Re: [qubes-users] 2 new Intel vulnerabilities

2019-11-14 Thread haaber

Just a small comprehension question about the microkernel update shipped in
the last xen update: are these microkernels "flashed" into some cpu
memory, or are they re-run / set up at each boot again? Cheers, Bernhard

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/eda58fcc-eb54-2caf-fa56-6dfdd0c2f5fa%40web.de.


Re: [qubes-users] Listing all available templates in a given repo

2019-11-14 Thread Charles Peters
On Tue, Nov 12, 2019 at 5:38 PM Dan Krol wrote:

> Hello,
>
> *Caveat:* I'm fairly new to Qubes and Fedora.
>
> *Question:* How do I get a list of all available templates that I can
> install under each repository? (i.e. "current", "testing", "community" etc)
>

I would also like to see a list of templates and other addons that could be
shared by the community.  A couple of examples of what could be shared by
community:
1. Debian, Fedora and possibly other distros templates for various use
cases.
2. alpha or experimental - Qubes-based SecureDrop Journalist Workstation
environment for submission handling
https://github.com/freedomofpress/securedrop-workstation
3. Prago provided his salt configurations for Firefox earlier today.
https://groups.google.com/forum/?utm_medium=email_source=footer#!msg/qubes-users/oStl_IGHuLQ/T56IxhxACAAJ
4. Backups to the local network unencrypted, or automated backups.

What would the community like to see documented?

What other tools, or website(s) can we build to provide gpg signed
templates and addons?

Debian and Ubuntu provide packages.debian.org and packages.ubuntu.com of
the various versions.  The information can also be obtained from command
line tools, but the website is useful when looking for software and is
built automatically from the repositories.  I haven't found anything
similar for Fedora, does something like it exist?  It would be really cool
to see qubes provide an automated site which shows the templates and the
packages the template contains.

> *What I've tried (for what it's worth):*
> * I can see my existing templates under `dnf list installed` in dom0.
> However, `dnf list available` comes up mysteriously empty.
>

$ rpm -qa --queryformat '%{SIZE} %{NAME} \n'| grep template | sort -n
(none) qubes-template-bionic-desktop
(none) qubes-template-buster-gnome
(none) qubes-template-fedora-30
(none) qubes-template-fedora-30-xfce
1032734783 qubes-template-debian-10-minimal
1337344042 qubes-template-fedora-30-minimal
1588460952 qubes-template-whonix-gw-15
2176031506 qubes-template-whonix-ws-15
3099013352 qubes-template-bionic
3490724048 qubes-template-debian-10

I have been trying to determine why some templates show none...  And why I
can't seem to see where the space is actually used by dom0, it seems to
symlink to nothing.


Chuck



[qubes-users] HCL Info - Dell Latitude E6520

2019-11-14 Thread Charles Peters
network: |
  Intel Corporation 82579LM Gigabit Network Connection (Lewisville) (rev 04)
  Intel Corporation Centrino Advanced-N 6205 [Taylor Peak] (rev 34)

Wired Networking isn't working.

Plugging in the wired network disables the wifi.  I have checked logs for
the cause without success.  Should I try running a different kernel in
sys-net and/or dom0?

Any other useful suggestions would be appreciated.


Chuck



Qubes-HCL-Dell_Inc_-Latitude_E6520-20191114-152124.yml
Description: application/yaml


Re: [qubes-users] 2 new Intel vulnerabilities

2019-11-14 Thread Lorenzo Lamas


On Thursday, November 14, 2019 at 2:57:19 PM UTC+1, Andrew David Wong wrote:
>
> On 2019-11-14 6:28 AM, Andrew David Wong wrote: 
> > On 2019-11-13 12:40 PM, Lorenzo Lamas wrote: 
> >> There are 2 new vulnerabilities in Intel CPU's, also affecting 
> >> Xen. Xen has issued XSA-304(CVE-2018-12207) and XSA 
> >> 305(CVE-2019-11135). Is the Qubes team aware yet? I haven't seen 
> >> a new QSB. 
> > 
> > 
> > Yes, we're aware. We're currently in the process of preparing 
> > announcements about these XSAs. 
> > 
> > Typically, XSAs have a predisclosure period, during which the XSA 
> > is embargoed, and the Qubes Security Team has time to analyze it 
> > and prepare patches and an announcement. However, these XSAs had 
> > no embargo period, so the Qubes Security Team had no advance notice 
> > of them before they were publicly announced. 
> > 
>
> The announcements have been published: 
>
> https://www.qubes-os.org/news/2019/11/13/xsa-304-qubes-not-affected/ 
>
> https://www.qubes-os.org/news/2019/11/13/qsb-053/ 
>
> - -- 
> Andrew David Wong (Axon) 
> Community Manager, Qubes OS 
> https://www.qubes-os.org 
>
Thank you, and thanks for the earlier explanation!
Btw, do you think it is possible for Qubes to distribute the Intel
fTPM (http://tpm.fail/) update somehow like Qubes does with microcodes?



Re: [qubes-users] QSB #053: TSX Asynchronous Abort speculative side channel (XSA-305)

2019-11-14 Thread Chris Laprise

One of the packages came down with an incorrect signature:

*** ERROR while receiving updates:
Error while verifing kernel-4.19.82-1.pvops.qubes.x86_64.rpm signature: 
/var/lib/qubes/updates/rpm/kernel-4.19.82-1.pvops.qubes.x86_64.rpm: rsa 
sha1 (MD5) PGP MD5 NOT OK



I'm not sure if that kernel is necessary for the patch, but that is what 
downloaded when I specified qubes-dom0-security-testing.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] 2 new Intel vulnerabilities

2019-11-14 Thread Andrew David Wong

On 2019-11-14 6:28 AM, Andrew David Wong wrote:
> On 2019-11-13 12:40 PM, Lorenzo Lamas wrote:
>> There are 2 new vulnerabilities in Intel CPU's, also affecting
>> Xen. Xen has issued XSA-304(CVE-2018-12207) and XSA
>> 305(CVE-2019-11135). Is the Qubes team aware yet? I haven't seen
>> a new QSB.
>
>
> Yes, we're aware. We're currently in the process of preparing
> announcements about these XSAs.
>
> Typically, XSAs have a predisclosure period, during which the XSA
> is embargoed, and the Qubes Security Team has time to analyze it
> and prepare patches and an announcement. However, these XSAs had
> no embargo period, so the Qubes Security Team had no advance notice
> of them before they were publicly announced.
>

The announcements have been published:

https://www.qubes-os.org/news/2019/11/13/xsa-304-qubes-not-affected/

https://www.qubes-os.org/news/2019/11/13/qsb-053/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] QSB #053: TSX Asynchronous Abort speculative side channel (XSA-305)

2019-11-14 Thread Andrew David Wong

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) #053: TSX
Asynchronous Abort speculative side channel (XSA-305). The text of this
QSB is reproduced below. This QSB and its accompanying signatures will
always be available in the Qubes Security Pack (qubes-secpack).

View QSB #053 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-053-2019.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:

https://www.qubes-os.org/security/pack/

View all past QSBs:

https://www.qubes-os.org/security/bulletins/

```


 ---===[ Qubes Security Bulletin #53 ]===---

 2019-11-13


TSX Asynchronous Abort speculative side channel (XSA-305)

Summary
=======

On 2019-11-12, the Xen Security Team published Xen Security Advisory
305 (CVE-2019-11135 / XSA-305) [1] with the following description:

| This is very closely related to the Microarchitectural Data Sampling
| vulnerabilities from May 2019.
| 
| Please see https://xenbits.xen.org/xsa/advisory-297.html for details
| about MDS.
| 
| A new way to sample data from microarchitectural structures has been
| identified.  A TSX Asynchronous Abort is a state which occurs between a
| transaction definitely aborting (usually for reasons outside of the
| pipeline's control e.g. receiving an interrupt), and architectural state
| being rolled back to start of the transaction.
| 
| During this period, speculative execution may be able to infer the value
| of data in the microarchitectural structures.
| 
| For more details, see:
|   https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort
| 
| An attacker, which could include a malicious untrusted user process on a
| trusted guest, or an untrusted guest, can sample the content of
| recently-used memory operands and IO Port writes.
| 
| This can include data from:
| 
|  * A previously executing context (process, or guest, or
|    hypervisor/toolstack) at the same privilege level.
|  * A higher privilege context (kernel, hypervisor, SMM) which
|    interrupted the attacker's execution.
| 
| Vulnerable data is that on the same physical core as the attacker.  This
| includes, when hyper-threading is enabled, adjacent threads.
| 
| An attacker cannot use this vulnerability to target specific data.  An
| attack would likely require sampling over a period of time and the
| application of statistical methods to reconstruct interesting data.

This is yet another CPU hardware bug related to speculative execution.

Only Intel processors which support TSX and have hardware mitigation
against MDS are affected (see the XSA and the Intel advisory linked
above for details and a list of affected processor families).

Note: There was no embargo period for this XSA.

Patching
========

The Xen Project has provided patches that mitigate this issue. A CPU
microcode update is required to take advantage of them. Note that
microcode updates may not be available for older CPUs. (See the Intel
advisory linked above for details.)

The specific packages that resolve the problems discussed in this
bulletin are as follows:

  For Qubes 4.0:
  - Xen packages, version 4.8.5-12
  - microcode_ctl 2.1-29.qubes1

The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.

Credits
=======

See the original Xen Security Advisory.

References
==========

[1] https://xenbits.xen.org/xsa/advisory-305.html

- --
The Qubes Security Team
https://www.qubes-os.org/security/
```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2019/11/13/qsb-053/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
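
Added example (not part of the QSB or of any message in this thread): a check that compares package versions reported by rpm in dom0 with the fixed versions the bulletin lists for Qubes 4.0. The rpm query target xen-hypervisor, the ".fc25" dist tag, the sample lines, and the use of GNU sort -V as a stand-in for RPM version ordering are assumptions.

```shell
#!/bin/sh
# Added example, not part of QSB #053. Fixed versions are the ones the
# bulletin lists for Qubes 4.0; everything else is an assumption.
XEN_FIXED="4.8.5-12"
UCODE_FIXED="2.1-29.qubes1"

# version_ge INSTALLED FIXED
# Succeeds when INSTALLED sorts at or after FIXED. GNU `sort -V` is used as
# an approximation of RPM ordering; a trailing dist tag such as ".fc25"
# (assumed) sorts after the bare version, so it does not cause a false alarm.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# qsb053_report
# Reads "name version-release" lines on stdin and prints one verdict per
# package named in the bulletin. Returns 1 if a package is older than the
# fix or is absent from the input (a silent gap should not read as patched).
qsb053_report() {
    rc=0; seen_xen=0; seen_ucode=0
    while read -r name ver; do
        case "$name" in
            xen-hypervisor) fixed=$XEN_FIXED;   seen_xen=1 ;;   # assumed package name
            microcode_ctl)  fixed=$UCODE_FIXED; seen_ucode=1 ;;
            *) continue ;;
        esac
        if version_ge "$ver" "$fixed"; then
            echo "OK       $name $ver (fixed in $fixed)"
        else
            echo "OUTDATED $name $ver (fixed in $fixed)"
            rc=1
        fi
    done
    [ "$seen_xen" = 1 ] || { echo "MISSING  xen-hypervisor"; rc=1; }
    [ "$seen_ucode" = 1 ] || { echo "MISSING  microcode_ctl"; rc=1; }
    return "$rc"
}

# Constructed sample: Xen still one release behind, microcode already updated.
sample_lines() {
    printf '%s\n' 'xen-hypervisor 4.8.5-11.fc25' \
                  'microcode_ctl 2.1-29.qubes1.fc25'
}

# In dom0 the input would come from:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' xen-hypervisor microcode_ctl
sample_lines | qsb053_report || echo "update and reboot still required"
```

The installed package version only shows what is on disk; the bulletin's required restart is what puts the new Xen binaries and microcode into use.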


[qubes-users] XSA-304 does not affect the security of Qubes OS

2019-11-14 Thread Andrew David Wong

Dear Qubes Community,

The Xen Project has published Xen Security Advisory 304 (XSA-304).
This XSA does *not* affect the security of Qubes OS, and no user
action is necessary.

This XSA has been added to the XSA Tracker:

https://www.qubes-os.org/security/xsa/#304

This announcement is also available on the Qubes website:

https://www.qubes-os.org/news/2019/11/13/xsa-304-qubes-not-affected/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] 2 new Intel vulnerabilities

2019-11-14 Thread Chris Laprise

On 11/14/19 7:28 AM, Andrew David Wong wrote:
> On 2019-11-13 12:40 PM, Lorenzo Lamas wrote:
>> There are 2 new vulnerabilities in Intel CPU's, also affecting Xen.
>> Xen has issued XSA-304(CVE-2018-12207) and XSA 305(CVE-2019-11135).
>> Is the Qubes team aware yet? I haven't seen a new QSB.
>
> Yes, we're aware. We're currently in the process of preparing
> announcements about these XSAs.
>
> Typically, XSAs have a predisclosure period, during which the XSA is
> embargoed, and the Qubes Security Team has time to analyze it and
> prepare patches and an announcement. However, these XSAs had no
> embargo period, so the Qubes Security Team had no advance notice of
> them before they were publicly announced.


The researchers behind these MDS vuln disclosures were being strung 
along by Intel, who kept changing embargo dates. Eventually they decided 
to simply publish because the proposed patches from Intel were not 
addressing a large number of possible attacks.


I have a summary, links and some advice here:
https://groups.google.com/d/msgid/qubes-users/85c426f7-7e17-b1ab-87c3-71f92d169955%40posteo.net

In short, Intel have played a monopolist's game and delivered products 
that match; it's much better (and simpler) for people to move to AMD at 
least for the time being. It would help if the Qubes community had some 
clear AMD choices.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] 2 new Intel vulnerabilities

2019-11-14 Thread Andrew David Wong

On 2019-11-13 12:40 PM, Lorenzo Lamas wrote:
> There are 2 new vulnerabilities in Intel CPU's, also affecting Xen.
> Xen has issued XSA-304(CVE-2018-12207) and XSA 305(CVE-2019-11135).
> Is the Qubes team aware yet? I haven't seen a new QSB.
>

Yes, we're aware. We're currently in the process of preparing
announcements about these XSAs.

Typically, XSAs have a predisclosure period, during which the XSA is
embargoed, and the Qubes Security Team has time to analyze it and
prepare patches and an announcement. However, these XSAs had no
embargo period, so the Qubes Security Team had no advance notice of
them before they were publicly announced.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] Intel's continued security meltdown, MDS edition:

2019-11-14 Thread Chris Laprise

From Kim Zetter at the New York Times:

https://twitter.com/KimZetter/status/1194374230109868032


When Intel released patch for CPU vulns last May, it said the patch fixed all
the vulns. But researchers at @vu5ec say this isn't true and Intel knew it.
Intel asked them not to disclose this and to alter conf. paper about the vulns.

“We think it’s time to simply tell the world that even now Intel hasn’t fixed
the problem,” Herbert Bos (@herbertbos) says. “There are tons of
vulnerabilities still left, we are sure. And they don’t intend to do proper
security engineering until their reputation is at stake.”


https://www.nytimes.com/2019/11/12/technology/intel-chip-fix.html

https://mdsattacks.com/

-

It's worth noting that the lion's share of these vulns are 
vendor-specific to Intel. I have long held the position that 
Spectre+Meltdown showed AMD x86 to be "substantially" better engineered 
with respect to security; I now believe that assessment to be an 
understatement.


Competition between Intel and AMD is very asymmetrical, as the former 
amounts to a monopoly and the latter is the only one that feels acute 
competitive pressure (and hence, AMD has felt a greater need to engineer 
responsibly). OTOH, Intel has maintained their position with lazy 
engineering shortcuts, rigged benchmarks, and anti-competitive threats 
lodged against PC makers. For their threats, the company even announced 
it will refuse to pay a hefty EU judgment against them. That is the 
"merit" in how they maintain dominance.


Even though I greatly favor the development and promotion of open source 
hardware (including CPUs), there are no open alternatives for Qubes 
users in the short-mid term. So recognizing that open source is not a 
singular guiding principle – that competition is vitally important for 
the availability of desirable and safe products – I think it would be 
best if the Qubes project and community recognized the situation and 
made a modest effort to certify AMD hardware as a safer alternative to 
Intel.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
