Re: [qubes-users] Is Qubes vulnerable to CVE-2018-3620?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Rusty Bird: > To me as a layman, it looks like Qubes is indeed vulnerable to the > XSA-273 data leak, and that fixing it involves > > 1. disabling hyperthreading (by adding smt=off to the Xen command line) > 2. AND upgrading Intel microcode to 20180807 > 3. AND upgrading Xen https://groups.google.com/d/msg/qubes-users/v5UPnWmnzJY/WG9lmyxYAgAJ => There's no point in manually adding the smt=off parameter - Qubes' latest Xen 4.8.4-1 package doesn't support it yet, and I imagine the next package version is going to add it automatically. Rusty -BEGIN PGP SIGNATURE- iQJ8BAEBCgBmBQJbgqGUXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0 NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrf0bwP/iGQCNSorNefwhFSldoqvjJa fSz1oZoqU81ESpqxMvylTGT+Q0odjG01PQpQ+y14+EZZgkgbM3NIbIUcTLYX4HIf 3cjcsqmyp17YbM0pqCeG3DuTQFo1IJZh22pqUt+6q7Y3G4hSYNlW1jvy76n9c9Ae h0tW9gQb3EpTxzQGaryKswq+NyXKR1D0mUIErKTdLSk8KzROIhCLE8pQWbKFX5/t 8M5xZ8+VTw1aGF4v+LS8Oxjhl2R1PkMc0Qi7IKgZhTFE+RqQOkMJK75Emv7U5eFK oEEx7sWVy7nh3beKaaZUBThCZU0iLZRuvODp64eUkSqJYCHvtABzvHyhMBT++4l/ n3bBJ+/dMRpe846FZuzdqxb0AbbBwGCeCRCk7SXZRnNIEDavJhW/x1Tr13oGIkan mNLiA2uaeQY1mOOVXyiK4zfYblDl0xtCEa2zPFvFya/iWC0nDSntuzT6zMxZuq8i ywFDxax22XezSA0m2RwE/5M1I/8dx92yUcscCvpW5HU/WsEccRubo95kcMg5l9U6 cH7G6nZLAxSCek4SobvW9yp1CjbuVNmSFR2GPGRKpoe67sEvTRbxP4Mmhxd+D1c6 AKMKiK1vg5/pV3pioeICI97FYvYu/sTynX5uMq4PKv6LgUae+EPKWaut0Qdkz3xK YdGbUkoqLk/l92E+M43l =zaWC -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180826124820.GA1008%40mutt. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Is Qubes vulnerable to CVE-2018-3620?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Chris Laprise: > On 08/15/2018 08:40 AM, Rusty Bird wrote: > > To me as a layman, it looks like Qubes is indeed vulnerable to the > > XSA-273 data leak, and that fixing it involves > > > > 1. disabling hyperthreading (by adding smt=off to the Xen command line) > > 2. AND upgrading Intel microcode to 20180807 > > On #2, assuming Intel has still abandoned Ivy Bridge and earlier CPUs, I > wonder if this makes the CoreBoot targeted systems essentially > unsafe/unusable. Apparently, there are microcode updates for Ivy Bridge (page 10) and even Sandy Bridge (page 14): https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdf > Very bad. Maybe slightly less so. :) Rusty -BEGIN PGP SIGNATURE- iQJ8BAEBCgBmBQJbdUnbXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0 NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrf8P8P/3YFam7dyux4Qb4AuzzXX1/i AV243309HUgr/HXKvQMuOjXnItOcptg/J56lxlNZg4vrgXAEVr1YPMjEFkcgC/9l iLLV1W76vvURQcEb7FLqAI+UC6L1Pm9Um5qSAHzcY41kE9ASSz1AcEH4abVp6iCB b3o2YWlMN4Bz9HQq03jb5WD/qoumXdUdmASsTWDA0s9h9TIDrYSXyUJCXg/OAxyO qBfbfIAeTL7IZ6UB5ewIeGK/lZujmd0c3jhyfQh+7t1/nTBccdz4xK65DKhbxEVY NIAFj5K2qeZXtxqOGa3XIo8b5oiLsDAQ1uSBJfgC9D325qnROSM5uebIHIOCSixB su7FjBXu9F5b0l09mib2CmmhrZdo1hf42kxHl/MTo6H8gwpUTO+pxvxcXDouBrEg Y11YT/j2ux7ugaP6KYML8G3dzXD1GGTENaLD7p4p7hPNwK2QPRcnDWWCZ/cHxOQj FdCpCz2vBaqy3rPxHu6ujVYCBBBJVMBUsoeH4yhKvkojwAPmIT4r8GYq3epfYU+9 IrzQ8ARKnRpHOqSrAD+9x1AikaNePi5SYsfg8W+ZcZpD767QTFMbZ3mb35oqJEbN Vg9BCcj1OOVuc/mG+hI3Ki1u3AS/D0RRMKg/fInuTJ4e2N6Z9S8U1dnx/yblVT/X bAKRaM0Z+0V+Og7C5VS0 =T78o -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180816095435.GB1219%40mutt. