Commit 775d3ded authored by segfault

Merge branch 'stable' into bugfix/16602-parts-of-unlock-veracrypt-volumes-not-translated

parents 3ff0fe03 8299b435
......@@ -17,7 +17,7 @@ export SOURCE_DATE_FAKETIME="$(date --utc --date="$(dpkg-parsechangelog --show-f
# Base for the string that will be passed to "lb config --bootappend-live"
# FIXME: see [[bugs/sdmem_on_eject_broken_for_CD]] for explanation why we
# need to set block.events_dfl_poll_msecs
AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails slab_nomerge slub_debug=FZP mce=0 vsyscall=none page_poison=1 union=aufs"
AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails slab_nomerge slub_debug=FZP mce=0 vsyscall=none page_poison=1 mds=full,nosmt union=aufs"
# Options passed to isohybrid
AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
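Review bot: the comment block above `AMNESIA_APPEND` explains only `block.events_dfl_poll_msecs`, so `mds=full,nosmt` is added to the boot line with no rationale in this file. Add a short comment next to the FIXME that points to the `mds=full,nosmt` section of the kernel hardening documentation changed in this same commit and says that `nosmt` disables SMT, so a later editor does not remove it as a performance regression.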
......@@ -26,7 +26,7 @@ AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION="6.03~pre20"
# Kernel version
KERNEL_VERSION='4.19.0-4'
KERNEL_VERSION='4.19.0-5'
KERNEL_SOURCE_VERSION=$(
echo "$KERNEL_VERSION" \
| perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
......
......@@ -10,9 +10,9 @@ Package: b43-fwcutter
Pin: release o=Debian,n=sid
Pin-Priority: 999
Explanation: unavailable in stretch and stretch-backports
Explanation: unavailable in stretch and stretch-backports, version in sid is intentionally broken (Debian#928518)
Package: electrum python3-electrum
Pin: release o=Debian,n=sid
Pin: origin deb.tails.boum.org
Pin-Priority: 999
Explanation: Electrum dependencies
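Review bot: the `electrum python3-electrum` stanza moves from `release o=Debian,n=sid` to `origin deb.tails.boum.org` at priority 999, and the only rationale is the Explanation line citing Debian#928518, with no condition for going back. Say in the Explanation when the pin should return to sid (for example once that bug is closed). Also note that `Pin: origin` matches on the host name rather than on a release, so at 999 any version of these two packages published on that host is preferred; narrow the pin if that is wider than intended.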
......@@ -37,10 +37,15 @@ Pin: release o=Debian,n=sid
Pin-Priority: 999
Explanation: src:firmware-nonfree
Package: firmware-linux firmware-linux-nonfree firmware-amd-graphics firmware-atheros firmware-brcm80211 firmware-intel-sound firmware-ipw2x00 firmware-iwlwifi firmware-libertas firmware-misc-nonfree firmware-realtek firmware-ti-connectivity
Package: firmware-linux firmware-linux-nonfree firmware-atheros firmware-brcm80211 firmware-intel-sound firmware-ipw2x00 firmware-iwlwifi firmware-libertas firmware-misc-nonfree firmware-realtek firmware-ti-connectivity
Pin: release o=Debian,n=sid
Pin-Priority: 990
Explanation: Exception to src:firmware-nonfree pinning due to Debian#928631
Package: firmware-amd-graphics
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 990
Package: firmware-zd1211
Pin: release o=Debian,n=sid
Pin-Priority: 999
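Review bot: `firmware-amd-graphics` is split out to `n=stretch-backports` while the rest of the src:firmware-nonfree list stays on sid, and the Explanation line gives only the bare reference Debian#928631. State what is wrong with the sid version and when the exception can be dropped. Both stanzas use `Pin-Priority: 990`, which is unambiguous only while their Package lists stay disjoint, so a one-line comment warning against re-adding `firmware-amd-graphics` to the first list would help.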
......
http://people.torproject.org/~boklm/builds/8.5-build2/
http://torbrowser-archive.tails.boum.org/8.5-build2/
......@@ -249,9 +249,7 @@ firmware-intel-sound
firmware-ipw2x00
firmware-iwlwifi
firmware-libertas
firmware-linux
firmware-linux-free
firmware-linux-nonfree
firmware-misc-nonfree
firmware-realtek
firmware-ti-connectivity
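Review bot: the header (`-249,9 +249,7`) removes two of the nine entries shown, and the candidates include `firmware-linux` and `firmware-linux-nonfree`, both of which are still named in the Package line of the sid pin changed elsewhere in this commit. If those are the two entries dropped, either remove them from that pin as well or explain why the pin is kept for packages that are no longer installed explicitly.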
......
......@@ -108,3 +108,14 @@ increased address-space fragmentation.
### `kernel.kexec_load_disabled = 1`
kexec is dangerous: it enables replacement of the running kernel.
### `mds=full,nosmt`
As per
<https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html>,
if the CPU is vulnerable, this:
1. enables "all available mitigations for the MDS vulnerability, CPU
buffer clearing on exit to userspace";
2. disables SMT which is another avenue for exploiting this class
of attacks.
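Review bot: the reference in the new `mds=full,nosmt` section points at `/doc/html/latest/`, which changes with every kernel release, so the text quoted in item 1 may stop matching the linked page. Link to a versioned copy of the document or name the kernel version the quote was taken from. Item 2 should also state the cost of the choice (SMT is turned off on vulnerable CPUs, so fewer logical CPUs are available), and "another avenue for exploiting this class of attacks" reads better as "another avenue for this class of attacks".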