MX17.x migrated to MX18.3 : What kernel should I be on?

[entropyagent]

Greetings, MXers

Is there any conventional wisdom about what kernel my MX-18 rig should be using, from the perspective of staying up to date with all security patches? I have the idea that my Core2 Duo does not need anything that more modern kernels provide.

Code: Select all

System:    Host: brain Kernel: 4.13.0-1-amd64 x86_64 bits: 64 compiler: gcc v: 6.3.0 
           Desktop: Xfce 4.12.3 Distro: MX-18.3_x64 Continuum December 15  2017 
           base: Debian GNU/Linux 9 (stretch) 
           CPU:       Topology: Dual Core model: Intel Core2 Duo E7500 bits: 64 type: MCP arch: Penryn 
           rev: A L2 cache: 3072 KiB 

My existing setup: I don't recall when I installed, or what version, but I have a vague memory of it being 17-and-a-bit. I see that "Update will be automatic through the normal update process. " is mentioned in the migration information for some versions of 17 up to 18. I see this in the "Migration" page:

Code: Select all

From MX-17 Final, MX-17.1 or MX-18 RC1 to MX-18

Update will be automatic through the normal update process. Optional steps:

    The new 4.19 kernel will not be installed automatically. If you want the 
    kernel, there is an entry under 
    MX-Package Installer > Popular Apps > Kernels > MX 4.19

My question is really: It's nice to be offered a choice, but where do find the information I need, to know if I do, in fact, "want the kernel"? I have searched my feelings, and they just look at me blankly and insist "Need Input!"

I am trusting MX Linux to keep me as safe as an ignorant person gambolling unconcernedly through the Valley Of Death (a.k.a the Internet) can be, and it seems to be working "So far, so good.". But is it really keeping this kernel up-to-date?

I did run spectre-meltdown-checker --explain, but I suspect I lack the wit to understand the mix of Vulnerable and Not Vulnerable judgements. It's probably reasonable to suspect that comments like this are trying to tell me something:

Code: Select all

> How to fix: Your kernel is too old to have the mitigation for Variant 1, you should 
upgrade to a newer kernel. If you're using a Linux distro and didn't compile the 
kernel yourself, you should upgrade your distro to get a newer kernel.

Recommendations?

[entropyfoe]

Look here at anticapitalista's updated kernels. All patched.

https://antixlinux.com/fixed-bluez-secu ... available/

I don't see a 4.13, so maybe the latest 4.9 or 4.19. These are LTS kernels, so get many many bug fixes and updates.

Looks like our user names are in conflict !

[entropyagent]

I have sworn to defend entropy from all foes, foreign and domestic, but...perhaps I can overlook that, for now.

I do feel that MX could be a bit more informative about what kernels are recommended. Perhaps the fact that they are offered in the MX Package Installer means they are all appropriate from a security perspective, and the choice revolves around hardware compatibility or new features?

I have the wishful thought that there is an update train, which you get on when you install for the first time, and you ride it, with occasional patches and updates, until your distribution gets tired of supporting your freeloading. Maybe with the 17.x to 18.x migrations, I fell off the train? If so, that possibly implies that 4.19, mentioned on the Migration page, would get me back on board?

At present, this is my /boot folder

Code: Select all

$ ls -ort /boot/
total 61484
-rw-r--r-- 1 root   184840 Jun 25  2015 memtest86+_multiboot.bin
-rw-r--r-- 1 root   182704 Jun 25  2015 memtest86+.bin
-rw-r--r-- 1 root  4454160 Nov 18  2017 vmlinuz-4.13.0-1-amd64
-rw-r--r-- 1 root  2998167 Nov 18  2017 System.map-4.13.0-1-amd64
-rw-r--r-- 1 root   196565 Nov 18  2017 config-4.13.0-1-amd64
-rw-r--r-- 1 root 25609521 Dec 26  2018 initrd.img-4.13.0-1-amd64.old-dkms
drwxr-xr-x 5 root     4096 Mar 21  2020 grub
-rw-r--r-- 1 root 29317147 Oct 16 03:22 initrd.img-4.13.0-1-amd64

What would it look like on a regularly-updated MX-18.x that was installed from MX-18 media? That is, someone who has been on the update train all along?

Anyway, thanks for the encouragement. I will try to work up the courage to try 4.19 from MXPI. If I don't return, perhaps my machine will have succumbed to...that thing we don't talk about.

[entropyfoe]

Get the gumption.
The MXPI works well.

When you install a new kernel, then update grub, and reboot. At the grub you should see all the available kernels...you might have to arrow down to the advanced options to see the new kernel. [I am not in front of my MX machine, so I can't check now.] Select it and hit enter, and off you go booting.

If there is a problem, like it does not boot, you can repeat that process and select the old kernel that was working. Your old working kernel is not removed, it remains as your back-up.

There are some real kernel experts here, so if you have questions, an expert can really give the details. One aspect is if you need nvidia kernel modules, there can be some subtleties to sort that out. You might want to post your system information so the experts can assist with those details.

Anticapitalista is really great at packaging and patching up the kernels, MX is blessed with many kernel options.

[asqwerth]

To help the helpers help you, please post the output of your full Quick System Info so they can see the full details of your hardware and system. That will help with any suggestions of what kernel to install and use.

