Re: [qubes-users] 2 new Intel vulnerabilites
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Thu, Nov 14, 2019 at 10:37:33AM -0800, Lorenzo Lamas wrote: > Btw, do you think it is possible for Qubes to distribute the Intel > fTPM(http://tpm.fail/) update somehow like Qubes does with microcodes? I don't think it's directly possible, this part of the system firmware is specific to particular device configuration (bundled together with the rest of BIOS/UEFI), not only CPU. A quote from Intel advisory: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00241.html | Intel recommends that users of Intel® CSME, Intel® SPS, Intel® TXE, | Intel® AMT and Intel® DAL update to the latest version provided by the | system manufacturer that addresses these issues. There could be a way to ease updating system firmware by integrating fwupd, but it isn't done yet: https://github.com/QubesOS/qubes-issues/issues/4855 - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl3PEHUACgkQ24/THMrX 1yy5rAf+OUCwS/oIGN04ps6Skv19pwCL8gkKizEoncXduI5nXUI1hBcqtmfBPbUj orJqWt65YKQPeCnWubbJHHA5cIe0KtG/yPTtMcG98caU8Qi1y/vi2Nv7lt6+y1GL BbGe/O2ZHYuZAMGLg9bbk3ZXmQ8hrAyHCB+3vvVxIlrPHkOShjpHztsgguug00MI sPNdg9IHurPNwbwbMgwHGIUDOgFr7MilGT1y3afzBEIrHZCT5SaPHernUYGd7oD9 PmhGsb5grJo5eYDO+wiizrW/by2BUXH+4Qeimtxk+N7xqqk7/btQXl77dOGQ5k/t 1uNcXNluSAXVspKvKJTIXhGlpJmAMQ== =cXye -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191115205412.GB4164%40mail-itl.
Re: [qubes-users] 2 new Intel vulnerabilites
haaber: > Just a small comprehension question to the microkerel update shipped in > the last xen update: are these microkernels "flashed" into some cpu > memory, or are they re-run / setup at each boot again? Cheers, Bernhard > I think you mean microcode. From what I know, the CPU starts with burned in microcode. Firmware/BIOS will then patch it if it has a more current version. The OS will then patch it again if a more current version. -- - don't top post Mailing list etiquette: - trim quoted reply to only relevant portions - when possible, copy and paste text instead of screenshots -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b8823271-c8ad-6aa8-3d73-040a0e9d5b37%40danwin1210.me.
Re: [qubes-users] 2 new Intel vulnerabilites
Just a small comprehension question to the microkerel update shipped in the last xen update: are these microkernels "flashed" into some cpu memory, or are they re-run / setup at each boot again? Cheers, Bernhard -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/eda58fcc-eb54-2caf-fa56-6dfdd0c2f5fa%40web.de.
Re: [qubes-users] 2 new Intel vulnerabilites
On Thursday, November 14, 2019 at 2:57:19 PM UTC+1, Andrew David Wong wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On 2019-11-14 6:28 AM, Andrew David Wong wrote: > > On 2019-11-13 12:40 PM, Lorenzo Lamas wrote: > >> There are 2 new vulnerabilities in Intel CPU's, also affecting > >> Xen. Xen has issued XSA-304(CVE-2018-12207) and XSA > >> 305(CVE-2019-11135). Is the Qubes team aware yet? I haven't seen > >> a new QSB. > > > > > > Yes, we're aware. We're currently in the process of preparing > > announcements about these XSAs. > > > > Typically, XSAs have a predisclosure period, during which the XSA > > is embargoed, and the Qubes Security Team has time to analyze it > > and prepare patches and an announcement. However, these XSAs had > > no embargo period, so the Qubes