On Wed, Mar 11, 2020 at 04:05:03PM +0800, Sandy Harris wrote:
> https://techxplore.com/news/2020-03-unfixable-flaw-intel-chipset.html

As with many other firmware-level vulnerabilities, this can't be
exploited on Qubes, because no VM can talk to that firmware directly in
the first place.
But the issue is deeper, as the issue isn't only about the OS layer, but
keys embedded inside the CPU. If those keys are leaked, many CPU crypto
features become useless. The exact list isn't clear to me, but it may
apply to:
 - fTPM (not used in Qubes),
 - SGX (not used in Qubes),
 - microcode verification (used in Qubes, but inaccessible to a VM),
 - ME/FSP/other firmware verification (used by the platform, before Qubes is
   loaded, but may affect system runtime)

There are some rumors that some of the keys may not be unique to a
specific CPU, but shared across a CPU family - in that case, a key extracted
from one CPU may be used to prepare malware for other systems with the
same CPU family.

In any case, it looks like even if some of the keys are leaked using
this vulnerability, the attacker would need physical access (or to break
into dom0) to attack Qubes, as the relevant interfaces are not available
from within a VM.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
