On Monday, January 15, 2018 at 12:20:48 AM UTC+7, Vít Šesták wrote:
> As far as I understand it, microcode update cannot fix it. It just brings 
> some new instructions that can be used for Spectre fix. (But they don't help 
> on their own.)
> 
> You can try to update your BIOS if it is well supported by your vendor. Mine 
> is.
> 
> Alternatively, you can try to update microcode via Xen. (In fact, the new 
> microcode is loaded on every boot, because CPU has no persistent storage for 
> that. It should be loaded in early stage of boot.*) Xen has some 
> documentation, it would be probably enough to use some Linux package and add 
> something like “ucode=scan” to Xen parameters: 
> https://wiki.xenproject.org/wiki/XenParavirtOps/microcode_update
> 
> Regards,
> Vít Šesták 'v6ak'
> 
> *) Some μcode updates can be loaded even runtime, but this is not so general 
> and I don't recommend it. As far as I understand, the result of runtime 
> patching might vary on what instructions have been used before the attempt to 
> patch it, so you could end up with some race condition.


Thanks, this is good info. I found instructions to update microcode in linux - 
seems very simple. Xen instructions seem simple as well but where do I enter 
this? In the Dom0 terminal? I am a bit unclear as to how Dom0 and Xen interact.

I am guessing normal VMs do not have enough privileges to update microcode 
(well... hopefully, otherwise compromised VMs could install malicious 
microcode...)

As a side-note, spectre does compromise the entire qubes architecture. I know, 
nobody was thinking about these things, so no shame in that. But one of the 
main premises in qubes is that VMs are isolated from each other, and that is no 
longer the case as long as spectre is out there. Good that meltdown is not an 
issue, yes, but doesn't really matter, weakest link and all that. 


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/effb5ab9-2bda-46d3-a9c1-604b1f1c1fbe%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to