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Is Qubes vulnerable to CVE-2018-3620?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Sphere: > I have hyperthreading disabled on my BIOS, do I still have to add > that option to Xen command line? Disabling it in the BIOS is okay too, according to the XSA. > By pull request you mean, it's still being grabbed for use and > installation using qubes-dom0-update right? Yes, the official microcode package for qubes-dom0-update hasn't been built/uploaded yet. You could build it yourself with qubes-builder (after applying the patch from the GitHub pull request), but I think it's pointless as long as there's no updated Xen package to actually use the new LD1_FLUSH microcode instruction. Rusty -BEGIN PGP SIGNATURE- iQJ8BAEBCgBmBQJbdUjoXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0 NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfnLcP/3m8dHksgWS6QW+rDSMpv1tD 4dVpPf76cihRlJpDttXucU7rfqTaldzF6ytIlTHCoZYpa06fOKsqmcKYZ6HE7fn2 iGCCFdDKao+DDfvP3caNupRs4DCD0Z2H1VLXZHwWVniN/s2MVEIv8BN5nWB0HvpH 2R45/lKC5BjMq0l2i42tPp3Nm/CjDbh4X/etqrx2p729Ykw9TTJCkPO1diImdu9N CYzvA5amIduDRnJrNanBZKANjetHnNQysmEbGXWndgbVshd6JF53zq9CcgArHKZp LqadTe+d1ayoAaRidVdD+I72h/1wjGDVx2OVcrtVKq6hhqJ24YQHlHO0XKDQfmK3 5xzxgjx9SlFwVw7u9a4osxsmExSMpuXA+9wdmegbNJoFmKgvIfYFLLrWrtvgN2pU Cvhxbmb7+MtbwVcN9Xlo2LbgKA/bAJ0dRgKcuAWZYH0ceo2tokfKu1GT5asSI8bJ QHlqE68r8SVZrU7hic6qfaqA2U1MPjJJSh7k19HduhrkwUYL8o9Tzpjgz4mqfAod hnb+H1GsqHRA8eT4ZyG7YQ5aB5PxBZHFOydAPAfmxjkloEtV78mbuzfWM5bAa8EW kZ4QRNSY1msm3h6NeJIZroGS1/PBtaDBQXwwiXJ0FmkX5AvVvJ2hltk8VNS1epdj leeMYghualtPH8s7ka3L =P5jC -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180816095032.GA1219%40mutt. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Is Qubes vulnerable to CVE-2018-3620?
On 08/15/2018 08:40 AM, Rusty Bird wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Sphere: https://www.bleepingcomputer.com/news/security/researchers-disclose-new-foreshadow-l1tf-vulnerabilities-affecting-intel-cpus/ There are other vulnerabilities disclosed along with this today and if possible, I would like to confirm that as well. On a side note, I have long disabled Hyperthreading on my machine. To me as a layman, it looks like Qubes is indeed vulnerable to the XSA-273 data leak, and that fixing it involves 1. disabling hyperthreading (by adding smt=off to the Xen command line) 2. AND upgrading Intel microcode to 20180807 On #2, assuming Intel has still abandoned Ivy Bridge and earlier CPUs, I wonder if this makes the CoreBoot targeted systems essentially unsafe/unusable. Very bad. -- Chris Laprise, tas...@posteo.net https://github.com/tasket https://twitter.com/ttaskett PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6c1e9733-4a7d-bc0a-7ab0-927b4599e7f2%40posteo.net. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Is Qubes vulnerable to CVE-2018-3620?
