On Sunday, 7 January 2018 18:18:06 UTC, Marek Marczykowski-Górecki  wrote:
> On Fri, Jan 05, 2018 at 12:14:43PM +0000, Marco Giglio wrote:
> > By reading that advisory and information posted here (
> > https://blog.xenproject.org/2018/01/04/xen-project-spectremeltdown-faq/),
> > it seems that there are 2 possible short-term mitigations against
> > Meltdown for QubesOS 3.2 users.
> > -  Move PV VMs to HVM.
> 
> This option requires VT-x support in the hardware, something that wasn't
> required by 3.2 before.

Would it be possible to have a statement update on these 2 issues for 3.2 
users? Ideally with 2 options:
- paranoid: what to do to disable branch prediction (a la OpenSuSE)
- best option with today's patches: upgrade to Q4? stay on 3.2 and patch/upgrade 
templates?

> 
> > -  Move PV VMs to use 32-bit kernels. It should prevent using
> > Meltdown/SP3 against the hypervisor, but it won't prevent it against the
> > kernel itself.  Then update when newer 32-bit kernels with KPTI are
> > available.
> 
> This option requires replacing both the VM kernel _and_ the templates. Especially
> painful for heavily customized templates.

Off topic, but this was very useful for my upgrade to fedora-26.

I use the standard template and, instead of customizing a cloned template, I set 
things up on startup...

Here is an example, for a postgresql server, of my /rw/config/rc.local:
#!/bin/sh
# point the template's data dir at the persistent copy under /rw
rm -rf /var/lib/pgsql
ln -s /rw/var/pgsql /var/lib/pgsql
/usr/sbin/systemctl enable postgresql &
/usr/sbin/systemctl start postgresql &
# accept new TCP connections to postgres on eth0 from the allowed source only
/usr/sbin/iptables -I INPUT -j ACCEPT -i eth0 -s ... -p tcp --sport 1024:65535 \
    --dport 5432 -m conntrack --ctstate NEW

To upgrade I just had to take the vanilla fedora-26 template and install 
postgresql in it.

> 
> > Qubes 4 users shouldn't be affected by SP3/Meltdown, but should be
> > affected from SP1/SP2/Spectre.
> 
> Yes, that's correct.
> 
> We're still evaluating available options. For example, there are three
> alternative workarounds for SP3 developed in parallel on xen-devel, each
> having its own good and bad sides. And patches to mitigate SP1/SP2 are also
> not ready yet.
> 
> For this reason, we're delaying Qubes OS rc4 (originally scheduled to be
> released tomorrow) until we come up with a final plan for what to do about
> those hardware issues.
> 
> > On 01/04/2018 10:53 PM, Chris Drake wrote:
> > > It is very clear: https://xenbits.xen.org/xsa/advisory-254.html
> > >
> > > IMPACT
> > > ======
> > >
> > > Xen guests may be able to infer the contents of arbitrary host memory,
> > > including memory assigned to other guests.
> > >
> > > VULNERABLE SYSTEMS
> > > ==================
> > >
> > > Systems running all versions of Xen are affected.
> > >
> > > MITIGATION
> > > ==========
> > >
> > > There is no mitigation for SP1 and SP2.
> > >
> > > RESOLUTION
> > > ==========
> > >
> > > There is no available resolution for SP1 or SP3.
> > >
> > >
> > > For those unaware - this is a hardware fault.  CPUs make use of 
> > > speculative execution (Spectre) or Pipelines (Meltdown) - both of which 
> > > can be used to attempt to access illegal memory.  The access fails, 
> > > however, it's possible to use the "stolen" memory before the access-fail 
> > > is enforced in a way that makes it available on a side-channel (cache in 
> > > these exploits, but could be anything else like ports/dma) to any 
> > > non-privileged process.
> > >
> > 
> 
> - -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
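An added example, not the poster's script and not anything from the Qubes project, showing the same /rw persistence pattern from the rc.local above as an idempotent script: it seeds /rw/var/pgsql from the template's copy on the first boot instead of discarding it, starts the service in the foreground so the data directory is ready before the firewall opens, and inserts the iptables rule only when it is not already present. The paths, eth0 and port 5432 come from the post; ALLOWED_SRC stands in for the elided source address.

```sh
#!/bin/sh
# Added example rc.local for a Qubes AppVM: keep service state under the
# persistent /rw volume while the template stays vanilla. ALLOWED_SRC is a
# placeholder that must be set to the client VM's address.

# persist_dir PERSIST EPHEMERAL: make EPHEMERAL a symlink to PERSIST. On the
# first boot (PERSIST absent) the template's copy is moved into PERSIST rather
# than discarded; on later boots the call is a no-op.
persist_dir() {
    persist=$1
    ephemeral=$2
    if [ -L "$ephemeral" ] && [ "$(readlink "$ephemeral")" = "$persist" ]; then
        return 0
    fi
    if [ ! -d "$persist" ]; then
        mkdir -p "$(dirname "$persist")"
        if [ -d "$ephemeral" ]; then
            cp -a "$ephemeral" "$persist"   # seed from the template copy
        else
            mkdir "$persist"
        fi
    fi
    rm -rf "$ephemeral"
    ln -s "$persist" "$ephemeral"
}

# fw_rule_args SRC PORT: the rule from the post (new TCP connections to PORT
# on eth0, only from SRC), returned as a string so it can be inspected.
fw_rule_args() {
    printf '%s' "INPUT -i eth0 -s $1 -p tcp --sport 1024:65535 --dport $2 -m conntrack --ctstate NEW -j ACCEPT"
}

# apply_fw_rule SRC PORT: insert the rule only if it is not already present,
# so re-running rc.local does not stack duplicate ACCEPT rules at the top.
apply_fw_rule() {
    rule=$(fw_rule_args "$1" "$2")
    iptables -C $rule 2>/dev/null || iptables -I $rule   # unquoted on purpose
}

main() {
    src=${ALLOWED_SRC:?set ALLOWED_SRC to the client VM address}  # placeholder
    persist_dir /rw/var/pgsql /var/lib/pgsql
    systemctl enable --now postgresql     # foreground: data dir is ready first
    apply_fw_rule "$src" 5432
}

# Run main only when executed as rc.local, not when sourced for testing.
if [ "${0##*/}" = rc.local ]; then
    main
fi
```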
