How to update your kernel for Meltdown and Spectre

xenopeek
Level 25
Posts: 29459
Joined: Wed Jul 06, 2011 3:58 am

How to update your kernel for Meltdown and Spectre

Post by xenopeek »

If you're not yet familiar with these processor bugs (affecting processors from Intel, AMD [not Meltdown] and ARM) please read our earlier announcement: Security notice: Meltdown and Spectre. It's important that you upgrade your Linux kernel to one that has fixes for Meltdown and Spectre to keep your system safe.

In short, Linux Mint 18.x users should be using kernel 4.4.0-116 or 4.13.0-36 or newer and NOT continue to use any 4.8.x, 4.10.x or 4.11.x kernels (those are no longer updated and unsafe). Linux Mint 17.x users should be using kernel 3.13.0-142 or 4.4.0-116 and NOT continue to use any 3.16.x, 3.19.x or 4.2.x kernels (those are also no longer updated and unsafe).

Need to know
You can view the latest status of the kernel mitigations against the Meltdown and Spectre processor bugs here: https://wiki.ubuntu.com/SecurityTeam/Kn ... itigations.

Also update your web browser: For Spectre there are 2 variants, where variant 1 is fixed in the kernel but variant 2 also requires a processor microcode update. Many systems will not yet have such a microcode update and remain vulnerable to variant 2 (and for 32-bit installations of Linux Mint there is no kernel upgrade yet that includes Spectre variant 2 patch). As such it is critical that you have also updated your web browser. Firefox version 57.0.4 (or newer) and Google Chrome version 64 (or newer) both have mitigation in place that makes it impossible for JavaScript on websites to exploit any of these bugs. Note that Chromium has not been patched yet! (If you use another web browser, check your version is safe from Meltdown and Spectre.) The kernel fixes on their own are not sufficient to keep your system safe.

32-bit systems remain vulnerable to Meltdown: There are no patches (yet) for Meltdown on 32-bit Linux distros running on Intel or ARM processors (AMD processors are not affected by Meltdown). That means if you have an Intel processor and are using Linux Mint 32-bit you should replace it with Linux Mint 64-bit if you're concerned about Meltdown.

VirtualBox hosts: If you're using Linux Mint 18.x as a VirtualBox host you should stick with the 4.4 kernel series or add the Oracle VirtualBox repository to your system. The version of VirtualBox on Linux Mint 18.x is not (yet) compatible with the 4.13 kernel series. If you need the 4.13 kernel series (e.g., you're using an Intel Kaby Lake or AMD Ryzen processor) choose the latter option. An example of the steps to add the Oracle VirtualBox repository to your system is found here: https://askubuntu.com/a/995096

Before you proceed !!!
Before you do anything, we recommend you use Timeshift and take a system snapshot. That way if any of the updates cause problems you have the option to roll them back. Timeshift has been made available on all Linux Mint versions and can be installed through Software Manager.

Upgrading your kernel
If you don't know your Linux Mint version open the terminal from your menu and run this command:
inxi -S

Instructions for Linux Mint 18.3 and 18.2:
  • From Update Manager's View menu open Linux kernels, select 4.13 in the left sidebar and at the right you should see version 4.13.0-36 or newer (a higher number than 36 at the end). That should show as installed and in the top of the window it should be shown as currently used. If not, install it and reboot your system to load the new kernel. As an alternative you may use 4.4.0-116 or newer (a number higher than 116 at the end).
  • If it booted fine and everything seems to work you can remove other kernels from View > Linux kernels menu. If it didn't boot fine you can boot your previous kernel through GRUB boot menu (hold down shift key during boot if GRUB menu is not shown during boot).
  • In the list of available updates you may see level 4 security upgrades for linux-libc-dev (it may be for a lower version number than your kernel, which is fine and as expected). You should install all security updates.
Instructions for Linux Mint 18.1 and 18:
  • From Update Manager's View menu open Linux kernels, select 4.4 in the left sidebar and scroll down till you see version 4.4.0-116 or newer (a higher number than 116 at the end). The list may be sorted a bit strange. That should show as installed and in the top of the window it should be shown as currently used. If not, install it and reboot your system to load the new kernel. As an alternative you may use 4.13.0-36 or newer (a number higher than 36 at the end).
  • If it booted fine and everything seems to work you can remove other kernels from View > Linux kernels menu. If it didn't boot fine you can boot your previous kernel through GRUB boot menu (hold down shift key during boot if GRUB menu is not shown during boot).
  • In the list of available updates you may see level 5 security upgrades for linux or Linux kernel 4.some version (it may be for a lower version number than your kernel, which is fine and as expected if the upgrade contains the package linux-libc-dev). You should install all security updates.
Instructions for Linux Mint 17.3 and 17.2:
  • From Update Manager's View menu open Linux kernels and scroll up from the end (it's sorted a bit strange) till you see version 4.4.0-116 or newer (a higher number than 116 at the end). That should show as installed and loaded. If not, install it and reboot your system to load the new kernel. As an alternative you may use 3.13.0-142 or newer (a number higher than 142 at the end).
  • If it booted fine and everything seems to work you can remove other kernels from View > Linux kernels menu. If it didn't boot fine you can boot your previous kernel through GRUB boot menu (hold down shift key during boot if GRUB menu is not shown during boot).
  • In the list of available updates you should also see (or have already installed) a level 5 security upgrade for linux-kernel to version 4.4.0-lts1. You may see level 5 security upgrades for linux (it may be for a lower version number than your kernel, which is fine and as expected if the upgrade contains the package linux-libc-dev). You should install all security updates.
Instructions for Linux Mint 17.1 and 17:
  • From Update Manager's View menu open Linux kernels and scroll down till you see version 3.13.0-142 or newer (a higher number than 142 at the end). It should be near the beginning of the list (it's sorted a bit strange). That should show as installed and loaded. If not, install it and reboot your system to load the new kernel. As an alternative you may use 4.4.0-116 or newer (a number higher than 116 at the end).
  • If it booted fine and everything seems to work you can remove other kernels from View > Linux kernels menu. If it didn't boot fine you can boot your previous kernel through GRUB boot menu (hold down shift key during boot if GRUB menu is not shown during boot).
  • In the list of available updates you should also see (or have already installed) a level 5 security upgrade for linux-kernel to version 3.13.0-lts1. You may see level 5 security upgrades for linux (it may be for a lower version number than your kernel, which is fine and as expected if the upgrade contains the package linux-libc-dev). You should install all security updates.
Check the patch status of your system
You can use https://github.com/speed47/spectre-meltdown-checker to test the patch status of your system. It tests both hardware, microcode and kernel. Download the zip, extract the .sh file from it and open a terminal on the directory where you have extracted the .sh file. Then run this command to run the tests:
sudo sh spectre-meltdown-checker.sh
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 8 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
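
An added example, not part of xenopeek's post: a shell check that classifies a kernel release string against the minimum versions the post lists (3.13.0-142, 4.4.0-116, 4.13.0-36) and flags the series it calls no longer updated. The function names `kernel_status` and `sysfs_report` are hypothetical, and the second function assumes your kernel exposes the `/sys/devices/system/cpu/vulnerabilities` files, which not every kernel of that era does.

```shell
#!/bin/sh
# Added example: compare a kernel release with the minimums from the post.

# kernel_status RELEASE
# Prints: patched | outdated | unsupported | unknown
kernel_status() {
    rel=$1
    # "4.13.0-36-generic" -> "4.13 36" (series, then the ABI number after the dash)
    parsed=$(printf '%s\n' "$rel" |
        sed -n 's/^\([0-9]\{1,\}\.[0-9]\{1,\}\)\.[0-9]\{1,\}-\([0-9]\{1,\}\).*$/\1 \2/p')
    if [ -z "$parsed" ]; then
        echo unknown
        return 0
    fi
    series=${parsed% *}
    abi=${parsed#* }
    case $series in
        3.13) min=142 ;;   # Linux Mint 17.x
        4.4)  min=116 ;;   # Linux Mint 17.x and 18.x
        4.13) min=36 ;;    # Linux Mint 18.x
        3.16|3.19|4.2|4.8|4.10|4.11)
            # Series the post says are no longer updated.
            echo unsupported
            return 0 ;;
        *)
            echo unknown
            return 0 ;;
    esac
    if [ "$abi" -ge "$min" ]; then
        echo patched
    else
        echo outdated
    fi
}

# sysfs_report [DIR]
# Prints what the kernel itself reports for each bug, one line per file.
# DIR defaults to the kernel's sysfs directory (assumed to exist on patched kernels).
sysfs_report() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            printf '%s: %s\n' "$name" "$(cat "$dir/$name")"
        else
            printf '%s: not reported by this kernel\n' "$name"
        fi
    done
}

# Report on the running system.
printf 'running kernel %s: %s\n' "$(uname -r)" "$(kernel_status "$(uname -r)")"
sysfs_report
```

A result of `outdated` or `unsupported` means the kernel steps in the post still apply; the sysfs lines say nothing about the web browser, which the post treats separately.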
minitux

Re: How to update your kernel for Meltdown

Post by minitux »

Good, I have now removed my 4.10.x kernels for the 4.13.0-25 kernel, all works properly.

Thanks.
slavko
Level 2
Posts: 53
Joined: Thu Mar 24, 2016 4:15 pm

Re: How to update your kernel for Meltdown

Post by slavko »

Can you clarify this to me - why have you suggested installing kernel 4.13.* on latest LM?

Linux Mint 18.* is based on Ubuntu Xenial (16.04 LTS) which came with kernel 4.4.*, right?
Ubuntu suggests 4.4 kernel for Xenial, and patches 4.4 for that reason. So why put non-LTS kernel on LTS Linux system?

Am I missing something? (Obviously 'yes', but what?)
xenopeek
Level 25
Posts: 29459
Joined: Wed Jul 06, 2011 3:58 am

Re: How to update your kernel for Meltdown

Post by xenopeek »

Linux Mint 18.2 shipped with 4.8 kernel. 18.3 shipped with 4.10 kernel. Hence I suggest to upgrade to 4.13 and not downgrade.

These are the hwe kernels from Ubuntu and Update Manager provides you with the new hwe kernel once your current hwe kernel goes out of support. For 4.8 that happened in August 2017. For 4.10 that will happen in February 2018. Ultimo August 2018 the hwe kernel will upgrade to 4.15. 4.4 and 4.15 will be supported for the remainder of the lifetime of the release. See https://wiki.ubuntu.com/Kernel/LTSEnabl ... el_Support
norm.h
Level 5
Posts: 690
Joined: Tue Mar 23, 2010 11:45 am
Location: Oxfordshire, UK

Re: How to update your kernel for Meltdown

Post by norm.h »

I have Mint 18.2 and with help from others, have managed to get 4.4 installed and running
Based on the advice here, I just tried to install 4.13 and got these errors which are similar to errors I was getting when trying to get 4.4 up and running

Code:

E: linux-image-4.13.0-26-generic: subprocess installed post-installation script returned error exit status 2
E: linux-image-extra-4.13.0-26-generic: dependency problems - leaving unconfigured

The Kernel section on Update Manager and Synaptic are telling me 4.13 is installed, but it's not listed in GRUB when I reboot, although 4.8 is, even though it's fully removed.
Last edited by norm.h on Wed Jan 10, 2018 9:07 am, edited 3 times in total.
Minterator

Re: How to update your kernel for Meltdown

Post by Minterator »

Thank you. So no patches will be installed automatically by Update Manager? i.e. one has to manually install the kernel you specified above?

If one does not wish to install patches for the time being, they don't have to do anything?
stepan2013
Level 1
Posts: 13
Joined: Wed Jan 10, 2018 8:58 am

Re: How to update your kernel for Meltdown

Post by stepan2013 »

Trying to install 4.13.0-26, but there is an error:

Code:

Examining /etc/kernel/header_postinst.d.
run-parts: executing /etc/kernel/header_postinst.d/dkms 4.13.0-26-generic /boot/vmlinuz-4.13.0-26-generic
Error! Bad return status for module build on kernel: 4.13.0-26-generic (x86_64)
Consult /var/lib/dkms/ndiswrapper/1.60/build/make.log for more information.
Error! Bad return status for module build on kernel: 4.13.0-26-generic (x86_64)
Consult /var/lib/dkms/nvidia-340/340.102/build/make.log for more information.

And, of course, no booting with this kernel.

My spec:

Code:

CPU~Quad core Intel Core i5-2320 (-MCP-) speed/max~1599/3300 MHz Kernel~4.10.0-42-generic x86_64 Up~1 min Mem~581.7/3866.2MB HDD~1128.2GB(3.4% used) Procs~205 Client~Shell inxi~2.2.35
looren
Level 2
Posts: 78
Joined: Fri Apr 14, 2017 4:03 am

Re: How to update your kernel for Meltdown

Post by looren »

Hey !

I'm running 18.3, installed 4.13.0-26 (latest), rebooted, but my computer keeps going into reboot over and over again until I revert back to 4.1.
What's the issue here? Anyone know?
catweazel
Level 19
Posts: 9763
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: How to update your kernel for Meltdown

Post by catweazel »

looren wrote:
Hey !

I'm running 18.3, installed 4.13.0-26 (latest), rebooted, but my computer keeps going into reboot over and over again until I revert back to 4.1.
What's the issue here? Anyone know?

Please start a new thread for your issue.
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.
Sir Charles

Re: How to update your kernel for Meltdown

Post by Sir Charles »

Minterator wrote: If one does not wish to install patches for the time being, they don't have to do anything?

Correct! Just make sure not to choose update level 4 and 5 for these recent changes.
LamphunLumyai
Level 3
Posts: 181
Joined: Tue Mar 24, 2015 9:20 am

Re: How to update your kernel for Meltdown

Post by LamphunLumyai »

Just as an FYI, today I got a Mint Update Manager update level 1, followed by a Level 5 kernel update. That update was to the patched 4.4.0-109-generic (or I assume it's patched from what I've read - still a Newbie in many ways).

From:
Kernel: 3.13.0-100-generic x86_64 (64 bit)
Desktop: Cinnamon 2.8.8 Distro: Linux Mint 17.3 Rosa

To:
Kernel: 4.4.0-109-generic x86_64 (64 bit)
Desktop: Cinnamon 2.8.8 Distro: Linux Mint 17.3 Rosa

No glaring problems with the firmware upgrade that I can see. But if I do, I'll update this post.

Code:

$ lscpu
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                2
On-line CPU(s) list:   0,1
Thread(s) per core:    1
Core(s) per socket:    2
Socket(s):             1
NUMA node(s):          1
Vendor ID:             GenuineIntel
CPU family:            6
Model:                 42
Stepping:              7
CPU MHz:               808.230
BogoMIPS:              3392.31
Virtualization:        VT-x
L1d cache:             32K
L1i cache:             32K
L2 cache:              256K
L3 cache:              2048K
slavko
Level 2
Posts: 53
Joined: Thu Mar 24, 2016 4:15 pm

Re: How to update your kernel for Meltdown

Post by slavko »

I have installed 4.4.0-109, then I found this: https://github.com/speed47/spectre-meltdown-checker. According to it, only Meltdown issue was addressed in this update, and Spectre variants 1 & 2 are not even touched.

So don't relax too early, people, we are still far from the final solution.
xenopeek
Level 25
Posts: 29459
Joined: Wed Jul 06, 2011 3:58 am

Re: How to update your kernel for Meltdown

Post by xenopeek »

As stated, you should use a web browser that has mitigation built in against exploiting these bugs. Like Firefox 57.0.4+. What other programs do you have on your computer that run untrusted code? Or do you randomly download programs from shady/obscure websites and run them blindly on your system :wink:
Flemur
Level 20
Posts: 10097
Joined: Mon Aug 20, 2012 9:41 pm
Location: Potemkin Village

Re: How to update your kernel for Meltdown

Post by Flemur »

More info on kernels and timetable here:
https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown
Please edit your original post title to include [SOLVED] if/when it is solved!
Your data and OS are backed up....right?
Mattyboy

Re: How to update your kernel for Meltdown

Post by Mattyboy »

All good here

Code:

System:    Host: mintman-To-be-filled-by-O-E-M Kernel: 4.13.0-26-generic x86_64 (64 bit gcc: 5.4.0)
           Desktop: Cinnamon 3.6.7 (Gtk 3.18.9-1ubuntu3.3)
           Distro: Linux Mint 18.3 Sylvia
Machine:   System: Gigabyte product: N/A
           Mobo: Gigabyte model: G1.SNIPER B7-CF v: x.x
           Bios: American Megatrends v: F4 date: 11/02/2015
CPU:       Dual core Intel Core i3-6100 (-HT-MCP-) cache: 3072 KB
           flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx) bmips: 14784
           clock speeds: max: 3700 MHz 1: 3700 MHz 2: 3700 MHz 3: 3700 MHz
           4: 3700 MHz
Graphics:  Card: NVIDIA Device 1c03 bus-ID: 01:00.0
           Display Server: X.Org 1.18.4 drivers: nvidia (unloaded: fbdev,vesa,nouveau)
           Resolution: 1920x1080@60.00hz
           GLX Renderer: GeForce GTX 1060 6GB/PCIe/SSE2
           GLX Version: 4.5.0 NVIDIA 384.111 Direct Rendering: Yes


On the blog posted by 'Linux Mint' "Also please note that 4.10 is vulnerable to Meltdown/Spectre. Only 4.13 and 4.4 are patched against it.".... so I guess if 4.13 ain't working 4.4 it is.... time to remove my 4.10 Kernels :lol:
Last edited by Mattyboy on Wed Jan 10, 2018 6:48 pm, edited 1 time in total.
Spearmint2
Level 16
Posts: 6900
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: How to update your kernel for Meltdown

Post by Spearmint2 »

Did those above having problems with not seeing the kernel change in their GRUB first run

Code:

sudo update-grub

before rebooting????
Last edited by Spearmint2 on Wed Jan 10, 2018 1:52 pm, edited 1 time in total.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....
slavko
Level 2
Posts: 53
Joined: Thu Mar 24, 2016 4:15 pm

Re: How to update your kernel for Meltdown

Post by slavko »

xenopeek wrote:As stated, you should use a web browser that has mitigation built in against exploiting these bugs. Like Firefox 57.0.4+. What other programs do you have on your computer that run untrusted code? Or do you randomly download programs from shady/obscure websites and run them blindly on your system :wink:

"shady websites"? "run blindly"? I wouldn't say so. I do consider myself as a fairly paranoid person. :wink:

But I do need more than a web browser. I do need some programs which do not exist in official repositories (or repo versions are so outdated that are next to useless). So, what should I do? Stop using all these programs? Then I can stop using computers at all.

And I don't think we can trust ANY site as 100% safe. As we here know, even the most reputable sites are hackable.

So I don't think patching Meltdown and Firefox make me safe. Less vulnerable - yes, but not safe.
slavko
Level 2
Posts: 53
Joined: Thu Mar 24, 2016 4:15 pm

Re: How to update your kernel for Meltdown

Post by slavko »

Spearmint2 wrote:Did those above having problems with not seeing the kernel change in their GRUB first run

Code:

update-grub

before rebooting????

Are we supposed to do so? Shouldn't Update Manager take care of that?

I never had to do this till now, and never had problems before 4.13.
xenopeek
Level 25
Joined: Wed Jul 06, 2011 3:58 am

Re: How to update your kernel for Meltdown

Post by xenopeek »

slavko wrote:I do need some programs which do not exist in official repositories (or repo versions are so outdated that are next to useless). So, what should I do? Stop using all these programs? Then I can stop using computers at all.

I didn't say that. But it is your responsibility to look into who and what you trust (and why). No amount of microcode updates and kernel patches will help if you install some program that has been designed to also steal all your personal files for example. Assuming you did your research a bit on what you're about to install, the only untrusted code you're likely to run is in your web browser. Hence focus on getting a web browser that has the mitigation in place already.
Spearmint2
Level 16
Posts: 6900
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: How to update your kernel for Meltdown

Post by Spearmint2 »

slavko wrote:
Spearmint2 wrote:Did those above having problems with not seeing the kernel change in their GRUB first run

Code:

update-grub

before rebooting????

Are we supposed to do so? Shouldn't Update Manager take care of that?

I never had to do this till now, and never had problems before 4.13.

May not be necessary. Not sure. Doesn't hurt though.

As an aside, I was looking for the kernel update, but it didn't appear till I changed my Update Manager preferences to make 4 & 5 updates at least visible, but left them set as "not safe". So, if you have them set as "not visible" then will need to change that to have them available for install. If computer won't boot to it from GRUB, then remember, the older kernel should be in "Previous Versions" section to choose for boot.
But I do need more than a web browser. I do need some programs which do not exist in official repositories (or repo versions are so outdated that are next to useless). So, what should I do? Stop using all these programs? Then I can stop using computers at all.

No older program will have such exploits in them, since knowledge of such capability wasn't known when they were published. It's the newer programs since this knowledge became available that might present a problem.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....