Security Team had no advance notice > > of them before they were publicly announced. > > > > The announcements have been published: > > https://www.qubes-os.org/news/2019/11/13/xsa-304-qubes-not-affected/ > > https://www.qubes-os.org/news/2019/11/13/qsb-053/ > > - -- > Andrew David Wong (Axon) > Community Manager, Qubes OS > https://www.qubes-os.org > > -BEGIN PGP SIGNATURE- > > iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAl3NXTIACgkQ203TvDlQ > MDB1tRAAwCpQCkP52V7LlN7TJGA2jdJGffw+Wp12l66m3fmY/y3FnxZnVBR8Q+Jm > rZ2TDW/khZVUyi3Oq8OH9BwClIBgO9k3HLu/Cjt68QoKsth24SRmufdzDicsBzJG > BFwXpX/uxJ7U08Ja1vlRWj3wln0pCc5xFKMkpDLMQ/3xaL/bAdXgMcxx5eAIUrjI > rd2V5UkqQsIFnEIfWyyVI45gcr8jCIb2P5TZ9yKuyKmHJQHBqYUlLwuc0cK+Az+J > 4SXwTMpp1H1F+iKhyageOgbCZQiVdxbodlw3rAyvA/rZ1zxogN+q27yfIkQu9TBO > Mj461YeX/bAHM35WNPJhCSH9Ivm/ahBGBCJxpwuZF9BWWE1gLfjQuZsEUQbJizjc > hn3oxsw2yFSg0bEuRJxkgHr9f/e2LnPDOc5lRJ/HY6ST2739CZfVgrxTV+4wKusv > c4/TGuXigOIKisLE3QBUFewZESbo6SfdLPDNHcgUWpunk66g/xMMGvTFIRcXbzWt > hKcnKj3+9qWFhJbuRF5VWDDuVIF0/biXglQAsUVM3q6xK5OKDTjXGR6M/DvQGH68 > sNEEOY8K+OcbGvX0188IGrrmK25i5X0z+0U4hFJFOi8e1iKh24a6cCi9hJ//Sotj > q0t5EUspfPzz7i6yE/FU1N0USZQSENtZKz18LV+NsEiQoO9qDaU= > =J53Z > -END PGP SIGNATURE- > > Thank you, and thanks for the earlier explanation! > Btw, do you think it is possible for Qubes to distribute the Intel > fTPM(http://tpm.fail/) update somehow like Qubes does with microcodes? > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4c7f4ddb-03e6-4894-a6d3-a3bb6fc64b41%40googlegroups.com.
Re: [qubes-users] 2 new Intel vulnerabilites
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2019-11-14 6:28 AM, Andrew David Wong wrote: > On 2019-11-13 12:40 PM, Lorenzo Lamas wrote: >> There are 2 new vulnerabilities in Intel CPU's, also affecting >> Xen. Xen has issued XSA-304(CVE-2018-12207) and XSA >> 305(CVE-2019-11135). Is the Qubes team aware yet? I haven't seen >> a new QSB. > > > Yes, we're aware. We're currently in the process of preparing > announcements about these XSAs. > > Typically, XSAs have a predisclosure period, during which the XSA > is embargoed, and the Qubes Security Team has time to analyze it > and prepare patches and an announcement. However, these XSAs had > no embargo period, so the Qubes Security Team had no advance notice > of them before they were publicly announced. > The announcements have been published: https://www.qubes-os.org/news/2019/11/13/xsa-304-qubes-not-affected/ https://www.qubes-os.org/news/2019/11/13/qsb-053/ - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAl3NXTIACgkQ203TvDlQ MDB1tRAAwCpQCkP52V7LlN7TJGA2jdJGffw+Wp12l66m3fmY/y3FnxZnVBR8Q+Jm rZ2TDW/khZVUyi3Oq8OH9BwClIBgO9k3HLu/Cjt68QoKsth24SRmufdzDicsBzJG BFwXpX/uxJ7U08Ja1vlRWj3wln0pCc5xFKMkpDLMQ/3xaL/bAdXgMcxx5eAIUrjI rd2V5UkqQsIFnEIfWyyVI45gcr8jCIb2P5TZ9yKuyKmHJQHBqYUlLwuc0cK+Az+J 4SXwTMpp1H1F+iKhyageOgbCZQiVdxbodlw3rAyvA/rZ1zxogN+q27yfIkQu9TBO Mj461YeX/bAHM35WNPJhCSH9Ivm/ahBGBCJxpwuZF9BWWE1gLfjQuZsEUQbJizjc hn3oxsw2yFSg0bEuRJxkgHr9f/e2LnPDOc5lRJ/HY6ST2739CZfVgrxTV+4wKusv c4/TGuXigOIKisLE3QBUFewZESbo6SfdLPDNHcgUWpunk66g/xMMGvTFIRcXbzWt hKcnKj3+9qWFhJbuRF5VWDDuVIF0/biXglQAsUVM3q6xK5OKDTjXGR6M/DvQGH68 sNEEOY8K+OcbGvX0188IGrrmK25i5X0z+0U4hFJFOi8e1iKh24a6cCi9hJ//Sotj q0t5EUspfPzz7i6yE/FU1N0USZQSENtZKz18LV+NsEiQoO9qDaU= =J53Z -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7a47d867-6068-9758-f277-1c0a269db6b5%40qubes-os.org.
