XSA-273 - security impact on Qubes?
85 views
Skip to first unread message
Rob Fisher
Aug 25, 2018, 4:59:09 PM8/25/18
to qubes...@googlegroups.com
I've also posted to qubes-users, but perhaps qubes-devel is more
appropriate for this:
I'm wondering when we can expect information on the impact of XSA-273
(1) on Qubes R4? I can't help but notice it's absence from the Qubes
XSA-tracker page (2).
Some OS Vendors have implemented kernel patches in an attempt to
mitigate these vulnerabilities, but as of yet I haven't seen any such
patches to the qubes-kernel-vm or the Hypervisor.
In the common case that microcode updates aren't possible via a BIOS
update (HW vendor not made them available), and disabling
hyper-threadding is not possible in the BIOS - what are the best options
for a Qubes user right now?
Thanks,
Rob.
Links:
(1) - https://xenbits.xen.org/xsa/advisory-273.html
(2) - https://www.qubes-os.org/security/xsa/
appropriate for this:
I'm wondering when we can expect information on the impact of XSA-273
(1) on Qubes R4? I can't help but notice it's absence from the Qubes
XSA-tracker page (2).
Some OS Vendors have implemented kernel patches in an attempt to
mitigate these vulnerabilities, but as of yet I haven't seen any such
patches to the qubes-kernel-vm or the Hypervisor.
In the common case that microcode updates aren't possible via a BIOS
update (HW vendor not made them available), and disabling
hyper-threadding is not possible in the BIOS - what are the best options
for a Qubes user right now?
Thanks,
Rob.
Links:
(1) - https://xenbits.xen.org/xsa/advisory-273.html
(2) - https://www.qubes-os.org/security/xsa/
Andrew David Wong
Aug 26, 2018, 3:57:20 AM8/26/18
to Rob Fisher, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 2018-08-25 15:59, Rob Fisher wrote:
> I've also posted to qubes-users, but perhaps qubes-devel is more
> appropriate for this:
>
> I'm wondering when we can expect information on the impact of
> XSA-273 (1) on Qubes R4? I can't help but notice it's absence from
> the Qubes XSA-tracker page (2).
>
Already addressed:
https://groups.google.com/d/msg/qubes-users/Isn_hko7tQs/PcqIuUleEQAJ
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAluCXU0ACgkQ203TvDlQ
MDDwNA/9EjlchCQOCwi8yAt/eLClv3eOrSteo6GHzncHVaEho6/zAbtDGkDHhPsS
/gZEpKJ3Bs9iJEUyCtpg6t7kWpxC3iwE+ZI6R3mKk1mpXcVtyHv1lDeuj5MK1R7S
Nv7hRivJ2Yum6kxQSIHM0edsQ/mxNyorXHD27V8QdbkEAtxw7QNp+t7pTsPnQbI3
w7ocaGZg1fHFvK7NUXm0hEjksQeSnwRBVR/PhKNDtUTNnxeUgfxq8dJdygCOfFfm
/lLFri3iaKX4ZZPz17fZGyRc2uBzsE56wIhn4FzvoJUY4CdsS7rM3TuvYk1/T6Y5
LhpxBT9T4aq75erphUNp1suPtZeqN5JV6oaf9vCu6LXqJXg7k1awHvVEv8nmN0o5
9DO7dQ5LJJPqnhaNsYdgm30zICFN4sNASTY+rFaZzM6iQhusQD1kSAsmZ8QWCC26
2FlaigRv8QvyelfF0TL42j5oGnP6/IbVViZQ6zhK2NdzivpBnK21BTkgB9P/yDjH
5CYbOytGf6HfmYAGr3MfqKSlYSF6Gy9Ex+WdUpylg35OdwAfjDVb7ZsNgh73OTO/
7uvwd2L39hejLoPX4n4U1D1tOjSTgaqvXO8Qa5oljs8sZSrAqW99bs3fJjwr8eHV
H5h1rHNej9YKVpNnjYK1E/owNcp96I0B6gF7gOMloy9V+nftQgI=
=8b5L
-----END PGP SIGNATURE-----
Hash: SHA512
On 2018-08-25 15:59, Rob Fisher wrote:
> I've also posted to qubes-users, but perhaps qubes-devel is more
> appropriate for this:
>
> I'm wondering when we can expect information on the impact of
> XSA-273 (1) on Qubes R4? I can't help but notice it's absence from
> the Qubes XSA-tracker page (2).
>
https://groups.google.com/d/msg/qubes-users/Isn_hko7tQs/PcqIuUleEQAJ
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAluCXU0ACgkQ203TvDlQ
MDDwNA/9EjlchCQOCwi8yAt/eLClv3eOrSteo6GHzncHVaEho6/zAbtDGkDHhPsS
/gZEpKJ3Bs9iJEUyCtpg6t7kWpxC3iwE+ZI6R3mKk1mpXcVtyHv1lDeuj5MK1R7S
Nv7hRivJ2Yum6kxQSIHM0edsQ/mxNyorXHD27V8QdbkEAtxw7QNp+t7pTsPnQbI3
w7ocaGZg1fHFvK7NUXm0hEjksQeSnwRBVR/PhKNDtUTNnxeUgfxq8dJdygCOfFfm
/lLFri3iaKX4ZZPz17fZGyRc2uBzsE56wIhn4FzvoJUY4CdsS7rM3TuvYk1/T6Y5
LhpxBT9T4aq75erphUNp1suPtZeqN5JV6oaf9vCu6LXqJXg7k1awHvVEv8nmN0o5
9DO7dQ5LJJPqnhaNsYdgm30zICFN4sNASTY+rFaZzM6iQhusQD1kSAsmZ8QWCC26
2FlaigRv8QvyelfF0TL42j5oGnP6/IbVViZQ6zhK2NdzivpBnK21BTkgB9P/yDjH
5CYbOytGf6HfmYAGr3MfqKSlYSF6Gy9Ex+WdUpylg35OdwAfjDVb7ZsNgh73OTO/
7uvwd2L39hejLoPX4n4U1D1tOjSTgaqvXO8Qa5oljs8sZSrAqW99bs3fJjwr8eHV
H5h1rHNej9YKVpNnjYK1E/owNcp96I0B6gF7gOMloy9V+nftQgI=
=8b5L
-----END PGP SIGNATURE-----
Rob Fisher
Sep 15, 2018, 6:32:16 PM9/15/18
to qubes...@googlegroups.com
Thanks for your feedback, and especially thanks to the Qubes Security
Team for getting this turned around so quickly and comprehensively.
I particularly like the design decision to disable SMT (HT) in Xen
irrespective of BIOS config. As BIOSs can be buggy on some HW, or simply
not provide the user with a choice to disable certain features like SMT.
Team for getting this turned around so quickly and comprehensively.
I particularly like the design decision to disable SMT (HT) in Xen
irrespective of BIOS config. As BIOSs can be buggy on some HW, or simply
not provide the user with a choice to disable certain features like SMT.
Reply all
Reply to author
Forward
0 new messages