author    intrigeri <intrigeri@boum.org>  2019-05-18 16:39:33 +0000
committer intrigeri <intrigeri@boum.org>  2019-05-18 16:39:33 +0000
commit    f45317d04b11fb26ac2e86ded3bb0ecde36f8b18 (patch)
tree      e189fae2d00dbd159e42ee5dc032878fe6cc3fc4
parent    bd8ecd326b91efc018339adf55a744c2a252043a (diff)
parent    4c54166bd5a468c2e9e521aad61ade635322c9f1 (diff)
Merge branch 'stable' into devel
-rw-r--r--  config/APT_overlays.d/bugfix-16708-linux-4.19.37-force-all-tests  0
-rw-r--r--  config/amnesia                                                     4
-rw-r--r--  config/chroot_apt/preferences                                      11
-rw-r--r--  config/chroot_local-packageslists/tails-common.list                2
-rw-r--r--  wiki/src/contribute/design/kernel_hardening.mdwn                   11
5 files changed, 21 insertions, 7 deletions
diff --git a/config/APT_overlays.d/bugfix-16708-linux-4.19.37-force-all-tests b/config/APT_overlays.d/bugfix-16708-linux-4.19.37-force-all-tests
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/config/APT_overlays.d/bugfix-16708-linux-4.19.37-force-all-tests
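Review bot: the new overlay file is empty (index 0000000..e69de29), so its filename is the only record of why the linux 4.19.37 overlay is being force-enabled for all tests; the merge commit message ("Merge branch 'stable' into devel") does not say either. A one-line comment inside the file, or a pointer to ticket 16708 in the commit message, would tell the next person when this overlay can be dropped.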
diff --git a/config/amnesia b/config/amnesia
index e9ff4d1..7ddc6ee 100644
--- a/config/amnesia
+++ b/config/amnesia
@@ -17,7 +17,7 @@ export SOURCE_DATE_FAKETIME="$(date --utc --date="$(dpkg-parsechangelog --show-f
# Base for the string that will be passed to "lb config --bootappend-live"
# FIXME: see [[bugs/sdmem_on_eject_broken_for_CD]] for explanation why we
# need to set block.events_dfl_poll_msecs
-AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails slab_nomerge slub_debug=FZP mce=0 vsyscall=none page_poison=1 union=aufs"
+AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails slab_nomerge slub_debug=FZP mce=0 vsyscall=none page_poison=1 mds=full,nosmt union=aufs"
# Options passed to isohybrid
AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
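Review bot: `mds=full,nosmt` is correctly inserted ahead of `union=aufs`, and its rationale lands in kernel_hardening.mdwn in this same merge, but nothing in config/amnesia points a reader at that design document, and the `nosmt` half of the option has a user-visible consequence (fewer logical CPUs on affected hardware) that a release note should mention. Suggest extending the comment block above `AMNESIA_APPEND` with one line such as `# Kernel hardening options are documented in wiki/src/contribute/design/kernel_hardening.mdwn`.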
@@ -26,7 +26,7 @@ AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION="6.03~pre20"
# Kernel version
-KERNEL_VERSION='4.19.0-4'
+KERNEL_VERSION='4.19.0-5'
KERNEL_SOURCE_VERSION=$(
echo "$KERNEL_VERSION" \
| perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
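Review bot: the ABI bump to `KERNEL_VERSION='4.19.0-5'` and the `bugfix-16708-linux-4.19.37-force-all-tests` overlay added earlier in this merge are coupled but nowhere linked; when the overlay is removed, or the next ABI bump happens, one of the two is easy to leave stale. A short comment next to `KERNEL_VERSION` naming the overlay (or the upstream version it corresponds to) would keep them in step. The `perl` derivation of `KERNEL_SOURCE_VERSION` still yields `4.19` for the new value, so nothing else in this hunk needs to change.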
diff --git a/config/chroot_apt/preferences b/config/chroot_apt/preferences
index 4b181c6..1128442 100644
--- a/config/chroot_apt/preferences
+++ b/config/chroot_apt/preferences
@@ -10,9 +10,9 @@ Package: b43-fwcutter
Pin: release o=Debian,n=sid
Pin-Priority: 999
-Explanation: unavailable in stretch and stretch-backports
+Explanation: unavailable in stretch and stretch-backports, version in sid is intentionally broken (Debian#928518)
Package: electrum python3-electrum
-Pin: release o=Debian,n=sid
+Pin: origin deb.tails.boum.org
Pin-Priority: 999
Explanation: Electrum dependencies
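Review bot: the switch to `Pin: origin deb.tails.boum.org` for electrum is consistent with the updated Explanation line (which, despite the hunk header naming b43-fwcutter, opens the electrum stanza that follows it), but `Pin-Priority: 999` stays below 1000, so APT will not downgrade a chroot that already holds the sid build described as "intentionally broken (Debian#928518)". If builds can ever start from a pre-existing chroot, consider a priority above 1000 or an explicit version pin; if fresh chroots are guaranteed, a short remark to that effect in the Explanation would save the next reader the same check.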
@@ -37,10 +37,15 @@ Pin: release o=Debian,n=sid
Pin-Priority: 999
Explanation: src:firmware-nonfree
-Package: firmware-linux firmware-linux-nonfree firmware-amd-graphics firmware-atheros firmware-brcm80211 firmware-intel-sound firmware-ipw2x00 firmware-iwlwifi firmware-libertas firmware-misc-nonfree firmware-realtek firmware-ti-connectivity
+Package: firmware-linux firmware-linux-nonfree firmware-atheros firmware-brcm80211 firmware-intel-sound firmware-ipw2x00 firmware-iwlwifi firmware-libertas firmware-misc-nonfree firmware-realtek firmware-ti-connectivity
Pin: release o=Debian,n=sid
Pin-Priority: 990
+Explanation: Exception to src:firmware-nonfree pinning due to Debian#928631
+Package: firmware-amd-graphics
+Pin: release o=Debian,n=stretch-backports
+Pin-Priority: 990
+
Package: firmware-zd1211
Pin: release o=Debian,n=sid
Pin-Priority: 999
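Review bot: the new `firmware-amd-graphics` stanza pinned to `n=stretch-backports` is correctly paired with removing that package from the sid stanza above it (both carry priority 990, so leaving it in both would have made the preference ambiguous), and the added blank line before `Package: firmware-zd1211` keeps the stanzas separated. The Explanation only cites Debian#928631 without saying what is wrong or when the exception can go away; suggest `Explanation: Exception to src:firmware-nonfree pinning due to Debian#928631; drop once fixed in sid` so this does not outlive the bug.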
diff --git a/config/chroot_local-packageslists/tails-common.list b/config/chroot_local-packageslists/tails-common.list
index 893e75b..9b690a3 100644
--- a/config/chroot_local-packageslists/tails-common.list
+++ b/config/chroot_local-packageslists/tails-common.list
@@ -249,9 +249,7 @@ firmware-intel-sound
firmware-ipw2x00
firmware-iwlwifi
firmware-libertas
-firmware-linux
firmware-linux-free
-firmware-linux-nonfree
firmware-misc-nonfree
firmware-realtek
firmware-ti-connectivity
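Review bot: dropping the `firmware-linux` and `firmware-linux-nonfree` metapackages means their dependencies are no longer pulled in transitively, so every firmware package Tails needs must now be listed explicitly. `firmware-amd-graphics`, which the preferences hunk in this merge goes to some trouble to pin, sorts before `firmware-intel-sound` and is therefore outside this hunk's context; please confirm it is present higher in the list, otherwise the new stretch-backports pin has nothing to act on. The sid stanza in config/chroot_apt/preferences also still names `firmware-linux firmware-linux-nonfree`; harmless, but worth pruning for consistency.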
diff --git a/wiki/src/contribute/design/kernel_hardening.mdwn b/wiki/src/contribute/design/kernel_hardening.mdwn
index 38132a9..c683a3b 100644
--- a/wiki/src/contribute/design/kernel_hardening.mdwn
+++ b/wiki/src/contribute/design/kernel_hardening.mdwn
@@ -108,3 +108,14 @@ increased address-space fragmentation.
### `kernel.kexec_load_disabled = 1`
kexec is dangerous: it enables replacement of the running kernel.
+
+### `mds=full,nosmt`
+
+As per
+<https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html>,
+if the CPU is vulnerable, this:
+
+1. enables "all available mitigations for the MDS vulnerability, CPU
+ buffer clearing on exit to userspace";
+2. disables SMT which is another avenue for exploiting this class
+ of attacks.
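Review bot: the new section is accurate as far as it goes, but the phrase "if the CPU is vulnerable" deserves to be tied to item 2 as well: the `nosmt` in `mds=full,nosmt` disables SMT only on CPUs affected by MDS, unlike the standalone `nosmt` kernel parameter, which disables it unconditionally. Adding that distinction, and a sentence on the practical cost (fewer usable logical CPUs on affected hardware), would make the trade-off explicit for readers of the design document. Also, the continuation lines of both list items should be indented to match the item text so the mdwn renderer keeps them inside the list.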