
Bug #16970

Upgrade to Linux 4.19 with the Spectre v1 swapgs mitigations in Tails 3.16

Added by intrigeri about 1 month ago. Updated 18 days ago.

Status: Resolved
Priority: Elevated
Assignee:
Category: -
Target version:
Start date:
Due date:
% Done: 100%
Feature Branch: bugfix/16970-spectre-v1-swapgs+force-all-tests
Type of work: Code
Blueprint:
Starter:
Affected tool:

Description

We shipped 4.19.37-4 in 3.15. Since then, there was a security update for Buster (4.19.37-5+deb10u2) that mitigates the new Spectre v1 swapgs variant (CVE-2019-1125).

#16728 gave us 4.19.37-6 for free but it does not fix that security issue: sid instead got the fix via 5.2.7-1 (#16942), which is probably too much of a change for our 3.16 bugfix release.


Related issues

Related to Tails - Feature #16942: Upgrade to Linux 5.2+ with the Spectre v1 swapgs mitigations in Tails 4.0~beta2 Resolved
Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed
Blocked by Tails - Bug #16728: Upgrade firmware-amd-graphics (and the rest of firmware-nonfree) Resolved

Associated revisions

Revision 6b0fbd32
Added by intrigeri about 1 month ago

Merge remote-tracking branch 'origin/bugfix/16728-upgrade-firmware-amd-graphics' into stable (Fix-committed: #16728, #16970)

Revision 26a3b009 (diff)
Added by intrigeri about 1 month ago

Add Buster security APT sources (refs: #16970)

Revision 06f5305b (diff)
Added by intrigeri about 1 month ago

Install Linux kernel from the Buster security repository (refs: #16970)

The new Spectre v1 swapgs variant (CVE-2019-1125) was fixed in sid
via 5.2.x, which is too big a change for the Tails 3.16 bugfix release.
Let's instead track Buster (+ security) for the time being.

Revision b887265a
Added by segfault 29 days ago

Merge branch 'bugfix/16970-spectre-v1-swapgs+force-all-tests' into stable (Fix-committed: #16970)

Revision 3265a931 (diff)
Added by intrigeri 23 days ago

Really install Linux kernel from the Buster security repository (refs: #16970)

Fixup against 06f5305bcd0ff18e836c23f1392e481d083ad518, where I added
the Buster security APT source, but failed to add the pinning needed
so src:linux binary packages can be installed from there.
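The commit message above describes the two pieces needed to take src:linux from the Buster security suite: the APT source itself and a pin so its binary packages are actually preferred. The script below is an added example, not Tails' own configuration: the mirror URL, the file names under /etc/apt, and the priority 990 are assumptions (the page gives none of them); the pin fields come from the Release file Debian publishes for buster/updates (Origin Debian, Codename buster, Label Debian-Security).

```shell
#!/bin/sh
# Added example (not Tails' own config): add the Buster security suite
# and pin every binary package built from src:linux to it.
# APT_ROOT defaults to /etc/apt; set it to a scratch directory to dry-run.
set -eu

APT_ROOT="${APT_ROOT:-/etc/apt}"

# Debian 10's security suite is named buster/updates. The mirror URL is
# an assumption; use whatever mirror the build normally uses.
write_security_source() {
    mkdir -p "$APT_ROOT/sources.list.d"
    cat > "$APT_ROOT/sources.list.d/buster-security.list" <<'EOF'
deb http://security.debian.org/debian-security buster/updates main
EOF
}

# "Package: src:linux" matches all binaries built from the linux source
# package (linux-image-*, linux-headers-*, ...), so one stanza covers
# the kernel without listing each flavour. Priority 990 is an assumed
# value: above the default 500, below the 1000 that would force downgrades.
write_linux_pin() {
    mkdir -p "$APT_ROOT/preferences.d"
    cat > "$APT_ROOT/preferences.d/linux-buster-security" <<'EOF'
Package: src:linux
Pin: release o=Debian,n=buster,l=Debian-Security
Pin-Priority: 990
EOF
}

# Returns 0 when the pin stanza is present with exactly the expected lines.
pin_present() {
    f="$APT_ROOT/preferences.d/linux-buster-security"
    grep -qx 'Package: src:linux' "$f" &&
    grep -qx 'Pin: release o=Debian,n=buster,l=Debian-Security' "$f" &&
    grep -qx 'Pin-Priority: 990' "$f"
}

# Only write to APT_ROOT when explicitly asked, so sourcing the file is safe.
if [ "${1:-}" = "install" ]; then
    write_security_source
    write_linux_pin
    pin_present && echo "src:linux pinned to buster/updates under $APT_ROOT"
fi
```

After `apt-get update`, `apt-cache policy linux-image-amd64` should list the `+deb10u2` build from buster/updates as the candidate; if the candidate is still the plain stable version, the pin is not matching (check the `o=`, `n=` and `l=` fields against `apt-cache policy` output, which prints them for each source). That check is what comment #18 below effectively performed by hand.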

Revision 9a689165
Added by intrigeri 23 days ago

Merge branch 'bugfix/16970-spectre-v1-swapgs+force-all-tests' into stable

Fix-committed: #16970

History

#1 Updated by intrigeri about 1 month ago

#2 Updated by intrigeri about 1 month ago

  • Blocked by Bug #16728: Upgrade firmware-amd-graphics (and the rest of firmware-nonfree) added

#3 Updated by intrigeri about 1 month ago

  • Status changed from Confirmed to Fix committed
  • % Done changed from 0 to 100

#4 Updated by intrigeri about 1 month ago

  • Subject changed from Upgrade to Linux 4.19 with the latest security fixes in Tails 3.16 to Upgrade to Linux 4.19 with the Spectre v1 swapgs mitigations in Tails 3.16
  • Description updated (diff)
  • Status changed from Fix committed to Confirmed

#5 Updated by cypherpunks about 1 month ago

Will this be provided through an emergency release? This is a very severe vulnerability.

#6 Updated by intrigeri about 1 month ago

cypherpunks wrote:
Will this be provided through an emergency release? This is a very severe vulnerability.

At this point, I'm not sure about the cost/benefit ratio.

I note that the Red Hat advisory reads "based on industry feedback, we are not aware of any known way to exploit this vulnerability on Linux kernel-based systems" and rates it as Moderate. I guess that's because as the mitigation patch says, there's no known instance of the needed gadget. But of course it also reads "it's entirely possible that it exists somewhere (or could be introduced in the future). Without tooling to analyze all such code paths, consider it vulnerable."

#7 Updated by cypherpunks about 1 month ago

I was under the impression that a PoC for hypervisors was already released. Where does it say that it requires a gadget which is not in the Linux kernel? I didn't see that in any of the patch notes. I could have missed it.

#8 Updated by intrigeri about 1 month ago

  • Assignee set to intrigeri

#9 Updated by intrigeri about 1 month ago

  • Status changed from Confirmed to In Progress
  • Feature Branch set to bugfix/16970-spectre-v1-swapgs+force-all-tests

#10 Updated by intrigeri about 1 month ago

  • Related to Feature #16942: Upgrade to Linux 5.2+ with the Spectre v1 swapgs mitigations in Tails 4.0~beta2 added

#11 Updated by intrigeri about 1 month ago

Following our doc:

  • Full test suite passed locally except I've seen #15321 (well understood failure mode).
  • Changes: in 3.15 we shipped 4.19.37-4; as expected, the changelog for a Debian stable security update includes only security fixes and one important bugfix
  • Regarding bugs:
    • Most reported regressions are against Stretch's 4.9 kernel: lots of people upgraded to Buster; there's little chance they've been introduced between 4.19.37-4 and 4.19.37-5+deb10u2 though so I'll ignore those ones.
    • Regression on Radeon RX 580 that seems caused by firmware installed in the wrong directory, probably due to some local weirdness on the reporter's system: the same firmware is installed in the correct place on my sid system and in a build from this topic branch

Last thing to do before this is ready for QA: test on bare metal hardware.

#12 Updated by intrigeri about 1 month ago

  • Status changed from In Progress to Needs Validation
  • Assignee changed from intrigeri to anonym

intrigeri wrote:
@anonym, please test on some hardware with NVIDIA graphics (all mine has Intel) and merge into stable if happy.

Works fine!

I'll wait with merging this branch until I deal with #16942 tomorrow as I'm not sure how this branch alone will work on devel.

#13 Updated by intrigeri about 1 month ago

  • Status changed from Needs Validation to In Progress

#14 Updated by intrigeri about 1 month ago

  • Status changed from In Progress to Needs Validation

#15 Updated by intrigeri about 1 month ago

  • Assignee deleted (anonym)

(Any FT member can review this, and actually I'd rather see anonym focus his review time on branches that he's much better placed than others to look at :)

#16 Updated by segfault 29 days ago

LGTM

#17 Updated by segfault 29 days ago

  • Status changed from Needs Validation to Fix committed

#18 Updated by intrigeri 24 days ago

  • Status changed from Fix committed to In Progress
  • Assignee set to intrigeri

I see 4.19.37-5 on stable, while Buster security has 4.19.37-5+deb10u2.

#19 Updated by intrigeri 23 days ago

4.19.37-5+deb10u2 is now correctly installed on the branch, which was the whole purpose of the operation.
Boots fine, Wi-Fi & emergency shutdown work on Elitebook 840G1 and ThinkPad X200.

Given the "code" change is trivial and the idea behind it was reviewed already, I'll dare to merge this myself if Jenkins is happy enough.

#20 Updated by intrigeri 23 days ago

  • Status changed from In Progress to Needs Validation

#21 Updated by intrigeri 23 days ago

Full test suite passed on Jenkins during 1st run. Impressive.

#22 Updated by intrigeri 23 days ago

  • Status changed from Needs Validation to Fix committed

#23 Updated by CyrilBrulebois 18 days ago

  • Status changed from Fix committed to Resolved
