Closed by cfm 11 months ago
This is blocked on https://github.com/freedomofpress/securedrop-apt-test/pull/202#issuecomment-1709117337, which will be resolved with new packages tomorrow.
Unblocked by freedomofpress/securedrop-apt-test#203. We're hoping to complete testing in time to promote to securedrop-apt-prod on Monday.
Tested on sd-bullseye template by manually installing kernel. Kernel boots and blackhat tests come back fine, but the spectre/meltdown checker reports SRBDS unmitigated (see also kev's results on the server). It also reports an Unknown result for CVE-2022-40982 aka 'Downfall, gather data sampling (GDS)'.
Unlike kev's, I notice this line in the hardware preflight check:
* CPU supports Special Register Buffer Data Sampling (SRBDS): NO
Regardless, looking into the failures:
xen-hypervisor-4.14.6-1 and microcode_ctl-2.1.55. This all by way of saying I believe these are false positives.
Thanks, @ro. Per https://github.com/freedomofpress/securedrop/issues/6938#issuecomment-1716625204, do you get the same results (with the same meltdown.sh) on the previous kernel?
Yes - on the 5.15.123-1 grsec workstation kernel I get the same result for the SRBDS.
Being done in coordination with freedomofpress/securedrop#6938.
Checklist
build-logs
apt-test.freedom.press
apt.freedom.press
and released
Test plan
[ ] Per https://github.com/freedomofpress/securedrop/issues/6762#issuecomment-1520569189: