Upgrade to Linux 4.19 with the Spectre v1 swapgs mitigations in Tails 3.16
We shipped 4.19.37-4 in 3.15. Since then, there was a security update for Buster (4.19.37-5+deb10u2) that mitigates the new Spectre v1 swapgs variant (CVE-2019-1125).
Install Linux kernel from the Buster security repository (refs: #16970)
The new Spectre v1 swapgs variant (CVE-2019-1125) was fixed in sid
via 5.2.x, which is too big a change for the Tails 3.16 bugfix release.
Let's instead track Buster (+ security) for the time being.
Merge branch 'bugfix/16970-spectre-v1-swapgs+force-all-tests' into stable (Fix-committed: #16970)
Really install Linux kernel from the Buster security repository (refs: #16970)
Fixup against 06f5305bcd0ff18e836c23f1392e481d083ad518, where I added
the Buster security APT source, but failed to add the pinning needed
so src:linux binary packages can be installed from there.
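As an added illustration of what that fixup describes (not the Tails repository's own configuration; the file paths, the priority and the Release field values are assumptions), the APT source for the Buster security archive together with the pin that makes APT prefer src:linux binaries from it. Without the pin, adding the source alone does not make those packages the candidate version.

```text
# /etc/apt/sources.list.d/buster-security.list  (path is an assumption)
deb http://security.debian.org/debian-security buster/updates main

# /etc/apt/preferences.d/buster-security-linux  (path is an assumption)
# Pin only binaries built from the src:linux source package to the Buster
# security archive; o=/l=/n= are assumed to match its Release file.
# 999 beats the default 500 but stays below 1000, so no downgrade is forced.
Package: src:linux
Pin: release o=Debian,l=Debian-Security,n=buster
Pin-Priority: 999
```

After `apt-get update`, `apt-cache policy linux-image-amd64` should list the 4.19.37-5+deb10u2 candidate at priority 999 coming from buster/updates.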
Will this be provided through an emergency release? This is a very severe vulnerability.
At this point, I'm not sure about the cost/benefit ratio.
I note that the Red Hat advisory reads "based on industry feedback, we are not aware of any known way to exploit this vulnerability on Linux kernel-based systems" and rates it as Moderate. I guess that's because as the mitigation patch says, there's no known instance of the needed gadget. But of course it also reads "it's entirely possible that it exists somewhere (or could be introduced in the future). Without tooling to analyze all such code paths, consider it vulnerable."
Following our doc:
- Full test suite passed locally except I've seen #15321 (well understood failure mode).
- Changes: in 3.15 we shipped 4.19.37-4; as expected, the changelog for a Debian stable security update includes only security fixes and one important bugfix.
- Regarding bugs:
  - Most reported regressions are against Stretch's 4.9 kernel: lots of people upgraded to Buster; there's little chance they've been introduced between 4.19.37-4 and 4.19.37-5+deb10u2 though, so I'll ignore those ones.
  - Regression on Radeon RX 580 that seems caused by firmware installed in the wrong directory, probably due to some local weirdness on the reporter's system: the same firmware is installed in the correct place on my sid system and in a build from this topic branch.
Last thing to do before this is ready for QA: test on bare metal hardware.
- Status changed from In Progress to Needs Validation
- Assignee changed from intrigeri to anonym
@anonym, please test on some hardware with NVIDIA graphics (all mine has Intel) and merge into stable if happy.
I'll wait with merging this branch until I deal with #16942 tomorrow as I'm not sure how this branch alone will work on
4.19.37-5+deb10u2 is now correctly installed on the branch, which was the whole purpose of the operation.
Boots fine, Wi-Fi & emergency shutdown work on Elitebook 840G1 and ThinkPad X200.
Given the "code" change is trivial and the idea behind it was reviewed already, I'll dare merging this myself if Jenkins is happy enough.