Which kernel should I use ?

arky217
Forum Novice
Posts: 59
Joined: Mon Jun 19, 2017 6:00 pm

Which kernel should I use ?

#1 Post by arky217 » Wed Sep 26, 2018 10:43 pm

Does MX Linux update the kernel periodically like some distros do
or is it left up to the user to install a newer kernel ?

I've been using MX 17 horizon for a few days; it came with kernel 4.15.0-1,
which seems to be the latest one in the Stable Repo.

I noticed that in the MX Test Repo there are several newer kernels, the
latest one seems to be 4.18.0-1.

Is there any reason to install the latest one in the MX Test Repo ?

When a newer kernel becomes available in the Stable Repo,
will it be installed when I update the system ?

dolphin_oracle
Forum Veteran
Posts: 10034
Joined: Sun Dec 16, 2007 1:17 pm

Re: Which kernel should I use ?

#2 Post by dolphin_oracle » Wed Sep 26, 2018 10:54 pm

Kernel updates in the same family automatically update when possible. So 4.15 kernels should update automatically, although it's been a while since we did a kernel update. We don't update between major kernel versions automatically.

In the immortal words of ...well somebody...if it ain't broke don't fix it. If you need some later kernel for hardware reasons, they are available as you've noted.
http://www.youtube.com/runwiththedolphin
lenovo ThinkPad T530 - MX-17
lenovo s21e & 100s - antiX-17, MX17(live-usb)
FYI: mx "test" repo is not the same thing as debian testing repo.

Mauser
Forum Regular
Posts: 744
Joined: Mon Jun 27, 2016 7:32 pm

Re: Which kernel should I use ?

#3 Post by Mauser » Wed Sep 26, 2018 11:52 pm

Stick with the 4.15.0-1 unless you want that gift from the NSA which is in the 4.18.0-1 kernel.

zorzi
Forum Regular
Posts: 135
Joined: Fri Apr 20, 2018 7:41 pm

Re: Which kernel should I use ?

#4 Post by zorzi » Thu Sep 27, 2018 3:13 am

From what I had read, the 4.15 kernel has been EOL (end of life) for a few weeks; it will not receive security updates anymore (though there's an upgrade for this kernel in MX test repo)...

In my opinion (and if you don't have brand new hardware), the best choice is to switch easily to (older but still supported) 4.9 Debian kernel, with MX package installer. With meta-packages linux-image and linux-headers installed, it updates automatically from Debian repos.
Desktop: HP Pavilion a6435 (Athlon64 2x 2,6Ghz, Radeon R7-240, Ram 4 Go, HD 500 Go) / MX Linux 17

oops
Forum Regular
Posts: 442
Joined: Tue Apr 10, 2018 5:07 pm

Re: Which kernel should I use ?

#5 Post by oops » Thu Sep 27, 2018 3:55 am

zorzi wrote:
Thu Sep 27, 2018 3:13 am
From what I had read, the 4.15 kernel has been EOL (end of life) for a few weeks; it will not receive security updates anymore (though there's an upgrade for this kernel in MX test repo)...

In my opinion (and if you don't have brand new hardware), the best choice is to switch easily to (older but still supported) 4.9 Debian kernel, with MX package installer. With meta-packages linux-image and linux-headers installed, it updates automatically from Debian repos.

Right, latest longterm is 4.14
seen here:
https://www.kernel.org/
$ inxi -Fxxxz : System: Host:XEON ... Distro: MX-17.1_x64 Horizon

asqwerth
Forum Veteran
Posts: 3628
Joined: Sun May 27, 2007 5:37 am

Re: Which kernel should I use ?

#6 Post by asqwerth » Thu Sep 27, 2018 4:20 am

oops wrote:... latest longterm is 4.14

Yes, but does Debian's 4.14 kernel have the necessary patches against spectre and meltdown and the more recent vulnerabilities?

I don't really know how to read this: https://wiki.debian.org/DebianSecurity/SpectreMeltdown

but it looks to me as if Spectre1 is fixed from kernel 4.15 onwards?

I seem to recall that that was why MX17.1 point release bumped the default kernel up to Debian 4.15 kernel.

I've moved to 4.17-liquorix in both MX15/16 and MX17.


A convenient, less hands-on alternative is to go back to default 4.9 Debian kernel. That's assuming your hardware/CPU is not so new that it can't run on 4.9.
Desktop: Intel i5-4460, 16GB RAM, Intel integrated graphics
Clevo N130WU-based Ultrabook: Intel i7-8550U (Kaby Lake R), 16GB RAM, Intel integrated graphics (UEFI)
ASUS X42D laptop: AMD Phenom II, 6GB RAM, Mobility Radeon HD 5400

oops
Forum Regular
Posts: 442
Joined: Tue Apr 10, 2018 5:07 pm

Re: Which kernel should I use ?

#7 Post by oops » Thu Sep 27, 2018 4:32 am

asqwerth wrote:
Thu Sep 27, 2018 4:20 am
oops wrote:... latest longterm is 4.14
Yes, but does Debian's 4.14 kernel have the necessary patches against spectre and meltdown and the more recent vulnerabilities?

I don't really know how to read this: https://wiki.debian.org/DebianSecurity/SpectreMeltdown
...

... I guess then, if the 4.14 kernel is built with the modules for microcodes-update = YES (related with synaptic packages update) ... I think it's OK, but I am not sure.
To check, before-after:

Code:

inxi --cpu --admin
# for the version number (not into inxi)
grep microcode /proc/cpuinfo

$ inxi -Fxxxz : System: Host:XEON ... Distro: MX-17.1_x64 Horizon

Stevo
Forum Veteran
Posts: 16962
Joined: Fri Dec 15, 2006 8:07 pm

Re: Which kernel should I use ?

#8 Post by Stevo » Thu Sep 27, 2018 2:44 pm

None of Debian's kernels, including the 4.18 we have in the test repo, ever enabled spec, if that's what you're worried about with the NSA reference. The 4.18 Liquorix kernels did, but there aren't any userspace programs to hook onto it anyway, so it makes little difference.

baldyeti
Forum Regular
Posts: 109
Joined: Sat Dec 05, 2009 4:37 pm

Re: Which kernel should I use ?

#9 Post by baldyeti » Thu Sep 27, 2018 5:11 pm

dolphin_oracle wrote:
Wed Sep 26, 2018 10:54 pm
in the immortal words of ...well somebody...if it ain't broke don't fix it. If you need some later kernel for hardware reasons, they are available as you've noted.

Mmmh ... not too sure what to make of this ... If my system was owned I might not notice and happily think "it ain't broken".
So I have to rely on my distribution maintainers to provide me with the best possible current protection, don't I?

Running the "inxi" invocation suggested above, I am getting

Code:

# MX17.1 stock 4.15.0-1-amd64 kernel:
	CPU:       Topology: Dual Core model: Intel Core i3-2120 bits: 64 type: MT MCP family: 6 
	model-id: 2A (42) stepping: 7 microcode: 2E L2 cache: 3072 KiB 
	Speed: 2515 MHz min/max: 1600/3300 MHz Core speeds (MHz): 1: 2515 2: 1930 	3: 1981 4: 2721 
	Vulnerabilities: Type: meltdown mitigation: PTI 
	Type: spectre_v1 mitigation: __user pointer sanitization 
	Type: spectre_v2 mitigation: Full generic retpoline, IBPB 

Code:

# stretch vanilla 4.9.0-8-amd64 kernel:
	CPU:       Topology: Dual Core model: Intel Core i3-2120 bits: 64 type: MT MCP family: 6 model-id: 2A (42) 
	stepping: 7 microcode: 2E L2 cache: 3072 KiB 
	Speed: 1690 MHz min/max: 1600/3300 MHz Core speeds (MHz): 1: 1690 2: 1897 3: 1712 4: 1927 
	Vulnerabilities: Type: l1tf 
	mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable 
	Type: meltdown mitigation: PTI 
	Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via prctl and seccomp 
	Type: spectre_v1 mitigation: __user pointer sanitization 
	Type: spectre_v2 mitigation: Full generic retpoline, IBPB, IBRS_FW 

So...it looks like the current Debian stretch 4.9 kernel (mid-August) has more patches/mitigations backported than the MX17.1 one for which I have received no update. They both support my oldish HW just fine. I do not understand the first thing about these threats and how important the counter-measures inxi sees in 4.9 but not in 4.15 are - maybe they're not needed because they're built-in for newer kernels? Am I right in assuming that for a system properly working with the official Debian kernel, the safer choice is to use that even under MX in order to get the best possible protection?

The whole Intel vulnerability story is certainly creating confusion for users and extra work for maintainers; I am not complaining about MX but merely trying to understand what one's best option is.

Richard
Posts: 2236
Joined: Fri Dec 12, 2008 10:31 am

Re: Which kernel should I use ?

#10 Post by Richard » Thu Sep 27, 2018 5:32 pm

For comparison, #3 is the 4.18.7-antix kernel, which runs well on my laptop.

Code:

# MX17.1 stock 4.15.0-1-amd64 kernel:
	CPU:       Topology: Dual Core model: Intel Core i3-2120 bits: 64 type: MT MCP family: 6 
	model-id: 2A (42) stepping: 7 microcode: 2E L2 cache: 3072 KiB 
	Speed: 2515 MHz min/max: 1600/3300 MHz Core speeds (MHz): 1: 2515 2: 1930 	3: 1981 4: 2721 
	Vulnerabilities: Type: meltdown mitigation: PTI 
	Type: spectre_v1 mitigation: __user pointer sanitization 
	Type: spectre_v2 mitigation: Full generic retpoline, IBPB 

Code:

# stretch vanilla 4.9.0-8-amd64 kernel:
	CPU:       Topology: Dual Core model: Intel Core i3-2120 bits: 64 type: MT MCP family: 6 model-id: 2A (42) 
	stepping: 7 microcode: 2E L2 cache: 3072 KiB 
	Speed: 1690 MHz min/max: 1600/3300 MHz Core speeds (MHz): 1: 1690 2: 1897 3: 1712 4: 1927 
	Vulnerabilities: Type: l1tf 
	mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable 
	Type: meltdown mitigation: PTI 
	Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via prctl and seccomp 
	Type: spectre_v1 mitigation: __user pointer sanitization 
	Type: spectre_v2 mitigation: Full generic retpoline, IBPB, IBRS_FW 

Code:

# MX17.1 running kernel 4.18.7-antix.1-amd64-smp
	   CPU:       Topology: Dual Core model: Intel Core i5-3320M bits: 64 type: MT MCP family: 6 model-id: 3A (58) 
           stepping: 9 microcode: 20 L2 cache: 3072 KiB 
           Speed: 1258 MHz min/max: 1200/3300 MHz Core speeds (MHz): 1: 1202 2: 1251 3: 1200 4: 1198 
           Vulnerabilities: Type: l1tf 
           mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable 
           Type: meltdown mitigation: PTI 
           Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via prctl and seccomp 
           Type: spectre_v1 mitigation: __user pointer sanitization 
           Type: spectre_v2 mitigation: Full generic retpoline, IBPB, IBRS_FW 

The "l1tf" or L1TF vulnerability: https://www.suse.com/support/kb/doc/?id=7023077
Situation
Modern Intel CPUs feature "hyper threads", where multiple threads of execution can happen on the same core, sharing various resources, including the Level 1 (L1) Data Cache.

Researchers have found that during speculative execution, pagetable address lookups do not honor pagetable present and other reserved bits, so that speculative execution could read memory content of other processes or other VMs if this memory content is present in the shared L1 Datacache of the same core.

The issue is called "Level 1 Terminal Fault", or short "L1TF".

At this time this issue is known to only affect Intel CPU's.

Workaround :
The workaround depends on the physical address limit on the CPU.

For example, execute :
grep physical /proc/cpuinfo
When the returned limit contains "36 bits", the following kernel boot parameter can be added
mem=32G
Last edited by Richard on Thu Sep 27, 2018 7:49 pm, edited 2 times in total.
MX18b1: Lenovo T430: Intel Ivy Bridge i5-3320M, 8GB RAM, 4.19.0-1-amd64, 119 GB SSD
MX18b1: Eee&AA1 NBs: Dual Core Atom N270, 1GB RAM, 4.19.0-1-686, 150 GB HDD
DoubleCmd/Thunar, LibO613, Dropbox, Vivaldi/Firefox, CherryTree, Vbox. LinuxCounter #208633
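
An added example, not part of any post in this thread: the kernel publishes the per-vulnerability status lines seen in the inxi reports above under /sys/devices/system/cpu/vulnerabilities, so two kernels can be compared by snapshotting that directory under each one and diffing the entries. The function names are hypothetical, and the sample snapshots are constructed from the 4.15.0-1 and 4.9.0-8 reports quoted in the thread.

```shell
#!/bin/sh
# Added example. SYSFS_VULN is the kernel's real sysfs directory; the function
# names are hypothetical helpers, not part of inxi or MX Linux.
SYSFS_VULN=/sys/devices/system/cpu/vulnerabilities

# Save the running kernel's report: snapshot_vulns "$HOME/vuln-$(uname -r)"
# An optional second argument overrides the source directory.
snapshot_vulns() {
    mkdir -p "$1" || return 1
    for f in "${2:-$SYSFS_VULN}"/*; do
        [ -f "$f" ] && cat "$f" > "$1/$(basename "$f")"
    done
    return 0
}

# Entries present in snapshot $1 but absent from snapshot $2.
missing_in() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ -e "$2/$(basename "$f")" ] || basename "$f"
    done
}

# Entries whose status contains "vulnerable" anywhere: either unmitigated, or
# mitigated with a stated residual exposure such as "SMT vulnerable".
flagged_entries() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case $(cat "$f") in
            *[Vv]ulnerable*) printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")" ;;
        esac
    done
}

# Constructed sample: two snapshots rebuilt from the inxi reports quoted in
# the thread (4.15.0-1 and 4.9.0-8), written under directory $1.
make_sample() {
    mkdir -p "$1/4.15.0-1" "$1/4.9.0-8"
    for k in 4.15.0-1 4.9.0-8; do
        echo 'Mitigation: PTI' > "$1/$k/meltdown"
        echo 'Mitigation: __user pointer sanitization' > "$1/$k/spectre_v1"
    done
    echo 'Mitigation: Full generic retpoline, IBPB' > "$1/4.15.0-1/spectre_v2"
    echo 'Mitigation: Full generic retpoline, IBPB, IBRS_FW' > "$1/4.9.0-8/spectre_v2"
    echo 'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable' > "$1/4.9.0-8/l1tf"
    echo 'Mitigation: Speculative Store Bypass disabled via prctl and seccomp' > "$1/4.9.0-8/spec_store_bypass"
}
```

An entry that is missing under one kernel means that build does not report on the issue at all, which is different from an entry that reads "Not affected".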
