New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
XSA-273: L1 Terminal Fault #4252
Comments
You must have missed this: https://groups.google.com/d/msg/qubes-users/Isn_hko7tQs/PcqIuUleEQAJ |
Yes, I did miss it. That makes sense. How difficult would it be to
preemptively push out an updated Xen package?
…On Mon, Aug 27, 2018, 2:31 AM Andrew David Wong ***@***.***> wrote:
This bug is already known to affect Xen (XSA-273), and has already been
brought up on the qubes-users mailing list. As such, it is rather shocking
that no QSB has been issued, nor does the XSA tracker make any mention of
this XSA.
You must have missed this:
https://groups.google.com/d/msg/qubes-users/Isn_hko7tQs/PcqIuUleEQAJ
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#4252 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AGGWB697pMkImntIdBrbcVAaHrlZVG0gks5uU5JWgaJpZM4WNHoa>
.
|
Now, there's QubesOS/qubes-vmm-xen#45 for people who can/want build it themselves.
In principle they should both be able to do so since their keys are in https://github.com/QubesOS/qubes-builder/blob/master/qubes-developers-keys.asc, so the builder infrastructure should accept tags signed by them. |
@DemiMarie: AFAIU the dom0 kernel doesn't need to be patched. |
Packages got pushed 6 hours ago that set smt=off in your grub configuration. QubesOS/updates-status#642 Does anyone know the impact this will have on performance? I just updated to the new xen binaries from the qubes-dom0-current-testing repository. Edit: found this https://access.redhat.com/security/vulnerabilities/L1TF-perf |
We have just published Qubes Security Bulletin (QSB) #43: L1 Terminal Fault speculative side channel (XSA-273). |
FWIW performance is catastrophic after the l1tf updates on my thinkpad T450s (i7-5600). What used to be an expensive "state-of-the-art" laptop 2 years ago is now as useful as an electrical heater, to the point that I'm considering ditching all those security fixes and live with the vulnerabilities :( Eg.:
I'll try to disable the "fixes" one by one when time allows to see what causes the high loadavg, which is probably the reason for the increased power consumption and the fan kicking in. (Meanwhile, any suggestions welcome). |
R3.2 or R4.0? In case of R3.2, make sure VMs use updated kernel, otherwise fallback mitigation may kick in, which greatly reduce performance (look for |
Sorry, I'm on R4.0 (totally forgot there was still R3.2, I'm using R4.0 since rc2). Dom0 and templatesVMs are updated with the -testing repos. After a reboot (as I'm typing this comment), I have sys-{net,firewall,usb} VMs + 2 fedora-28 AppVMs running (one appvm with firefox with only one tab open - github - and one appvm with thunderbird):
|
I have the same CPU as @taradiddles and I've noticed an increase in heat coming from the laptop as well (I'm running 4.0). I was expecting this though, as disabling SMT is going to make the CPU work harder. I wonder if we'll ever be able to enable SMT safely again? |
I'm not convinced SMT (or lack thereof) is the culprit here: SMT helps in some cases but may also be detrimental in others (eg. scientific simulations, hpc, ...).
(I clearly should be under 50% cpu utiliziation with only a browser + mail client appvms). I'll try to turn SMT back on later today for tests. |
@taradiddles Turning off SMT on hypervisors has a larger performance impact I believe. I'm not 100% sure, so don't quote me on that.. |
@lunarthegrey: I guess you're right... I just did a quick test with smt=on: the laptop's fan stays off or runs at very low speed, and power consumption is back to ~6W on battery. But quite oddly, loadavg and xentop "metrics" are worse (loadavg @ 0.80, |
With smt=on, I see similar xentop cpu usage of ~14% for *-dm. |
@airelemental : are you using a laptop ? If yes, it may be interesting to compare the power consumption on battery with both smt=on and smt=off since it's the only "reliable" metric I've found for now. I've kept smt=on since my last comment because I can't work on my laptop with smt=off, but I've tried to disable two theads (one on each core) from the cpu pool, with |
On my laptop, my power consumption is either unchanged or maybe somewhat improved compared to before, but nowhere near a factor of 2. |
Does the stubdom still need to be updated? Since this update I've started getting intermittent crashes of the "-dm" stubdom of a Window 10 VM. xl dmesg: ...-dm.log: |
Yes, that looks to be the case. @HW42 that's interesting, as stubdomain don't have swap, any idea? |
Include mitigations for L1TF, otherwise Xen will crash the domain. QubesOS/qubes-issues#4252
Include mitigations for L1TF, otherwise Xen will crash the domain. QubesOS/qubes-issues#4252
Thanks, the stubdomain hasn't crashed for 2 days now. |
Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252
Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252 (cherry picked from commit 938578c)
