fixing Linux Mint 18.3 for Meltdown and Spectre

[Pjotr]

How did you first try to remove the 4.8 kernel? By some other means than by the kernel tool in Update Manager (which is the official way)?

Anyway, there are two options for you now:

1. Launch Synaptic, hunt for installed traces of the 4.8 kernel, and remove them all. If that doesn't work for you:

2. Make the jump forward to the latest kernel of the 4.13 series (needless to say: by means of the kernel tool in Update Manager). That's the quick-and-dirty solution.

[norm.h]

Silly me, I edited my previous post so didn't notice your. Sorry..........

Anyway, yes I used the tool in Update Manager [twice].
Will now do as you suggest and resort to Synaptic [see my previous edits]

Watch this space

Tried to uninstall the two lines and got the same error, and the lines are still there [in RED]

Code: Select all

E: linux-image-extra-4.8.0-53-generic: subprocess installed post-removal script returned error exit status 1
E: linux-image-4.8.0-53-generic: subprocess installed post-removal script returned error exit status 1

[norm.h]

This is just weird.........
Intending to go back to Square One with the intention of starting over, I reloaded 4.8.0.53 from Synaptic and enabled it in GRUB
Then went to Update Manager to remove 4.4 and ended up with the same 2 errors as detailed above.
Went to Synaptic to check what is and what isn't installed and the two RED lines are still there but this time for 4.4
Synaptic refuses to uninstall them

Code: Select all

E: linux-image-extra-4.4.0-104-generic: subprocess installed post-removal script returned error exit status 1
E: linux-image-4.4.0-104-generic: subprocess installed post-removal script returned error exit status 1

They are prohibiting [with the same error message] an update to Skype advised in Update Manager, and preventing the installation of 4.13 [as suggested above].

I get error relating to "trying to recover from package failure" - went to Synaptic to fix broken packages [twice] but that didn't help.
Who would have thought that changing a kernel would cause so much trouble?

[ClixTrix]

Did you run the run the following command after you edited Grub file (from link you posted where Grub was edited)?

Code: Select all

sudo update-grub

When you manually make Grub changes, it's always necessary to do that command. If you don't recall, run it again, and use mine for the copy and paste to Terminal.

I'm thinking the post-processor error is Grub related and could be an error stemming from that change.

[norm.h]

Yes, I definitely ran that command.

My concern now is that until I can get rid of those two "rogue" bits of 4.4 I won't be able to update anything, as trying to update Skype showed earlier.

I've googled for "subprocess installed post-removal script returned error exit status 1" and found lots of posts, that are very [for me] complicated, and years old anyway so I'm extremely reluctant try any of them.

Been at this all day and wish I'd never started it. I'm at a a complete loss as to know what to do next.

Help.PLEASE.

[norm.h]

Can anyone confirm if this might work please - before I get into any more of a mess..........

https://ubuntuforums.org/showthread.php ... 575&page=2

[ClixTrix]

Can anyone confirm if this might work please - before I get into any more of a mess..........

https://ubuntuforums.org/showthread.php ... 575&page=2

Well, it does suggest my suspicion on Grub as the problem is valid and perhaps that change as the origin. Going with off-script does lead to tangles.

Honestly, I would start a separate discussion in the Grub section of the forum to continue (get you untangled),as this problem is getting waaaay off topic here. And, no, that's not meant to be unsympathetic to the problem. Just don't want to irritate the admins. That post is relevant, but depends on your configuration, e.g. I have grub for efi and amd on my sig system, not common. Checking grub install via Software Manager or Synaptic is a head start for a post on the problem.

[norm.h]

Yes, thanks for that - I've gone way off topic, all because I took advice in this thread to change my kernel to avert Meltdown / Spectre.

My profuse apologies.

[ClixTrix]

Yes, thanks for that - I've gone way off topic, all because I took advice in this thread to change my kernel to avert Meltdown / Spectre.

My profuse apologies.

I don't think an apology is necessary. I think posting the problem where you can get the best help on the problem is best, i.e. to where someone that is deep into Grub help can give it the best advise. Obviously, the chat boards aren't. It's the post where you unhide the grub boot that got me thinking, that and not using the Update Manager to install and uninstall kernels. Something got twisted.

[tovian]

Suggestion:

Go HERE

Download and Install GRUB-CUSTOMIZER

Use this (GUI) utility to modify GRUB to suit your needs.

[Pjotr]

@norm.h: please do *not* use Grub Customizer. It's superfluous and it'll irreversibly add a thick layer of complexity to your bootloader.

Try this instead:
https://ubuntuforums.org/showthread.php ... st11044403

[ClixTrix]

Well, there was a reason I came here this morning. Looks like the MS fix was a problem for AMD K8.

https://www.theverge.com/2018/1/9/16867 ... pcs-issues

[norm.h]

@Pjotr
Please see my new thread in Installation & Boot

[wpshooter]

I noticed that there was a kernel update today (01-09-2017) - version 4.4.0-108.

Is that update to the kernel supposed to fix the Meltdown and Spectre processor security problems ?

Thanks.

[Sir Charles]

Yes it is! Have a look at karlchen's post here:
viewtopic.php?f=58&t=261280

[wpshooter]

Yes it is! Have a look here:
viewtopic.php?f=58&t=261280

Thanks for your reply.

Here is why I ask.

A couple of days ago I ran the Intel Detection Tool and it said that my processor
was VULNERABLE to the Meltdown and Spectre problems.

But after I installed today's kernel update, the Intel Detection Tool STILL says that
my processor is VULNERABLE to the problems. Should the installation of the new
kernel prevent the Intel tool from giving a positive result or is the tool just saying
that the processor is subject to the problems and is "basically" unaware as to whether the
problem has been mitigated or not ?

Thanks.

[Sir Charles]

Based on what I have read about Windows fix, the kernel patches are only one part of the solution. Apparently there is a need for uefi/bios update as well. If you want you can read this article in How-to Geek:
https://www.howtogeek.com/338801/how-to ... d-spectre/

It's about Windows, but it might shed some light on the subject:

Warning: Even if you’ve installed patches from Windows Update, your PC may not completely protected from the Meltdown and Spectre CPU flaws. Here’s how to check if you’re fully protected, and what to do if you aren’t.

To fully protect against Meltdown and Spectre, you’ll need to install a UEFI or BIOS update from your PC’s manufacturer as well as the various software patches. These UEFI updates contain new Intel processor microcode that adds additional protection against these attacks. Unfortunately, they aren’t distributed via Windows Update—unless you’re using a Microsoft Surface device—so they must be downloaded from your manufacturer’s website and installed manually.

(source: the link above)

This might apply to Linux kernels' patches as well and that is maybe why the tool still flags your cpu as being vulnerable.

For making sure that KPTI feature is enabled for the kernel, you can run this:

Code: Select all

dmesg | grep 'page tables isolation'

and you should get this:

Code: Select all

 Kernel/User page tables isolation: enabled

[Sir Charles]

@Pjotr

You wrote higher up:

@norm.h: please do *not* use Grub Customizer. It's superfluous and it'll irreversibly add a thick layer of complexity to your bootloader.

Would you please elaborate on that? I thought Grub Customizer was a tool intended for editing the grub.cfg file without you "getting your hands dirty". It just probes the system for all the boot options available and you just decide in what order they appear on the grub menu and it takes care of that. I am not sure if I understand how it adds " a thick layer of complexity to your bootloader".
regards

[smurphos]

But after I installed today's kernel update, the Intel Detection Tool STILL says that
my processor is VULNERABLE to the problems. Should the installation of the new
kernel prevent the Intel tool from giving a positive result or is the tool just saying
that the processor is subject to the problems and is "basically" unaware as to whether the
problem has been mitigated or not ?

Thanks.

The current round of kernel updates from Ubuntu only address Meltdown, not Spectre.

Spectre fixes to follow at a later date.

https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown

[scjet45]

"...The Rolling HWE kernel for Ubuntu 16.04 will go to 4.13 early, instead of also fixing 4.10 HWE kernel. " ???

I'm on LM 18.3 (Mate):

Code: Select all

uname -a
Linux 4.10.0-42-generic #46~16.04.1-Ubuntu SMP[/b] Mon Dec 4 15:57:59 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Ok, so do I stay with latest 4.10.0-42, or go to latest 4.13.* ?

Thx ahead.