Tickless Kernels – Sequoia Exploit

Posted on by

    I have removed all tickless kernels prior to 5.13.4 because they are vulnerable to a recently announced root exploit that goes by “Sequoia”, CVE-2021-33909.

     5.13.4 tickless kernels are available for all Debian and now for all Redhat based Intel and AMD x86-64 systems (any 64 bit Intel or AMD CPU).  Previously I only made ‘.deb’ packages available but because I had some Redhat based systems for which the distributor has not made 5.13.4 available yet, I compiled for this platform as well.

     There are two kernels provided.  The ‘client’ kernel meant for home systems and work stations, optimized for low latency, it is 1000HZ clock tickless (tickless means clock interrupts cause context switches only when there is work scheduled, this saves a lot of wasted CPU cycles) and fully preemptive.  The ‘server’ kernel is meant for servers and is optimized for maximal throughput and has a 100HZ clock and is non-preemptive.  It is also, like the client kernel, tickless.

     On servers, the tickless feature is particularly useful where a large number of virtual machines are hosted as each machine adds to the host CPU load and all those clock interrupt reschedules add up to a lot of wasted CPU cycles.

     On laptops the tickless kernel is useful because saving CPU cycles extends battery life.

     To install these kernels, first download ALL three ‘.deb’ files for Debian based distributions or both ‘.rpm’ files for RPM distributions located in the client or server directory.  You can download via the web at https://www.eskimo.com/kernel, or via ftp at ftp://ftp.eskimo.com/pub/kernel using anonymous login.  If you are behind NAT, to use ftp after you login type passive to put the server in passive mode.

     Then  on Debian based systems, install with dpkg -i *.deb.  On Redhat based systems install with rpm -i *.rpm.  If on Redhat you get a complaint about headers conflicting with existing header package, remove the existing package with rpm –nodeps -e existing (whatever the existing package name is).  The –nodeps is important here otherwise removing the headers will remove some 300-odd dependent packages.

    If you run into any issues, please generate a ticket at: https://www.eskimo.com/support/osTicket/.  Thank you.