QSB-076: Intel microcode updates

We have just published Qubes Security Bulletin (QSB) 076: Intel microcode updates. The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).

View QSB-076 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-076-2022.txt

             ---===[ Qubes Security Bulletin 076 ]===---

                             2022-02-11

                      Intel microcode updates


User action required
---------------------

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.0, in dom0:
  - microcode_ctl package, version 2.1-34.qubes1

  For Qubes 4.1, in dom0:
  - microcode_ctl package, version 2.1-34.qubes1

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]

Dom0 must be restarted afterward in order for the updates to take
effect.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR19 will change due to the new
microcode in the initramfs.


Summary
--------

On 2022-02-08, Intel published microcode updates [3] for some of their
CPUs that fix security issues [4]. INTEL-SA-00561 (CVE-2021-0145) [7][8]
affects Qubes installations on hardware with affected CPU models. Red
Hat provides a good overview [5]:

| A flaw was found in microcode. Fast store forwarding prediction in one
| domain could be controlled by software previously executed in another
| domain. Such control helps a malicious program running in user mode
| (or guest VM) to trigger transient execution gadgets in supervisor
| mode (or VMM), potentially leading to sensitive data disclosure.

There is also a separate vulnerability -- INTEL-SA-00589
(CVE-2021-33120) [9] -- that seems to affect mainly low-power
architecture CPUs, e.g., Atom. However, due to the sparse description of
the issue, we cannot judge whether it affects Qubes OS.

Impact
-------

INTEL-SA-00561 (CVE-2021-0145) is another CPU vulnerability related to
speculative execution (also called transient execution). If successfully
exploited, it could allow an attacker to read information across
security boundaries. In this case, successful exploitation could
allow an attacker-controlled VM to read information that should be
accessible only to the hypervisor.

This affects at least 10th generation mobile and 11th generation mobile
and desktop Intel Core CPUs. For a full list of affected CPU models, see
Intel's table [6] or Red Hat's summary [5].


Credits
--------

See the original security advisories. Additional thanks to Red Hat for
their helpful overview of the microcode updates.


References
-----------

[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/main/releasenote.md#microcode-2022027
[4] https://www.intel.com/content/www/us/en/security-center/default.html
[5] https://access.redhat.com/articles/6716541
[6] https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
[7] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00561.html
[8] https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/fast-store-forwarding-predictor.html
[9] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00589.html

--
The Qubes Security Team
https://www.qubes-os.org/security/

This is a companion discussion topic for the original entry at https://www.qubes-os.org/news/2022/02/11/qsb-076/
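
The following dom0 check is an added example, not part of the QSB or of Qubes tooling. It tests the two conditions the bulletin sets: microcode_ctl at 2.1-34.qubes1 or later, and a dom0 restart after the package was installed. The function names are hypothetical, and it assumes the installed package reports its version in the same VERSION-RELEASE form the bulletin uses.

```shell
#!/bin/sh
# Added example: checks the two conditions from QSB-076 in dom0.
# Function names are hypothetical; the required version is from the bulletin.
REQUIRED="2.1-34.qubes1"

# version_at_least INSTALLED REQUIRED
# Uses sort -V as an approximation of RPM version ordering (assumption:
# both strings share the VERSION-RELEASE layout shown in the bulletin).
version_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# qsb076_status INSTALLED_VERSION INSTALL_EPOCH BOOT_EPOCH
# Prints update-needed, restart-needed or ok.
qsb076_status() {
    if ! version_at_least "$1" "$REQUIRED"; then
        echo "update-needed"       # fixed package not installed yet
    elif [ "$3" -le "$2" ]; then
        echo "restart-needed"      # installed, but dom0 booted before the install
    else
        echo "ok"
    fi
}

# check_dom0: collect the live values; call this by hand in dom0.
check_dom0() {
    ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}' microcode_ctl) || {
        echo "microcode_ctl is not installed"
        return 2
    }
    inst=$(rpm -q --qf '%{INSTALLTIME}' microcode_ctl)  # install time, epoch seconds
    boot=$(awk '/^btime /{print $2}' /proc/stat)        # boot time, epoch seconds
    qsb076_status "$ver" "$inst" "$boot"
}

# Constructed sample values (not taken from a real system):
qsb076_status "2.1-33.qubes1" 1644600000 1644700000
qsb076_status "2.1-34.qubes1" 1644700000 1644600000
qsb076_status "2.1-34.qubes1" 1644600000 1644700000
```

A result of "ok" does not cover Anti Evil Maid; resealing to the new PCR values is a separate step.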