Re: [qubes-users] XSA-273 - Impact on Qubes?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2018-08-25 16:50, Rusty Bird wrote: > Rob Fisher: >> I'm wondering when we can expect information on the impact of XSA-273 (1) on >> Qubes R4? > > I'd guess early next month: > https://groups.google.com/d/msg/qubes-users/Isn_hko7tQs/PcqIuUleEQAJ > We have now published QSB #43: L1 Terminal Fault speculative side channel (XSA-273). https://www.qubes-os.org/news/2018/09/02/qsb-43/ - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAluLW+AACgkQ203TvDlQ MDCCTBAAxhupcI68/IIuEKKCV8uoYM9Q9DKUxW70b99nh+HgFuVpbqMZJ87PeH4B d+z9rc7DQkPCoiW4hycCChOPyR6k7ZwPpPvD5FbuCXO63LboCD8lIoXSDKL4h6YV C7DPmjFx8HQPqF7jP30erbHegc7lr13t7tSAdS8ITVXfEV06JWrCilMRFTlwT0Ov 5jlpp9JHyQcgkITxuCokdPISJJk3F5GLDQ4YofU8i1FyeT8UvEHIStZhAT6WNMm5 laGq/QdYcw1Ma9yCbXZ0ElJD9VWEysEbxn1t70ulqQHYJNQrwM0uRlO+Jxd5JdgI w7HpEo1IPFuT28mh4x2NpQ7gTFMsN3hbgcMjlglBbYyPXZ6QwdOLOPp73f0pAAlC WBHhmFozOh2zb9XUGkj9yziDvLHyEIFckn+Z1u9CBITTgEMW1nvfzDZvSTwb5be9 L9EouciQ80xUWerp8AFx1OwnKk5teZrk1PxPY0CSIsNeVxhlgsBHSPxOfbbtkWOb iwxkrndspP5zqSDJmPMl2T/0pdQOh2fGx6T2hPluWb7/Xep02Jz9J+Ra+ZZ7YWRG p+PJWmPhrIagQ34AEBRPBrJjJ0XplBjBRBv850Goioz6e3Y++hKAGqCCqPYxVGeY T6mUTj6Ksw/Kvh8+l8roCnKj/Z7V66Ikvw6WdYNQyTMAR32YSOQ= =LIKN -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b74d7348-8691-4895-4e38-12b83a08c3dd%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] XSA-273 - Impact on Qubes?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Ivan Mitev: > On 08/26/2018 12:50 AM, Rusty Bird wrote: > > Rob Fisher: > >> what are the best options for a Qubes user right now? > > > > - - Add smt=off as a Xen boot parameter (which disables hyperthreading) > > smt=off doesn't seem to work though: > > $ xl dmesg | grep smt > (XEN) Command line: [...] smt=off > > $ xl info | grep thread > threads_per_core : 2 Shit, you're right! Xen commit f049cd67a99bcf773aa4fceeedd5d1de17b2a8eb ("x86: command line option to avoid use of secondary hyper-threads") was added to the 4.8 branches a few days _after_ the 4.8.4 release. I should have checked better... Rusty -BEGIN PGP SIGNATURE- iQJ8BAEBCgBmBQJbgpwfXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0 NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfgqsP/1xUuJNoRlbB1w9TAOL08Ei4 3Md4lfJ+uxbgPorrEw1Z9dyq1VX9o/u/zapZjziEYBCSSSp7PSr8iECJ66TJlZXV +tS30QAI4u/t6sf6wX7KPXVEaWE2FmlU7o/ID/mCaXPTUtTxDZewe3Q35kcKrNcp +pnGxOEM/DV3EQ6noYvK30sOWUxLwBG9XH/DzUCLVTUn0gjPAiEMgna39US4e9Cu YB5EK+cvSwnCBc3xawcLRHfMV3XnjVw2R3zN8VjHrm0xmbqUT9kXBjxBUX9xnd1v zrnlHsO8frZ1mx4F8GomdoYSK2qrnJjkYuvuwJGZexqBGu/N3G5FkWqSbRj0a1mj DN/i5PeQNQ+qnh42tpKjAbZBr2Zyb0kZGhZl30XTZJNfdlxdoShFUoIRExE6EwiT 7JCAcfxoF32YylsTLeklRNK/OODB6ihPkVeds/DNencM/ALINdJOYnSnHv1EsSl1 JcLAZ2vHHAhAn39kimHIQchPTMU+sBB/g3LSlHHZovXmduRhQw8TsW2BD0rF38G8 84iLAeJ8AIHQUFl5cWxDYFJGbizczfSzymPF9bVaWFVreJXqdFAYkP4sIku05OYE qP6P+u05dxN2eH/xaKAXgHV8LiRWtcEP+Vrj7kXphJG6MtmpqTPWcNMgtjP9sxsa miFJi6nxt0dqqX9SFvqa =39ak -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180826122503.GA966%40mutt. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] XSA-273 - Impact on Qubes?
