Are Librem laptops affected by the latest round of Intel processor vulnerabilities?


#1

I’ve seen a couple articles related to a new class of vulnerabilities called Microarchitectural Data Sampling that require some performance-degrading software patches to fix; and some companies are advocating for disabling hyperthreading. Given that Librem laptops are running different microcode, are our machines vulnerable as well?

Thanks,

rjrjr


#2

Yes they are. Different Microcode? I think you mix it up with BIOS which is not related to MDS.


#3

Ah, I didn’t know if the way coreboot disables things like Intel ME would affect it. I was also wondering if kernel patches or other software fixes were in the works.


#4

A patch is already rolled on Debian.
4.9.168-1+deb9u2 (2019-05-13) x86_64 GNU/Linux

/proc/cpuinfo
bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds

/sys/devices/system/cpu/vulnerabilities/mds
Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown

For Qubes users:
XSA-297

Qemu/libvirt/microcode/kernel patches are in repos. Reboot is required.
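
Added example, not part of the thread: a shell function that interprets the status line post #4 reads from /sys/devices/system/cpu/vulnerabilities/mds, useful for checking a machine again after the kernel and microcode updates. The function names are this example's own, and the status wording is assumed to follow the kernel's MDS documentation.

```shell
#!/bin/sh
# Added example (not from the thread): interpret the kernel's MDS status line.
# Status wording is assumed to follow the kernel's hw-vuln/mds documentation.

MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds

# mds_classify "<status line>" -> prints "<cpu-verdict> <smt-verdict>"
mds_classify() {
    status=$1
    state=${status%%";"*}                  # text before the first ';'
    smt_part=""
    case $status in
        *";"*) smt_part=${status#*"; "} ;; # text after "; "
    esac

    case $state in
        "Not affected")                   cpu="not-affected" ;;
        "Mitigation: Clear CPU buffers")  cpu="mitigated" ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode")
                                          cpu="needs-microcode" ;;
        "Vulnerable")                     cpu="vulnerable" ;;
        *)                                cpu="unrecognised" ;;
    esac

    case $smt_part in
        "SMT disabled"|"SMT mitigated")   smt="smt-ok" ;;
        "SMT vulnerable")                 smt="smt-exposed" ;;
        "SMT Host state unknown")         smt="smt-unknown" ;;  # kernel runs in a VM
        *)                                smt="smt-n/a" ;;
    esac
    echo "$cpu $smt"
}

# Read the live status on this machine, if the kernel exposes it.
mds_report() {
    if [ -r "$MDS_FILE" ]; then
        line=$(cat "$MDS_FILE")
        echo "$line => $(mds_classify "$line")"
    else
        echo "$MDS_FILE missing: kernel does not report MDS status"
    fi
}

mds_report
```

The line quoted in post #4 classifies as `needs-microcode smt-unknown`: the kernel attempts the buffer clear, but the CPU microcode that makes it effective is not loaded.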


#5

We’ll be releasing new firmware with Intel’s latest microcode updates very shortly :slight_smile:


#6

And they’ve been released!


#7

For Qubes, am I understanding this patch will just be pushed in a Dom0 update?


#8

For Qubes you need to update both Dom0 (sudo qubes-dom0-update) and Coreboot/Heads from Purism,
in case you use the Librem laptop. Qubes won’t be affected if you just patch it in software, but to be on
the safe side it’s better to use the patched microcode in both Coreboot and your underlying OS.


#9

Admittedly I’m a bit fuzzy on things other than straight up software updates (sudo apt-get types of things), but what do I need to do to install this on a Librem 13v3?


#10

Update the firmware - if you have coreboot (the default) the guide is here:


then, assuming you use PureOS (or any other Debian based distro that uses apt like Ubuntu) do:
sudo apt-get update
sudo apt-get dist-upgrade
Or open Software (click the super key, type software and press enter), click on the Updates tab and Download.


#11

Thanks! I’ll give it a go later tonight (GMT - 6.0 here).


#12

I’m here because I’m thinking about buying a Librem.
Does anyone know what kind of performance hit these latest fixes bring with them? And do the patches fix the vulnerability completely? Considering the vulnerability defeats Qubes security, this has me worried…


#13

The latest releases of Qubes (after 4.0) actually default to boot with smt=off so it was not vulnerable
in that context.

Are the performance trade-offs worth it to disable SMT(Hyperthreading)? Depends on your use case.
If you are a gamer, why do you even care about these attacks? :slight_smile:
If you are a Qubes user, 1-10% performance drop for having reasonably better isolation is negligible.
Many setups who don’t care about those vulnerabilities, such as single user machines with high IO
disable all those recent flags altogether, with the following kernel boot flag:

nopti nospectre_v2 spectre_v2_user=off spec_store_bypass_disable=off l1tf=off

So the best thing you can do for yourself is benchmark the performance of the things you use,
and what matters more to you. Don’t trust all those online tests, they don’t show real life examples.


#14

Well, my gaming computer is logged into my steam account, which has my credit card info, so on that machine I care a lot. Will probably just remove the card info there.

But more relevant here: I’m wondering what the performance hit will be for the average Qubes user. Since I don’t have a Librem yet, I can’t benchmark.

Instead I ask here, in the hopes that someone else has more relevant info. I was just thinking there might be some Qubes-Librem users in here…


#15

This is not the type of attack an average card thief leverages :joy:
Your card will be fine. This is a sophisticated attack to break out from containers, sandboxes/VMs.
Hosting providers or anyone who stores highly sensitive data on mixed privileges machines is at risk.
But this is not something 99.999% script kiddie cyber criminals will do, more like nation state actors.

The reason nobody will provide you an accurate benchmark is because it’s an individual case.
Someone uses Qubes to compile stuff, someone to browse the web, someone to analyze Windows malware,
some do all of the above. Nobody will have a use case that will be near yours except you.


#16

I code and use SSH. There’s loads of users here with similar use cases.
And the hacker who broke into Reddit wasn’t going after the cards, just using them for SE.

But sure, I’ll leave this thread now.