On Wednesday, August 15, 2018 at 8:50:28 PM UTC+8, Rusty Bird wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Sphere: > > https://www.bleepingcomputer.com/news/security/researchers-disclose-new-foreshadow-l1tf-vulnerabilities-affecting-intel-cpus/ > > > > There are other vulnerabilities disclosed along with this today and > > if possible, I would like to confirm that as well. > > > > On a side note, I have long disabled Hyperthreading on my machine. > > To me as a layman, it looks like Qubes is indeed vulnerable to the > XSA-273 data leak, and that fixing it involves > > 1. disabling hyperthreading (by adding smt=off to the Xen command line) > 2. AND upgrading Intel microcode to 20180807 > 3. AND upgrading Xen > > There's a pull request* for the new microcode package. As for Xen, the > XSA says they're "not supplying separate patches because the changes > have many complicated prerequisites", and their d95b5bb commit on the > staging-4.8 branch is 42 patches ahead of RELEASE-4.8.4... :\ > > Rusty > > > * https://github.com/QubesOS/qubes-intel-microcode/pull/2 > -BEGIN PGP SIGNATURE- > > iQJ8BAEBCgBmBQJbdB8sXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w > ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0 > NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrf+A4P/jJopc94LC67vWz+PmkLOmB5 > DaxS/VmFB70CNzfDmQMJ58YLOJ7z2wu9GEOOnHgP+KmAKsn9/xtp5nufrMfNoOd+ > a7dezBA0b2vHy7aVaAXG3qhRL9PhHqpFhcUrudShATrUWdY2aFnaeRGSZDbwoR40 > jGEgjxFFM2SGEtTHOEuKBBfLU/OJMw72ClmIAIdtvfEPABQ0WYw95OmcVTzi+tvZ > 2bEwXJz1cXUovGzDPInbBBZm43m3X/r9FAnsFdLQXyjgRNkFc2LuhVz5Tc12NGjH > 6Xb2qJlIhQVZjotRPqm506G6UrKrx5DB0lANY2/H8tl/tPACyoTY+EHrOJHIz/21 > XipPbVVLqQJtQJOgQXCkHEPz49X1Deni/TFedrQxzEuTiOH5R/KVjqEe17cwyaL4 > f6HHf94OiFHGKVmGtwySwMxxWiH9T0UOu3+Xzo3UNE9IPkLoakcXMTvaLFJS9Hfa > AFZil3+aKMogWWRS0mJJc0UX+m9jpPdwERdXAriqAY4mp59TJ3qt5OFEobSlG4kD > aRIfBiQbMRZagfwtsHLTxwEymwMyaovm/q7hv6cZvNYm2S7cztMdFXeUquYlZgJi > ZzCr+AirENSDSBq+hCosnGdvwAAemiUBpRh3kXHMuOTtR1Lu3ulnatN64SCznzPR > M8ZJnNdpOLX4RqU/yTr/ > =E4BM > -END PGP SIGNATURE- I have hyperthreading disabled on my BIOS, do I still have to add that option to Xen command line? By pull request you mean, it's still being grabbed for use and installation using qubes-dom0-update right? As for Xen updates, welp we have no choice but to wait for that I suppose. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5d320435-9846-4dc7-90b5-edb2740bb0de%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Is Qubes vulnerable to CVE-2018-3620?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Sphere: > https://www.bleepingcomputer.com/news/security/researchers-disclose-new-foreshadow-l1tf-vulnerabilities-affecting-intel-cpus/ > > There are other vulnerabilities disclosed along with this today and > if possible, I would like to confirm that as well. > > On a side note, I have long disabled Hyperthreading on my machine. To me as a layman, it looks like Qubes is indeed vulnerable to the XSA-273 data leak, and that fixing it involves 1. disabling hyperthreading (by adding smt=off to the Xen command line) 2. AND upgrading Intel microcode to 20180807 3. AND upgrading Xen There's a pull request* for the new microcode package. As for Xen, the XSA says they're "not supplying separate patches because the changes have many complicated prerequisites", and their d95b5bb commit on the staging-4.8 branch is 42 patches ahead of RELEASE-4.8.4... :\ Rusty * https://github.com/QubesOS/qubes-intel-microcode/pull/2 -BEGIN PGP SIGNATURE- iQJ8BAEBCgBmBQJbdB8sXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0 NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrf+A4P/jJopc94LC67vWz+PmkLOmB5 DaxS/VmFB70CNzfDmQMJ58YLOJ7z2wu9GEOOnHgP+KmAKsn9/xtp5nufrMfNoOd+ a7dezBA0b2vHy7aVaAXG3qhRL9PhHqpFhcUrudShATrUWdY2aFnaeRGSZDbwoR40 jGEgjxFFM2SGEtTHOEuKBBfLU/OJMw72ClmIAIdtvfEPABQ0WYw95OmcVTzi+tvZ 2bEwXJz1cXUovGzDPInbBBZm43m3X/r9FAnsFdLQXyjgRNkFc2LuhVz5Tc12NGjH 6Xb2qJlIhQVZjotRPqm506G6UrKrx5DB0lANY2/H8tl/tPACyoTY+EHrOJHIz/21 XipPbVVLqQJtQJOgQXCkHEPz49X1Deni/TFedrQxzEuTiOH5R/KVjqEe17cwyaL4 f6HHf94OiFHGKVmGtwySwMxxWiH9T0UOu3+Xzo3UNE9IPkLoakcXMTvaLFJS9Hfa AFZil3+aKMogWWRS0mJJc0UX+m9jpPdwERdXAriqAY4mp59TJ3qt5OFEobSlG4kD aRIfBiQbMRZagfwtsHLTxwEymwMyaovm/q7hv6cZvNYm2S7cztMdFXeUquYlZgJi ZzCr+AirENSDSBq+hCosnGdvwAAemiUBpRh3kXHMuOTtR1Lu3ulnatN64SCznzPR M8ZJnNdpOLX4RqU/yTr/ =E4BM -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180815124012.GA923%40mutt. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Is Qubes vulnerable to CVE-2018-3620?
https://www.bleepingcomputer.com/news/security/researchers-disclose-new-foreshadow-l1tf-vulnerabilities-affecting-intel-cpus/ There are other vulnerabilities disclosed along with this today and if possible, I would like to confirm that as well. On a side note, I have long disabled Hyperthreading on my machine. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/12d30846-c21f-4eac-9d79-38d90adaab0b%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
