Bug #17124

Install Linux 5.3 from sid

Added by segfault about 1 month ago. Updated 2 days ago.

Status:
Resolved
Priority:
Elevated
Assignee:
-
Category:
-
Target version:
Start date:
Due date:
% Done:

100%

Feature Branch:
bugfix/17124-17161-linux-5.3-from-sid+force-all-tests
Type of work:
Code
Blueprint:
Starter:
Affected tool:

Description

We install it from experimental for 4.0~rc1, but we shouldn't ship a kernel from experimental in 4.0.

The relevant commit is 031cf21cc898693476bad209db4815805c05aded.


Related issues

Related to Tails - Bug #17117: Upgrade to Linux 5.3 Resolved
Related to Tails - Feature #17202: Upgrade to Buster 10.2 Confirmed
Related to Tails - Bug #17154: Improve entropy gathering Confirmed
Related to Tails - Bug #17236: Consider enabling the init_on_alloc=1 and init_on_free=1 Linux options Confirmed
Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed
Blocks Tails - Bug #17161: devel branch FTBFS since virtualbox 6.0.14-dfsg-1 was uploaded to sid and linux-image-5.3.0-trunk-amd64 is not in experimental anymore Resolved

Associated revisions

Revision 306fc1ff (diff)
Added by intrigeri 7 days ago

Bump APT snapshot of the Debian archive to 2019110902 (refs: #17124)

Revision d4b316eb (diff)
Added by intrigeri 7 days ago

Upgrade Linux to 5.3.0-1 from sid (refs: #17124)

And accordingly:

- Upgrade aufs to 5.3-20191021
- Drop the experimental APT source, which was added only for Linux 5.3

Revision 4e378e52 (diff)
Added by intrigeri 7 days ago

Install virtualbox 6.0.12-dfsg-1 from our custom APT repository (refs: #17124, #17161).

sid now has 6.0.14-dfsg-1, and virtualbox-guest-x11 6.0.14-dfsg-1 depends on
a newer libc6 than the one we have in Buster. So for now, let's stick
to an older version, which seems preferable to fully removing this package.

A cleaner solution would be to maintain a custom backport of src:virtualbox.
Last time anonym and I discussed how many resources we wanted to spend on
VirtualBox support, we decided to do it on a best effort basis, i.e. to install
it from sid when it's possible, and to drop it when it's not possible anymore.
I'm already doing a bit more than that here, so maintaining a custom backport
seems unreasonably expensive to me.

We shall reconsider once we add Secure Boot support (the dkms module won't
be loadable anymore) or when VirtualBox has a severe security issue.

Revision 40289177 (diff)
Added by intrigeri 5 days ago

Upgrade Linux to 5.3.9-1 (refs: #17124, #17161)

Revision 6a00e904
Added by segfault 2 days ago

Merge branch 'bugfix/17124-17161-linux-5.3-from-sid+force-all-tests' into stable (Closes: #17161, #17124)

History

#1 Updated by segfault about 1 month ago

#2 Updated by segfault about 1 month ago

  • Related to Bug #17117: Upgrade to Linux 5.3 added

#3 Updated by segfault about 1 month ago

  • Description updated (diff)

#4 Updated by intrigeri 29 days ago

I've just asked carnil about their planned timing wrt. uploading 5.3 to sid (or a newer 5.3.x to experimental).

#5 Updated by intrigeri 27 days ago

  • Assignee set to intrigeri

https://salsa.debian.org/kernel-team/linux/tree/sid has 5.3.7-1 but it was not uploaded yet. I'll keep an eye on it today but the chances we can upgrade the kernel in 4.0 final start to look pretty slim.

#6 Updated by intrigeri 26 days ago

  • Assignee deleted (intrigeri)
  • Priority changed from Normal to Elevated
  • Target version changed from Tails_4.0 to Tails_4.1
  • Type of work changed from Code to Wait

OK, even if a newer Linux landed in sid right now, factoring in the time it takes to update our APT snapshots, it's too late to give it sufficient QA ⇒ postponing. But we should really do this for 4.1 so bumping priority a bit.

