I’ve seen a couple articles related to a new class of vulnerabilities called Microarchitectural Data Sampling that require some performance-degrading software patches to fix; and some companies are advocating for disabling hyperthreading. Given that Librem laptops are running different microcode, are our machines vulnerable as well?
Ah, I didn’t know if the way coreboot disables things like Intel ME would effect it. I was also wondering if kernel patches or other software fixes were in the works.
For Qubes you need to update both Dom0 (sudo qubes-dom0-update) and Coreboot/Heads from Purism,
in case you use the Librem laptop. Qubes won’t be affected if you just patch it in software, but to be on
the safe side it’s better to use the patched microcode in both Coreboot and your underlying OS.
Admittedly I’m a bit fuzzy on things other than straight up software updates (sudo apt-get types of things), but what do I need to do to install this on a Librem 13v3?
Update the firmware - if you have coreboot (the default) the guide is here:
then, assuming you use PureOS (or any other Debian based distro that uses apt like Ubuntu) do:
sudo apt-get update
sudo apt-get dist-upgrade
Or open Software (click the super key type software and press enter), click on the Updates tab and Download.
I’m here because I’m thinking about buying a librem.
Does anyone know what kind of performance hit these latest fixes bring with them? And does the patches fix the vulnerability completely? Considering the vulnerability defeats qubes security, this has me worried…
The latest releases of Qubes (after 4.0) actually default to boot with smt=off so it was not vulnerable
in that context.
Are the performance trade-offs worth it to disable SMT(Hyperthreading)? Depends on your use case.
If you are a gamer, why do you even care about these attacks?
If you are a Qubes user, 1-10% performance drop for having reasonably better isolation is negligible.
Many setups who don’t care about those vulnerabilities, such as single user machines with high IO
disable all those recent flags altogether, with the following kernel boot flag:
So the best thing you can do for yourself is benchmark the performance of the things you use,
and what matters more to you. Don’t trust all those online tests, they don’t show real life examples.
Well, my gaming computer is logged into my steam account, which has my credit card info, so on that machine I care a lot. Will probably just remove the card info there.
But more relevant here: I’m wondering what the performance hit will be for the avarage qqubes user. Since I don’t have a librem yet, I can’t benchmark.
Instead I ask here, in the hopes that someone else has more relevant info. I was just thinking there might be some qubes-librem users in here…
This is not the type of attacks an average card thief leverages
Your card will be fine. This is a sophisticated attack to break out from containers, sandboxes/VMs.
Hosting providers or anyone who stores highly sensitive data on mixed privileges machines is at risk.
But this is not something 99.999% script kiddie cyber criminals will do, more like nation state actors.
The reason nobody will provide you accurate benchmark is because it’s an individual case.
Someone uses Qubes to compile stuff, someone to browse the web, someone to analyze Windows malware,
some do all of the above. Nobody will have a use case that will be near yours except you.
I code and use SSH. There’s loads of users here with similar use cases.
And the hacker who broke into Reddit wasn’t going after the cards, just using them for SE.