So from what I understand people are experiencing increased heat and batteries don't last as long with Ever since SMT was turned off for me I have noticed increased heat + low battery life. I updated my BIOS so I can turn SMT off in the BIOS and I'm leaving |
@lunarthegrey I experience no increased CPU temperature with Oddly enough, with |
Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252 Signed-off-by: Frédéric Pierret <frederic.epitre@orange.fr>
Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252 Signed-off-by: Frédéric Pierret <frederic.epitre@orange.fr>
Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252
@andrewdavidwong This issue was originally opened to have Qubes address L1TF. Per the description, in dom0:
So, in that sense, it is now fixed. For issues related to the performance hit and temperature increase, in the future these could be put together as a separate issue -- where we could track the fix for that independent of the actual addition of L1TF mitigation in Qubes. Let me know if I'm wrong here. |
@andrewdavidwong Ah, good point. I didn't notice the timestamp on those commits. Thanks! |
The commits referenced above are porting the work done for R4.0, into R4.1 devel branches. The original issue here is completed. |
Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252
Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252
Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252
Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252
Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252
Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252
Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252
Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252
Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252
Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252
Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252
Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252
Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252
-- This will solve rhinstaller#959 for new installations. Related to QubesOS/qubes-issues#959 -- -- Linux kernel have some memory overhead depending on maxmem. Dom0 isn't meant to use that much memory (most should be assigned to AppVMs), so on big systems this will be pure waste. QubesOS/qubes-issues#1136 Fixes QubesOS/qubes-issues#1313 -- -- Many Intel processors (and BIOSes) have invalid IOMMU configuration for IGFX, which cause multiple problems - from screen glitches, to system hang. Since IGFX currently is still in dom0 (isn't isolated from other system components), disabling IOMMU for it doesn't lower overall security. When GUI domain will be implemented, we need to re-enable IOMMU here and hope hardware manufacturers will fix it in the meantime. Fixes QubesOS/qubes-issues#2836 -- -- Try to update microcode as early as possible if provided. This option will scan all multiboot modules besides dom0 kernel. In our case this is perfect - there is only one other module and it is initramfs which have microcode early cpio prepended. QubesOS/qubes-issues#3703 -- -- Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252 -- -- It tries to mount every existing block device, including VM images. -- Based on : - 0f7cc31 - 40c7967 - 5bd0830 - 223e0ad - 724b128 - 203e8d7 - a6bfe43
-- This will solve rhinstaller#959 for new installations. Related to QubesOS/qubes-issues#959 -- -- Linux kernel have some memory overhead depending on maxmem. Dom0 isn't meant to use that much memory (most should be assigned to AppVMs), so on big systems this will be pure waste. QubesOS/qubes-issues#1136 Fixes QubesOS/qubes-issues#1313 -- -- Many Intel processors (and BIOSes) have invalid IOMMU configuration for IGFX, which cause multiple problems - from screen glitches, to system hang. Since IGFX currently is still in dom0 (isn't isolated from other system components), disabling IOMMU for it doesn't lower overall security. When GUI domain will be implemented, we need to re-enable IOMMU here and hope hardware manufacturers will fix it in the meantime. Fixes QubesOS/qubes-issues#2836 -- -- Try to update microcode as early as possible if provided. This option will scan all multiboot modules besides dom0 kernel. In our case this is perfect - there is only one other module and it is initramfs which have microcode early cpio prepended. QubesOS/qubes-issues#3703 -- -- Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252 -- -- It tries to mount every existing block device, including VM images. -- Based on : - 0f7cc31 - 40c7967 - 5bd0830 - 223e0ad - 724b128 - 203e8d7 - a6bfe43
-- This will solve rhinstaller#959 for new installations. Related to QubesOS/qubes-issues#959 -- -- Linux kernel have some memory overhead depending on maxmem. Dom0 isn't meant to use that much memory (most should be assigned to AppVMs), so on big systems this will be pure waste. QubesOS/qubes-issues#1136 Fixes QubesOS/qubes-issues#1313 -- -- Many Intel processors (and BIOSes) have invalid IOMMU configuration for IGFX, which cause multiple problems - from screen glitches, to system hang. Since IGFX currently is still in dom0 (isn't isolated from other system components), disabling IOMMU for it doesn't lower overall security. When GUI domain will be implemented, we need to re-enable IOMMU here and hope hardware manufacturers will fix it in the meantime. Fixes QubesOS/qubes-issues#2836 -- -- Try to update microcode as early as possible if provided. This option will scan all multiboot modules besides dom0 kernel. In our case this is perfect - there is only one other module and it is initramfs which have microcode early cpio prepended. QubesOS/qubes-issues#3703 -- -- Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252 -- -- It tries to mount every existing block device, including VM images. -- Based on : - 0f7cc31 - 40c7967 - 5bd0830 - 223e0ad - 724b128 - 203e8d7 - a6bfe43
-- This will solve rhinstaller#959 for new installations. Related to QubesOS/qubes-issues#959 -- -- Linux kernel have some memory overhead depending on maxmem. Dom0 isn't meant to use that much memory (most should be assigned to AppVMs), so on big systems this will be pure waste. QubesOS/qubes-issues#1136 Fixes QubesOS/qubes-issues#1313 -- -- Many Intel processors (and BIOSes) have invalid IOMMU configuration for IGFX, which cause multiple problems - from screen glitches, to system hang. Since IGFX currently is still in dom0 (isn't isolated from other system components), disabling IOMMU for it doesn't lower overall security. When GUI domain will be implemented, we need to re-enable IOMMU here and hope hardware manufacturers will fix it in the meantime. Fixes QubesOS/qubes-issues#2836 -- -- Try to update microcode as early as possible if provided. This option will scan all multiboot modules besides dom0 kernel. In our case this is perfect - there is only one other module and it is initramfs which have microcode early cpio prepended. QubesOS/qubes-issues#3703 -- -- Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252 -- -- It tries to mount every existing block device, including VM images. -- Based on : - 0f7cc31 - 40c7967 - 5bd0830 - 223e0ad - 724b128 - 203e8d7 - a6bfe43
-- This will solve rhinstaller#959 for new installations. Related to QubesOS/qubes-issues#959 -- -- Linux kernel have some memory overhead depending on maxmem. Dom0 isn't meant to use that much memory (most should be assigned to AppVMs), so on big systems this will be pure waste. QubesOS/qubes-issues#1136 Fixes QubesOS/qubes-issues#1313 -- -- Try to update microcode as early as possible if provided. This option will scan all multiboot modules besides dom0 kernel. In our case this is perfect - there is only one other module and it is initramfs which have microcode early cpio prepended. QubesOS/qubes-issues#3703 -- -- Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252 -- -- It tries to mount every existing block device, including VM images. -- Based on : - 0f7cc31 - 40c7967 - 5bd0830 - 223e0ad - 724b128 - 203e8d7 - a6bfe43
-- This will solve rhinstaller#959 for new installations. Related to QubesOS/qubes-issues#959 -- -- Linux kernel have some memory overhead depending on maxmem. Dom0 isn't meant to use that much memory (most should be assigned to AppVMs), so on big systems this will be pure waste. QubesOS/qubes-issues#1136 Fixes QubesOS/qubes-issues#1313 -- -- Try to update microcode as early as possible if provided. This option will scan all multiboot modules besides dom0 kernel. In our case this is perfect - there is only one other module and it is initramfs which have microcode early cpio prepended. QubesOS/qubes-issues#3703 -- -- Defaults set during package installation do not apply, as booloader configuration doesn't exist at that stage yet. Reported by @rustybird QubesOS/qubes-issues#4252 -- -- It tries to mount every existing block device, including VM images. -- Based on : - 0f7cc31 - 40c7967 - 5bd0830 - 223e0ad - 724b128 - 203e8d7 - a6bfe43
Qubes OS version:
All
Affected component(s):
Xen, dom0 kernel
Steps to reproduce the behavior:
Run
cat /sys/devices/system/cpu/vulnerabilities/l1tf
in dom0Expected behavior:
Actual behavior:
General notes:
This indicates that Qubes is vulnerable to L1 Terminal Fault attacks, which can result in compromise of arbitrary data located in any Qubes domain. Since this includes LUKS keys, this cannot be fully mitigated by not running sensitive and untrusted code simultaneously.
This bug is already known to affect Xen (XSA-273), and has already been brought up on the qubes-users mailing list. As such, it is rather shocking that no QSB has been issued, nor does the XSA tracker make any mention of this XSA.
Related issues:
The text was updated successfully, but these errors were encountered: