
Update securedrop kernels to 4.4.161+ #3838

Closed
emkll opened this Issue Oct 2, 2018 · 5 comments

Comments

2 participants

emkll commented Oct 2, 2018

Description

Securedrop instances are currently running 4.4.144 kernels.

L1TF and Spectre v4, as well as multiple local privilege escalation vulnerabilities (CVE-2018-0919 and CVE-2018-14634), were fixed after the release of those kernels. While the vulnerabilities above require local code execution to exploit, we should still upgrade the kernel packages.

User Stories

As a securedrop admin, I would like to have the latest kernel for my securedrop instance.
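For an admin who wants to confirm where an instance stands relative to the minimum version this issue asks for, the following POSIX shell script is an added example (it is not part of SecureDrop or of this issue). It compares the running kernel against 4.4.161 with a numeric field-by-field comparison (so 4.4.9 is not mistaken for newer than 4.4.161), and reports the mitigation status the kernel exposes under `/sys/devices/system/cpu/vulnerabilities/` for L1TF, Spectre and friends. The `MIN_KERNEL` value and the `-grsec` suffix handling are assumptions taken from this thread; the sysfs directory is only present on kernels that carry the mitigation backports, and the script says so when it is missing.

```shell
#!/bin/sh
# Added example: check that the running kernel is at least the version this
# issue asks for, and summarise the CPU mitigation status sysfs reports.

MIN_KERNEL="4.4.161"   # assumption: minimum version named in the issue title

# Reduce "4.4.144-grsec" (or any distro/grsecurity suffix) to "4.4.144".
kernel_base_version() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+).*/\1/'
}

# Return 0 when kernel version $1 is >= version $2, comparing each of the
# three fields numerically (string comparison would rank 4.4.9 above 4.4.161).
version_ge() {
    a=$(kernel_base_version "$1")
    b=$(kernel_base_version "$2")
    old_ifs=$IFS
    IFS=.
    set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# A sysfs status line is acceptable unless it starts with "Vulnerable";
# "Not affected" and "Mitigation: ..." both pass.
mitigation_ok() {
    case "$1" in
        Vulnerable*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print "<name>: <status>" for every entry in the sysfs vulnerabilities
# directory. The directory is a parameter so the function can be pointed at
# a copied tree; it returns 1 when the kernel does not expose the directory.
report_mitigations() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    if [ ! -d "$dir" ]; then
        echo "no $dir: this kernel predates the mitigation backports"
        return 1
    fi
    for f in "$dir"/*; do
        status=$(cat "$f")
        if mitigation_ok "$status"; then flag="ok"; else flag="VULNERABLE"; fi
        printf '%-14s %-10s %s\n' "$(basename "$f")" "$flag" "$status"
    done
}

main() {
    running=$(uname -r)
    if version_ge "$running" "$MIN_KERNEL"; then
        echo "kernel $running meets minimum $MIN_KERNEL"
    else
        echo "kernel $running is older than $MIN_KERNEL: upgrade needed"
    fi
    report_mitigations || true
}

main "$@"
```

Run it on the app or monitor server as any user; reading sysfs needs no privileges. A kernel that prints "ok" for every entry but is still below 4.4.161 has the CPU mitigations yet lacks the fixes for the local privilege escalation CVEs the issue lists, which is why the version check comes first.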

@emkll emkll added this to the 0.10.0 milestone Oct 2, 2018

@emkll emkll self-assigned this Oct 2, 2018

@eloquence eloquence added this to Under Review in SecureDrop Team Board Oct 2, 2018

@eloquence eloquence moved this from Under Review to Near Term Backlog in SecureDrop Team Board Oct 2, 2018


emkll commented Oct 3, 2018

Attempted a build of the 4.4.159 kernel; unfortunately it does not boot on a NUC, hanging on a black screen right after GRUB. This is likely not a config issue, as there's a 2-line diff in the config from 4.4.144 to 4.4.159. I will wait for 4.4.160 to be released and see if I can reproduce, and debug if necessary.


conorsch commented Oct 3, 2018

Drat. Thanks for reporting, @emkll. To be clear, the NUC you used was an older model, currently recommended for SD, not one of the newer models mentioned in #3826, correct?


emkll commented Oct 3, 2018

It's an older model, a NUC5CPYH with a 2nd generation Intel Core processor. It's curious, as it boots fine in a VM, and the config is very close to identical. I will be poking around at debugging this.

@eloquence eloquence moved this from Near Term Backlog to Current Sprint Backlog - 10/4 - 10/17 in SecureDrop Team Board Oct 4, 2018

@emkll emkll referenced this issue Oct 9, 2018

Merged

Always force the use latest kernel by default #3857

2 of 5 tasks complete

@eloquence eloquence removed this from Current Sprint Backlog - 10/4 - 10/17 in SecureDrop Team Board Oct 10, 2018

@emkll emkll modified the milestones: 0.10.0, 0.11.0 Oct 19, 2018


emkll commented Oct 19, 2018

I've tested the newly-released kernel/patch version 4.4.161 this morning and it seems to be working quite well; we should consider upgrading the packages on apt-test once 0.10.0 is released.

@emkll emkll changed the title from "Update securedrop kernels to 4.4.159" to "Update securedrop kernels to 4.4.161+" Oct 19, 2018

@emkll emkll referenced this issue Oct 31, 2018

Merged

Update grsecurity kernels to 4.4.162 #3913

1 of 6 tasks complete

emkll commented Oct 31, 2018

grsecurity-3.1-4.4.162-201810302257.patch solves the issues I've been experiencing. Kernel images have been uploaded to apt-test, the strings bump is in #3913 and the config is tracked here: freedomofpress/ansible-role-grsecurity-build#41

@eloquence eloquence added this to Near Term Backlog in SecureDrop Team Board Nov 16, 2018

@eloquence eloquence moved this from Near Term Backlog to Current Sprint Backlog - 11/16-11/28 in SecureDrop Team Board Nov 16, 2018

@emkll emkll moved this from Current Sprint Backlog - 11/16-11/28 to In Development in SecureDrop Team Board Nov 19, 2018

@emkll emkll moved this from In Development to Ready for review in SecureDrop Team Board Nov 19, 2018

SecureDrop Team Board automation moved this from Ready for review to Done Nov 26, 2018
