Changelog ========== 2018-01-11: Original QSB published 2018-01-23: Updated mitigation plan to XPTI; added Xen package versions [...] (Proper) patching ================== ## Qubes 4.0 As explained above, almost all the VMs in Qubes 4.0 are fully-virtualized by default (specifically, they are HVMs), which mitigates the most severe issue, Meltdown. The only PV domains in Qubes 4.0 are stub domains, which we plan to eliminate by switching to PVH where possible. This will be done in Qubes 4.0-rc4 and also released as a normal update for existing Qubes 4.0 installations. The only remaining PV stub domains will be those used for VMs with PCI devices. (In the default configuration, these are sys-net and sys-usb.) To protect those domains, we will provide the Xen page-table isolation (XPTI) patch, as described in the following section on Qubes 3.2. ## Qubes 3.2 Previously, we had planned to release an update for Qubes 3.2 that would have made almost all VMs run in PVH mode by backporting support for this mode from Qubes 4.0. However, a much less drastic option has become available sooner than we and the Xen Security Team anticipated: what the Xen Security Team refers to as a "stage 1" implementation of the Xen page-table isolation (XPTI) mitigation strategy [5]. This mitigation will make the most sensitive memory regions (including all of physical memory mapped into Xen address space) immune to the Meltdown attack. In addition, this mitigation will work on systems that lack VT-x support. (By contrast, our original plan to backport PVH would have worked only when the hardware supported VT-x or equivalent technology.) Please note that this mitigation is expected to have a noticeable performance impact. While there will be an option to disable the mitigation (and thereby avoid the performance impact), doing so will return the system to a vulnerable state. The specific packages that contain the XPTI patches for Qubes 3.2 are as follows: - Xen packages, version 4.6.6-36 The packages are to be installed in dom0 via the Qubes VM Manager or via the qubes-dom0-update command as follows: For updates from the stable repository (not immediately available): $ sudo qubes-dom0-update For updates from the security-testing repository: $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing A system restart will be required afterwards. These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community. If you use Anti Evil Maid, you will need to reseal your secret passphrase to new PCR values, as PCR18+19 will change due to the new Xen binaries. [...] Here is an overview of the VM modes that correspond to each Qubes OS version: VM type \ Qubes OS version | 3.2 | 4.0-rc1-3 | 4.0-rc4 | ---------------------------------- | --- | --------- | ------- | Default VMs without PCI devices | PV | HVM | PVH | Default VMs with PCI devices | PV | HVM | HVM | Stub domains - Default VMs w/o PCI | N/A | PV | N/A | Stub domains - Default VMs w/ PCI | N/A | PV | PV | Stub domains - HVMs | PV | PV | PV |