How to update your kernel for Meltdown and Spectre

[ICIT2]

Being a newbie I find this all a bit confusing to be honest I am running 18.3 and currently my kernel is 4.10.0-38 and the latest kernel is in the list of available updates and given that I am getting dire warnings about wrecking my system I am just wondering what to do.

If in the event that the system crashes is the worst thing that can happen is that I have to reinstall because to be honest I don't have any worries about doing that except that I have to set up all my programs and sites again I could I suppose clone the drive and do the kernel on the clone and see what happens but it seems a lot of mucking around if I don't need to do that.

Any advice really appreciated.

[Arch_Enemy]

Some changes are being worked on for Update Manager so below instructions are temporary. However if you want to upgrade your kernel right now to fix Meltdown (variant 3), these are the general instructions. The patches for Spectre (variant 1 and 2) aren't available yet.

Make sure you have also updated your web browser and you're running Firefox version 57.0.4 or newer, as that has mitigation that makes it impossible for JavaScript on websites to exploit these bugs. Average home users only run untrusted code in their web browser so this mitigation is key to being safe from these bugs.

For more information also see Security notice: Meltdown and Spectre

NOTE: It's recommended you use Timeshift and take a system snapshot before upgrading the kernel. That way you have the option to roll back if needed. Timeshift has been made available on all Linux Mint versions and can be installed through Software Manager.

Instructions for Linux Mint 17.x (any release):

• Open Update Manager
• From its View menu open Linux kernels
• Scroll to the end and from there back up till you see 4.4.0-109 and install that version (on Linux Mint 17 or 17.1, that use the kernel 3.13.0 series, you could instead use 3.13.0-139).
• Reboot your system
• If it booted fine you can remove other kernels from View > Linux kernels menu and if it didn't boot fine you can boot your previous kernel from GRUB

Already done, my friend! Been watching for kernel updates daily.
But, nice write up!

[ICIT2]

Ok well I am going to take a chance with the kernel update as I can see right now that if the worst comes to the worst I shall have to reinstall.

[AZgl1800]

I just upgraded to Kernal 4.13 successfully,

then ran Timeshift.... a bit too late, but at least I have a copy now.

What I am wondering about now, are these two errors.
Are they important, and how do I get rid of them?

------------------------------------------------------------------------------
0 > 2018-01-11_21-47-37 O

john@john-TP500LA ~ $ sudo timeshift --list

(process:8607): Gtk-CRITICAL **: gtk_icon_theme_get_for_screen: assertion 'GDK_IS_SCREEN (screen)' failed

(process:8607): Gtk-CRITICAL **: gtk_icon_theme_append_search_path: assertion 'GTK_IS_ICON_THEME (icon_theme)' failed
Device : /dev/sda1
UUID : 2366e397-979a-4520-a83c-741ef1fe9990
Path : /
Mode : RSYNC
Device is OK
1 snapshots, 462.4 GB free

Num Name Tags Description
------------------------------------------------------------------------------

[Spearmint2]

Ok well I am going to take a chance with the kernel update as I can see right now that if the worst comes to the worst I shall have to reinstall.

Unless you uninstall the old kernel, it would still be there at bootup screen in another section like "Previous ......" to boot from it instead, then you can remove the problem kernel.

[michael louwe]

@ jazz.h, .......

Hello xenopeek!
My config is:

Code: Select all

System:    Host: dk-MATE Kernel: 3.19.0-32-generic x86_64 (64 bit) Desktop: MATE 1.12.0
           Distro: Linux Mint 17.3 Rosa

but the highest in my list of kernels in mint update is 4.4.0-98 and 3.19.0-80.
What should I do?

.
If you have a computer that is less than 5 years old, you should install the Level 5 update for Linux kernel 4.4 lts. Otherwise, go to >Update Manager >View >Linux kernels >Install kernel 3.13.xxx. Reboot.
... Ensure that your computer system remains stable. If not, revert to previous kernel 3.19.32 by rebooting, >Grub menu >Advanced options. Then go back to >Update Manager >View >Linux kernels >Remove the unstable kernel. Better to stay unpatched than to have an unstable system.

Refresh Update Manager(= update Ubuntu repos) = the Meltdown/KPTI patch for the kernel should then be available for install.

Again, go to >Update Manager >View >Linux kernels, and install kernel 4.4.108 / .109 / .110 or 3.13.139/.140. Reboot. Ensure that system remains stable. If not revert and remove, and wait for the release of a newer patched kernel, eg 4.4.111 or 3.13.141.

[Sinnis250]

I tried the suggestion of installing 4.4.0-109 for my version of Linux Mint 17.3 [Cinnamon Rosa 3.19.0-32 generic (x86_64) 64bit AMD processor].

What happened was "Cinnamon has crashed and is running in fallback mode".

Back to 3.19.0-32 generic (x86_64) for the time being.



I suppose I should wait this out until a stable patched kernel is available?

[Cosmo.]

You can try to use the latest release of kernel 3.13; this series is still supported and will be during during the life time of Mint 17.x

There is a small problem with it: Linux systems boot by default always the newest installed kernel. To boot with 3.13 you have to do this - at least once - manually. You press and hold the shift key immediately after powering in and select from th upcoming grub menu the kernel 3.13. If this works for you you can uninstall from update manager -> Linux kernel the newer kernel, so that 3.13 boots automatically.

[kc1di]

Kernel updates go well here

[Sinnis250]

You can try to use the latest release of kernel 3.13; this series is still supported and will be during during the life time of Mint 17.x

There is a small problem with it: Linux systems boot by default always the newest installed kernel. To boot with 3.13 you have to do this - at least once - manually. You press and hold the shift key immediately after powering in and select from th upcoming grub menu the kernel 3.13. If this works for you you can uninstall from update manager -> Linux kernel the newer kernel, so that 3.13 boots automatically.

