List of QSB/XSA/CVE Patches

Is there a way to pull up a log of the QSB/XSA and CVE microcode/Hypervisor patches applied to Xen/QubesOS via dom0, or using the GUI within the xfce desktop?

Is there a dom0 command that can pull up a history log? It would be nice to see if these patches have been applied to the hypervisor you are working on and the date/time/filesize (metadata) for the patch.

This is just a general DNF feature (nothing specific to Qubes, QSBs, or XSAs), but it might help:

Yes, this is helpful. Is there any command for viewing microcode update history?

My understanding is that that depends on your hardware. For example, Intel microcode updates can usually be loaded through the OS, whereas AMD microcode updates often can’t. See the explanation in QSB-093, for example.

So, for Intel, I suppose dnf history should work, but for AMD, I guess you’d need some kind of UEFI/BIOS update history tool (never heard of one) or, more likely, just compare the UEFI/BIOS version you see in the UEFI/BIOS itself with some list provided by your motherboard/computer vendor.

None of this is Qubes-specific, as far as I can tell, and this is just my impression of how things work from a user’s perspective. I could be wrong.

I think the microcode is loaded as part of the Linux kernel. But it needs to be converted into a format that will be compatible with the kernel (.bin). Check out this link; it is a tool for converting from the Intel microcode file format to a format compatible with Linux (.rpm):

https://pagure.io/microcode_ctl/

This, of course, introduces a step which could be buggy or maliciously manipulated.

Deploy an Intel microcode. This tool is obsolete and the microcode is the subject to be distributed via kernel-firmware, however Intel still does not supply the microcode in a form consumable by the Linux’s microcode driver. So that this tool transform Intel’s microcode as well as deploy it.