
Update grsecurity kernels to 4.4.162 #3913

Merged
merged 5 commits into from Nov 26, 2018

emkll (Contributor) commented Oct 31, 2018

Status

Ready for review

4.4.162 kernel packages have already been uploaded to apt-test.freedom.press. Fixes #3838

Description of Changes

  • Bump kernels to 4.4.162 (linux-image and linux-firmware-image)
  • Adds intel-microcode package
  • Add linux-firmware-image for hardware compatibility
  • Remove 3.14.79 and 4.4.115 kernels.

Testing

  • Ensure apt-test.freedom.press is in apt-sources.
  • If using staging VMs, just vagrant up /staging/, and testinfra tests pass
  • Else, add apt-test.freedom.press to apt sources and run cron-apt -i -s, and reboot
  • The server comes back up, and uname -r returns 4.4.162-grsec
  • paxtest blackhat kills all the things

Hardware-specific testing

I have tested this in VMs, NUCs and Mac Minis, and it seems to work properly. If you have any other hardware

Deployment

Packages are live on apt-test.freedom.press for testing.

For the 0.11.0 release, kernel debs (both the securedrop-grsec metapackage and linux-image-4.4.162-grsec_4.4.162-grsec-1_amd64) need to be uploaded to the apt server.

If the instances fail to boot, instructions in https://docs.securedrop.org/en/stable/upgrade/0.5.x_to_0.6.html are still valid.

Checklist

If you made changes to the system configuration:
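The post-upgrade checks from the Testing and Deployment sections, written as an added example (not the project's testinfra tests) over constructed `uname -r` and `dpkg-query` output. The `linux-firmware-image-<release>` package name and the dpkg status line format are assumptions; `linux-image-<release>` follows the deb name quoted above, and the retired prefixes cover the 3.14.79, 4.4.115 and 4.4.135 series this PR removes.

```python
# Added example, not the project's own tests. One constant drives every
# derived package name so a future bump touches a single line.
KERNEL_VERSION = "4.4.162"
GRSEC_RELEASE = KERNEL_VERSION + "-grsec"   # what `uname -r` must report
# Packages this PR ships or adds. linux-image-<release> matches the deb name
# quoted in the PR; the linux-firmware-image name is an assumption.
REQUIRED_PACKAGES = (
    "securedrop-grsec",
    "linux-image-" + GRSEC_RELEASE,
    "linux-firmware-image-" + GRSEC_RELEASE,
    "intel-microcode",
)
# Kernel series the PR removes (3.14.79, 4.4.115, 4.4.135); none may stay installed.
RETIRED_PREFIXES = ("linux-image-3.14.", "linux-image-4.4.115-", "linux-image-4.4.135-")
INSTALLED = "install ok installed"


def parse_dpkg_status(output):
    """Parse `dpkg-query -W -f='${Package} ${Status}\\n'` output into {name: status}."""
    packages = {}
    for line in output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            packages[parts[0]] = parts[1].strip()
    return packages


def check_kernel_upgrade(uname_r, dpkg_output):
    """Return a list of failures; an empty list means the host passed every check."""
    failures = []
    running = uname_r.strip()
    if running != GRSEC_RELEASE:
        failures.append("running kernel %r, expected %r" % (running, GRSEC_RELEASE))
    packages = parse_dpkg_status(dpkg_output)
    for name in REQUIRED_PACKAGES:
        if packages.get(name) != INSTALLED:
            failures.append("%s is not installed" % name)
    for name, status in packages.items():
        if name.startswith(RETIRED_PREFIXES) and status == INSTALLED:
            failures.append("retired kernel still installed: %s" % name)
    return failures


# Constructed sample output from a host that completed the upgrade cleanly.
SAMPLE_UNAME = "4.4.162-grsec\n"
SAMPLE_DPKG = """\
securedrop-grsec install ok installed
linux-image-4.4.162-grsec install ok installed
linux-firmware-image-4.4.162-grsec install ok installed
intel-microcode install ok installed
linux-image-4.4.115-grsec deinstall ok config-files
"""
```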

conorsch (Contributor) commented Nov 2, 2018

Flagging that these changes cause tests to fail in #3909, which introduces grsec tests in staging. 🎉 Will prioritize review of this PR, so that #3909 can be rebased on top of it.

conorsch (Contributor) commented Nov 2, 2018

  • Ensure apt-test.freedom.press is in apt-sources.
  • 🔴 If using staging VMs, just vagrant up /staging/, and testinfra tests pass (see #3916; let's not block merge)
  • The server comes back up, and uname -r returns 4.4.162-grsec
  • paxtest blackhat kills all the things

conorsch (Contributor) left a comment

Added a few more tests. Only tested in VMs, not on hardware yet. So far, so good. Let's get this in so it can bake during the current development cycle.

msheiny (Contributor) commented Nov 2, 2018

hah this is breaking my PR #3909 .. thanks CSO!! Some cherry picking is in order.

conorsch (Contributor) commented Nov 2, 2018

@msheiny Now that #3921 is in, we can rebase this on that, then we should be good for merge. Rebase incoming...

Example build failure, showing its requests: https://circleci.com/gh/freedomofpress/securedrop/19199

msheiny (Contributor) commented Nov 2, 2018

@conorsch I'm rebasing... and fixing stuff

msheiny (Contributor) commented Nov 2, 2018

actually I just want to cherry-pick here..

msheiny (Contributor) commented Nov 2, 2018

disregard! I was confused! rebase away

@conorsch conorsch force-pushed the 3838-bump-kernels-to-4.4.162 branch from 9cd2900 to bb708cb Nov 2, 2018

emkll and others added some commits Oct 24, 2018

  • Remove 3.14 series kernels
    Now that all users have reported a smooth transition to the 4.4 series kernels, let's remove these old, unmaintained and end-of-life kernel series.
  • Add intel-microcode package
    Provides microcode updates to address various Intel CPU-based vulnerabilities.
  • Bump kernels to 4.4.162
  • Remove 4.4.135 kernels
  • Adds config tests for kernel-related packages
    The microcode package was just added, so let's test for it. Also updated the kernel version to be a constant, so we can reuse it inside package names, notably the firmware image (for additional hardware support).

@emkll emkll force-pushed the 3838-bump-kernels-to-4.4.162 branch from bb708cb to dfabb1c Nov 19, 2018

emkll (Contributor) commented Nov 20, 2018

I've been seeing some errors in syslog, in qubes staging, I will see if I can reproduce in other environments:

Nov 20 12:24:08 sd-app kernel: [  183.663203] init: hvc0 main process (1630) terminated with status 1
Nov 20 12:24:08 sd-app kernel: [  183.663213] init: hvc0 main process ended, respawning
Nov 20 12:24:18 sd-app kernel: [  193.668237] init: hvc0 main process (1632) terminated with status 1
Nov 20 12:24:18 sd-app kernel: [  193.668248] init: hvc0 main process ended, respawning
Nov 20 12:24:28 sd-app kernel: [  203.680099] init: hvc0 main process (1634) terminated with status 1
Nov 20 12:24:28 sd-app kernel: [  203.680109] init: hvc0 main process ended, respawning
Nov 20 12:24:38 sd-app kernel: [  213.682809] init: hvc0 main process (1636) terminated with status 1
Nov 20 12:24:38 sd-app kernel: [  213.682819] init: hvc0 main process ended, respawning
Nov 20 12:24:48 sd-app kernel: [  223.690815] init: hvc0 main process (1638) terminated with status 1
Nov 20 12:24:48 sd-app kernel: [  223.690825] init: hvc0 main process ended, respawning
Nov 20 12:24:58 sd-app kernel: [  233.693838] init: hvc0 main process (1640) terminated with status 1
Nov 20 12:24:58 sd-app kernel: [  233.693848] init: hvc0 main process ended, respawning
Nov 20 12:25:08 sd-app kernel: [  243.698088] init: hvc0 main process (1642) terminated with status 1
Nov 20 12:25:08 sd-app kernel: [  243.698099] init: hvc0 main process ended, respawning
Nov 20 12:25:18 sd-app kernel: [  253.703098] init: hvc0 main process (1644) terminated with status 1
Nov 20 12:25:18 sd-app kernel: [  253.703108] init: hvc0 main process ended, respawning
Nov 20 12:25:28 sd-app kernel: [  263.706533] init: hvc0 main process (1646) terminated with status 1
Nov 20 12:25:28 sd-app kernel: [  263.706543] init: hvc0 main process ended, respawning
Nov 20 12:25:38 sd-app kernel: [  273.709408] init: hvc0 main process (1648) terminated with status 1
Nov 20 12:25:38 sd-app kernel: [  273.709419] init: hvc0 main process ended, respawning
Nov 20 12:25:48 sd-app kernel: [  283.712697] init: hvc0 main process (1650) terminated with status 1
Nov 20 12:25:48 sd-app kernel: [  283.712709] init: hvc0 main process ended, respawning
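Detection logic for the respawn loop shown in the log above, as an added example (not SecureDrop code): it parses the two Upstart messages from emkll's comment and flags a job that keeps dying inside a short uptime window. The window and threshold are assumed tuning values, and the sample includes one constructed unrelated kernel line to show it is ignored.

```python
import re
from collections import defaultdict

# Added example, not project code. Matches the two Upstart messages quoted
# above: "init: <job> main process (<pid>) terminated with status <n>" and
# "init: <job> main process ended, respawning". Uptime in [brackets] gives a
# monotonic clock, so the detector does not need to parse the syslog timestamp.
_UPSTART = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ kernel: \[\s*(?P<up>[\d.]+)\] init: (?P<job>\S+) "
    r"main process (?:\((?P<pid>\d+)\) terminated with status (?P<status>\d+)|ended, respawning)$"
)


def parse_terminations(lines):
    """Return {job: [(uptime_seconds, pid, exit_status), ...]} for each 'terminated' line."""
    events = defaultdict(list)
    for line in lines:
        m = _UPSTART.match(line)
        if m and m.group("pid"):
            events[m.group("job")].append(
                (float(m.group("up")), int(m.group("pid")), int(m.group("status"))))
    return events


def find_respawn_loops(lines, window_s=60.0, threshold=3):
    """Flag jobs terminated >= threshold times inside any window_s seconds of uptime.

    window_s and threshold are assumed tuning values, not from the PR."""
    loops = {}
    for job, events in parse_terminations(lines).items():
        times = [t for t, _, _ in events]
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window_s:
                j += 1
            if j - i >= threshold:
                loops[job] = {"terminations": len(events), "last_status": events[-1][2],
                              "first_uptime": times[0], "last_uptime": times[-1]}
                break
    return loops


# Three of the hvc0 pairs from the comment above plus one constructed unrelated line.
SAMPLE_LOG = """\
Nov 20 12:24:08 sd-app kernel: [  183.663203] init: hvc0 main process (1630) terminated with status 1
Nov 20 12:24:08 sd-app kernel: [  183.663213] init: hvc0 main process ended, respawning
Nov 20 12:24:09 sd-app kernel: [  184.120000] usb 1-1: new high-speed USB device number 2
Nov 20 12:24:18 sd-app kernel: [  193.668237] init: hvc0 main process (1632) terminated with status 1
Nov 20 12:24:18 sd-app kernel: [  193.668248] init: hvc0 main process ended, respawning
Nov 20 12:24:28 sd-app kernel: [  203.680099] init: hvc0 main process (1634) terminated with status 1
Nov 20 12:24:28 sd-app kernel: [  203.680109] init: hvc0 main process ended, respawning
"""
```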

redshiftzero (Member) left a comment

  • apt-test.freedom.press in apt sources for both app and mon
  • after reboot, both app and mon running 4.4.162
  • testinfra tests pass - I did not test due to #3938
  • paxtest blackhat kills all the things

I did not see any odd messages in syslog like you report @emkll. Minor nit inline, else if you're happy with this, feel free to merge

@@ -3,6 +3,9 @@
import re


KERNEL_VERSION = "4.4.162"
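Review bot: KERNEL_VERSION hard-codes the kernel version as a second source of truth beside the grsec_version already held in the shared test vars (the nit raised in review); a bump that edits one and not the other leaves these package-name checks asserting a stale version. Derive the constant from the shared test vars, or add an assertion that the two strings agree, so the version is maintained in one place.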

redshiftzero (Member) commented Nov 22, 2018

Nit: in the spirit of DRY, can we use pytest.securedrop_test_vars.grsec_version here?

@emkll emkll force-pushed the 3838-bump-kernels-to-4.4.162 branch from b383733 to 9234c32 Nov 22, 2018

redshiftzero (Member) left a comment

restamping after my requested change was implemented

conorsch (Contributor) commented Nov 26, 2018

No concerns, changes look good. Will rebase #3909 on top of latest develop post-merge to re-run CI over there.

@conorsch conorsch merged commit 36cbb21 into develop Nov 26, 2018

5 checks passed

  • ci/circleci: admin-tests
  • ci/circleci: lint
  • ci/circleci: staging-test-with-rebase
  • ci/circleci: tests
  • ci/circleci: updater-gui-tests

@redshiftzero redshiftzero deleted the 3838-bump-kernels-to-4.4.162 branch Nov 28, 2018

@emkll emkll referenced this pull request Nov 30, 2018

Closed

Release SecureDrop 0.11.0 #3946

27 of 27 tasks complete