,7 +1383,7 @@
 libzvbi-common    0.2.35-13
 libzvbi0:amd64    0.2.35-13
 linux-base    4.5
-linux-image-4.19.0-4-amd64    4.19.28-2
+linux-image-4.19.0-5-amd64    4.19.37-2
 live-boot    1:20170112
 live-boot-initramfs-tools    1:20170112
 live-config    5.20170112+deb9u1
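
Review bot: the kernel line changes the package name and not only the version, from linux-image-4.19.0-4-amd64 to linux-image-4.19.0-5-amd64. Anything that names the 4.19.0-4 ABI explicitly has to be updated in the same change, as the devel FTBFS over the missing linux-image-4.19.0-4-amd64 package mentioned in the thread shows. The version to check for is 4.19.37-2, the one 581176c4 says carries the MDS mitigations, not the 4.19.37-1 named in the earlier commit messages.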
@@ -1536,7 +1538,7 @@
 python3-dbus    1.2.4-1+b1
 python3-dnspython    1.15.0-1+deb9u1
 python3-ecdsa    0.13-2
-python3-electrum    3.2.3-1
+python3-electrum    3.2.3-1.1
 python3-flask    0.12.1-1
 python3-gi    3.22.0-2
 python3-gi-cairo    3.22.0-2
@@ -1595,7 +1597,7 @@
 rfkill    0.5-1+b1
 rng-tools    2-unofficial-mt.14-1+b2
 rsync    3.1.2-1+deb9u2
-samba-libs:amd64    2:4.5.16+dfsg-1+deb9u1
+samba-libs:amd64    2:4.5.16+dfsg-1+deb9u2
 sane-utils    1.0.25-4.1
 scdaemon    2.1.18-8~deb9u4
 scribus    1.4.6+dfsg-4

So we also get intel-microcode 3.20190514.1~deb9u1 for #16720.

Also, the problems intrigeri predicted are present above:
  • electrum 3.2.3-1.1: no clue what to do here. :/
  • firmware-amd-graphics 20190502-1: our safest bet is to downgrade to 20190114-1 which still is in testing, or 20190114-1~bpo9+2.

#18 Updated by anonym 6 months ago

Warning! For #16720 I have pushed a branch with a very similar name to this ticket's:

bugfix/16720-linux-4.19.37-nosmt+force-all-tests
          ^^              ^^^^^^

#19 Updated by segfault 6 months ago

anonym wrote:

Also, the problems intrigeri predicted are present above:
  • electrum 3.2.3-1.1: no clue what to do here. :/

What options do we have? I see three:

1. Package the current electrum version ourselves, and upload it to our custom APT repo
2. Upload the last working electrum Debian package (3.2.3-1) to our custom APT repo
3. Stop shipping a (working) electrum package

I could spend some hours on 1. until the end of the weekend.

#20 Updated by segfault 6 months ago

#21 Updated by intrigeri 6 months ago

  • Assignee changed from segfault to intrigeri

Thanks everyone who moved this forward!

I'll take this (and #16720) for now and will coordinate with segfault once he shows up.

  • firmware-amd-graphics 20190502-1: our safest bet is to downgrade to 20190114-1 which still is in testing, or 20190114-1~bpo9+2.

Agreed, let's stick to the version we shipped in 3.13.2. I'll do that.

#22 Updated by intrigeri 6 months ago

segfault wrote:

anonym wrote:

  • electrum 3.2.3-1.1: no clue what to do here. :/

What options do we have? I see three:

1. Package the current electrum version ourselves, and upload it to our custom APT repo

I'd rather not. This seems 1. probably too much work for 3.14 given the timing; 2. somewhat in contradiction with the strategy we've decided wrt. Electrum (if s7r doesn't find anyone to help co-maintain Electrum, we'll step up, but diving into this right now increases the chances we become the de facto only maintainers, which I'd rather avoid if we can).

2. Upload the last working electrum Debian package (3.2.3-1) to our custom APT repo

I'll go with this option.

3. Stop shipping a (working) electrum package

FTR we don't really ship a working Electrum ATM: it rarely manages to connect to the network. But let's at least not make things worse.

#23 Updated by intrigeri 6 months ago

anonym wrote:

I have bumped the snapshots so we get linux 4.19.37-2 with the mitigations.

… and I've bumped the expiry date of the debian 2019051601 snapshot accordingly.

#24 Updated by intrigeri 6 months ago

  • firmware-amd-graphics 20190502-1: our safest bet is to downgrade to 20190114-1 which still is in testing, or 20190114-1~bpo9+2.

Agreed, let's stick to the version we shipped in 3.13.2. I'll do that.

2. Upload the last working electrum Debian package (3.2.3-1) to our custom APT repo

I'll go with this option.

Both done on the topic branch, which I'll use as a basis to disable SMT on #16720.

#25 Updated by intrigeri 6 months ago

  • Blocks Bug #16720: Update kernel to mitigate new MDS attacks added

#26 Updated by intrigeri 6 months ago

I've looked at the src:linux recent regressions reported in Debian and the only important one I've spotted is https://bugs.debian.org/929098 (Radeon Vega 1.0, amdgpu). IMO that's a risk we have to take in order to fix #16720 :/

#27 Updated by intrigeri 6 months ago

  • Related to Bug #16728: Upgrade firmware-amd-graphics (and the rest of firmware-nonfree) added

#28 Updated by intrigeri 6 months ago

Note to reviewer: I had to do some nasty changes but 1. they should be entirely harmless; 2. I've filed #16728 so we don't forget to revert them once we can.

#29 Updated by segfault 6 months ago

Reviewed up to 575ee712cfab9c4863e6c549788b604320fa372b, LGTM

#30 Updated by intrigeri 6 months ago

  • Status changed from In Progress to Fix committed
  • % Done changed from 30 to 100

#31 Updated by intrigeri 6 months ago

#32 Updated by intrigeri 6 months ago

  • Assignee deleted (intrigeri)
  • QA Check set to Pass

I've seen all tests pass locally, except the OpenPGP applet and Electrum ones, as expected.

#33 Updated by CyrilBrulebois 6 months ago

  • Status changed from Fix committed to Resolved
