When will IPFire update to a secure kernel?

dnl
Posts: 319
Joined: June 28th, 2013, 11:03 am

When will IPFire update to a secure kernel?

Post by dnl » January 7th, 2018, 2:17 am

Hello,
I know the core developers pay attention to the security of core components of IPFire and I really appreciate that about this software. However, we've been stuck on a version 3 kernel for a long time now.

Was this because they've wanted to keep the grsecurity patches for as long as possible?
Anyway, is there any news on when IPFire will update to kernel version 4.4 or newer?

I see that in early December, Arne wrote:
Arne.F wrote:
December 5th, 2017, 1:43 pm
I'm not able to compile backports higher than the included 4.2.6 for the 3.14.x kernel.
We plan to update the kernel to 4.14 in the near future. I have already built it for x86 and x86_64, but there are known issues (IPCOMP via IPsec is not working) and I have not done the arm config yet.

https://people.ipfire.org/~arne_f/highl ... al/kernel/
But backporting fixes from 4.2.6 is sadly not enough:
LWN quotes maintainer Greg Kroah-Hartman:
"If you rely on any other kernel tree other than 4.4, 4.9, or 4.14 right now, and you do not have a distribution supporting you, you are out of luck. The lack of patches to resolve the Meltdown problem is so minor compared to the hundreds of other known exploits and bugs that your kernel version currently contains. You need to worry about that more than anything else at this moment, and get your systems up to date first. Also, go yell at the people who forced you to run an obsoleted and insecure kernel version, they are the ones that need to learn that doing so is a totally reckless act."
Despite IPFire being the "distribution supporting us" I understand that he's saying we need backports from no earlier than 4.4 to have all known vulnerabilities (and bugs) patched.

Perhaps a core developer would be kind enough to write a very quick blog post with their plans for the future?
I've not read any news about a planned roadmap for the kernel in IPFire.

Thanks!

ava1ar
Posts: 3
Joined: October 31st, 2017, 4:18 am
Location: New York

Re: When will IPFire update to a secure kernel?

Post by ava1ar » January 12th, 2018, 10:37 pm

Thanks for bringing this to attention! I am joining your question about the future of the IPFire kernel and already mentioned this in my recent forum post. I personally consider using an old unsupported kernel the biggest problem of IPFire. I like Linux and want to use it, but this issue will potentially force me to switch to pfSense/OPNsense...

Arne.F
Core Developer
Posts: 7935
Joined: May 7th, 2006, 8:57 am
Location: BS <-> NDH
Contact:

Re: When will IPFire update to a secure kernel?

Post by Arne.F » January 13th, 2018, 11:50 am

I have uploaded 4.14.13 testing kernels, but I still have some issues (bad wlan with some clients, very bad RAID throughput), so these are not stable yet. (Also the IPCOMP problem is still present, not only with the IPFire config; Debian has the same problem.)

Since the Meltdown/Spectre fixes, new kernels are very unstable in my tests...
Also, Meltdown/Spectre was only addressed in 64-bit kernels...

Btw, the current BSD kernel of pfSense/OPNsense has (to my knowledge) no fixes for Meltdown/Spectre yet. And advertising Snort rules for this is snake oil to me...
dnl wrote:
Despite IPFire being the "distribution supporting us" I understand that he's saying we need backports from no earlier than 4.4 to have all known vulnerabilities (and bugs) patched.
I did not mention security fixes. backports-x.x.x is a common package that contains wlan and media driver backports.
Arne

Support the project on the IPFire wishlist!

PS: I will not answer support questions via email and ignore IPFire related messages on my non IPFire.org mail addresses.

MichaelTremer
Core Developer
Posts: 5638
Joined: August 11th, 2005, 9:02 am

Re: When will IPFire update to a secure kernel?

Post by MichaelTremer » January 14th, 2018, 3:35 pm

ava1ar wrote:
January 12th, 2018, 10:37 pm
Thanks for bringing this to attention! I am joining your question about the future of the IPFire kernel and already mentioned this in my recent forum post. I personally consider using an old unsupported kernel the biggest problem of IPFire. I like Linux and want to use it, but this issue will potentially force me to switch to pfSense/OPNsense...
IPFire is based on a supported kernel. Supported by us. I do not think that any pressure or the phrases that Greg put out there actually help anyone, because so far there is just misinformation out there about Meltdown & Spectre.

There are currently no fixes/mitigations against Spectre in kernel 4.14 or newer. Only Meltdown is fixed in 4.14. That's something. But not good enough. On top of all of that, we don't even know how much PTI is affecting the operating systems. Performance is certainly one very important part here. But for the moment, none of the proof-of-concept exploits of Meltdown work on IPFire, so there is little value in rushing into rolling out 4.14.

I also wrote a little post about this here: https://planet.ipfire.org/post/meltdown ... otic-story. That however is now a few days old and things have developed a little since then.

dnl
Posts: 319
Joined: June 28th, 2013, 11:03 am

Re: When will IPFire update to a secure kernel?

Post by dnl » January 17th, 2018, 8:20 am

Thank you Michael and Arne for your replies.

I did read your blog post Michael, but suspect ava1ar missed it as he replied after you posted it.
I'm also very disappointed with Intel over this. Some vulnerabilities have been around since 1995!!

Arne.F wrote:
January 13th, 2018, 11:50 am
Despite IPFire being the "distribution supporting us" I understand that he's saying we need backports from no earlier than 4.4 to have all known vulnerabilities (and bugs) patched.
I did not mention security fixes. backports-x.x.x is a common package that contains wlan and media driver backports.
I'm sorry that my post was not clearer. I was commenting on what Greg KH said about the 4.4 kernel.
I understood that he was talking generally about security patches, not only for "Meltdown" and "Spectre".



MichaelTremer
Core Developer
Posts: 5638
Joined: August 11th, 2005, 9:02 am

Re: When will IPFire update to a secure kernel?

Post by MichaelTremer » January 17th, 2018, 11:48 am

dnl wrote:
January 17th, 2018, 8:20 am
I'm also very disappointed with Intel over this. Some vulnerabilities have been around since 1995!!
Disappointed probably doesn't catch it. That they have this issue alone is already really really really bad.

But that they are now doing nothing about it, especially not releasing information and talking everything down, publishing benchmarks that cut out the bad bits, that is something that is basically unforgivable.

dnl
Posts: 319
Joined: June 28th, 2013, 11:03 am

Re: When will IPFire update to a secure kernel?

Post by dnl » January 18th, 2018, 11:20 am

This post wasn't intended to address Meltdown/Spectre, but the age of the kernel version in IPFire. However, as we are talking about it, you might like to quickly read this Ars Technica article: "The impromptu Slack war room where 'Net companies unite to fight Spectre-Meltdown"
The early disclosure of Meltdown and Spectre by Google and the fumbled responses by hardware vendors left cloud companies scrambling to react. So they united to fight the dumpster fire of poor communication and bad patches.
The article includes:
Smith noted that there has been a missed communications opportunity: Intel and others could've tried using existing large organizations to share information early—not just to cloud companies but to a much larger set of stakeholders. "We're all members of the Linux Foundation," Smith noted. "Why didn't this disseminate through the Linux Foundation?"

O/T: Michael, if you're reading this, could you please read my PM about wiki access? I can't contribute to IPFire now as I no longer have a working account that can edit the wiki.

Thank you,
dnl
