How to update your kernel for Meltdown and Spectre

Posted: Wed Jan 10, 2018 6:24 am
by xenopeek
If you're not yet familiar with these processor bugs (affecting processors from Intel, AMD [not Meltdown] and ARM) please read our earlier announcement: Security notice: Meltdown and Spectre. It is important that you upgrade your Linux kernel to one that has fixes for Meltdown and Spectre to keep your system safe.

In short, Linux Mint 18.x users should be using kernel 4.4.0-116 or 4.13.0-36 or newer and NOT continue to use any 4.8.x, 4.10.x or 4.11.x kernels (those are no longer updated and unsafe). Linux Mint 17.x users should be using kernel 3.13.0-142 or 4.4.0-116 and NOT continue to use any 3.16.x, 3.19.x or 4.2.x kernels (those are also no longer updated and unsafe).

Need to know
You can view the latest status of the kernel mitigations against the Meltdown and Spectre processor bugs here: https://wiki.ubuntu.com/SecurityTeam/Kn ... itigations.

Also update your web browser: For Spectre there are 2 variants, where variant 1 is fixed in the kernel but variant 2 also requires a processor microcode update. Many systems will not yet have such a microcode update and remain vulnerable to variant 2 (and for 32-bit installations of Linux Mint there is no kernel upgrade yet that includes Spectre variant 2 patch). As such it is critical that you have also updated your web browser. Firefox version 57.0.4 (or newer) and Google Chrome version 64 (or newer) both have mitigation in place that makes it impossible for JavaScript on websites to exploit any of these bugs. Note that Chromium has not been patched yet! (If you use another web browser, check your version is safe from Meltdown and Spectre.) The kernel fixes on their own are not sufficient to keep your system safe.

32-bit systems remain vulnerable to Meltdown: There are no patches (yet) for Meltdown on 32-bit Linux distros running on Intel or ARM processors (AMD processors are not affected by Meltdown). That means if you have an Intel processor and are using Linux Mint 32-bit you should replace it with Linux Mint 64-bit if you're concerned about Meltdown.

VirtualBox hosts: If you're using Linux Mint 18.x as a VirtualBox host you should stick with the 4.4 kernel series or add the Oracle VirtualBox repository to your system. The version of VirtualBox on Linux Mint 18.x is not (yet) compatible with the 4.13 kernel series. If you need the 4.13 kernel series (e.g., you're using an Intel Kaby Lake or AMD Ryzen processor) choose the latter option. An example of the steps to add the Oracle VirtualBox repository to your system is found here: https://askubuntu.com/a/995096

Before you proceed !!!
Before you do anything, we recommend you use Timeshift and take a system snapshot. That way if any of the updates cause problems you have the option to roll them back. Timeshift has been made available on all Linux Mint versions and can be installed through Software Manager.

Upgrading your kernel
If you don't know your Linux Mint version open the terminal from your menu and run this command:
inxi -S

Instructions for Linux Mint 18.3 and 18.2:
  • From Update Manager's View menu open Linux kernels, select 4.13 in the left sidebar and at the right you should see version 4.13.0-36 or newer (a higher number than 36 at the end). That should show as installed and in the top of the window it should be shown as currently used. If not, install it and reboot your system to load the new kernel. As an alternative you may use 4.4.0-116 or newer (a number higher than 116 at the end).
  • If it booted fine and everything seems to work you can remove other kernels from View > Linux kernels menu. If it didn't boot fine you can boot your previous kernel through GRUB boot menu (hold down shift key during boot if GRUB menu is not shown during boot).
  • In the list of available updates you may see level 4 security upgrades for linux-libc-dev (it may be for a lower version number than your kernel, which is fine and as expected). You should install all security updates.

Instructions for Linux Mint 18.1 and 18:
  • From Update Manager's View menu open Linux kernels, select 4.4 in the left sidebar and scroll down till you see version 4.4.0-116 or newer (a higher number than 116 at the end). The list may be sorted a bit strange. That should show as installed and in the top of the window it should be shown as currently used. If not, install it and reboot your system to load the new kernel. As an alternative you may use 4.13.0-36 or newer (a number higher than 36 at the end).
  • If it booted fine and everything seems to work you can remove other kernels from View > Linux kernels menu. If it didn't boot fine you can boot your previous kernel through GRUB boot menu (hold down shift key during boot if GRUB menu is not shown during boot).
  • In the list of available updates you may see level 5 security upgrades for linux or Linux kernel 4.some version (it may be for a lower version number than your kernel, which is fine and as expected if the upgrade contains the package linux-libc-dev). You should install all security updates.

Instructions for Linux Mint 17.3 and 17.2:
  • From Update Manager's View menu open Linux kernels and scroll up from the end (it's sorted a bit strange) till you see version 4.4.0-116 or newer (a higher number than 116 at the end). That should show as installed and loaded. If not, install it and reboot your system to load the new kernel. As an alternative you may use 3.13.0-142 or newer (a number higher than 142 at the end).
  • If it booted fine and everything seems to work you can remove other kernels from View > Linux kernels menu. If it didn't boot fine you can boot your previous kernel through GRUB boot menu (hold down shift key during boot if GRUB menu is not shown during boot).
  • In the list of available updates you should also see (or have already installed) a level 5 security upgrade for linux-kernel to version 4.4.0-lts1. You may see level 5 security upgrades for linux (it may be for a lower version number than your kernel, which is fine and as expected if the upgrade contains the package linux-libc-dev). You should install all security updates.

Instructions for Linux Mint 17.1 and 17:
  • From Update Manager's View menu open Linux kernels and scroll down till you see version 3.13.0-142 or newer (a higher number than 142 at the end). It should be near the beginning of the list (it's sorted a bit strange). That should show as installed and loaded. If not, install it and reboot your system to load the new kernel. As an alternative you may use 4.4.0-116 or newer (a number higher than 116 at the end).
  • If it booted fine and everything seems to work you can remove other kernels from View > Linux kernels menu. If it didn't boot fine you can boot your previous kernel through GRUB boot menu (hold down shift key during boot if GRUB menu is not shown during boot).
  • In the list of available updates you should also see (or have already installed) a level 5 security upgrade for linux-kernel to version 3.13.0-lts1. You may see level 5 security upgrades for linux (it may be for a lower version number than your kernel, which is fine and as expected if the upgrade contains the package linux-libc-dev). You should install all security updates.

Check the patch status of your system
You can use https://github.com/speed47/spectre-meltdown-checker to test the patch status of your system. It tests both hardware, microcode and kernel. Download the zip, extract the .sh file from it and open a terminal on the directory where you have extracted the .sh file. Then run this command to run the tests:
sudo sh spectre-meltdown-checker.sh
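
Added example, not part of the original post: a shell sketch that applies the version rules given above (3.13.0-142, 4.4.0-116 and 4.13.0-36 as minimums; 3.16, 3.19, 4.2, 4.8, 4.10 and 4.11 as series that no longer get updates) to the running kernel and to every kernel image in /boot. The function names and status words are this example's own, and it merges the 17.x and 18.x lists into one table.

```shell
#!/bin/sh
# Added example. Thresholds are the ones named in the post; function names
# and the status words (patched/outdated/unsupported/unknown) are assumptions.

# kernel_status RELEASE -> prints patched | outdated | unsupported | unknown
kernel_status() {
    rel=$1
    # Split e.g. "4.13.0-36-generic" into series "4.13" and ABI number "36".
    pat='^\([0-9][0-9]*\.[0-9][0-9]*\)\.[0-9][0-9]*-\([0-9][0-9]*\).*$'
    series=$(printf '%s\n' "$rel" | sed -n "s/$pat/\1/p")
    abi=$(printf '%s\n' "$rel" | sed -n "s/$pat/\2/p")
    if [ -z "$series" ] || [ -z "$abi" ]; then
        echo unknown            # not an Ubuntu-style release string
        return 0
    fi
    case $series in
        3.13) min=142 ;;        # Mint 17.x
        4.4)  min=116 ;;        # Mint 17.x and 18.x
        4.13) min=36 ;;         # Mint 18.x
        3.16|3.19|4.2|4.8|4.10|4.11)
            echo unsupported    # series no longer updated, per the post
            return 0 ;;
        *)  echo unknown        # series the post gives no threshold for
            return 0 ;;
    esac
    if [ "$abi" -ge "$min" ]; then echo patched; else echo outdated; fi
}

# report_kernels [DIR] -> one "release status" line per vmlinuz-* image in DIR
report_kernels() {
    dir=${1:-/boot}
    for img in "$dir"/vmlinuz-*; do
        [ -e "$img" ] || continue          # glob matched nothing
        name=${img##*/vmlinuz-}
        printf '%s %s\n' "$name" "$(kernel_status "$name")"
    done
}

# Running kernel first, then every image still installed in /boot.
printf 'running: %s %s\n' "$(uname -r)" "$(kernel_status "$(uname -r)")"
report_kernels /boot
```

A "patched" result only means the version number is at or above the threshold from the post; the spectre-meltdown-checker script mentioned above is what tests hardware, microcode and kernel.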

Re: How to update your kernel for Meltdown

Posted: Wed Jan 10, 2018 6:49 am
by minitux
Good, I have now removed my 4.10.x kernels for the 4.13.0-25 kernel, all works properly.

Thanks.

Re: How to update your kernel for Meltdown

Posted: Wed Jan 10, 2018 7:57 am
by slavko
Can you clarify this to me - why have you suggested installing kernel 4.13.* on latest LM?

Linux Mint 18.* is based on Ubuntu Xenial (16.04 LTS) which came with kernel 4.4.*, right?
Ubuntu suggests 4.4 kernel for Xenial, and patches 4.4 for that reason. So why put non-LTS kernel on LTS Linux system?

Am I missing something? (Obviously 'yes', but what?)

Re: How to update your kernel for Meltdown

Posted: Wed Jan 10, 2018 8:01 am
by xenopeek
Linux Mint 18.2 shipped with 4.8 kernel. 18.3 shipped with 4.10 kernel. Hence I suggest to upgrade to 4.13 and not downgrade.

These are the hwe kernels from Ubuntu and Update Manager provides you with the new hwe kernel once your current hwe kernel goes out of support. For 4.8 that happened in August 2017. For 4.10 that will happen in February 2018. Ultimo August 2018 the hwe kernel will upgrade to 4.15. 4.4 and 4.15 will be supported for the remainder of the lifetime of the release. See https://wiki.ubuntu.com/Kernel/LTSEnabl ... el_Support

Re: How to update your kernel for Meltdown

Posted: Wed Jan 10, 2018 8:39 am
by norm.h
I have Mint 18.2 and, with help from others, have managed to get 4.4 installed and running.
Based on the advice here, I just tried to install 4.13 and got these errors, which are similar to errors I was getting when trying to get 4.4 up and running.

Code:

E: linux-image-4.13.0-26-generic: subprocess installed post-installation script returned error exit status 2
E: linux-image-extra-4.13.0-26-generic: dependency problems - leaving unconfigured

The Kernel section on Update Manager and Synaptic are telling me 4.13 is installed, but it's not listed in GRUB when I reboot, although 4.8 is, even though it's fully removed.

Re: How to update your kernel for Meltdown

Posted: Wed Jan 10, 2018 8:43 am
by Minterator
Thank you. So no patches will be installed automatically by Update Manager? i.e. one has to manually install the kernel you specified above?

If one does not wish to install patches for the time being, they don't have to do anything?

Re: How to update your kernel for Meltdown

Posted: Wed Jan 10, 2018 9:10 am
by stepan2013
Trying to install 4.13.0-26, but there is an error:

Code:

Examining /etc/kernel/header_postinst.d.
run-parts: executing /etc/kernel/header_postinst.d/dkms 4.13.0-26-generic /boot/vmlinuz-4.13.0-26-generic
Error! Bad return status for module build on kernel: 4.13.0-26-generic (x86_64)
Consult /var/lib/dkms/ndiswrapper/1.60/build/make.log for more information.
Error! Bad return status for module build on kernel: 4.13.0-26-generic (x86_64)
Consult /var/lib/dkms/nvidia-340/340.102/build/make.log for more information.

And, of course, no booting with this kernel.

My spec:

Code:

CPU~Quad core Intel Core i5-2320 (-MCP-) speed/max~1599/3300 MHz Kernel~4.10.0-42-generic x86_64 Up~1 min Mem~581.7/3866.2MB HDD~1128.2GB(3.4% used) Procs~205 Client~Shell inxi~2.2.35 

Re: How to update your kernel for Meltdown

Posted: Wed Jan 10, 2018 9:10 am
by looren
Hey !

I'm running 18.3, installed 4.13.0-26 (latest), rebooted, but my computer keeps going into reboot over and over again until I revert back to 4.1.
What's the issue here? Anyone know?

Re: How to update your kernel for Meltdown

Posted: Wed Jan 10, 2018 9:12 am
by catweazel
looren wrote:Hey !

I'm running 18.3, installed 4.13.0-26 (latest), rebooted, but my computer keeps going into reboot over and over again until I revert back to 4.1.
What's the issue here? Anyone know?
Please start a new thread for your issue.

Re: How to update your kernel for Meltdown

Posted: Wed Jan 10, 2018 9:13 am
by Sir Charles
Minterator wrote: If one does not wish to install patches for the time being, they don't have to do anything?
Correct! Just make sure not to choose update level 4 and 5 for these recent changes.

Re: How to update your kernel for Meltdown

Posted: Wed Jan 10, 2018 9:37 am
by LamphunLumyai
Just as an FYI, today I got a Mint Update Manager update level 1, followed by a Level 5 kernel update. That update was to the patched 4.4.0-109-generic (or I assume it's patched from what I've read - still a Newbie in many ways).

From:
Kernel: 3.13.0-100-generic x86_64 (64 bit)
Desktop: Cinnamon 2.8.8 Distro: Linux Mint 17.3 Rosa

To:
Kernel: 4.4.0-109-generic x86_64 (64 bit)
Desktop: Cinnamon 2.8.8 Distro: Linux Mint 17.3 Rosa

No glaring problems with the firmware upgrade that I can see. But if I do, I'll update this post.

Code:

$ lscpu
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                2
On-line CPU(s) list:   0,1
Thread(s) per core:    1
Core(s) per socket:    2
Socket(s):             1
NUMA node(s):          1
Vendor ID:             GenuineIntel
CPU family:            6
Model:                 42
Stepping:              7
CPU MHz:               808.230
BogoMIPS:              3392.31
Virtualization:        VT-x
L1d cache:             32K
L1i cache:             32K
L2 cache:              256K
L3 cache:              2048K

Re: How to update your kernel for Meltdown

Posted: Wed Jan 10, 2018 10:02 am
by slavko
I have installed 4.4.0-109, then I found this: https://github.com/speed47/spectre-meltdown-checker. According to it, only Meltdown issue was addressed in this update, and Spectre variants 1 & 2 are not even touched.

So don't relax too early, people, we are still far from the final solution.

Re: How to update your kernel for Meltdown

Posted: Wed Jan 10, 2018 10:37 am
by xenopeek
As stated, you should use a web browser that has mitigation built in against exploiting these bugs. Like Firefox 57.0.4+. What other programs do you have on your computer that run untrusted code? Or do you randomly download programs from shady/obscure websites and run them blindly on your system :wink:

Re: How to update your kernel for Meltdown

Posted: Wed Jan 10, 2018 11:44 am
by Flemur
More info on kernels and timetable here:
https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown

Re: How to update your kernel for Meltdown

Posted: Wed Jan 10, 2018 12:01 pm
by Mattyboy
All good here

Code:

System:    Host: mintman-To-be-filled-by-O-E-M Kernel: 4.13.0-26-generic x86_64 (64 bit gcc: 5.4.0)
           Desktop: Cinnamon 3.6.7 (Gtk 3.18.9-1ubuntu3.3)
           Distro: Linux Mint 18.3 Sylvia
Machine:   System: Gigabyte product: N/A
           Mobo: Gigabyte model: G1.SNIPER B7-CF v: x.x
           Bios: American Megatrends v: F4 date: 11/02/2015
CPU:       Dual core Intel Core i3-6100 (-HT-MCP-) cache: 3072 KB
           flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx) bmips: 14784
           clock speeds: max: 3700 MHz 1: 3700 MHz 2: 3700 MHz 3: 3700 MHz
           4: 3700 MHz
Graphics:  Card: NVIDIA Device 1c03 bus-ID: 01:00.0
           Display Server: X.Org 1.18.4 drivers: nvidia (unloaded: fbdev,vesa,nouveau)
           Resolution: 1920x1080@60.00hz
           GLX Renderer: GeForce GTX 1060 6GB/PCIe/SSE2
           GLX Version: 4.5.0 NVIDIA 384.111 Direct Rendering: Yes


On the blog posted by 'Linux Mint' "Also please note that 4.10 is vulnerable to Meltdown/Spectre. Only 4.13 and 4.4 are patched against it.".... so I guess if 4.13 ain't working 4.4 it is.... time to remove my 4.10 Kernels :lol:

Re: How to update your kernel for Meltdown

Posted: Wed Jan 10, 2018 12:58 pm
by Spearmint2
Did those above having problems with not seeing the kernel change in their GRUB first run

Code:

sudo update-grub
before rebooting????

Re: How to update your kernel for Meltdown

Posted: Wed Jan 10, 2018 1:10 pm
by slavko
xenopeek wrote:As stated, you should use a web browser that has mitigation built in against exploiting these bugs. Like Firefox 57.0.4+. What other programs do you have on your computer that run untrusted code? Or do you randomly download programs from shady/obscure websites and run them blindly on your system :wink:
"shady websites"? "run blindly"? I wouldn't say so. I do consider myself as a fairly paranoid person. :wink:

But I do need more than a web browser. I do need some programs which do not exist in official repositories (or repo versions are so outdated that they are next to useless). So, what should I do? Stop using all these programs? Then I can stop using computers at all.

And I don't think we can trust ANY site as 100% safe. As we here know, even the most reputable sites are hackable.

So I don't think patching Meltdown and Firefox makes me safe. Less vulnerable - yes, but not safe.

Re: How to update your kernel for Meltdown

Posted: Wed Jan 10, 2018 1:15 pm
by slavko
Spearmint2 wrote:Did those above having problems with not seeing the kernel change in their GRUB first run

Code:

update-grub
before rebooting????
Are we supposed to do so? Shouldn't Update Manager take care of that?

I never had to do this till now, and never had problems before 4.13.

Re: How to update your kernel for Meltdown

Posted: Wed Jan 10, 2018 1:19 pm
by xenopeek
slavko wrote:I do need some programs which do not exist in official repositories (or repo versions are so outdated that they are next to useless). So, what should I do? Stop using all these programs? Then I can stop using computers at all.
I didn't say that. But it is your responsibility to look into who and what you trust (and why). No amount of microcode updates and kernel patches will help if you install some program that has been designed to also steal all your personal files for example. Assuming you did your research a bit on what you're about to install, the only untrusted code you're likely to run is in your web browser. Hence focus on getting a web browser that has the mitigation in place already.

Re: How to update your kernel for Meltdown

Posted: Wed Jan 10, 2018 1:56 pm
by Spearmint2
slavko wrote:
Spearmint2 wrote:Did those above having problems with not seeing the kernel change in their GRUB first run

Code:

update-grub
before rebooting????
Are we supposed to do so? Shouldn't Update Manager take care of that?

I never had to do this till now, and never had problems before 4.13.
May not be necessary. Not sure. Doesn't hurt though.

As an aside, I was looking for the kernel update, but it didn't appear till I changed my Update Manager preferences to make 4 & 5 updates at least visible, but left them set as "not safe". So, if you have them set as "not visible" then will need to change that to have them available for install. If computer won't boot to it from GRUB, then remember, the older kernel should be in "Previous Versions" section to choose for boot.
But I do need more than a web browser. I do need some programs which do not exist in official repositories (or repo versions are so outdated that they are next to useless). So, what should I do? Stop using all these programs? Then I can stop using computers at all.
No older program will have such exploits in them, since knowledge of such capability wasn't known when they were published. It's the newer programs since this knowledge became available that might present a problem.