Install Newer Kernels

From Whonix

Testers only!

Introduction

Kernel Options

GNU/Linux provides a wide variety of possible kernel options [archive] for individual users. Active kernel releases fall into several main categories: [1]

  • Prepatch (RC) kernels: these "release candidate" kernels are pre-releases of the mainline kernel that are intended for developers and Linux enthusiasts. [2] They contain new features and must be tested before they are put into a stable release.
  • Mainline: the mainline tree is where all new features are introduced and where new development occurs. Every 2-3 months, a new mainline kernel is released.
  • Stable: After a mainline kernel is released, it is classified as stable. Bug fixes for the stable kernel are backported from the mainline tree. On approximately a weekly basis, stable kernel updates are released. Normally only a few bug fix kernel releases are available before the next mainline kernel is released.
  • Long-term (LTS): At any time there are usually several "long-term maintenance" kernel releases available. Bug fixes are backported for older kernels, but these are focused on the most important issues and releases are not very frequent (particularly for older trees).
  • Distribution kernels: A number of Linux distributions provide long-term maintenance kernels, which are sometimes not based on those maintained by kernel developers. This is the case for Debian upon which Whonix ™ is based. [3]

Interested readers can refer to The Linux Kernel Archives [archive] to see the prepatch, mainline, stable and long-term kernels that are currently available.

Recommended Kernel

For the vast majority of Whonix ™ users, there is simply no reason to change from the distribution kernel that is in use.

The general expert consensus is that LTS kernels have fewer hardening features and do not receive every bug fix as a backport, but they also have a smaller attack surface and a lower chance of containing newly introduced bugs. Stable kernels, in comparison, have more hardening features and all known bug fixes to date, but a larger attack surface and a greater potential for new bugs. [4] The grsecurity development team has also observed that the majority of Linux kernel vulnerabilities are in code that was introduced recently, that is, in newer kernel versions. [5] [6]

Greg Kroah-Hartman, the developer responsible for stable Linux kernel releases, has confirmed this viewpoint. His recommendation of which kernel to use, ranked from best to worst, is as follows: [7] [8]

  1. Supported kernel from your favorite Linux distribution.
  2. Latest stable release.
  3. Latest LTS release.
  4. Older LTS release that is still being maintained.

In Debian's case, the distribution kernel is not based on the latest stable upstream release, but Debian still ensures that necessary bug fixes are applied on a regular basis.

Whonix ™ developers have also noted that kernels from Debian backports carry a risk of instability and breakage. [9] For instance, this has previously broken Qubes [10] and produced mismatches between the kernel image and the kernel headers packages.

One possible exception to the recommendation in this section concerns Qubes-Whonix users, since the dom0 kernel applies to all qubes by default. To benefit from a number of recent security developments (such as Linux Kernel Runtime Guard (LKRG)), the use of in-VM kernels [archive] is a prerequisite.

Preparation

Non-Qubes-Whonix ™

Non-Qubes-Whonix ™: No preparation is required.

Qubes-Whonix ™

Qubes-Whonix ™: A Qubes VM kernel is required.

  1. Follow the Qubes OS Installing kernel in Debian VM [archive] instructions.
  2. Ensure the Qubes VM kernel is functional before proceeding -- Qubes VM kernel issues should be raised at Qubes support [archive] and not in Whonix ™ forums. [11] [12]
  3. Reboot dom0 with the Qubes VM kernel in use and check that everything still works, since the Qubes VM kernel might break unrelated things such as the USB VM. [13]
  4. Once the Qubes VM kernel is functional, proceed with the following instructions.


Installation

Debian issue: linux-image-amd64 vs linux-headers-amd64 Debian buster-backports version mismatch bpo.2 vs bpo.3 [archive]

linux-image-$(dpkg --print-architecture) and linux-headers-$(dpkg --print-architecture) can be installed from Debian backports. This is non-ideal, see footnote. [14]

1. Boot Whonix-Workstation ™ (whonix-ws-15) TemplateVM.

2. Add the current Debian stable backports codename buster-backports to Debian apt sources.

Note: this applies to Whonix 15.0.1.5.1. Later Whonix versions may use a codename different from buster.

In Whonix-Workstation ™ (whonix-ws-15) TemplateVM, run.

sudo su -c "echo -e 'deb tor+https://deb.debian.org/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"

Alternatively, users who like Onionizing Repositories can set the .onion mirror.

sudo su -c "echo -e 'deb tor+http://vwakviie2ienjx6t.onion/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"

3. Update the package lists.

sudo apt-get update

4. Install the select software.

sudo apt-get -t buster-backports install linux-image-$(dpkg --print-architecture) linux-headers-$(dpkg --print-architecture)

Because of the Debian issue linked above (linux-image-amd64 vs linux-headers-amd64 buster-backports version mismatch bpo.2 vs bpo.3), the image and headers metapackages can currently resolve to different kernel ABI revisions, which leaves the installed kernel without matching headers. Until that issue is fixed, the explicitly versioned image and headers pair must be installed as well. The pair below is the one that matched at the time of writing; adjust the version to whatever is current in buster-backports, keeping the image and headers version identical. This is non-ideal, see footnote. [16]

sudo apt-get -t buster-backports install linux-headers-5.4.0-0.bpo.2-amd64 linux-image-5.4.0-0.bpo.2-amd64

The procedure is now complete.

5. Undo.

On occasion it is necessary to undo this configuration, for example when upgrading from Debian buster to bullseye. [15] To proceed, run.

sudo rm /etc/apt/sources.list.d/backports.list
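The following script is an added example and is not code from this page or from the Whonix project. It checks, before step 4 is run for real, whether the backports image and headers metapackages would resolve to the same kernel ABI, and after installation whether the running kernel actually has headers. It assumes (not stated on the page) that `apt-get -s install` prints one "Inst <package> (<version> <origin> [<arch>])" line per package it would install and that Debian kernel packages follow the linux-image-<abi>-<arch> / linux-headers-<abi>-<arch> naming; the sample simulation output and its version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example; not code from the Whonix page or project.
# Guards against the buster-backports problem referenced in the Installation
# section: the linux-image-<arch> and linux-headers-<arch> metapackages can
# resolve to different kernel ABI revisions (bpo.2 vs bpo.3), so the kernel
# that gets installed has no matching headers and out-of-tree modules
# (DKMS, e.g. LKRG) cannot be built against it.
#
# Assumptions (not from the page): `apt-get -s install` prints one
# "Inst <package> (<version> <origin> [<arch>])" line per package it would
# install, and Debian kernel packages are named
# linux-image-<abi>-<arch> / linux-headers-<abi>-<arch>.

# Print the ABI (e.g. 5.4.0-0.bpo.3-amd64) of the arch-specific package a
# simulation would install. $1: package stem (linux-image|linux-headers),
# $2: architecture, stdin: `apt-get -s` output. The metapackage line
# ("Inst linux-image-amd64 ...") and the -common headers line do not match.
abi_from_simulation() {
  sed -n "s/^Inst $1-\([0-9][^ ]*-$2\) .*/\1/p" | head -n 1
}

# Compare the image and headers ABIs found in one simulation run.
# $1: `apt-get -s` output, $2: architecture.
# Prints "match <abi>" or "mismatch <image-abi> <headers-abi>";
# exit status 0 only on a match.
check_abi_match() {
  img_abi=$(printf '%s\n' "$1" | abi_from_simulation linux-image "$2")
  hdr_abi=$(printf '%s\n' "$1" | abi_from_simulation linux-headers "$2")
  if [ -n "$img_abi" ] && [ "$img_abi" = "$hdr_abi" ]; then
    echo "match $img_abi"
    return 0
  fi
  echo "mismatch ${img_abi:-none} ${hdr_abi:-none}"
  return 1
}

# Post-install check: headers for a kernel release are present when
# <root>/lib/modules/<release>/build exists. $1: release (normally `uname -r`),
# $2: filesystem root, defaults to /; it is a parameter only so the check can
# be exercised against a scratch directory.
headers_present_for() {
  root=${2:-/}
  [ -e "${root%/}/lib/modules/$1/build" ]
}

# Constructed sample of `apt-get -s -t buster-backports install
# linux-image-amd64 linux-headers-amd64` output; version strings are
# illustrative. It reproduces the mismatch the Debian bug describes.
SAMPLE_MISMATCH='NOTE: This is only a simulation!
Inst linux-headers-5.4.0-0.bpo.2-common (5.4.13-1~bpo10+1 Debian Backports:buster-backports [all])
Inst linux-headers-5.4.0-0.bpo.2-amd64 (5.4.13-1~bpo10+1 Debian Backports:buster-backports [amd64])
Inst linux-headers-amd64 (5.4.13-1~bpo10+1 Debian Backports:buster-backports [amd64])
Inst linux-image-5.4.0-0.bpo.3-amd64 (5.4.19-1~bpo10+1 Debian Backports:buster-backports [amd64])
Inst linux-image-amd64 (5.4.19-1~bpo10+1 Debian Backports:buster-backports [amd64])'

# Same shape with a consistent ABI, as expected once the bug is fixed.
SAMPLE_CONSISTENT='NOTE: This is only a simulation!
Inst linux-headers-5.4.0-0.bpo.3-common (5.4.19-1~bpo10+1 Debian Backports:buster-backports [all])
Inst linux-headers-5.4.0-0.bpo.3-amd64 (5.4.19-1~bpo10+1 Debian Backports:buster-backports [amd64])
Inst linux-headers-amd64 (5.4.19-1~bpo10+1 Debian Backports:buster-backports [amd64])
Inst linux-image-5.4.0-0.bpo.3-amd64 (5.4.19-1~bpo10+1 Debian Backports:buster-backports [amd64])
Inst linux-image-amd64 (5.4.19-1~bpo10+1 Debian Backports:buster-backports [amd64])'

# Offline run on the constructed samples (prints a mismatch, then a match).
check_abi_match "$SAMPLE_MISMATCH" amd64 || true
check_abi_match "$SAMPLE_CONSISTENT" amd64 || true

# Opt-in live run after step 3 (apt-get update) of the procedure above:
#   sh check-kernel-abi.sh --live
# The simulation needs no root; only the real install does.
if [ "${1:-}" = "--live" ]; then
  arch=$(dpkg --print-architecture)
  sim=$(apt-get -s -t buster-backports install "linux-image-$arch" "linux-headers-$arch" 2>/dev/null)
  if check_abi_match "$sim" "$arch"; then
    echo "safe: sudo apt-get -t buster-backports install linux-image-$arch linux-headers-$arch"
  else
    echo "install an explicitly matching pair instead, e.g.:"
    echo "  sudo apt-get -t buster-backports install linux-image-${hdr_abi:-<abi>} linux-headers-${hdr_abi:-<abi>}"
  fi
  if headers_present_for "$(uname -r)"; then
    echo "headers present for running kernel $(uname -r)"
  else
    echo "no headers for running kernel $(uname -r); DKMS modules will not build"
  fi
fi
```

The simulation is parsed rather than `apt-cache policy` because `apt-get -s` shows the concrete versioned packages the metapackages would pull in, which is exactly where the bpo.2 vs bpo.3 split appears. The post-install check is the one a practitioner wants after a reboot: if /lib/modules/$(uname -r)/build is missing, the headers do not belong to the kernel that booted.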

See Also

Footnotes

  1. https://www.kernel.org/category/releases.html [archive]
  2. These must be compiled from source.
  3. To tell if you are running a distribution kernel, in a terminal run: uname -r. If anything appears after the dash, then a distribution kernel is in use. At the time of writing, Debian is utilizing the following distribution kernel [archive]: 4.19.98-1+deb10u1.
  4. https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598?page=11 [archive]
  5. https://www.grsecurity.net/the_truth_about_linux_4_6 [archive]
  6. See also: Debian wiki Kernel FAQ [archive].
  7. http://kroah.com/log/blog/2018/08/24/what-stable-kernel-should-i-use/ [archive]
  8. He also notes that an unmaintained kernel release should never be used.
  9. http://forums.whonix.org/t/kernel-versions-and-security-debian-backports/5791 [archive]
  10. See: https://github.com/QubesOS/qubes-issues/issues/4443 [archive]
  11. https://forums.whonix.org/t/what-to-post-in-this-qubes-whonix-forum-and-what-not/2275 [archive]
  12. Qubes feature request: Simplify and promote using in-vm kernel [archive]
  13. As experienced firsthand by Whonix ™ developer Patrick Schleizer.
  14. Users should Prefer Packages from Debian Stable Repository, but using backports is better than manual software installation or using third party package managers since this prefers APT. To contain the risk, Non-Qubes-Whonix ™ users might want to consider using Multiple Whonix-Workstation ™ and Qubes-Whonix ™ users might want to consider using Multiple Qubes-Whonix ™ TemplateVMs or Software Installation in a TemplateBasedVM.
  15. Most often this step applies before attempting major Whonix upgrades; upgrade instructions are also made available at that time (see Stay Tuned).
  16. Same as footnote 14.
  17. Same as footnote 15.


Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)