Qubes (and by extension Qubes-Whonix) is no longer vulnerable after dom0 upgrades.
Created a whonixcheck test.
https://github.com/Whonix/whonixcheck/commit/4d65231b87b1dbc7827cd47c86f1f4d5476bcda2
Test not yet enabled by default. Package not updated yet.
whonixcheck --verbose --cli --gui --function check_spectre_meltdown
Will enable by default later. Only for platforms where this is fixable? Or all? Let’s suppose it can only be fixed in Qubes but not VirtualBox / KVM? We tell users about it “not our fault, but well, trash your hardware if you can’t fix it if you want to be secure”?
Wording suggestions welcome since this could be a major source of support requests.
WARNING: Spectre Meltdown Test Result: Vulnerable.
Technical information:
sudo spectre-meltdown-checker --paranoid
exited with code 1.Recommendation:
See Spectre Meltdown - Whonix.
(The part WARNING:
is not flexible. It’s either INFO:
, WARNING:
or ERROR:
. All other text is flexible.)
Enable it for all and then link to a wiki page that lists advice for all hypervisors we support.
KVM Is fixable it just happens my hardware has a problem accepting the microcode not a general problem for everyone. Also the next release will have passthrough enabled making the default config safe for consumption.
Alright. Will enable for everyone by default.
Updated wording:
WARNING: Spectre Meltdown Test Result: Vulnerable.
Technical information:
sudo spectre-meltdown-checker --paranoid
exited with code 1.Recommendation:
See Spectre Meltdown - Whonix.If you know what you are doing, feel free to disable this check. Create a file /etc/whonix.d/50_whonixcheck_user.conf and add:
whonixcheck_skip_functions+=" check_spectre_meltdown "
Please populate Spectre Meltdown - Whonix with platform specific instructions etc., i.e. how to modify existing VMs settings, keep in mind multiple VMs.
spectre-meltdown-checker will be installed in Whonix by default. Dependency of whonixcheck.
https://github.com/Whonix/Whonix/commit/47d9bdde4f9985aa8b29d64c2bd81f17addf18b6
Available in stable-proposed-updates and testers repository.
Late boot microcode loading can be forced and does appear to happen in kernel logs.
echo 1 > /sys/devices/system/cpu/microcode/reload
VirtualBox ticket created:
VirtualBox 5.2.18 vulnerable to spectre/meltdown despite microcode being installed
How to reproduce:
A host running Debian stretch. Using VirtualBox version 5.2.18. A guest running Debian stretch.
Host using stretch-backports with get access to newer microcode. (Old versions are incapable to show spectre/meltdown fixed.)
spectre-meltdown-checker being installed on host and in guest from stretch-backports. (Old versions are incapable to show spectre/meltdown fixed.)
sudo su -c "echo -e 'deb http://http.debian.net/debian stretch-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list" sudo apt-get update sudo apt-get -t stretch-backports install spectre-meltdown-checker
Suppose microcode being installed.
Intel:
sudo apt-get -t stretch-backports install intel-microcode
Amd:
sudo apt-get -t stretch-backports install amd64-microcode
Suppose running spectre-meltdown-checker on the host looks fine.
sudo spectre-meltdown-checker --paranoid ; echo $?
By fine I mean exit code 0 and not showing “vulnerable”.
Suppose using all VirtualBox spectre/meltdown defense options.
VBoxManage modifyvm vm-name --ibpb-on-vm-entry on VBoxManage modifyvm vm-name --ibpb-on-vm-exit on VBoxManage modifyvm vm-name --spec-ctrl on VBoxManage modifyvm vm-name --l1d-flush-on-sched off
(These options were introduced in VirtualBox version 5.2.18.)
Expected result:
spectre-meltdown-checker in guest VM saying “all fine”.
sudo spectre-meltdown-checker --paranoid ; echo $?
By fine I mean exit code 0 and not showing “vulnerable”.
Actual result:
spectre-meltdown-checker reporting vulnerable.
Questions:
Can you reproduce the same issue?
Were all necessary steps performed to protect the guest from spectre/meltdown?
Is this a VirtualBox issue or false-positive in spectre-meltdown-checker?
Previouly experimental command
VBoxManage modifyvm "Whonix-Gateway" --l1d-flush-on-sched off
VBoxManage modifyvm "Whonix-Workstation" --l1d-flush-on-sched off
was wrong. Should be actually:
VBoxManage modifyvm "Whonix-Gateway" --l1d-flush-on-sched on
VBoxManage modifyvm "Whonix-Workstation" --l1d-flush-on-sched on
Could you please try with --l1d-flush-on-sched on
? @nurmagoz
Just now corrected the wiki template:
Please also apply:
VBoxManage modifyvm "Whonix-Gateway" --l1d-flush-on-vm-entry on
VBoxManage modifyvm "Whonix-Workstation" --l1d-flush-on-vm-entry on
Please also apply:
VBoxManage modifyvm "Whonix-Gateway" --nestedpaging off
VBoxManage modifyvm "Whonix-Workstation" --nestedpaging off
I am more confident now that it will be correct and complete. Theory for now. Still needs to be tested.
If the host operating system is considered spectre/meltdown safe, will VirtualBox guests in extension also be spectre/meltdown safe?
Output needed.
sudo spectre-meltdown-checker --paranoid -v -v -v
And.
sudo sh -x /usr/bin/spectre-meltdown-checker --paranoid -v -v -v
No problem on my hardware i.e. no warning
Qubes is sorted. VirtualBox is the issue currently.
I dunno if this already solved by qubes or even patched by intel…
Spectre V2 seems to be gonna be disabled by default for linux , more to read here:
“When performance goes down by 50 percent on some loads, people need to start asking themselves whether it was worth it. It’s apparently better to just disable SMT entirely, which is what security-conscious people do anyway,” wrote Torvalds.
seven new Meltdown and Spectre attacks
https://groups.google.com/forum/#!topic/qubes-users/eTSZ5vb5ugo
More nasty things now:
- Foreshadow
I have installed intel-microcode on debian buster host and it doesnt solve the issue and it shows with spectre-meltdown-checker:
CVE-2018-3640 aka ‘Variant 3a, rogue system register read’
CVE-2018-3615 aka ‘Foreshadow (SGX), L1 terminal fault’
It mentioned here microcode updates should solve the problems:
https://security-tracker.debian.org/tracker/CVE-2018-3640
https://security-tracker.debian.org/tracker/CVE-2018-3615
im using debian buster + intel-microcode installed version 3.20190321.1
(with Qubes case microcode_ctl-2:2.1-26.qubes1.fc25.x86_64
) and the checker shows that im vulnerable ?!
Either false positive from the checker or microcode update opens some old vulnerabilities.
(spectre-meltdown-checker version 0.40-3 and 0.40-1~bpo9+1 same results)
cc @Patrick @HulaHoop @torjunkie @Algernon can you test that ? All my PCs showing the same results in debian buster & Qubes.