Marco Giglio wrote:
> it seems that there are 2 possible short-term mitigations against
> Meltdown for QubesOS 3.2 users.
> - Move PV VMs to HVM.
> [...]
> Qubes 4 users shouldn't be affected by SP3/Meltdown

It is really fortunate that Qubes OS 4.0 has moved to HVM-only domains. I think an attacker is prevented from breaking out of a compromised guest, into the host or other guests. It's exactly the worst-case scenario that Qubes OS was engineered to mitigate.

But still, on vulnerable Intel hardware, when running an HVM guest OS without the KPTI patches, malware running as a non-privileged user could steal sensitive data from the kernel of that guest, or elevate privileges. That requires HVM *and* updating the guest kernels (with KPTI) in order to fix it, I think.

(I don't think replacing 64-bit PV guests with 32-bit is a good idea, because KPTI is not implemented at all for Xen PV, or for any 32-bit architectures yet.)

> but should be affected from SP1/SP2/Spectre.

These vulnerabilities might be exploited by JavaScript to break out of the sandbox, for example. And then there is a potential to attack the hypervisor or other guests by poisoning the branch prediction logic and doing cache timing attacks. I don't think HVM helps here.

I notice that OpenSUSE is shipping CPU microcode for Intel and AMD, disabling branch prediction completely. That sounds a bit extreme but may be the only way to be safe against future exploits.

Regards,
--
Steven Chamberlain
ste...@pyro.eu.org