[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

Whonix vulerable due to missing processor microcode packages? spectre / meltdown / retpoline / L1 Terminal Fault (L1TF)


#41

Qubes (and by extension Qubes-Whonix) is no longer vulnerable after dom0 upgrades.

https://github.com/QubesOS/qubes-issues/issues/4262#issuecomment-419737145


#42

Created a whonixcheck test.

Test not yet enabled by default. Package not updated yet.

whonixcheck --verbose --cli --gui --function check_spectre_meltdown

Will enable by default later. Only for platforms where this is fixable? Or all? Let’s suppose it can only be fixed in Qubes but not VirtualBox / KVM? We tell users about it “not our fault, but well, trash your hardware if you can’t fix it if you want to be secure”?

Wording suggestions welcome since this could be a major source of support requests.

WARNING: Spectre Meltdown Test Result: Vulnerable.

Technical information:
sudo spectre-meltdown-checker --paranoid
exited with code 1.

Recommendation:
See https://www.whonix.org/wiki/Spectre_Meltdown.

(The part WARNING: is not flexible. It’s either INFO:, WARNING: or ERROR:. All other text is flexible.)


#43

Enable it for all and then link to a wiki page that lists advice for all hypervisors we support.

KVM Is fixable it just happens my hardware has a problem accepting the microcode not a general problem for everyone. Also the next release will have passthrough enabled making the default config safe for consumption.


#45

Alright. Will enable for everyone by default.

Updated wording:

WARNING: Spectre Meltdown Test Result: Vulnerable.

Technical information:
sudo spectre-meltdown-checker --paranoid
exited with code 1.

Recommendation:
See https://www.whonix.org/wiki/Spectre_Meltdown.

If you know what you are doing, feel free to disable this check. Create a file /etc/whonix.d/50_whonixcheck_user.conf and add:

whonixcheck_skip_functions+=" check_spectre_meltdown "

Please populate https://www.whonix.org/wiki/Spectre_Meltdown with platform specific instructions etc., i.e. how to modify existing VMs settings, keep in mind multiple VMs.


#46

spectre-meltdown-checker will be installed in Whonix by default. Dependency of whonixcheck.

Available in stable-proposed-updates and testers repository.


#47

#48

Late boot microcode loading can be forced and does appear to happen in kernel logs.

echo 1 > /sys/devices/system/cpu/microcode/reload


#49

VirtualBox ticket created:
VirtualBox 5.2.18 vulnerable to spectre/meltdown despite microcode being installed

How to reproduce:

A host running Debian stretch. Using VirtualBox version 5.2.18. A guest running Debian stretch.

Host using stretch-backports with get access to newer microcode. (Old versions are incapable to show spectre/meltdown fixed.)

spectre-meltdown-checker being installed on host and in guest from stretch-backports. (Old versions are incapable to show spectre/meltdown fixed.)

sudo su -c "echo -e 'deb http://http.debian.net/debian stretch-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"

sudo apt-get update

sudo apt-get -t stretch-backports install spectre-meltdown-checker

Suppose microcode being installed.

Intel:

sudo apt-get -t stretch-backports install intel-microcode

Amd:

sudo apt-get -t stretch-backports install amd64-microcode

Suppose running spectre-meltdown-checker on the host looks fine.

sudo spectre-meltdown-checker --paranoid ; echo $?

By fine I mean exit code 0 and not showing “vulnerable”.

Suppose using all VirtualBox spectre/meltdown defense options.

VBoxManage modifyvm vm-name --ibpb-on-vm-entry on

VBoxManage modifyvm vm-name --ibpb-on-vm-exit on

VBoxManage modifyvm vm-name --spec-ctrl on

VBoxManage modifyvm vm-name --l1d-flush-on-sched off

(These options were introduced in VirtualBox version 5.2.18.)

Expected result:

spectre-meltdown-checker in guest VM saying “all fine”.

sudo spectre-meltdown-checker --paranoid ; echo $?

By fine I mean exit code 0 and not showing “vulnerable”.

Actual result:

spectre-meltdown-checker reporting vulnerable.

Questions:

Can you reproduce the same issue?

Were all necessary steps performed to protect the guest from spectre/meltdown?

Is this a VirtualBox issue or false-positive in spectre-meltdown-checker?

(Previously posted in VirtualBox forum.)


#50

Previouly experimental command

VBoxManage modifyvm "Whonix-Gateway" --l1d-flush-on-sched off
VBoxManage modifyvm "Whonix-Workstation" --l1d-flush-on-sched off

was wrong. Should be actually:

VBoxManage modifyvm "Whonix-Gateway" --l1d-flush-on-sched on
VBoxManage modifyvm "Whonix-Workstation" --l1d-flush-on-sched on

Could you please try with --l1d-flush-on-sched on? @TNT_BOM_BOM

Just now corrected the wiki template:

https://www.whonix.org/wiki/Template:VirtualBox_Spectre_Meltdown


#51

Please also apply:

VBoxManage modifyvm "Whonix-Gateway" --l1d-flush-on-vm-entry on
VBoxManage modifyvm "Whonix-Workstation" --l1d-flush-on-vm-entry on

#52

Please also apply:

VBoxManage modifyvm "Whonix-Gateway" --nestedpaging off
VBoxManage modifyvm "Whonix-Workstation" --nestedpaging off

I am more confident now that it will be correct and complete. Theory for now. Still needs to be tested.


#53

If the host operating system is considered spectre/meltdown safe, will VirtualBox guests in extension also be spectre/meltdown safe?

Not necessarily. […]


#54

Output needed.

sudo spectre-meltdown-checker --paranoid -v -v -v

And.

sudo sh -x /usr/bin/spectre-meltdown-checker --paranoid -v -v -v

#55

No problem on my hardware i.e. no warning


#56

Qubes is sorted. VirtualBox is the issue currently.


#57

I dunno if this already solved by qubes or even patched by intel…


#58

#59

Spectre V2 seems to be gonna be disabled by default for linux , more to read here:

“When performance goes down by 50 percent on some loads, people need to start asking themselves whether it was worth it. It’s apparently better to just disable SMT entirely, which is what security-conscious people do anyway,” wrote Torvalds.


#60

seven new Meltdown and Spectre attacks
https://groups.google.com/forum/#!topic/qubes-users/eTSZ5vb5ugo