On 08/26/2018 12:50 AM, Rusty Bird wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Rob Fisher: >> I'm wondering when we can expect information on the impact of XSA-273 (1) on >> Qubes R4? > > I'd guess early next month: > https://groups.google.com/d/msg/qubes-users/Isn_hko7tQs/PcqIuUleEQAJ > >> what are the best options for a Qubes user right now? > > - - Add smt=off as a Xen boot parameter (which disables hyperthreading) FWIW I was wondering how to turn off HT last week on a thinkpad 450s (i7, 2 cores) which doesn't have a "disable HT" bios option. I had overlooked the smt= boot option and tried maxcpus=2 but this left me with 1 core/2 threads instead of 2 cores / no HT. smt=off doesn't seem to work though: $ xl dmesg | grep smt (XEN) Command line: [...] smt=off $ xl info | grep thread threads_per_core : 2 $ xenpm get-cpu-topology shows CPU0, CPU1, CPU2, CPU3 $ xl vcpu-list shows that CPUs # 0-3 are randomly assigned to VCPUs # 0-3 Does smt=off work for you ? One possible workaround would be to pin CPUs to VMs. Another one would be to remove CPU1 and CPU3 from the cpu pool, like so: $ xl cpupool-cpu-remove Pool-0 1 $ xl cpupool-cpu-remove Pool-0 3 but: - I have no idea if this is identical to disabling HT - 'xl vcpu-list' shows that only CPU0 and CPU2 are used, but VMs still use 4 VCPUs - even VMs started after removing the CPUs - which doesn't seem optimal wrt context switching overhead. > - - If you're worried that some VM might want to steal data from another, > try not to run both at the same time > - - Hole up, have a nice cup of offline and wait for all this to blow over > > Rusty > -BEGIN PGP SIGNATURE- > > iQJ8BAEBCgBmBQJbgc8qXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w > ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0 > NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfr38P/1KtCRK5qEvTcCTVLVbwYZHj > k63iIhA6n7wzRaV8oaOq7YrRzFryNoikeU2eqYe+T6Rwuw3hBE842pN+rABTJ7BS > Lb9UdUaC14y481Ad0uMxR4MvE+zKx6Ok4XuHTEwpZXDPw5URqNLNwp0+3ll1MXj2 > lkRFqb9/IuwdR491YpQQAfjkD/EfHkMvd+TJAGowkUOBFno9605x8fLYRCMw0ZTL > U0c0amlRSeM57bhqPR0fMtc3rfFT/w+wZS1QHoq881qXfx9E29HjjOnTI3E1EN0I > MRbh222HsjScvl2O7OPbDUzIQW6uC/rZPYKrekMNYfK0c+sfUCehLE/RUNp3qdUf > 8dEpVL5uBFIL4wBSN4g9GIFa2wmHvnrJ90v7U7pJ61iWoA1vaKEARlECZU7u3+EH > rOXSdb0+o7RtOItY/Lb8e/qfZxfScvvCb2n7dz1fqFFB2dXd7pIixMT7cERPbvsR > AGiqs6hkmHKKuw38xeKhhl5yVQQhIa77WgAVVHQ0mXu0sqGOWPLA30kwp4Tioqvh > HgKl9OtEUlVfYDj9HOuRdKM7Ns8rxLyDuYd6ENDgkMIC8QCEmE6blmnkJybR2mBo > knEQ0vgRQ++R8eG0b+3u7a97Up94D6FhDGA5b042a0wOGgBEG7e9/sefwCOskXGL > pnSyzaTOZPeHlStNxxhf > =bImI > -END PGP SIGNATURE- > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6a13160c-e502-63e5-c80b-5fb0980daa36%40maa.bz. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] XSA-273 - Impact on Qubes?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 'awokd' via qubes-users: > > Rob Fisher: > >> what are the best options for a Qubes user right now? ^ > Get Qubes running on non-x86 architectures less prone to > vulnerabilities! Don't hold your breath ;) Rusty -BEGIN PGP SIGNATURE- iQJ8BAEBCgBmBQJbgdhiXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0 NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfHXsP/Avjd7ZuwBIx1wDg90aoq6xE lNHxEMhly2z8KXfNzLOg/H+3yF7gg+DeKo9wU0gAKm2O1grxt9TWgvju3Wje1Wdu gvEIo6Ew/oK/UFl5oQLFR/5F+zCjMaB7SAqf1hKZsJhLm82PrF8kXtwm1+y/CZTE IB7ci8x0lB+2p0571uMuu1HMgTTHn+e/UfKbANbHrgBClYgsBgasZD6wy99gOKOY f4pcSfd3wQ3lmg5D8U44Pg5NMnGHFnhsu1prqbrsYFSwzLxkhWD6mODvYZ2G8BbM +F/49iIafiGrhOrLGF+M/jnH/rIYT48IZEM90IFoS55WbeFZdvjID7inqFBDUbc2 EyyxuPUXku80NTuVlJP9t4/tinH7K+IfK5VV9F3jjU4tMO8kgdKJ+LMDkLGaKUoW Qy22Lm2EWDNXBFMopxwcHeIp19RbIYKEcjMrknI6XT2LPt4Dfg/Ibd8F5k95/SC4 LFAxA4BJJXyJQdaIdit2t//38h0N7irmP6bDpihNjW0zVgAZwUNd/u1gwtLYS5z4 RHwfIdHnHv1ZG9mV3noMiVJLDgml0RTkuyCz+dEmYe6X5MhChdsmDqcLm2/xC5cW lOwULl6dFbYVudOfi0yJnrXHSSDGINLYweSBJEuMC4nSfmab5vKr4Qvk3arJIw1i ebXtbANVEiih6ZkBuW2a =H494 -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180825222954.GA1510%40mutt. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] XSA-273 - Impact on Qubes?