#7 Updated by intrigeri 16 days ago

#8 Updated by intrigeri 7 days ago

  • Related to Bug #17161: devel branch FTBFS since virtualbox 6.0.14-dfsg-1 was uploaded to sid and linux-image-5.3.0-trunk-amd64 is not in experimental anymore added

#9 Updated by intrigeri 7 days ago

  • Assignee set to intrigeri
  • Type of work changed from Wait to Code

#10 Updated by intrigeri 7 days ago

  • Feature Branch set to bugfix/17124-17161-linux-5.3-from-sid+force-all-tests

#11 Updated by intrigeri 7 days ago

  • Status changed from Confirmed to In Progress

#12 Updated by intrigeri 6 days ago

Full test suite passed on my local Jenkins with 5.3.7-1. Next steps:

#13 Updated by intrigeri 5 days ago

The first full test suite run on lizard with 5.3.9-1 has only one failure, which is a known test suite bug (#17102).

The only failure on my local Jenkins (some VeraCrypt scenario) looks like a Dogtail / test suite bug: the screenshot shows the expected successful outcome.

#14 Updated by intrigeri 5 days ago

  • Related to Bug #17154: Improve entropy gathering added

#15 Updated by intrigeri 5 days ago

Changes:

  • Tons of bugfixes. I bet the hardware support ones, especially GPU-related, will be welcome. This kernel update fixes sound support on lots of machines.
  • One jitter entropy commit was backported. That's related to #17154. As far as this kernel update is concerned, I think that's fine: as long as we ship haveged, we already have essentially the same mechanism in place, so even if we have doubts about the quality of the generated entropy, that change should not be a regression. I'd love @segfault to confirm though. I see no way to disable this without compiling our own kernel, which I'd rather avoid.

Security:

  • Included security fixes potentially relevant to Tails since 5.3.2-1~exp1 (shipped in Tails 4.0) are mostly in the Wi-Fi stack: CVE-2019-17133, CVE-2019-16746, CVE-2019-17075, CVE-2019-15098.
  • https://security-tracker.debian.org/tracker/source-package/linux shows a bunch of issues that are not fixed in this new version yet. Chances are that we'll have to upgrade again before our 4.1 release, but IMO this should not block this first iteration, especially since it'll fix #17161.

I see no severe regression reported so far to the Debian BTS.

The diff between the .packages files (stable vs. this branch) looks entirely sane. Apart from the kernel upgrade, the only changes are:

  • amd64-microcode 3.20181128.1 → 3.20191021.1
  • firmware-zd1211 1:1.5-6 → 1:1.5-7

https://outflux.net/blog/ has no "security things in Linux v5.3" article yet. https://kernelnewbies.org/LinuxChanges#Linux_5.3.Security has nothing new that would need enabling.

#16 Updated by intrigeri 5 days ago

  • Status changed from In Progress to Needs Validation
  • Assignee deleted (intrigeri)

Bare metal (ThinkPad X1 Carbon 6th, ThinkPad X200, HP EliteBook 840G1) tests are successful: boots from USB; Wi-Fi, sound, and HTML5 video in Tor Browser all work; unplugging the USB stick triggers emergency shutdown.

So I'm done with the checklist and I think we're now good to go!

#17 Updated by intrigeri 5 days ago

  • Related to deleted (Bug #17161: devel branch FTBFS since virtualbox 6.0.14-dfsg-1 was uploaded to sid and linux-image-5.3.0-trunk-amd64 is not in experimental anymore)

#18 Updated by intrigeri 5 days ago

  • Blocks Bug #17161: devel branch FTBFS since virtualbox 6.0.14-dfsg-1 was uploaded to sid and linux-image-5.3.0-trunk-amd64 is not in experimental anymore added

#19 Updated by intrigeri 3 days ago

Note that 5.3.9-2 was uploaded to sid since, and this branch does not pick it up due to older APT snapshots. We'll get this upgrade via #17202 so I'd rather not block on this and instead get this merged (e.g. because it fixes the almost-1-month-old devel branch FTBFS).

#20 Updated by segfault 2 days ago

intrigeri wrote:

  • One jitter entropy commit was backported. That's related to #17154. As far as this kernel update is concerned, I think that's fine: as long as we ship haveged, we already have essentially the same mechanism in place, so even if we have doubts about the quality of the generated entropy, that change should not be a regression. I'd love @segfault to confirm though. I see no way to disable this without compiling our own kernel, which I'd rather avoid.

Yes, haveged also uses jitter entropy, and the entropy from the kernel is hopefully not worse, and potentially better than the one from haveged. I don't think we should try to disable it.

#21 Updated by segfault 2 days ago

  • Status changed from Needs Validation to Resolved
  • % Done changed from 0 to 100

#22 Updated by intrigeri about 17 hours ago

  • Related to Bug #17236: Consider enabling the init_on_alloc=1 and init_on_free=1 Linux options added