It would be best to use a kernel series that still receives updates for security so it's probably best to move from the current 4.13.

[Stevo]

We recommend that MX 18.3 users keep the backported 4.19 Debian kernels it uses as default updated to the latest 4.19 security updates we continue to backport to main from the Buster repository. Currently, that's the 4.19.0-12 (4.19.152) kernel.

[entropyagent]

Hi MXers

Thanks for info and tips. Using the kernel numbers specified by Stevo, my search turned up 2 candidates.

Code: Select all

linux-image-4.19.152-antix.1-amd64-smp - Linux kernel, version 4.19.152-antix.1-amd64-smp
linux-image-4.19.0-12-amd64-unsigned      - Linux 4.19 for 64-bit PCs

I used aptitude to install "linux-image-4.19.0-12-amd64-unsigned", and then "linux-headers-4.19.0-12-amd64" (which pulled in linux-headers-4.19.0-12-common{a} linux-kbuild-4.19{a} as well)

So, now the uname report is:

Code: Select all

$ uname -a
Linux brain 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1~mx17+1 (2020-10-20) x86_64 GNU/Linux

which seems to satisfy both numbers quoted by Stevo. It's been working "So far, so good." for +-2 days now.


There is a bit of a concern and a question, though. MXPI mentions a 4.19 but with an older patch level?:

Code: Select all

MX 4.19 kernel Meltdown and Spectre patched, 64 bit.
Packages to be installed: linux-image-4.19.0-11-amd64-unsigned
linux-headers-4.19.0-11-amd64

If I had installed from MXPI, would the next aptitude update have pulled in 4.19.0-12 to replace 4.19.0-11 ? Is this current kernel in line be updated when new patches arrive? Or would I be in the same position as after the migration from 17.x, which looks a bit like being left for years with an never-updated old kernel? Because that is a little disappointing.

I should perhaps mention that my sysadmin impersonation basically consists of entering "sudo aptitude update; sudo aptitude full-upgrade" whenever the mood takes me. Yes, I did once uninstall Kodi by blindly accepting the defaults and wondering why the mediaplayer stopped mediaplaying. Now I pay attention to the suggestions, at least.


Also, is it possible that there are others, who upgraded from MX17.x (There are dozens of us, I say! Dozens!), who are in a similar backwater?


Is there anything else I need to pull in? I notice that spectre-meltdown-checker mentions CPU microcode quite a bit. My current level seems to have received at update recently, which is encouraging:

Code: Select all

$ sudo dpkg-query -l *microcode*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                Version        Architecture   Description
+++-===================-==============-==============-===========================================
ii  amd64-microcode     3.20181128.1~m amd64          Processor microcode firmware for AMD CPUs
ii  intel-microcode     3.20200616.1~d amd64          Processor microcode firmware for Intel CPUs
un  microcode.ctl       <none>         <none>         (no description available)

$ ls -ort /var/cache/apt/archives/*microcode*
-rw-r--r-- 1 root 2548116 Jun 11 14:55 /var/cache/apt/archives/intel-microcode_3.20200609.2~deb9u1_amd64.deb
-rw-r--r-- 1 root 2476256 Jul  6 04:53 /var/cache/apt/archives/intel-microcode_3.20200616.1~deb9u1_amd64.deb

Thanks and Regards

[tony37]

If you update mx-packageinstaller-pkglist to the latest version, you'd see that 'MX 4.19' now provides the 4.19.0-12 kernel.
In MX 19, having the 4.19 kernel automatically updated is very easy, but in MX 18 all the available metapackages seem to lag behind... (maybe the best one is linux-image-4.19-amd64)

[entropyagent]

If you update mx-packageinstaller-pkglist to the latest version, you'd see that 'MX 4.19' now provides the 4.19.0-12 kernel.
In MX 19, having the 4.19 kernel automatically updated is very easy, but in MX 18 all the available metapackages seem to lag behind... (maybe the best one is linux-image-4.19-amd64)

Great, thanks. I updated it, and suddenly MXPI refers to 'MX 4.19' now provides the 4.19.0-12 kernel.
And it's greyed out, too. So am I now back on the upgrade train?

Could there be others, among the massed hordes of MX17.1 upgraders? I heard Christmas could be cancelled this year - perhaps Santa's sleigh might be available to visit them all personally for the upgrade.

Thanks again.

[tony37]

And it's greyed out, too. So am I now back on the upgrade train?

As I said about the metapackages, there is no ideal 'train' in MX18 for the 4.19 kernel. You can install linux-image-4.19-amd64 and linux-headers-4.19-amd64 but those use the Debian kernel packages, not the MX ones, and the MX kernels tend to be a bit faster. But there's no real 'train' for them. If you'd really want your kernel updated as quickly as possible, you could do a package request for a metapackage for the MX 4.19 kernel on MX 18. (I could propose such a thing too, but if there's no real demand for it, and I don't need it myself, then there might not be much enthusiasm for it). But if you can wait a few days (maybe a week) on your kernel updates, I'd just install the above-mentioned packages.
If you want to see what kernel you are using:

Code: Select all

uname -r

list of installed kernels:

Code: Select all

aptitude search 'linux-image ?installed'