TL;DR: a Spectre-kind bug that allows reading memory where not intended.
3 Likes
DVM
May 14, 2025, 9:09am
2
There has been no post on this yet on the Qubes website, but it does seem that Qubes is affected.
Xen posted an XSA a few days ago:
https://xenbits.xen.org/xsa/advisory-469.html
It requires updates to both Xen and Intel microcode. Both were pushed to the testing/security repository:
opened 08:19PM - 12 May 25 UTC
r4.2-host-cur-test
r4.2-vm-archlinux-cur-test
r4.2-host-sec-test
r4.2-vm-archlinux-sec-test
Update of vmm-xen to v4.17.5-7 for Qubes OS r4.2, see comments below for details and build status.
From commit: https://github.com/QubesOS/qubes-vmm-xen/commit/3f22292e960142d8314b2d3528e327a686b895f0
[Changes since previous version](https://github.com/QubesOS/qubes-vmm-xen/compare/v4.17.5-6...v4.17.5-7):
QubesOS/qubes-vmm-xen@3f22292 version 4.17.5-7
QubesOS/qubes-vmm-xen@7cff61c Apply XSA-469 patches
If you're release manager, you can issue GPG-inline signed command:
* `Upload-component r4.2 vmm-xen 3f22292e960142d8314b2d3528e327a686b895f0 current all` (available 5 days from now)
* `Upload-component r4.2 vmm-xen 3f22292e960142d8314b2d3528e327a686b895f0 security-testing all`
You can choose subset of distributions like:
* `Upload-component r4.2 vmm-xen 3f22292e960142d8314b2d3528e327a686b895f0 current vm-bookworm,vm-fc37` (available 5 days from now)
Above commands will work only if packages in current-testing repository were built from given commit (i.e. no new version superseded it).
For more information on how to test this update, please take a look at https://www.qubes-os.org/doc/testing/#updates.
opened 06:33PM - 12 May 25 UTC
r4.2-host-cur-test
r4.2-host-sec-test
Update of intel-microcode to v20250512 for Qubes OS r4.2, see comments below for details and build status.
From commit: https://github.com/QubesOS/qubes-intel-microcode/commit/734f1faa75c2ec503ebdb2c1abf04b89c54f2d31
[Changes since previous version](https://github.com/QubesOS/qubes-intel-microcode/compare/v20250211...v20250512):
QubesOS/qubes-intel-microcode@734f1fa Update 20250512
If you're release manager, you can issue GPG-inline signed command:
* `Upload-component r4.2 intel-microcode 734f1faa75c2ec503ebdb2c1abf04b89c54f2d31 current all` (available 5 days from now)
* `Upload-component r4.2 intel-microcode 734f1faa75c2ec503ebdb2c1abf04b89c54f2d31 security-testing all`
You can choose subset of distributions like:
* `Upload-component r4.2 intel-microcode 734f1faa75c2ec503ebdb2c1abf04b89c54f2d31 current vm-bookworm,vm-fc37` (available 5 days from now)
3 Likes
It's always kind of bad when hardware correctness depends on software patches being applied.
Microcode is such a weird kind of “updatable (as a noun)”
3 Likes
Per-VM memory encryption would be a good protection against all this side-channel stuff.
The question is how will the keys be protected (as they still need to be in RAM?).
2 Likes
The indirect target selection is for the “training solo” vulnerabilities, it’s not the same as the branch privilege injection vulnerability.
Two different vulnerabilities were found in Intel CPUs.
https://www.phoronix.com/news/Training-Solo-Vulnerability
https://www.phoronix.com/news/Branch-Privilege-Injection
2 Likes
DVM
May 14, 2025, 4:43pm
6
I assumed the article was about the first one, my bad. There still hasn’t been a post from the Qubes team about the “training solo” one, so at least that part has been answered.
Apparently, the Intel microcode I linked covers the branch privilege injection, based on this post from the Xen mailing list:
https://lore.kernel.org/all/6ff1387d-6577-455d-8a1a-0dee04907b1c@citrix.com/
3 Likes
adw
May 14, 2025, 9:43pm
7
A new QSB is being finalized and will be published very soon. Hold tight.
2 Likes