On Mon, January 15, 2018 1:15 am, Nik H wrote:
> On Monday, January 15, 2018 at 12:20:48 AM UTC+7, Vít Šesták wrote:
>
>> As far as I understand it, microcode update cannot fix it. It just
>> brings some new instructions that can be used for Spectre fix. (But
>> they don't help on their own.)
>>
>> You can try to update your BIOS if it is well supported by your vendor.
>> Mine is.
>>
>>
>> Alternatively, you can try to update microcode via Xen. (In fact, the
>> new microcode is loaded on every boot, because CPU has no persistent
>> storage for that. It should be loaded in early stage of boot.*) Xen has
>> some documentation, it would be probably enough to use some Linux
>> package and add something like “ucode=scan” to Xen parameters:
>> https://wiki.xenproject.org/wiki/XenParavirtOps/microcode_update

>
> Thanks, this is good info. I found instructions to update microcode in
> linux - seems very simple. Xen instructions seem simple as well but where
> do I enter this? In the Dom0 terminal? I am a bit unclear as to how Dom0
> and Xen interact.

If you're referring to the "ucode=scan" addition to the bootloader; yes,
you'd enter those from dom0.

> As a side-note, spectre does compromise the entire qubes architecture. I
> know, nobody was thinking about these things, so no shame in that. But
> one of the main premises in qubes is that VMs are isolated from each
> other, and that is no longer the case as long as spectre is out there.
> Good that meltdown is not an issue, yes, but doesn't really matter,
> weakest link and all that.

It matters a bit because Spectre is harder to exploit than Meltdown. IIUR,
Qubes' design allowed it to constrict Meltdown to a single VM versus other
OS designs where that would give access to the entire system. I'm still
somewhat unclear on how Spectre operates under hardware virtualization but
you're right, it needs to be fixed.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/79d8c47ca62d358458e6850a36a74686.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.

Reply via email to