MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Mon Oct 26, 2020 1:53 pm
by entropyagent
Greetings, MXers

Is there any conventional wisdom about what kernel my MX-18 rig should be using, from the perspective of staying up to date with all security patches? I have the idea that my Core2 Duo does not need anything that more modern kernels provide.

Code:

System:    Host: brain Kernel: 4.13.0-1-amd64 x86_64 bits: 64 compiler: gcc v: 6.3.0 
           Desktop: Xfce 4.12.3 Distro: MX-18.3_x64 Continuum December 15  2017 
           base: Debian GNU/Linux 9 (stretch) 
           CPU:       Topology: Dual Core model: Intel Core2 Duo E7500 bits: 64 type: MCP arch: Penryn 
           rev: A L2 cache: 3072 KiB

My existing setup: I don't recall when I installed, or what version, but I have a vague memory of it being 17-and-a-bit. I see that "Update will be automatic through the normal update process." is mentioned in the migration information for some versions of 17 up to 18. I see this in the "Migration" page:

Code:

From MX-17 Final, MX-17.1 or MX-18 RC1 to MX-18

Update will be automatic through the normal update process. Optional steps:

    The new 4.19 kernel will not be installed automatically. If you want the 
    kernel, there is an entry under 
    MX-Package Installer > Popular Apps > Kernels > MX 4.19



My question is really: It's nice to be offered a choice, but where do I find the information I need, to know if I do, in fact, "want the kernel"? I have searched my feelings, and they just look at me blankly and insist "Need Input!"

I am trusting MX Linux to keep me as safe as an ignorant person gambolling unconcernedly through the Valley Of Death (a.k.a the Internet) can be, and it seems to be working "So far, so good.". But is it really keeping this kernel up-to-date?

I did run spectre-meltdown-checker --explain, but I suspect I lack the wit to understand the mix of Vulnerable and Not Vulnerable judgements. It's probably reasonable to suspect that comments like this are trying to tell me something:

Code:

> How to fix: Your kernel is too old to have the mitigation for Variant 1, you should 
upgrade to a newer kernel. If you're using a Linux distro and didn't compile the 
kernel yourself, you should upgrade your distro to get a newer kernel.

Recommendations?

Re: MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Mon Oct 26, 2020 2:24 pm
by entropyfoe
Look here at anticapitalista's updated kernels. All patched. :happy:

https://antixlinux.com/fixed-bluez-secu ... available/

I don't see a 4.13, so maybe the latest 4.9 or 4.19. These are LTS kernels, so get many many bug fixes and updates.

Looks like our user names are in conflict ! ;)

Re: MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Mon Oct 26, 2020 4:21 pm
by entropyagent
I have sworn to defend entropy from all foes, foreign and domestic, but...perhaps I can overlook that, for now.

I do feel that MX could be a bit more informative about what kernels are recommended. Perhaps the fact that they are offered in the MX Package Installer means they are all appropriate from a security perspective, and the choice revolves around hardware compatibility or new features?

I have the wishful thought that there is an update train, which you get on when you install for the first time, and you ride it, with occasional patches and updates, until your distribution gets tired of supporting your freeloading. Maybe with the 17.x to 18.x migrations, I fell off the train? If so, that possibly implies that 4.19, mentioned on the Migration page, would get me back on board?

At present, this is my /boot folder

Code:

$ ls -ort /boot/
total 61484
-rw-r--r-- 1 root   184840 Jun 25  2015 memtest86+_multiboot.bin
-rw-r--r-- 1 root   182704 Jun 25  2015 memtest86+.bin
-rw-r--r-- 1 root  4454160 Nov 18  2017 vmlinuz-4.13.0-1-amd64
-rw-r--r-- 1 root  2998167 Nov 18  2017 System.map-4.13.0-1-amd64
-rw-r--r-- 1 root   196565 Nov 18  2017 config-4.13.0-1-amd64
-rw-r--r-- 1 root 25609521 Dec 26  2018 initrd.img-4.13.0-1-amd64.old-dkms
drwxr-xr-x 5 root     4096 Mar 21  2020 grub
-rw-r--r-- 1 root 29317147 Oct 16 03:22 initrd.img-4.13.0-1-amd64

What would it look like on a regularly-updated MX-18.x that was installed from MX-18 media? That is, someone who has been on the update train all along?

Anyway, thanks for the encouragement. I will try to work up the courage to try 4.19 from MXPI. If I don't return, perhaps my machine will have succumbed to...that thing we don't talk about.

Re: MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Mon Oct 26, 2020 4:54 pm
by entropyfoe
Get the gumption.
The MXPI works well.

When you install a new kernel, then update grub, and reboot. At the grub you should see all the available kernels...you might have to arrow down to the advanced options to see the new kernel. [I am not in front of my MX machine, so I can't check now.] Select it and hit enter, and off you go booting.

If there is a problem, like it does not boot, you can repeat that process and select the old kernel that was working. Your old working kernel is not removed, it remains as your back-up.

There are some real kernel experts here, so if you have questions, an expert can really give the details. One aspect is if you need nvidia kernel modules, there can be some subtleties to sort that out. You might want to post your system information so the experts can assist with those details.

Anticapitalista is really great at packaging and patching up the kernels, MX is blessed with many kernel options. :cool:

Re: MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Mon Oct 26, 2020 9:58 pm
by asqwerth
To help the helpers help you, please post the output of your full Quick System Info so they can see the full details of your hardware and system. That will help with any suggestions of what kernel to install and use.

It would be best to use a kernel series that still receives updates for security so it's probably best to move from the current 4.13.

Re: MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Tue Oct 27, 2020 2:44 am
by Stevo
We recommend that MX 18.3 users keep the backported 4.19 Debian kernels it uses as default updated to the latest 4.19 security updates we continue to backport to main from the Buster repository. Currently, that's the 4.19.0-12 (4.19.152) kernel.

Re: MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Fri Oct 30, 2020 3:01 pm
by entropyagent
Hi MXers

Thanks for info and tips. Using the kernel numbers specified by Stevo, my search turned up 2 candidates.

Code:

linux-image-4.19.152-antix.1-amd64-smp - Linux kernel, version 4.19.152-antix.1-amd64-smp
linux-image-4.19.0-12-amd64-unsigned      - Linux 4.19 for 64-bit PCs

I used aptitude to install "linux-image-4.19.0-12-amd64-unsigned", and then "linux-headers-4.19.0-12-amd64" (which pulled in linux-headers-4.19.0-12-common{a} linux-kbuild-4.19{a} as well)

So, now the uname report is:

Code:

$ uname -a
Linux brain 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1~mx17+1 (2020-10-20) x86_64 GNU/Linux

which seems to satisfy both numbers quoted by Stevo. It's been working "So far, so good." for +-2 days now.


There is a bit of a concern and a question, though. MXPI mentions a 4.19 but with an older patch level?:

Code:

MX 4.19 kernel Meltdown and Spectre patched, 64 bit.
Packages to be installed: linux-image-4.19.0-11-amd64-unsigned
linux-headers-4.19.0-11-amd64

If I had installed from MXPI, would the next aptitude update have pulled in 4.19.0-12 to replace 4.19.0-11? Is this current kernel in line to be updated when new patches arrive? Or would I be in the same position as after the migration from 17.x, which looks a bit like being left for years with a never-updated old kernel? Because that is a little disappointing.

I should perhaps mention that my sysadmin impersonation basically consists of entering "sudo aptitude update; sudo aptitude full-upgrade" whenever the mood takes me. Yes, I did once uninstall Kodi by blindly accepting the defaults and wondering why the mediaplayer stopped mediaplaying. Now I pay attention to the suggestions, at least.


Also, is it possible that there are others, who upgraded from MX17.x (There are dozens of us, I say! Dozens!), who are in a similar backwater?


Is there anything else I need to pull in? I notice that spectre-meltdown-checker mentions CPU microcode quite a bit. My current level seems to have received an update recently, which is encouraging:

Code:

$ sudo dpkg-query -l *microcode*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                Version        Architecture   Description
+++-===================-==============-==============-===========================================
ii  amd64-microcode     3.20181128.1~m amd64          Processor microcode firmware for AMD CPUs
ii  intel-microcode     3.20200616.1~d amd64          Processor microcode firmware for Intel CPUs
un  microcode.ctl       <none>         <none>         (no description available)

$ ls -ort /var/cache/apt/archives/*microcode*
-rw-r--r-- 1 root 2548116 Jun 11 14:55 /var/cache/apt/archives/intel-microcode_3.20200609.2~deb9u1_amd64.deb
-rw-r--r-- 1 root 2476256 Jul  6 04:53 /var/cache/apt/archives/intel-microcode_3.20200616.1~deb9u1_amd64.deb




Thanks and Regards

Re: MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Fri Oct 30, 2020 3:31 pm
by tony37
If you update mx-packageinstaller-pkglist to the latest version, you'd see that 'MX 4.19' now provides the 4.19.0-12 kernel.
In MX 19, having the 4.19 kernel automatically updated is very easy, but in MX 18 all the available metapackages seem to lag behind... (maybe the best one is linux-image-4.19-amd64)

Re: MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Sun Nov 01, 2020 3:24 pm
by entropyagent
tony37 wrote: Fri Oct 30, 2020 3:31 pm If you update mx-packageinstaller-pkglist to the latest version, you'd see that 'MX 4.19' now provides the 4.19.0-12 kernel.
In MX 19, having the 4.19 kernel automatically updated is very easy, but in MX 18 all the available metapackages seem to lag behind... (maybe the best one is linux-image-4.19-amd64)

Great, thanks. I updated it, and suddenly MXPI refers to 'MX 4.19' now provides the 4.19.0-12 kernel.
And it's greyed out, too. So am I now back on the upgrade train?

Could there be others, among the massed hordes of MX17.1 upgraders? I heard Christmas could be cancelled this year - perhaps Santa's sleigh might be available to visit them all personally for the upgrade.

Thanks again.

Re: MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Sun Nov 01, 2020 3:53 pm
by tony37
entropyagent wrote: Sun Nov 01, 2020 3:24 pm And it's greyed out, too. So am I now back on the upgrade train?

As I said about the metapackages, there is no ideal 'train' in MX18 for the 4.19 kernel. You can install linux-image-4.19-amd64 and linux-headers-4.19-amd64 but those use the Debian kernel packages, not the MX ones, and the MX kernels tend to be a bit faster. But there's no real 'train' for them. If you'd really want your kernel updated as quickly as possible, you could do a package request for a metapackage for the MX 4.19 kernel on MX 18. (I could propose such a thing too, but if there's no real demand for it, and I don't need it myself, then there might not be much enthusiasm for it). But if you can wait a few days (maybe a week) on your kernel updates, I'd just install the above-mentioned packages.
If you want to see what kernel you are using:

Code:

uname -r

list of installed kernels:

Code:

aptitude search 'linux-image ?installed'

Re: MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Tue Nov 03, 2020 9:15 am
by entropyagent
My kernel is now

Code:

$ uname -a
Linux brain 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1~mx17+1 (2020-10-20) x86_64 GNU/Linux

$ aptitude search 'linux-image ?installed'
i   linux-image-4.13.0-1-amd64                - Linux 4.13 for 64-bit PCs                           
i   linux-image-4.19.0-12-amd64-unsigned      - Linux 4.19 for 64-bit PCs

and I will be paying more attention to see if I get updates. Thinking back over the last 10 years or so, I think this is the first time that my 'aptitude full-upgrades' did not bring me an updated kernel several times a year.

Regarding the microcode issue, I see MXPI tells me I have a greyed out iucode-tool 2.1.1-1 from Stable Repo, but Debian Backports is tempting me with iucode-tool 2.3.1-1-bpo9+1. Can I safely experiment with this update to see if it changes performance/stability/reported vulnerabilities, without exploding my Intel Core2 Duo E7500 (which does not actually seem to be HyperThreading capable, according to Intel) ?

Thanks for the guidance.

P.S. Is MXPI just casually opening a temporary portal into other repositories so I can browse them, without actually making permanent changes that might bite me if I forget them? That is seriously cool.

Re: MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Tue Nov 03, 2020 10:03 am
by tony37
What is it about the microcode you are worried about?
I think iucode-tool is not the microcode itself, just a simple tool ("man iucode-tool" for more explanation)
You can use MXPI to have a look at the MX Test repo and at the Debian Backports repo without permanently enabling said repos.

Re: MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Tue Nov 03, 2020 10:16 am
by Huckleberry Finn
entropyagent wrote: Fri Oct 30, 2020 3:01 pm...mentions CPU microcode quite a bit. My current level seems to have received an update recently, which is encouraging ...

Code:

$ cat /etc/modprobe.d/intel-microcode-blacklist.conf
# The microcode module attempts to apply a microcode update when
# it autoloads.  This is not always safe, so we block it by default.
blacklist microcode

:)

Re: MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Wed Nov 04, 2020 7:37 am
by Stevo
4.19.152 is the current Buster security updated version we backported to MX 17/18.

You're good.

Re: MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Wed Nov 04, 2020 9:01 am
by entropyagent
tony37 wrote: Tue Nov 03, 2020 10:03 am What is it about the microcode you are worried about?

I developed this interest after discovering that my meticulous updating regimen of an occasional "aptitude update;aptitude full-upgrade" had left me on the same kernel for +-3 years, which rocked my naively trusting worldview. Now I am wondering what else has been neglected. At around the same time I heard of spectre-meltdown-checker, which, while it might be a little obsessively focused, did help to alert me to the outdated-kernel issue. With a lot of help from the forum MXers, I now have a more recent kernel, which I hope will receive ongoing updates.

However, spectre-meltdown-checker seems not entirely satisfied with this, and offers such encouraging comments as:
STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)
and
CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability: NO
> STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability)

> How to fix: The microcode of your CPU needs to be upgraded to mitigate this vulnerability. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). The microcode update is enough, there is no additional OS, kernel or software change needed.

Sadly, I lack the wit to make much sense of these helpful hints, but my wishfulthinkotron translates that last comment "The microcode update is enough, there is no additional OS, kernel or software change needed." as "Clever, competent people will fix the problem for me, without me having to do anything" which, you must admit, is a cheering straw to clutch at.

On this subject, I commented out the blacklist for "microcode", so I hope this means my boot is trying to load it?

Code:

$ cat /etc/modprobe.d/intel-microcode-blacklist.conf
# The microcode module attempts to apply a microcode update when
# it autoloads.  This is not always safe, so we block it by default.
##blacklist microcode

I tried a boot with each kernel, but the results were not positive - what am I doing wrong?

Code:

$ aptitude search 'ucode ?installed' 'microcode ?installed'
i   amd64-microcode                           - Processor microcode firmware for AMD CPUs           
i   intel-microcode                           - Processor microcode firmware for Intel CPUs         
i   iucode-tool                               - Intel processor microcode tool                      

$ uname -a
Linux brain 4.13.0-1-amd64 #1 SMP Debian 4.13.13-1mx17 (2017-11-18) x86_64 GNU/Linux
yyy@zzz:~
$ lsmod | grep -i micro
yyy@zzz:~
$ sudo modprobe -v microcode
modprobe: FATAL: Module microcode not found in directory /lib/modules/4.13.0-1-amd64
yyy@zzz:~
$ 

$ uname -a
Linux brain 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1~mx17+1 (2020-10-20) x86_64 GNU/Linux
yyy@zzz:~
$ lsmod | grep -i micro
yyy@zzz:~
$ sudo modprobe -v microcode
[sudo] password for paul: 
modprobe: FATAL: Module microcode not found in directory /lib/modules/4.19.0-12-amd64

So, questions:

1) Is there anything more I need to do to get my system up to date so that it stays up to date? One suggestion seems to be "update the microcode", but
1a) Is this possible?
1b) Is this necessary?
1c) How?

Thinking outside the box:

A fresh install of MX19 is an option - I have one ready and waiting - but I kinda like ecryptfs, which is not (yet) available there.

A fresh install of MX18.1 is an option (I have the media at hand) - would this neatly overcome the concern about what updates have been neglected? The Migration page says

Code:

From MX-18 to MX-18.3

Update will be automatic through the normal update process.

but then again, it said something "similar" about migration from 17 to 18

Admittedly, it's basically laziness that has stopped this. And pride....I hoped I had left "Just reinstall" behind. And I would still have to fight with getting abcde to work with converting my CDs (another thread planned). And I am learning quite a bit, though it will probably all be forgotten within days.

Re: MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Wed Nov 04, 2020 9:41 am
by tony37
entropyagent wrote: Wed Nov 04, 2020 9:01 am With a lot of help from the forum MXers, I now have a more recent kernel, which I hope will receive ongoing updates.

It won't, I explained this in post 10. Best solution at the moment is:

Code:

sudo apt install linux-image-4.19-amd64 linux-headers-4.19-amd64

For the microcode, what does this say?

Code:

dmesg | grep microcode

Re: MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Wed Nov 04, 2020 10:14 am
by asqwerth
MX17 and 18 are both based on Debian Stretch. Why would you need to do a fresh update of MX18 over MX17? Just keep MX17 fully updated and install the latest MX 4.19 kernel from MXPI Popular apps tab. If you're going to fresh install, then you might as well fresh install MX19 and preserve /home.

MX18.3 is essentially just MX17 with all the updates rolled up, except for the kernel, because kernels only auto-update within their own series (and except for the MX18 collection of wallpapers, which you can get from MXPI popular apps tab as well). Since MX17 was released with 4.13 kernel, it won't suddenly jump to installing 4.19 series kernel (which the MX18 iso was released with), but that's why we have the MXPI tool.

I have 2 installs of MX17 still running. I never bothered to install MX18 over it. The distro release file reads it as MX18, just with an earlier (MX17's) release date. I just made sure to install newer kernels (either liquorix 5+ series or the MX 4.19 series, again using MXPI Popular apps tab).

Re: MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Wed Nov 04, 2020 6:09 pm
by Stevo
What version of intel-microcode do you have installed? Debian Stretch and Buster both have the current release. If you still have the microcode problem, that means that Intel didn't update the microcode for your particular CPU. It's Intel's closed firmware, so you're stuck with what they decided. :frown:
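
Added example, not part of any post in this thread: a shell reading of the "dmesg | grep microcode" output requested above. In the 4.13 and 4.19 kernels shown here the microcode loader is built into the kernel rather than shipped as a module, so lsmod and modprobe report nothing about it; the kernel log does. The log lines and revision numbers below are constructed, and microcode_status is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies the kernel's microcode
# messages, e.g. the text printed by:  dmesg | grep microcode

# microcode_status DMESG_TEXT
#   updated:<rev>      the kernel applied a microcode update (early or late)
#   not-updated:<rev>  the loader ran and reported a revision, applied nothing
#   loader-only        loader messages present, but no revision reported
#   no-messages        no microcode lines at all (log rotated, or no loader)
microcode_status() {
    printf '%s\n' "$1" | awk '
        !/microcode: / { next }
        { seen = 1 }
        /updated (early )?to revision 0x[0-9a-f]+/ {
            match($0, /revision 0x[0-9a-f]+/)
            upd = substr($0, RSTART + 9, RLENGTH - 9)   # skip "revision "
        }
        /sig=0x[0-9a-f]+.*revision=0x[0-9a-f]+/ {
            match($0, /revision=0x[0-9a-f]+/)
            cur = substr($0, RSTART + 9, RLENGTH - 9)   # skip "revision="
        }
        END {
            if (upd != "")      print "updated:" upd
            else if (cur != "") print "not-updated:" cur
            else if (seen)      print "loader-only"
            else                print "no-messages"
        }'
}

# Constructed kernel log excerpts (signature, revisions and dates are made up).
UPDATED='[    0.000000] microcode: microcode updated early to revision 0x1c, date = 2015-01-01
[    1.100000] microcode: sig=0x12345, pf=0x1, revision=0x1c
[    1.100100] microcode: Microcode Update Driver: v2.2.'

UNCHANGED='[    1.100000] microcode: sig=0x12345, pf=0x1, revision=0x10
[    1.100100] microcode: Microcode Update Driver: v2.2.'

NOTHING='[    0.000000] Linux version 4.19.0-12-amd64'

echo "update applied at boot: $(microcode_status "$UPDATED")"
echo "loader ran, no update:  $(microcode_status "$UNCHANGED")"
echo "no loader messages:     $(microcode_status "$NOTHING")"
```

A not-updated result with a current intel-microcode package installed matches the case Stevo describes: the package carries nothing newer for that CPU.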

Re: MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Wed Nov 04, 2020 6:13 pm
by entropyagent
Maybe it's worth separating the kernel story from the microcode story.

I see a possible contradiction between these Stevo statements:
Stevo wrote: Tue Oct 27, 2020 2:44 am We recommend that MX 18.3 users keep the backported 4.19 Debian kernels it uses as default updated to the latest 4.19 security updates we continue to backport to main from the Buster repository. Currently, that's the 4.19.0-12 (4.19.152) kernel.
+
Stevo wrote: Wed Nov 04, 2020 7:37 am 4.19.152 is the current Buster security updated version we backported to MX 17/18.

You're good.

and this tony37 contribution:
tony37 wrote: Wed Nov 04, 2020 9:41 am
entropyagent wrote: Wed Nov 04, 2020 9:01 am With a lot of help from the forum MXers, I now have a more recent kernel, which I hope will receive ongoing updates.
It won't, I explained this in post 10. Best solution at the moment is:

Code:

sudo apt install linux-image-4.19-amd64 linux-headers-4.19-amd64

Are they addressing the same topic? I would like both

1) an up-to-date kernel and

2) to be automagically kept up to date with security patches, with no more effort on my part than an occasional "aptitude full-upgrade". Goal no. 2 is what I mean by "on the train".


Stevo seems to be saying I have achieved goal number 1) with my current kernel
"linux-image-4.19.0-12-amd64-unsigned" (Thanks) But what about goal no. 2) ? Is that included in "You're good."?
Stevo, can you please clarify this point?

tony37 seems to be saying I have definitely not achieved goal no. 2), and the best way to achieve both 1) and 2) is by installing "linux-image-4.19-amd64 linux-headers-4.19-amd64", which, at present, will pull in
linux-headers-4.19.0-0.bpo.12-amd64
linux-headers-4.19.0-0.bpo.12-common
linux-image-4.19.0-0.bpo.12-amd64
and <will> be kept up-to-date automagically by an occasional "aptitude full-upgrade"
Did I understand that correctly?

Thanks for the feedback so far.

Re: MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Wed Nov 04, 2020 6:16 pm
by Stevo
My statement applies to MX 17/18 only. Tony's is for MX 19, which uses Debian's 4.19 kernel by default.

Apples and oranges.

Re: MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Wed Nov 04, 2020 6:34 pm
by tony37
I am very much talking about MX18 and I think if you want to have a 4.19 kernel that is automatically updated (with some delay possibly), then best* choice is installing linux-image-4.19-amd64
* or rather: only choice, because the other meta-packages are not maintained

Re: MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Thu Nov 05, 2020 12:26 am
by asqwerth
Tony is asking you to install the 4.19 metapackages for kernel and kernel header because that will automatically update you to the latest 4.19 kernel version when you use

sudo apt full-upgrade

when there are updates.

I don't use aptitude at all.
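
Added example, not part of any post in this thread: a shell check for the "update train" question discussed above, reporting whether an installed metapackage depends on the image package of the running kernel. The package lists and their Depends values are constructed from the package names quoted in the thread; kernel_tracking and its output labels are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the thread). Decides whether the running kernel is
# followed by an installed metapackage, i.e. whether "full-upgrade" can move it.
# On a live Debian-based system the package list would come from:
#   dpkg-query -W -f='${db:Status-Abbrev}\t${Package}\t${Depends}\n' 'linux-image-*'

# kernel_tracking RUNNING_RELEASE PACKAGE_LIST
#   tracked:<pkg>  an installed package depends on the running kernel's image
#   stale:<pkg>    a metapackage is installed but points at a different kernel
#   untracked      no installed linux-image package depends on another one
kernel_tracking() {
    printf '%s\n' "$2" | awk -F '\t' -v run="$1" '
        BEGIN { want = "linux-image-" run }
        $1 !~ /^ii/ { next }                      # only fully installed packages
        {
            deps = $3
            gsub(/ *[|] */, ", ", deps)           # treat alternatives as plain entries
            n = split(deps, d, /, */)
            for (i = 1; i <= n; i++) {
                sub(/ .*/, "", d[i])              # drop "(>= version)" constraints
                if (d[i] !~ /^linux-image-/) continue
                meta = $2
                # image packages may carry a suffix such as -unsigned
                if (d[i] == want || index(d[i], want "-") == 1) hit = $2
            }
        }
        END {
            if (hit != "")       print "tracked:" hit
            else if (meta != "") print "stale:" meta
            else                 print "untracked"
        }'
}

# Constructed sample data; the Depends values are illustrative.
TAB=$(printf '\t')
BASE_DEPS='kmod, linux-base (>= 4.3~), initramfs-tools (>= 0.120+deb8u2) | linux-initramfs-tool'

# State after installing only the versioned image package.
BEFORE="ii ${TAB}linux-image-4.13.0-1-amd64${TAB}${BASE_DEPS}
ii ${TAB}linux-image-4.19.0-12-amd64-unsigned${TAB}${BASE_DEPS}"

# State after also installing the linux-image-4.19-amd64 metapackage.
# The last line is a removed (rc) package with a made-up dependency, which must be ignored.
AFTER="${BEFORE}
ii ${TAB}linux-image-4.19.0-0.bpo.12-amd64${TAB}${BASE_DEPS}
ii ${TAB}linux-image-4.19-amd64${TAB}linux-image-4.19.0-0.bpo.12-amd64
rc ${TAB}linux-image-4.9-amd64${TAB}linux-image-4.9.0-13-amd64"

echo "versioned package only:         $(kernel_tracking 4.19.0-12-amd64 "$BEFORE")"
echo "metapackage added, not rebooted: $(kernel_tracking 4.19.0-12-amd64 "$AFTER")"
echo "booted into the bpo kernel:      $(kernel_tracking 4.19.0-0.bpo.12-amd64 "$AFTER")"
```

A stale result means the metapackage is installed but the machine is still booted into a kernel it does not follow, which is the situation right after installing linux-image-4.19-amd64 and before rebooting into the kernel it pulled in.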

Re: MX17.x migrated to MX18.3 : What kernel should I be on?

Posted: Thu Nov 05, 2020 9:00 am
by entropyagent
Is this my question that has arisen to shake the towers and counsels of the Great?

viewtopic.php?f=97&t=61278


Or maybe this newer one from a_freed_man? (A bit too new and not the same question, perhaps, but Greg Kroah-Hartman's recommendation to use "Supported kernel from your favorite Linux distribution" tugs at my heartstrings.)

viewtopic.php?f=94&t=61315


Perhaps I can park my kernel question until this is resolved. I do have a nice shiny new kernel for the moment.