{{Header}}
{{Title|title=
Linux Kernel
}}
{{#seo:
|description=Newer Kernel Versions for Better Security Hardening / Kernel Issues
|image=Newerlinux161108640.png
}}
[[File:Newerlinux161108640.png|thumb]]
{{intro|
Newer Kernel Versions for Better Security Hardening / Kernel Issues
}}
= Introduction =
== Kernel Options ==
GNU/Linux provides a wide variety of possible [https://www.kernel.org/ kernel options] for individual users. Active kernel releases fall into several main categories: [https://www.kernel.org/category/releases.html]
* Prepatch (RC) kernels: these "release candidate" kernels are pre-releases of the mainline kernel that are intended for developers and Linux enthusiasts. [These must be compiled from source.] They contain new features and must be tested before they are put into a stable release.
* Mainline: the mainline tree is where all new features are introduced and where new development occurs. Every 2-3 months, a new mainline kernel is released.
* Stable: After a mainline kernel is released, it is classified as stable. Bug fixes for the stable kernel are backported from the mainline tree. On approximately a weekly basis, stable kernel updates are released. Normally only a few bug fix kernel releases are available before the next mainline kernel is released.
* Long-term (LTS): At any time there are usually several "long-term maintenance" kernel releases available. Bug fixes are backported for older kernels, but these are focused on the most important issues and releases are not very frequent (particularly for older trees).
* Distribution kernels: A number of Linux distributions provide long-term maintenance kernels, which are sometimes not based on those maintained by kernel developers. This is the case for Debian upon which {{project_name_long}} is based. [To tell if you are running a distribution kernel, in a terminal run: ]uname -r
. If anything appears after the dash, then a distribution kernel is in use. At the time of writing, Debian is utilizing the [https://packages.debian.org/source/{{Stable project version based on Debian codename}}/linux following distribution kernel]: 4.19.98-1+deb10u1
.
Interested readers can refer to [https://www.kernel.org/ The Linux Kernel Archives] to see the prepatch, mainline, stable and long-term kernels that are currently available.
== Recommended Kernel ==
For the vast majority of {{project_name_short}} users, there is simply no reason to change from the distribution kernel that is in use.
The general expert consensus is that while LTS kernels have less hardening features and not all bug fixes are backported, they have less attack surface and potentially less chance of having new bugs. In comparison, stable kernels have more hardening features and all known bug fixes to date, but a higher attack surface and a greater potential for new bugs. [https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598?page=11] The grsecurity development team has also noted that the majority of Linux kernel vulnerabilities are those that have most recently been introduced (released) in newer versions. [https://www.grsecurity.net/the_truth_about_linux_4_6] [See also: [https://wiki.debian.org/KernelFAQ Debian wiki Kernel FAQ].]
The developer who is responsible for stable Linux kernel releases (Greg Kroah-Hartman), has also confirmed this viewpoint. His recommendation of what kernel should be used (ranked from best to worst) is as follows: [http://kroah.com/log/blog/2018/08/24/what-stable-kernel-should-i-use/] [He also notes that an unmaintained kernel release should never be used.]
# Supported kernel from your favorite Linux distribution.
# Latest stable release.
# Latest LTS release.
# Older LTS release that is still being maintained.
In Debian's case, it is noted that the distribution kernel is not based on the latest stable upstream kernel release, but they still ensure that any necessary bug fixes are applied on a regular basis.
{{project_name_short}} developers have also noted there is a [[Dev/APT_Pinning#backports_by_default|risk of instability and breakage]] when utilizing kernels from Debian backports. [
https://forums.whonix.org/t/kernel-versions-and-security-debian-backports/5791
] For instance, this had previously resulted in Qubes breakage [
See: https://github.com/QubesOS/qubes-issues/issues/4443
] and caused mismatches in the kernel image versus kernel headers.