Re: [qubes-users] 2 new Intel vulnerabilites
On 11/14/19 7:28 AM, Andrew David Wong wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2019-11-13 12:40 PM, Lorenzo Lamas wrote: There are 2 new vulnerabilities in Intel CPU's, also affecting Xen. Xen has issued XSA-304(CVE-2018-12207) and XSA 305(CVE-2019-11135). Is the Qubes team aware yet? I haven't seen a new QSB. Yes, we're aware. We're currently in the process of preparing announcements about these XSAs. Typically, XSAs have a predisclosure period, during which the XSA is embargoed, and the Qubes Security Team has time to analyze it and prepare patches and an announcement. However, these XSAs had no embargo period, so the Qubes Security Team had no advance notice of them before they were publicly announced. The researchers behind these MDS vuln disclosures were being strung along by Intel, who kept changing embargo dates. Eventually they decided to simply publish because the proposed patches from Intel were not addressing a large number of possible attacks. I have summary, links and some advice here: https://groups.google.com/d/msgid/qubes-users/85c426f7-7e17-b1ab-87c3-71f92d169955%40posteo.net In short, Intel have played a monopolist's game and delivered products that match; Its much better (and simpler) for people to move to AMD at least for the time being. It would help if the Qubes community had some clear AMD choices. -- Chris Laprise, tas...@posteo.net https://github.com/tasket https://twitter.com/ttaskett PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f82a8a41-2bd1-84de-fcfa-61b5e4fa744a%40posteo.net.
Re: [qubes-users] 2 new Intel vulnerabilites
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2019-11-13 12:40 PM, Lorenzo Lamas wrote: > There are 2 new vulnerabilities in Intel CPU's, also affecting Xen. > Xen has issued XSA-304(CVE-2018-12207) and XSA 305(CVE-2019-11135). > Is the Qubes team aware yet? I haven't seen a new QSB. > Yes, we're aware. We're currently in the process of preparing announcements about these XSAs. Typically, XSAs have a predisclosure period, during which the XSA is embargoed, and the Qubes Security Team has time to analyze it and prepare patches and an announcement. However, these XSAs had no embargo period, so the Qubes Security Team had no advance notice of them before they were publicly announced. - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAl3NSEQACgkQ203TvDlQ MDDX8xAAlbt56HUIhFc13wh1F6E9H0aU2cve5Kp8Z9VmIvIp+yJP2RKr6jU4BLXJ Pxee0Peax/yZBwl7cg99plpssz1hGNn7mAv3Fgjcs23YVMPvHc5w6GtqTwayrKHF yFjLjA0b48gtPryP4qe5DYg+IZkaA7GIMDiHXoRafOLvQXP4KaH2x/SjsES0VXIh ZMfasNe5KHznn0aODpvGZC7znNkhUt3VP0xYeijGup2+ZoptDhxtYtUlKx8Y+Jqk uxPkfY9bUgqhqqKTmNCYQ+g53LgU+kn5ulITmunwEYkgQ+WD23Y7mT9rq9Uj/pro XCaMMNhVVm4iUSvOO5MwuzxJqpX3ae2BHbsg096uNzk6zpAb8dkNfvZsV0cm/b2X j94Uc4hG2MlLgI6U0by7/PYMc5n0oaSYGS9Jfrjz7TiTStId/sdRty1iVcerGjrl /+oyRG8wuVfiOVF0QJfDZ4ds6BX0aOssR8rhyJkdJVBfTRJTdF94mQRt8V6XK1rT ZqGHGATDXDIb1TseqOtnDoRjevlszATErPJSEnMMMpYT7VFSDt9Xy4UnPGLeF+oi Ba18M1yuH+WGS+g0zA3ESYf98Nbs9iILUTi0/BaNC0tQj6GrKOpJtCcZVoBlEAsz xi/ZafAVvjRWnRDSxaDewIl2bwpvrDJp71TunU8FX89rYR9NvDY= =5FCB -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/46cbe0d6-7941-97a2-4a97-df044695f187%40qubes-os.org.