On Sat, August 25, 2018 9:50 pm, Rusty Bird wrote: > Rob Fisher: >> what are the best options for a Qubes user right now? > > - - Add smt=off as a Xen boot parameter (which disables hyperthreading) > to make the attack harder? - - If you're worried that some VM might want to > steal data from another, try not to run both at the same time - - Hole up, > have a nice cup of offline and wait for all this to blow over Get Qubes running on non-x86 architectures less prone to vulnerabilities! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8ea6fd3870e89af5360fad70c59c8399.squirrel%40tt3j2x4k5ycaa5zt.onion. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] XSA-273 - Impact on Qubes?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Rob Fisher: > I'm wondering when we can expect information on the impact of XSA-273 (1) on > Qubes R4? I'd guess early next month: https://groups.google.com/d/msg/qubes-users/Isn_hko7tQs/PcqIuUleEQAJ > what are the best options for a Qubes user right now? - - Add smt=off as a Xen boot parameter (which disables hyperthreading) to make the attack harder? - - If you're worried that some VM might want to steal data from another, try not to run both at the same time - - Hole up, have a nice cup of offline and wait for all this to blow over Rusty -BEGIN PGP SIGNATURE- iQJ8BAEBCgBmBQJbgc8qXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0 NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfr38P/1KtCRK5qEvTcCTVLVbwYZHj k63iIhA6n7wzRaV8oaOq7YrRzFryNoikeU2eqYe+T6Rwuw3hBE842pN+rABTJ7BS Lb9UdUaC14y481Ad0uMxR4MvE+zKx6Ok4XuHTEwpZXDPw5URqNLNwp0+3ll1MXj2 lkRFqb9/IuwdR491YpQQAfjkD/EfHkMvd+TJAGowkUOBFno9605x8fLYRCMw0ZTL U0c0amlRSeM57bhqPR0fMtc3rfFT/w+wZS1QHoq881qXfx9E29HjjOnTI3E1EN0I MRbh222HsjScvl2O7OPbDUzIQW6uC/rZPYKrekMNYfK0c+sfUCehLE/RUNp3qdUf 8dEpVL5uBFIL4wBSN4g9GIFa2wmHvnrJ90v7U7pJ61iWoA1vaKEARlECZU7u3+EH rOXSdb0+o7RtOItY/Lb8e/qfZxfScvvCb2n7dz1fqFFB2dXd7pIixMT7cERPbvsR AGiqs6hkmHKKuw38xeKhhl5yVQQhIa77WgAVVHQ0mXu0sqGOWPLA30kwp4Tioqvh HgKl9OtEUlVfYDj9HOuRdKM7Ns8rxLyDuYd6ENDgkMIC8QCEmE6blmnkJybR2mBo knEQ0vgRQ++R8eG0b+3u7a97Up94D6FhDGA5b042a0wOGgBEG7e9/sefwCOskXGL pnSyzaTOZPeHlStNxxhf =bImI -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180825215034.GA1241%40mutt. For more options, visit https://groups.google.com/d/optout.
[qubes-users] XSA-273 - Impact on Qubes?
I'm wondering when we can expect information on the impact of XSA-273 (1) on Qubes R4? I can't help but notice it's absence from the Qubes XSA-tracker page (2). Some OS Vendors have implemented kernel patches in an attempt to mitigate these vulnerabilities, but as of yet I haven't seen any such patches to the qubes-kernel-vm or the Hypervisor. In the common case that microcode updates aren't possible via a BIOS update (HW vendor not made them available), and disabling hyper-threadding is not possible in the BIOS - what are the best options for a Qubes user right now? Thanks, Rob. Links: (1) - https://xenbits.xen.org/xsa/advisory-273.html (2) - https://www.qubes-os.org/security/xsa/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9075ff94cda5166e16d7c3a189ab576a%40posteo.net. For more options, visit https://groups.google.com/d/optout.