One possible exception to the recommendation in this section concerns {{q_project_name_short}} users, since the dom0
kernel applies to all qubes by default. To benefit from a number of recent security developments, the use of [https://github.com/QubesOS/qubes-issues/issues/5212 in-VM kernels] is a prerequisite.
'''TODO:''' This wiki page needs an update due to article: [https://www.zdnet.com/article/are-all-linux-vendor-kernels-insecure-a-new-study-says-yes-but-theres-a-fix/ Are all Linux vendor kernels insecure? A new study says yes, but there's a fix]
* It may not be actionable by users or developers. Stable kernels from kernel.org are not packaged for Debian. Even if they were, they are probably not suitable for installation by default due to issues with [[Dev/maintainability|maintainability]].
== Kernel Parameter ==
* [[Grub#Kernel_Boot_Parameter_Change|Temporary Kernel Boot Parameter Change]]
* [[Grub#Permanent_Configuration_Changes|Permanent Kernel Boot Parameter Configuration Changes]].
== illegal hardware instruction ==
[https://github.com/Kicksecure/security-misc/pull/218 gather_data_sampling=force
- Enable Gather Data Sampling (GDS) mitigation - related to CPU AVX
instruction; More CPU Mitigations and Additional References]
== Kernel Issues ==
Sometimes updated kernel versions can cause issues. This has only been an issue for major kernel upgrades such as when performing instructions below. This has never been an issue when performing [[Update|standard ("everyday") updates]].
Host kernel version 5.15 was [https://forums.whonix.org/t/tor-browser-crashing-in-whonix-virtualbox-since-upgrade-to-host-linux-kernel-version-5-10-0-15/13767/13 reported] to cause many unrelated, strange issues inside VirtualBox VMs because that kernel version was still unsupported by VirtualBox. [
https://www.virtualbox.org/ticket/17055#comment:3
]
* [https://forums.whonix.org/t/recommended-specs/9679/14 host freeze]
* segmentation fault
s in many applications
* SIGSEGV
errors in all chromium based browsers
* broken [[sdwdate]]
* broken [[swap-file-creator]]
* broken update and upgrades with bizarre unusual otherwise never seen errors such as Hash Sum Mismatch
* Tor Browser was [https://forums.whonix.org/t/tor-browser-crashing-in-whonix-virtualbox-since-upgrade-to-host-linux-kernel-version-5-10-0-15/13767 reported] to have crashed inside VirtualBox with Segmentation fault (core dumped)
.
* [https://github.com/{{project_name_short}}/msgcollector msgcollector] issue was [https://forums.whonix.org/t/tor-browser-crashing-in-whonix-virtualbox-since-upgrade-to-host-linux-kernel-version-5-10-0-15/13767/11 reported] error_text: ‘exit_code: 0 | text: Failed to set up inotifywait! inotifywait_folder: /run/msgcollector | wait_exit_code: 141’
= Installation of Newer Kernels =
== Preparation ==
=== {{non_q_project_name_long}} ===
[[{{non_q_project_name_short}}|{{non_q_project_name_short}}]]: No preparation is required.
=== {{q_project_name_long}} ===
[[{{q_project_name_short}}|{{q_project_name_short}}]]: A Qubes VM kernel is required.
{{Qubes_VM_Kernel}}
== Package Installation ==
{{Testers-only}}
[
Past Debian issue: [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951315 linux-image-amd64 vs linux-headers-amd64 Debian buster-backports version mismatch bpo.2 vs bpo.3]
]
{{Install_Backport
|package_name=A newer Linux kernel
|package=linux-image-$(dpkg --print-architecture) linux-headers-$(dpkg --print-architecture)
}}
These steps can be repeated for any other host operating system installations or other VMs.
= See Also =
* [https://github.com/{{project_name_short}}/tirdad tirdad - TCP ISN CPU Information Leak Protection]
* [[Hardened-kernel|hardened-kernel]]
= Footnotes =
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]