Are known cpu bugs a risk as long as I work with Qubes OS?


Rainer Neumann

Dec 7, 2020, 6:21:45 AM
to qubes...@googlegroups.com
Thank you, Sven, for your answer to the topic of qubes-hcl-report. I have one additional question.

If I type in a console "cat /proc/cpuinfo", I get an output where one line is called "bugs". It looks like my CPU has a lot of bugs: null_seg, cpu_meltdown, spectre_v1, spectre_v2, spec_store_bypass, l1tf, mds, swapgs, itlb_multihit, srbds.

The producer of my computer offers a BIOS and microprocessor update for the purpose of fixing these bugs. It is an exe file for Windows: https://www.dell.com/support/home/de-ch/drivers/driversdetails?driverid=5m70h&oscode=wt32a&productcode=optiplex-7010

Okay, let's say we can trust Intel and the computer manufacturer. But is it really necessary to install the update as long as I work with Qubes OS?

Kind regards,
Rainer

Sven Semmler

Dec 7, 2020, 10:17:48 AM
to qubes...@googlegroups.com
Hi Rainer, you wrote:
> Okay, let's say we can trust Intel and the computer manufacturer.
> But is it really necessary to install the update as long as I work
> with Qubes OS?

I answer so you know I am not ignoring you. The fact is that I am not
qualified to answer this question. I hope someone like unman will come
and address it.

/Sven

--
public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6


awokd

Dec 7, 2020, 5:14:20 PM
to qubes...@googlegroups.com
Rainer Neumann:
Not necessary I suppose, since Xen runs a (temporary) microcode update
when it boots, but would not be a bad idea to update the bios anyways in
case some bug breaks the microcode patching on boot or you boot some
other OS some day that does not include this step on boot.

--
Mailing list etiquette:
- don't top post
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots

Andrew David Wong

Dec 7, 2020, 9:59:40 PM
to Rainer Neumann, qubes...@googlegroups.com
Have a look at this:

https://unix.stackexchange.com/questions/456425/what-does-the-bugs-section-of-proc-cpuinfo-actually-show

Specifically:

"Dump the flags which denote we have detected and/or have applied bug
workarounds to the CPU we're executing on, in a similar manner to the
feature flags."

In other words, according to the commit that added it, the "bugs"
section doesn't tell you whether your CPU is vulnerable to the things in
the list. Maybe a mitigation has already been applied. Maybe it has
merely been detected and nothing has been done about it. We have no way
to tell just from this section. You would have to do further
investigation into each of these in order to try to determine whether
your CPU is currently vulnerable.

Here's a discussion about doing that:

https://www.reddit.com/r/linux/comments/8k3x3b/til_proccpuinfo_shows_architecture_bugs_such_as/

It specifically mentions checking in:

/sys/devices/system/cpu/vulnerabilities/

However, Qubes is different from a standard Linux OS, and we often take
our own special steps to address security problems, so there may be
additional mitigations on top of whatever is mentioned here. In
addition, the unique architecture of Qubes makes certain classes of
security vulnerabilities inapplicable, so it will probably depend on the
specific nature of that particular bug.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

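The two points made in this thread, that the "bugs" line in /proc/cpuinfo only lists what the kernel detected while /sys/devices/system/cpu/vulnerabilities/ reports whether each item is actually mitigated, and that the loaded microcode revision matters for several of those mitigations, can be checked with a short script. The following is an added example written for this page, not code from the thread or from the Qubes project. It parses the kernel's sysfs status strings (which have the fixed forms "Not affected", "Vulnerable[: detail]", "[KVM: ]Mitigation: detail", or an "Unknown: ..." form) and pulls the "bugs" and "microcode" fields out of /proc/cpuinfo. The sample inputs embedded in it are constructed: the bug list is the one from the original question, the microcode revision and the sysfs contents are made-up values in the real format.

```python
"""Classify CPU vulnerability status from sysfs instead of the bare "bugs" list.

Added example, not from the thread. Run with no arguments: it reads the real
files when they exist and otherwise falls back to the constructed samples.
"""
import os

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"  # real kernel sysfs path

# Constructed sample of the head of /proc/cpuinfo. The bug names are the ones
# quoted in the question; the microcode revision (0x21) is a made-up value.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
microcode\t: 0x21
bugs\t\t: null_seg cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit srbds
"""

# Constructed sample of sysfs file contents (file name -> file text), written
# in the exact string formats the kernel emits.
SAMPLE_SYSFS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling",
    "spec_store_bypass": "Vulnerable",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "srbds": "Vulnerable: No microcode",
    "itlb_multihit": "KVM: Mitigation: Split huge pages",
    "tsx_async_abort": "Not affected",
}


def parse_cpuinfo(text):
    """Return (bugs, microcode) from the first processor block of /proc/cpuinfo."""
    bugs, microcode = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "bugs" and not bugs:
            bugs = value.split()          # the "bugs" line is space-separated names
        elif key == "microcode" and microcode is None:
            microcode = value             # loaded microcode revision, e.g. "0x21"
    return bugs, microcode


def classify(status):
    """Map one sysfs status string to not_affected / vulnerable / mitigated / unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Vulnerable"):        # "Vulnerable" or "Vulnerable: <why>"
        return "vulnerable"
    if "Mitigation:" in s:                # covers the "KVM: Mitigation: ..." form too
        return "mitigated"
    return "unknown"


def summarize(entries):
    """Per-vulnerability category plus a flag for mitigations that leave SMT exposed."""
    return {
        name: {
            "category": classify(text),
            "smt_vulnerable": "SMT vulnerable" in text,
            "status": text.strip(),
        }
        for name, text in entries.items()
    }


def needs_attention(summary):
    """Names whose kernel status is still 'Vulnerable', sorted for stable output."""
    return sorted(n for n, info in summary.items() if info["category"] == "vulnerable")


def category_counts(summary):
    counts = {}
    for info in summary.values():
        counts[info["category"]] = counts.get(info["category"], 0) + 1
    return counts


def read_sysfs(path=VULN_DIR):
    """Read every file in the vulnerabilities directory; empty dict if absent."""
    entries = {}
    if not os.path.isdir(path):
        return entries
    for name in sorted(os.listdir(path)):
        try:
            with open(os.path.join(path, name)) as f:
                entries[name] = f.read().strip()
        except OSError:
            continue
    return entries


def main():
    try:
        with open("/proc/cpuinfo") as f:
            cpuinfo_text = f.read()
    except OSError:
        cpuinfo_text = SAMPLE_CPUINFO
    bugs, microcode = parse_cpuinfo(cpuinfo_text)
    summary = summarize(read_sysfs() or SAMPLE_SYSFS)
    print(f"microcode revision: {microcode}")
    print(f"'bugs' line lists {len(bugs)} detected issue(s): {' '.join(bugs)}")
    for name, info in sorted(summary.items()):
        smt = " (SMT still exposed)" if info["smt_vulnerable"] else ""
        print(f"  {name:20s} {info['category']:13s} {info['status']}{smt}")
    print("counts:", category_counts(summary))
    print("still vulnerable:", ", ".join(needs_attention(summary)) or "none")


if __name__ == "__main__":
    main()
```

Two caveats when reading the output on Qubes. Inside a VM the sysfs directory describes what the guest kernel sees and did, on top of whatever the hypervisor exposes to it, not Xen's own mitigation state; Xen prints its own summary under a "Speculative mitigation facilities" heading in its boot log, readable in dom0 with `xl dmesg`. And a status such as "Vulnerable: No microcode" is exactly the case awokd's reply refers to: the kernel (or Xen) can only apply a microcode-dependent mitigation if a new enough revision was loaded at boot, so a vendor BIOS update that bakes in the newer microcode removes the dependency on that early-boot step.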