Bug #17117

Upgrade to Linux 5.3

Added by intrigeri 5 months ago. Updated 5 months ago.

Status: Resolved
Priority: Elevated
Assignee:
Category: -
Target version:
Start date:
Due date:
% Done: 100%
Feature Branch: feature/17117-linux-5.3+force-all-tests
Type of work: Code
Blueprint:
Starter:
Affected tool:

Description

5.3.2-1~exp1 is going to land in experimental in the next few days. I doubt it'll be in sid in time for 4.0~rc1, but if we ship 4.0~rc1 with 5.2, we'll have a very difficult decision to make regarding 4.0 final: taking the risk of upgrading to 5.3 vs. not getting the security fixes that come with 5.3.

One option, suggested by hefee, would be to ship 5.3 from experimental in 4.0~rc1: it's a bit more risky for 4.0~rc1 but allows us to ship 5.3 in 4.0 final with a lower risk of regressions, which is good.


Related issues

Related to Tails - Bug #17104: "Erasure of memory freed by killed userspace processes" test scenario regression caused by the upgrade to Linux 5.2.0-3 Resolved
Related to Tails - Bug #17124: Install Linux 5.3 from sid Resolved
Related to Tails - Bug #17236: Enable the init_on_alloc=1 and init_on_free=1 Linux options Resolved
Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed
Blocks Tails - Bug #17024: Fix CVE-2019-15902 aka. "Failed Linux LTS Spectre Fix" Resolved

Associated revisions

Revision 031cf21c
Added by intrigeri 5 months ago

Upgrade Linux to 5.3.0-rc5 from Debian experimental (refs: #17117)

And accordingly:

- Upgrade the aufs kernel module source to aufs5.3 20190923
- Have our aufs build hook support Linux release candidates. For example,
linux-source-5.3 currently ships /usr/src/linux-source-5.3-rc5.tar.xz

Revision af41c02f
Added by intrigeri 5 months ago

Upgrade Linux to 5.3.0-trunk, currently at 5.3.2-1~exp1 (refs: #17117)

This requires re-introducing the fake linux-compiler-gcc package dance.

Revision 5703cbdf
Added by segfault 5 months ago

Merge branch 'feature/17117-linux-5.3+force-all-tests' into devel (Closes: #17117, #17024)

History

#1 Updated by intrigeri 5 months ago

#2 Updated by intrigeri 5 months ago

  • Related to Bug #17024: Fix CVE-2019-15902 aka. "Failed Linux LTS Spectre Fix" added

#3 Updated by intrigeri 5 months ago

  • Assignee set to intrigeri

I'll give it a try, mainly to see if #17104 magically disappears.

#4 Updated by intrigeri 5 months ago

  • Related to Bug #17104: "Erasure of memory freed by killed userspace processes" test scenario regression caused by the upgrade to Linux 5.2.0-3 added

#5 Updated by intrigeri 5 months ago

  • Description updated
  • Status changed from Confirmed to In Progress
  • Feature Branch set to feature/17117-linux-5.3+force-all-tests

#6 Updated by intrigeri 5 months ago

5.3.2-1 is currently building; once that's done, dak has run, the mirror sync is over, and our time-based snapshots have picked it up, I'll update our branch to install it instead of 5.3.0-rc5.

#7 Updated by intrigeri 5 months ago

  • Related to deleted (Bug #17024: Fix CVE-2019-15902 aka. "Failed Linux LTS Spectre Fix")

#8 Updated by intrigeri 5 months ago

  • Blocks Bug #17024: Fix CVE-2019-15902 aka. "Failed Linux LTS Spectre Fix" added

#9 Updated by intrigeri 5 months ago

Full test suite passed locally except:

  • Booting Tails from a USB drive in UEFI mode: stuck in the bootloader command line editor
  • a couple Additional software scenarios that are rather fragile these days (I should file bugs and tag them as such at some point)

Let's see how it goes on Jenkins.

#10 Updated by intrigeri 5 months ago

Full test suite passed locally except:

  • Booting Tails from a USB drive in UEFI mode: stuck in the bootloader command line editor
  • a couple Additional software scenarios that are rather fragile these days (I should file bugs and tag them as such at some point)

Let's see how it goes on Jenkins.

https://jenkins.tails.boum.org/job/test_Tails_ISO_feature-17117-linux-5.3-force-all-tests/1/ passed except some keyserver-related well-known fragility + the same UEFI problem.

I can reproduce the UEFI issue in a UEFI VM on my sid system. If I replace quiet with nosplash debug on the kernel command line, I see:

Loading /live/vmlinuz... ok
Loading /live/initrd.img... ok

… and nothing else happens, except QEMU keeps using a full CPU core. Same in troubleshooting mode. Uh oh.

I don't know if it's a matter of "the graphics transition between syslinux and Linux fails" or anything else.

Next steps:

  1. upgrade Linux from 5.3-rc5 to 5.3.2
  2. retry with an image that has Linux 5.3 + GRUB (the branch from #6560), to see if it's purely a Linux problem or if the bootloader is involved
  3. disable all syslinux graphics settings that may interfere

#11 Updated by intrigeri 5 months ago

5.3.2-1 is currently building; once that's done, dak has run, the mirror sync is over, and our time-based snapshots have picked it up, I'll update our branch to install it instead of 5.3.0-rc5.

Done.

The good news is that this updated kernel fixes the UEFI boot issue that I saw with 5.3-rc5 :)

#12 Updated by intrigeri 5 months ago

Test suite runs look good enough so I'll seriously consider the option suggested by hefee (see ticket description). Next steps:

#13 Updated by intrigeri 5 months ago

  • Status changed from In Progress to Needs Validation
  • Assignee deleted (intrigeri)

Next steps:

  • test on bare metal

Works fine on HP EliteBook 840G1 and ThinkPad X200: boots, Wi-Fi connects, Tor Browser starts, unplugging the boot device triggers emergency shutdown.

Done. Of course, this version is only in experimental so it's impossible to draw conclusions from the lack of regression reports on the Debian BTS.

My conclusion as of today: arguably there are very few reasons to upgrade to 5.3 right now (#17024 being one of them). But if we don't do this upgrade in 4.0~rc1, there's a high chance we end up in a bad place between 4.0~rc1 and 4.0, when likely some security fixes we'll want are available only by upgrading to 5.3 from sid once it's uploaded there. So I think we should bite this bullet, take the risk of hardware support regressions in 4.0~rc1, and go ahead.

#14 Updated by segfault 5 months ago

  • Assignee set to segfault

#15 Updated by segfault 5 months ago

  • Status changed from Needs Validation to Resolved
  • % Done changed from 0 to 100

#16 Updated by segfault 5 months ago

  • Related to Bug #17124: Install Linux 5.3 from sid added

#17 Updated by intrigeri 3 months ago

  • Related to Bug #17236: Enable the init_on_alloc=1 and init_on_free=1 Linux options added
