Re: [qubes-users] Re: [qubes-announce] [UPDATE] QSB #37: Information leaks due to processor speculative execution bugs (XSA-254, Meltdown & Spectre)

2018-01-25 Thread yrebstv
On 2018-01-25 13:33, awokd wrote:
> On Thu, January 25, 2018 10:51 pm, yreb...@riseup.net wrote:
> 
>> *by this, if I ran sudo qubes-dom0-update
>> --enablerepo=qubes-dom0-security-testing* once, I take it that
>> I am still on the Stable Track "repo", so somehow magically I
>> have the current testing Xen version (I checked, and I do), but when the
>> security Xen goes to Stable, they will just be integrated. So
>> currently I have a combination of one-time security Xen and the rest is
>> "current" (not testing)?
> 
> Exactly!


Sorry, please just disregard; restart the AppVM and it disappears. Guess I don't
need to know :)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f11fe0f4034c1950f36eb761d84d578a%40riseup.net.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: [qubes-announce] [UPDATE] QSB #37: Information leaks due to processor speculative execution bugs (XSA-254, Meltdown & Spectre)

2018-01-25 Thread yrebstv
On 2018-01-25 13:33, awokd wrote:
> On Thu, January 25, 2018 10:51 pm, yreb...@riseup.net wrote:
> 
>> *by this, if I ran sudo qubes-dom0-update
>> --enablerepo=qubes-dom0-security-testing* once, I take it that
>> I am still on the Stable Track "repo", so somehow magically I
>> have the current testing Xen version (I checked, and I do), but when the
>> security Xen goes to Stable, they will just be integrated. So
>> currently I have a combination of one-time security Xen and the rest is
>> "current" (not testing)?
> 
> Exactly!

FWIW, I am noticing "qrexec not connected" in the AppVM triangle in the GUI
Manager on what appears to be a normally operating AppVM, but I think I
saw it on a frozen HVM before rebooting.

Is this of any particular concern, or possibly related to the new
Testing Xen packages?



Re: [qubes-users] Re: [qubes-announce] [UPDATE] QSB #37: Information leaks due to processor speculative execution bugs (XSA-254, Meltdown & Spectre)

2018-01-25 Thread 'awokd' via qubes-users
On Thu, January 25, 2018 10:51 pm, yreb...@riseup.net wrote:

> *by this, if I ran sudo qubes-dom0-update
> --enablerepo=qubes-dom0-security-testing* once, I take it that
> I am still on the Stable Track "repo", so somehow magically I
> have the current testing Xen version (I checked, and I do), but when the
> security Xen goes to Stable, they will just be integrated. So
> currently I have a combination of one-time security Xen and the rest is
> "current" (not testing)?

Exactly!



Re: [qubes-users] Re: [qubes-announce] [UPDATE] QSB #37: Information leaks due to processor speculative execution bugs (XSA-254, Meltdown & Spectre)

2018-01-25 Thread yrebstv
On 2018-01-24 23:20, awokd wrote:
> On Thu, January 25, 2018 2:17 am, yreb...@riseup.net wrote:
>> On 2018-01-24 15:12, Andrew David Wong wrote:
> 
>>>
>>> These packages will migrate from the security-testing repository to the
>>>  current (stable) repository over the next two weeks after being tested
>>>  by the community.
>>
>>
>> 1)
>> The latter (security) packages will migrate, I'd assume this means?
> 
> Yes, this is the standard model for deploying all updates including
> security. They appear in testing first for bleeding edge users, then
> stable for everyone. Sometimes bugs are found in the testing phase causing
> the package to be pulled, so unless you are comfortable rolling back
> packages yourself you should leave it on stable.
> 
>> 2)
>> Where would I find the repositories in dom0 for the track I'm currently
>> using?
> 
> If you haven't changed it manually, you are on stable.
> 
>> 3)
>> after doing the 1x security-testing repo update, how do I check which Xen
>> package is now installed?
> 
> In dom0, "dnf list installed".
> 
>> and/or how do I bring up the GUI
>> update manager? When it doesn't actually need to update, it doesn't persist
> 
> No GUI, but in dom0 you can force it to check for updates with "sudo
> qubes-dom0-update". Might not be following your question here.

Mostly, got it.  Just the one item I'm unsure about.  @URL:
https://www.qubes-os.org/doc/software-update-dom0/

it mentions:
--
To temporarily enable any of these repos, use the
--enablerepo= option. Example commands:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing
sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing
sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable

To enable or disable any of these repos permanently, change the
corresponding boolean in /etc/yum.repos.d/qubes-dom0.repo.
--


*by this, if I ran sudo qubes-dom0-update
--enablerepo=qubes-dom0-security-testing* once, I take it that
I am still on the Stable Track "repo", so somehow magically I
have the current testing Xen version (I checked, and I do), but when the
security Xen goes to Stable, they will just be integrated. So
currently I have a combination of one-time security Xen and the rest
is "current" (not testing)?



Re: [qubes-users] Re: [qubes-announce] [UPDATE] QSB #37: Information leaks due to processor speculative execution bugs (XSA-254, Meltdown & Spectre)

2018-01-25 Thread Vít Šesták
There actually is a GUI for checking dom0 updates. In Qubes VM manager, select 
dom0 and click the update button in top toolbar. Or you can also use the 
context menu.

OTOH, in this case, the main benefit of the GUI is the notifications. The 
update process itself is usually more friendly from the command line. And you cannot 
install security-testing using the GUI.



Re: [qubes-users] Re: [qubes-announce] [UPDATE] QSB #37: Information leaks due to processor speculative execution bugs (XSA-254, Meltdown & Spectre)

2018-01-25 Thread 'awokd' via qubes-users
On Thu, January 25, 2018 2:17 am, yreb...@riseup.net wrote:
> On 2018-01-24 15:12, Andrew David Wong wrote:

>>
>> These packages will migrate from the security-testing repository to the
>>  current (stable) repository over the next two weeks after being tested
>>  by the community.
>
>
> 1)
> The latter (security) packages will migrate, I'd assume this means?

Yes, this is the standard model for deploying all updates including
security. They appear in testing first for bleeding edge users, then
stable for everyone. Sometimes bugs are found in the testing phase causing
the package to be pulled, so unless you are comfortable rolling back
packages yourself you should leave it on stable.

> 2)
> Where would I find the repositories in dom0 for the track I'm currently
> using?

If you haven't changed it manually, you are on stable.

> 3)
> after doing the 1x security-testing repo update, how do I check which Xen
> package is now installed?

In dom0, "dnf list installed".

> and/or how do I bring up the GUI
> update manager? When it doesn't actually need to update, it doesn't persist

No GUI, but in dom0 you can force it to check for updates with "sudo
qubes-dom0-update". Might not be following your question here.

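The two checks awokd describes (which dom0 repos are permanently enabled, and which Xen package is installed after the one-time security-testing update) as an added shell example; this is not code from the thread or from Qubes OS. It runs on constructed sample data standing in for /etc/yum.repos.d/qubes-dom0.repo and the output of `dnf list installed`, so the repo-file layout, the dnf column format and the epoch/dist-tag suffixes on the version are assumptions. In dom0 the real file and real dnf output would be fed in instead.

```shell
#!/bin/sh
# Added example (not from the thread or Qubes OS): report which dom0 repos are
# permanently enabled and whether the installed Xen is the 4.6.6-36 XPTI build
# named in QSB #37. All input below is constructed so the script runs anywhere.

# Constructed stand-in for /etc/yum.repos.d/qubes-dom0.repo (layout assumed).
# A one-off --enablerepo run does not change these flags, which is why the
# security-testing repo still shows enabled = 0 after such an update.
SAMPLE_REPO_FILE='[qubes-dom0-current]
name = Qubes Dom0 Repository (updates)
enabled = 1

[qubes-dom0-current-testing]
name = Qubes Dom0 Repository (updates-testing)
enabled = 0

[qubes-dom0-security-testing]
name = Qubes Dom0 Repository (security-testing)
enabled = 0

[qubes-dom0-unstable]
name = Qubes Dom0 Repository (unstable)
enabled = 0
'

# Constructed stand-in for `dnf list installed` output in dom0 (epoch and
# dist tag are assumed; the "@repo" column shows where a package came from).
SAMPLE_DNF_OUTPUT='Installed Packages
qubes-core-dom0.x86_64        3.2.22-1.fc23       @qubes-dom0-current
xen.x86_64                    2001:4.6.6-36.fc23  @qubes-dom0-security-testing
xen-libs.x86_64               2001:4.6.6-36.fc23  @qubes-dom0-security-testing
'

# Print the names of repo sections whose "enabled" flag is 1.  $1: file contents
enabled_repos() {
    printf '%s\n' "$1" | awk '
        /^\[/ { section = substr($0, 2, length($0) - 2) }
        /^enabled[ \t]*=[ \t]*1[ \t]*$/ { print section }'
}

# Extract version-release of one installed package from dnf output, dropping
# the ".arch" suffix on the name, an epoch prefix and the dist tag.
# $1: package name (e.g. xen), $2: dnf output
installed_version() {
    printf '%s\n' "$2" | awk -v pkg="$1" '
        $1 ~ ("^" pkg "\\.") {
            v = $2
            sub(/^[0-9]+:/, "", v)      # drop epoch such as 2001:
            sub(/\.fc[0-9]+$/, "", v)   # drop dist tag such as .fc23
            print v; exit
        }'
}

# Numeric field-by-field comparison of dotted/hyphenated versions.
# Exit status 0 when $1 >= $2, 1 otherwise.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            ai = (i <= n) ? x[i] + 0 : 0
            bi = (i <= m) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# True when the installed xen is at or above the QSB #37 build.  $1: dnf output
xen_patched() {
    v=$(installed_version xen "$1")
    [ -n "$v" ] && version_ge "$v" "4.6.6-36"
}

# Demo run on the constructed data.
echo "Permanently enabled dom0 repos:"
enabled_repos "$SAMPLE_REPO_FILE"
echo "Installed xen: $(installed_version xen "$SAMPLE_DNF_OUTPUT")"
if xen_patched "$SAMPLE_DNF_OUTPUT"; then
    echo "xen is at or above 4.6.6-36 (XPTI build)"
else
    echo "xen is older than 4.6.6-36; run the update"
fi
```

On a real dom0 the equivalent one-liners are `dnf list installed xen` and `grep -n enabled /etc/yum.repos.d/qubes-dom0.repo`; the "@qubes-dom0-security-testing" origin column in dnf's output is what tells you the package came from the temporarily enabled repo rather than from stable.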


Re: [qubes-users] Re: [qubes-announce] [UPDATE] QSB #37: Information leaks due to processor speculative execution bugs (XSA-254, Meltdown & Spectre)

2018-01-24 Thread yrebstv
On 2018-01-24 15:12, Andrew David Wong wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> On 2018-01-24 16:14, yreb...@riseup.net wrote:
>> [...]
>>
>> So... there are packages *to be released *at some undefined point
>> in the near future? -- The following packages contain the patches
>> described above:
>>
>> - Xen packages, version 4.6.6-36 --
>>
>> via the normal dom0 update process ?   would be nice to see it in
>> simple English
>>
> 
> Sorry! We forgot to include our usual patching instructions. I've just
> created a pull request [1] to have this added to the QSB:
> 
> ```
> The specific packages that contain the XPTI patches for Qubes 3.2 are
> as follows:
> 
>   - Xen packages, version 4.6.6-36
> 
> The packages are to be installed in dom0 via the Qubes VM Manager or via
> the qubes-dom0-update command as follows:
> 
>   For updates from the stable repository (not immediately available):
>   $ sudo qubes-dom0-update
> 
>   For updates from the security-testing repository:
>   $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing
> 
> A system restart will be required afterwards.
> 
> These packages will migrate from the security-testing repository to the
> current (stable) repository over the next two weeks after being tested
> by the community.


1)
The latter (security) packages will migrate, I'd assume this means?

2)
Where would I find the repositories in dom0 for the track I'm currently
using?

3)
after doing the 1x security-testing repo update, how do I check which Xen
package is now installed? And/or how do I bring up the GUI
update manager? When it doesn't actually need to update, it doesn't
persist

cc: the list



Re: [qubes-users] Re: [qubes-announce] [UPDATE] QSB #37: Information leaks due to processor speculative execution bugs (XSA-254, Meltdown & Spectre)

2018-01-24 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2018-01-24 16:14, yreb...@riseup.net wrote:
> [...]
> 
> So... there are packages *to be released *at some undefined point
> in the near future? -- The following packages contain the patches
> described above:
> 
> - Xen packages, version 4.6.6-36 --
> 
> via the normal dom0 update process ?   would be nice to see it in
> simple English
> 

Sorry! We forgot to include our usual patching instructions. I've just
created a pull request [1] to have this added to the QSB:

```
The specific packages that contain the XPTI patches for Qubes 3.2 are
as follows:

  - Xen packages, version 4.6.6-36

The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new Xen
binaries.
```

[1] https://github.com/QubesOS/qubes-secpack/pull/18

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org




[qubes-users] Re: [qubes-announce] [UPDATE] QSB #37: Information leaks due to processor speculative execution bugs (XSA-254, Meltdown & Spectre)

2018-01-24 Thread yrebstv
On 2018-01-23 23:29, Andrew David Wong wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> Dear Qubes Community,
> 
> We have just updated Qubes Security Bulletin (QSB) #37:
> Information leaks due to processor speculative execution bugs.
> 
> The text of the main changes are reproduced below. For the full
> text, please see the complete QSB in the qubes-secpack:
> 
> 
> 
> Learn about the qubes-secpack, including how to obtain, verify, and
> read it:
> 
> 
> 
> View all past QSBs:
> 
> 
> 
> View XSA-254 in the XSA Tracker:
> 
> 
> 
> ```
> Changelog
> =========
> 
> 2018-01-11: Original QSB published
> 2018-01-23: Updated mitigation plan to XPTI; added Xen package versions
> 
> [...]
> 
> (Proper) patching
> =================
> 
> ## Qubes 4.0
> 
> As explained above, almost all the VMs in Qubes 4.0 are
> fully-virtualized by default (specifically, they are HVMs), which
> mitigates the most severe issue, Meltdown. The only PV domains in Qubes
> 4.0 are stub domains, which we plan to eliminate by switching to PVH
> where possible. This will be done in Qubes 4.0-rc4 and also released as
> a normal update for existing Qubes 4.0 installations. The only remaining
> PV stub domains will be those used for VMs with PCI devices. (In the
> default configuration, these are sys-net and sys-usb.) To protect those
> domains, we will provide the Xen page-table isolation (XPTI) patch, as
> described in the following section on Qubes 3.2.
> 
> ## Qubes 3.2
> 
> Previously, we had planned to release an update for Qubes 3.2 that would
> have made almost all VMs run in PVH mode by backporting support for this
> mode from Qubes 4.0. However, a much less drastic option has become
> available sooner than we and the Xen Security Team anticipated: what the
> Xen Security Team refers to as a "stage 1" implementation of the Xen
> page-table isolation (XPTI) mitigation strategy [5]. This mitigation
> will make the most sensitive memory regions (including all of physical
> memory mapped into Xen address space) immune to the Meltdown attack. In
> addition, this mitigation will work on systems that lack VT-x support.
> (By contrast, our original plan to backport PVH would have worked only
> when the hardware supported VT-x or equivalent technology.)
> 
> Please note that this mitigation is expected to have a noticeable
> performance impact. While there will be an option to disable the
> mitigation (and thereby avoid the performance impact), doing so will
> return the system to a vulnerable state.
> 
> The following packages contain the patches described above:
> 
>  - Xen packages, version 4.6.6-36
> 
> [...]
> 
> Here is an overview of the VM modes that correspond to each Qubes OS
> version:
> 
> VM type \ Qubes OS version         | 3.2 | 4.0-rc1-3 | 4.0-rc4 |
> ---------------------------------- | --- | --------- | ------- |
> Default VMs without PCI devices    | PV  | HVM       | PVH     |
> Default VMs with PCI devices       | PV  | HVM       | HVM     |
> Stub domains - Default VMs w/o PCI | N/A | PV        | N/A     |
> Stub domains - Default VMs w/ PCI  | N/A | PV        | PV      |
> Stub domains - HVMs                | PV  | PV        | PV      |
> 
> ```
> 
> On 2018-01-11 08:57, Andrew David Wong wrote:
>> Dear Qubes Community,
>>
>> We have just published Qubes Security Bulletin (QSB) #37:
>> Information leaks due to processor speculative execution bugs.
>> The text of this QSB is reproduced below. This QSB and its accompanying
>> signatures will always be available in the Qubes Security Pack
>> (qubes-secpack).
>>
>> View QSB #37 in the qubes-secpack:
>>
>> 
>>
>> Learn about the qubes-secpack, including how to obtain, verify, and
>> read it:
>>
>> 
>>
>> View all past QSBs:
>>
>> 
>>
>> View XSA-254 in the XSA Tracker:
>>
>> 
>>
>> ```
>>  ---===[ Qubes Security Bulletin #37 ]===---
>>
>>January 11, 2018
>>
>>
>> Information leaks due to processor speculative execution bugs
>>
>> Summary
>> 
>>
>> On the night of January 3, two independent groups of researchers
>> announced the results of their months-long work into abusing modern
>> processors' so-called speculative mode to leak secrets from the system's
>> privileged memory [1][2][3][4]. As a response, the Xen Security Team
>> published Xen Security Advisory 254 [5]. The Xen Security Team did _not_
>> previously share information about these problems via their (non-public)
>> security pre-disclosure list, of which the Qubes Security Team is a
>> member.
>>
>> In the limited time we've had to