Thank you Cosmo.

Installing Kernel v 3.13.0-139 has worked sweetly.

Appreciate your help as always.............

Cheers!

[Neil Edmond]

Installing 3.13.0-139 went without issue. Thanks for the direction on which kernel to go to based on currently installed kernel.

[buffest_overflow]

Do you think NoScript is necessary if I use FF inside Firejail sandbox ?

You should do what makes you comfortable. Your browser is already immune on its own to JavaScript attacks that would use these bugs.
(If you don't use Flash, Java or other such unsafe plugins.)

I don't even know man. I feel reluctant feeling that anything is safe these days.
There was this thing recently about bad cpows in Firefox; the whole "cliqz" affair. I checked out these entries in about:config:

Code: Select all

dom.ipc.cpows.allow-cpows-in-compat-addons
media.getusermedia.screensharing.allowed_domains

They both contained long lists of identities with hash values, I don't know if they were hashes assigned to me or hashes identifying them. Most were familiar to me, but that doesn't mean I want them doing whatever they're doing. Some of them I definitely did not want around me, and some were completely unknown. I run noscript, EFF's Badger and HTTPS, and uBlock. I consider myself pretty vigilant in these things, but things slip between the cracks. Nobody knows anything. This is maybe off topic, but I just wanted to point out what I have learned from personal experience, that there's always something new and unknown. "Safe" websites aren't even safe, necessarily. I hope everyone is ok.

Cisco Annual Security Reports:
https://www.cisco.com/c/en/us/products/ ... ports.html
I will guarantee that the worst sites in terms of malware listed in these reports are not what most people will be expecting.


Official (polite) explanation of what cliqz is for.
https://www.mozilla.org/en-US/privacy/firefox-cliqz/

[Spearmint2]

Have you done the simplest which is go into about:config and changing settings you don't want in there. You can find a lot of dom stuff there too. Search o nthings like telemetry, onboard, video, http, newtab, and so forth.

[davester]

im a total newbie... there is a nice gui for the kernels... called UKUU
its a kernel update utility with a gui, very handy for beginners.
it also has newer kernels wich are not availible throught the package manager if u dont install them through the bash..
this programm works like a charm...
im on 4.14.13 now..

http://www.teejeetech.in/p/ukuu-kernel- ... ility.html

(sorry if somebody already mentioned it, i didnt read through all posts)
greetz

[Fr@nK]

Thanks Xenoppek for the tuto and advices.
I'm running LM18.3 with i5-4460 CPU and my actual kernel is 4.10.0-42.
I was waiting few days before to upgrade.
So, before to do that, I would like to be sure of the procedure.
I was heard that the intel-microcode should be upgraded before. Do you confirm ?
After that, I should upgrade the kernel to 4.13.0-26-29 using update manger then reboot. Right ?
Then, if things are OK, I will have to delete older kernel's, eventually keeping 4.4.0-109 if issues raise. Is it still OK ?
If not, the procedure consists of booting with the 2nd line in grub choosing a previous kernel. Still right ?

Thanks in advance for confirmation.

Cheers

P.S. English is not my native language, so my apologizes for mistakes.

[Moem]

im a total newbie... there is a nice gui for the kernels... called UKUU
its a kernel update utility with a gui, very handy for beginners.
it also has newer kernels wich are not availible throught the package manager if u dont install them manual..

Please keep in mind that these are not guaranteed to work with Mint. There's usually a reason why they're not available through the Mint tools.

[davester]

Please keep in mind that these are not guaranteed to work with Mint. There's usually a reason why they're not available through the Mint tools.

LOL i personally think NOTHING is guaranteed to work if u play with the kernels yourself

im not sure but they are third party why should they be availible inside of the mint basic tools?
it says clear it is for Ubuntu-based Distributions (Ubuntu, Linux Mint, etc)

they worked perfect for me and a ton of other users on 4.14.
if the kernels werent for mint they shouldnt work at all i think.

like i said i had no problems so far and im on 4.14.14 at the moment.
there are also several linux mint blogs where users are using this tool without any problems on MINT.

i suggest u try it out yourself, if the kernel dont work (wich i dont think) u can always deinstall it and use the grub to go back to the kernel u was before..

[Cosmo.]

i know another "nice gui for the kernels", it is called Update Manager -> Linux Kernels. It is already installed on every Mint system.

[Termy]

Yeah, for Linux Mint, I have to agree that using mintupdate for kernel changes is best, if you don't wind up using the terminal. That other program sounds handy for other distributions, however.

[I2k4]

As a quarter-century Windows user and Ubuntu / Mint user since 10.04 LTS, I haven't seen any security issue like this one, ever. There are no reported exploits. The vulnerability is recently discovered, goes to the very foundation of how hardware chips are designed, and the patches are of doubtful quality. The developers themselves all repeatedly refer to the possibility that current performance impacts are likely, and are likely to be resolved in future improvements - both to the patches and eventually to new hardware chips.

My suspicion is that on my machines the OS patch "cures" being released have a very high probability of damaging their performance, while the exploit "disease" still has a microscopic probability of affecting me at all. That of course might change any day now, as some global villain exploits unpatched PCs, and we get something like WannaCry affecting thousands - I took that seriously. On a similarly credible threat, I'll reconsider what I'm doing now. But it hasn't happened yet, and in the meantime I've made my mind up to disable both Windows and Mint Linux updates to the OS. (I've updated browsers and other related software as released.)

Obviously it's a situation worth attention, but not worth jumping at a media-driven hair-on-fire "emergency" that just isn't. (For a little grim humor, I'd compare this to an asymptomatic prostate diagnosis: "watchful waiting" rather than an intrusive surgery with serious risk of side effects.)