Upgrade dom0 to mitigate risk of a Meltdown attack in Qubes

Qubes-Whonix R3.2 users should upgrade dom0 as a priority (my emphasis below).

Update for QSB #37: Information leaks due to processor speculative execution bugs (XSA-254, Meltdown & Spectre) | Qubes OS

Qubes 3.2

Previously, we had planned to release an update for Qubes 3.2 that would have made almost all VMs run in PVH mode by backporting support for this mode from Qubes 4.0. However, a much less drastic option has become available sooner than we and the Xen Security Team anticipated: what the Xen Security Team refers to as a “stage 1” implementation of the Xen page-table isolation (XPTI) mitigation strategy [5]. This mitigation will make the most sensitive memory regions (including all of physical memory mapped into Xen address space) immune to the Meltdown attack. In addition, this mitigation will work on systems that lack VT-x support. (By contrast, our original plan to backport PVH would have worked only when the hardware supported VT-x or equivalent technology.)

Please note that this mitigation is expected to have a noticeable performance impact. While there will be an option to disable the mitigation (and thereby avoid the performance impact), doing so will return the system to a vulnerable state.

The specific packages that contain the XPTI patches for Qubes 3.2 are as follows:

  • Xen packages, version 4.6.6-36

The packages are to be installed in dom0 via the Qubes VM Manager or via the qubes-dom0-update command as follows:

For updates from the stable repository (not immediately available):
$ sudo qubes-dom0-update

For updates from the security-testing repository:
$ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.
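As an added check (not part of the QSB or of Qubes project code), the following dom0 script confirms that the installed Xen package is at least the 4.6.6-36 release named above. It assumes dom0 is RPM-based and that the hypervisor package is queryable as `xen`; the comparison treats the dotted version and the dash-separated release as numeric fields, so a trailing dist tag such as `.fc23` (a constructed example of what the release field may carry) is ignored.

```shell
#!/bin/sh
# Added example: verify that dom0 carries the mitigated Xen package
# release from the QSB #37 update for Qubes 3.2. Not Qubes project code.

REQUIRED_XEN="4.6.6-36"   # release named in the QSB text above

# xen_version_ge REQUIRED INSTALLED
# Returns 0 when INSTALLED is greater than or equal to REQUIRED.
# Both strings are split on '.' and '-' and compared field by field as
# integers; non-numeric fields (e.g. a "fc23" dist tag) count as 0.
xen_version_ge() {
    awk -v req="$1" -v have="$2" 'BEGIN {
        n = split(req,  r, /[.-]/)
        m = split(have, h, /[.-]/)
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            a = (i <= n) ? r[i] + 0 : 0
            b = (i <= m) ? h[i] + 0 : 0
            if (b > a) exit 0
            if (b < a) exit 1
        }
        exit 0
    }'
}

# check_dom0_xen_package
# Queries the installed Xen package via rpm (assumed package name: xen)
# and reports whether it meets REQUIRED_XEN. Returns 0 if it does,
# 1 if it is older, 2 if the query itself failed.
check_dom0_xen_package() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; run this inside dom0" >&2
        return 2
    fi
    installed=$(rpm -q --queryformat '%{VERSION}-%{RELEASE}' xen) || {
        echo "could not query the xen package" >&2
        return 2
    }
    if xen_version_ge "$REQUIRED_XEN" "$installed"; then
        echo "xen $installed installed: XPTI package present (restart required for it to take effect)"
        return 0
    fi
    echo "xen $installed installed: older than $REQUIRED_XEN, update dom0" >&2
    return 1
}

# Invoke with "check" to run against the local dom0.
case "${1:-}" in
    check) check_dom0_xen_package ;;
esac
```

Run as `sh check-xen.sh check` in dom0. The package check only shows what is on disk; because the hypervisor is loaded at boot, the system still has to be restarted, after which `xl info` reports the version of the Xen build that is actually running.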
