Update grsecurity kernels to 4.4.162 #3913
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
conorsch
previously approved these changes
Nov 2, 2018
|
hah this is breaking my PR #3909 .. thanks CSO!! Some cherry picking is in order. |
|
@msheiny Now that #3921 is in, we can rebase this on that, then we should be good for merge. Rebase incoming... Example build failure, showing it's requests: https://circleci.com/gh/freedomofpress/securedrop/19199 |
|
@conorsch im rebasing... and fixing stuff |
|
actually i just want to cherry pick here.. |
|
disregard! i was confused! rebase away |
conorsch
force-pushed
the
3838-bump-kernels-to-4.4.162
branch
from
9cd2900 to
bb708cb
Compare
Now that all users have reported a smooth transition to the 4.4 series kernels, let's remove these old, unmaintained and end-of-life kernel series.
Provides microcode updates to addres various Intel cpu-based vulnerabilities.
Remove 4.4.135 kernels
The microcode package was just added, so let's test for it. Also updated the kernel version to be a constant, so we can reuse it inside package names, notable the firmware image (for additional hardware support).
emkll
force-pushed
the
3838-bump-kernels-to-4.4.162
branch
from
bb708cb to
dfabb1c
Compare
|
I've been seeing some errors in syslog, in qubes staging, I will see if i can reproduce in other environments: |
redshiftzero
previously approved these changes
Nov 22, 2018
There was a problem hiding this comment.
✅ apt-test.freedom.press in apt sources for both app and mon
✅ after reboot, both app and mon running 4.4.162
❔ testinfra tests pass - I did not test due to #3938
✅ paxtest blackhat kills all the things
I did not see any odd messages in syslog like you report @emkll. Minor nit inline, else if you're happy with this, feel free to merge
| @@ -3,6 +3,9 @@ | |||
| import re | |||
|
|
|||
|
|
|||
| KERNEL_VERSION = "4.4.162" | |||
There was a problem hiding this comment.
Nit: in the spirit of DRY, can we use pytest.securedrop_test_vars.grsec_version here?
emkll
force-pushed
the
3838-bump-kernels-to-4.4.162
branch
from
b383733 to
9234c32
Compare
redshiftzero
approved these changes
Nov 26, 2018
|
No concerns, changes look good. Will rebase #3909 on top of latest develop post-merge to re-run CI over there. |
This was referenced Nov 28, 2018
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Status
Ready for review
4.4.162 kernel packages have already been uploaded to apt-test.freedom.press. Fixes #3838
Description of Changes
Testing
apt-test.freedom.pressis in apt-sources.vagrant up /staging/, and testinfra tests passcron-apt -i -s, and rebootuname -rreturns4.4.162-grsecpaxtest blackhatkills all the thingsHardware-specific testing
I have tested this in VMs, NUCs and Mac Minis, and seem to work properly. If you have any other hardware
Deployment
Packages are live on apt-test.freedom.press for testing.
For the 0.11.0 release, kernel debs (both the
securedrop-grsecmetapackage andlinux-image-4.4.162-grsec_4.4.162-grsec-1_amd64need to be uploaded to the apt server).If the instances fail to boot, instructions in https://docs.securedrop.org/en/stable/upgrade/0.5.x_to_0.6.html are still valid.
Checklist
If you made changes to the system configuration: