Qubes OS updates Weekly Review - Y2025-W07


Introduction

Weekly review of new packages uploaded to Qubes OS repositories. Link to previous version here.

Alphabetically sorted list of new packages uploaded to Qubes OS repositories
amd-gpu-firmware-20250211-1.fc37.noarch.rpm
amd-gpu-firmware-20250211-1.fc41.noarch.rpm
amd-ucode-firmware-20250211-1.fc37.noarch.rpm
amd-ucode-firmware-20250211-1.fc41.noarch.rpm
atheros-firmware-20250211-1.fc37.noarch.rpm
atheros-firmware-20250211-1.fc41.noarch.rpm
brcmfmac-firmware-20250211-1.fc37.noarch.rpm
brcmfmac-firmware-20250211-1.fc41.noarch.rpm
cirrus-audio-firmware-20250211-1.fc37.noarch.rpm
cirrus-audio-firmware-20250211-1.fc41.noarch.rpm
dvb-firmware-20250211-1.fc37.noarch.rpm
dvb-firmware-20250211-1.fc41.noarch.rpm
intel-audio-firmware-20250211-1.fc37.noarch.rpm
intel-audio-firmware-20250211-1.fc41.noarch.rpm
intel-gpu-firmware-20250211-1.fc37.noarch.rpm
intel-gpu-firmware-20250211-1.fc41.noarch.rpm
intel-vsc-firmware-20250211-1.fc37.noarch.rpm
intel-vsc-firmware-20250211-1.fc41.noarch.rpm
iwlegacy-firmware-20250211-1.fc37.noarch.rpm
iwlegacy-firmware-20250211-1.fc41.noarch.rpm
iwlwifi-dvm-firmware-20250211-1.fc37.noarch.rpm
iwlwifi-dvm-firmware-20250211-1.fc41.noarch.rpm
iwlwifi-mvm-firmware-20250211-1.fc37.noarch.rpm
iwlwifi-mvm-firmware-20250211-1.fc41.noarch.rpm
kernel-6.6.75-1.qubes.fc37.x86_64.rpm
kernel-6.6.75-1.qubes.fc41.x86_64.rpm
kernel-6.6.77-1.qubes.fc37.x86_64.rpm
kernel-6.6.77-1.qubes.fc41.x86_64.rpm
kernel-devel-6.6.75-1.qubes.fc37.x86_64.rpm
kernel-devel-6.6.75-1.qubes.fc41.x86_64.rpm
kernel-devel-6.6.77-1.qubes.fc37.x86_64.rpm
kernel-devel-6.6.77-1.qubes.fc41.x86_64.rpm
kernel-modules-6.6.75-1.qubes.fc37.x86_64.rpm
kernel-modules-6.6.75-1.qubes.fc41.x86_64.rpm
kernel-modules-6.6.77-1.qubes.fc37.x86_64.rpm
kernel-modules-6.6.77-1.qubes.fc41.x86_64.rpm
kernel-qubes-vm-6.6.75-1.qubes.fc37.x86_64.rpm
kernel-qubes-vm-6.6.75-1.qubes.fc41.x86_64.rpm
kernel-qubes-vm-6.6.77-1.qubes.fc37.x86_64.rpm
kernel-qubes-vm-6.6.77-1.qubes.fc41.x86_64.rpm
libertas-firmware-20250211-1.fc37.noarch.rpm
libertas-firmware-20250211-1.fc41.noarch.rpm
linux-firmware-20250211-1.fc37.noarch.rpm
linux-firmware-20250211-1.fc41.noarch.rpm
linux-firmware-whence-20250211-1.fc37.noarch.rpm
linux-firmware-whence-20250211-1.fc41.noarch.rpm
liquidio-firmware-20250211-1.fc37.noarch.rpm
liquidio-firmware-20250211-1.fc41.noarch.rpm
microcode_ctl-2.1.20250211-58.qubes1.fc37.x86_64.rpm
microcode_ctl-2.1.20250211-58.qubes1.fc41.x86_64.rpm
mlxsw_spectrum-firmware-20250211-1.fc37.noarch.rpm
mlxsw_spectrum-firmware-20250211-1.fc41.noarch.rpm
mrvlprestera-firmware-20250211-1.fc37.noarch.rpm
mrvlprestera-firmware-20250211-1.fc41.noarch.rpm
mt7xxx-firmware-20250211-1.fc37.noarch.rpm
mt7xxx-firmware-20250211-1.fc41.noarch.rpm
netronome-firmware-20250211-1.fc37.noarch.rpm
netronome-firmware-20250211-1.fc41.noarch.rpm
nvidia-gpu-firmware-20250211-1.fc37.noarch.rpm
nvidia-gpu-firmware-20250211-1.fc41.noarch.rpm
nxpwireless-firmware-20250211-1.fc37.noarch.rpm
nxpwireless-firmware-20250211-1.fc41.noarch.rpm
python3-xen-4.17.5-6.fc37.x86_64.rpm
qcom-firmware-20250211-1.fc37.noarch.rpm
qcom-firmware-20250211-1.fc41.noarch.rpm
qed-firmware-20250211-1.fc37.noarch.rpm
qed-firmware-20250211-1.fc41.noarch.rpm
qubes-artwork_4.3.4-1+deb12u1_amd64.deb
qubes-artwork_4.3.4-1+deb13u1_amd64.deb
qubes-artwork-4.3.4-1.fc40.noarch.rpm
qubes-artwork-4.3.4-1.fc41.noarch.rpm
qubes-artwork_4.3.4-1+jammy1_amd64.deb
qubes-artwork_4.3.4-1+noble1_amd64.deb
qubes-artwork-anaconda-4.3.4-1.fc40.noarch.rpm
qubes-artwork-anaconda-4.3.4-1.fc41.noarch.rpm
qubes-artwork-efi-4.3.4-1.fc40.noarch.rpm
qubes-artwork-efi-4.3.4-1.fc41.noarch.rpm
qubes-artwork-plymouth-4.3.4-1.fc40.noarch.rpm
qubes-artwork-plymouth-4.3.4-1.fc41.noarch.rpm
qubes-core-dom0-4.2.36-1.fc37.noarch.rpm
qubes-core-dom0-4.3.17-1.fc41.noarch.rpm
qubes-core-dom0-linux-4.3.10-1.fc41.x86_64.rpm
qubes-core-dom0-linux-kernel-install-4.3.10-1.fc41.x86_64.rpm
qubes-core-dom0-vaio-fixes-4.3.10-1.fc41.x86_64.rpm
qubes-mgmt-salt-dom0-qvm-4.3.2-1.fc41.noarch.rpm
qubes-mgmt-salt-dom0-virtual-machines-4.2.20-1.fc41.noarch.rpm
qubes-release-4.2-12.fc37.noarch.rpm
qubes-release-4.3-0.4.fc41.noarch.rpm
qubes-release-notes-4.2-12.fc37.noarch.rpm
qubes-release-notes-4.3-0.4.fc41.noarch.rpm
qubes-vm-xen-4.17.5-6-x86_64.pkg.tar.zst
realtek-firmware-20250211-1.fc37.noarch.rpm
realtek-firmware-20250211-1.fc41.noarch.rpm
tiwilink-firmware-20250211-1.fc37.noarch.rpm
tiwilink-firmware-20250211-1.fc41.noarch.rpm
xen-4.17.5-6.fc37.x86_64.rpm
xen-devel-4.17.5-6.fc37.x86_64.rpm
xen-doc-4.17.5-6.fc37.noarch.rpm
xen-hypervisor-4.17.5-6.fc37.x86_64.rpm
xen-libs-4.17.5-6.fc37.x86_64.rpm
xen-licenses-4.17.5-6.fc37.x86_64.rpm
xen-runtime-4.17.5-6.fc37.x86_64.rpm

Highlights

  • Qubes OS R4.2.4
  • Novacustom V540U laptop is certified.
  • Qube Manager new look and feel
  • Downgrade of Thinkpad x230/t430 certification

Details

In addition to the usual minor fixes and patches (full list here):

  • core-admin v4.3.17 & v4.3.18 (r4.3)
    . The changes for v4.3.17 were discussed in last week's newsletter, earlier than usual (qrexec caching).
    . A bug in (New Device API) PCI assignment is fixed (only applicable for R4.3).
    . A test for storage performance is added. This is exciting since this will allow clear performance evaluation and comparison of various file-systems (BTRFS, ext4, XFS, ZFS, …) for dom0.
    . Novacustom V540U laptop is marked as certified.
    . qvm-features-request (mostly used in templates) will be able to send requests with spaces in values to dom0. This is specifically useful for Whonix templates, which will be using in-VM kernels with additional security improvements in the near future. Spaces in feature values were needed for kernel parameters.

  • manager v4.3.9-1 (r4.3)
    . The good old Qube Manager has been using “Crystal” icons from Everaldo Coelho for around 15 years. They were due for a change to keep up with the current trend of flat icons, which are used everywhere these days.
    . The first column of Qube Manager (column 0) is deleted. Apparently no one uses it these days since the Qute Cube icons signify the qube type. I personally did not realize this before writing this newsletter.
    . Here are the screenshots:

  • vmm-xen-stubdom-linux v4.3.2 (r4.3)
    vmm-xen v4.19.1-3 (r4.3)
    Fixing 13th generation Intel GPU compatibility with sys-gui-gpu and assuring proper GPU pass-through.

  • artwork v4.3.4-1 (r4.3)
    The (Qute) Cube icons are improved.

  • mgmt-salt-dom0-virtual-machines v4.2.20 (r4.3)
    . Fixes for sys-gui-gpu inputs, assuring USB pointing devices will be properly attached to it if necessary.
    . After reducing memory usage for netvm & usbvm, default memory setting is reduced from 425MB to 300MB.

  • qubes-release v4.3-0.4 (r4.3)
    qubes-release v4.2-12 (r4.2)
    . Qubes Release R4.2.4. Official announcement on forum here.
    . The offline release notes file (/usr/share/doc/qubes-release-notes/README.Qubes-Release-Notes) is updated since it contained R4.1 release notes.

  • core-admin-linux v4.3.10 (r4.3)
    Archlinux upgrade (via GUI or CLI updater) did not clean the unused packages. This is fixed.

  • mgmt-salt-dom0-qvm v4.3.2 (r4.3)
    Salt support for the new devices API. You will be able to write Salt formulas, for example, to automatically attach port_id:* to a specific qube.

  • linux-kernel v6.6.75-1 v6.6.77-1 (r4.2 & r4.3)
    It appears that v6.6.77 reverts some of the changes in the previous version, mostly related to build failures (no boot problem issues).

  • intel-microcode v20250211 (r4.3)
    . The new Intel Microcode covers five security issues. Some details here.
    . Sadly Intel does not provide security patches for older CPUs used in the (currently certified) Thinkpad x230/t430 machines anymore.

  • linux-firmware v20250211-1 (r4.2 & r4.3)
    A few firmware updates. One might be related to a Qualcomm Bluetooth chip used in Lenovo X13 laptops.

Epilogue

Certification status of Thinkpad x230/t430 will be downgraded because of lack of security patches from Intel. Some details here. If you heavily depend on Qubes OS because of security concerns and you are currently using one of those old machines, it is time to consider an upgrade. I am personally using an HP EliteBook G1 from the same era (with hyper-threading enabled for some desperately needed performance); however, I am using it as a development machine.

17 Likes

Thank you very much for this summary, it is really great, especially to see you continue working on it.

4 Likes

Due to the Lenovo ThinkPad X230/T430 certificates being revoked, this meme I created two months ago is now obsolete as well.

5 Likes

Wait, why would this make your meme obsolete? The recommended system requirements have not changed since this meme was posted.

1 Like

Does this include the T430s as well?

1 Like

It is equipped with 3rd generation Intel CPUs, so the answer is most probably yes. I would like to emphasize that it is not the case that those laptops will be de-certified; their certification might be downgraded. I share the original issue once more:

P.S.: It should also be noted that even with no microcode updates, those laptops with Qubes OS are pretty decent, secure machines for many use cases.

2 Likes

I interpret Qubes-certified hardware as recommendations by the Qubes OS team, so revoking a certificate means they no longer recommend the aforementioned Lenovo ThinkPad models.

1 Like

I still don’t understand why that would make the meme obsolete. If anything, it seems like the opposite.

2 Likes

Also, and this should be stressed, in some cases, these older processors
may not have the features that give rise to security issues, so the
absence of microcode updates is not relevant.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

3 Likes

The meme highlighted the fact that the Qubes OS team recommended Qubes-certified laptops even though they did not receive microcode updates and thus contradicted the documentation for system hardware requirements. The certificates are being called into question via discussion, with the current suggestion by @marmarek being a separate section for previously certified hardware as a form of certificate downgrade, so there are a few ways this issue can resolve at this point in time:

  1. Recommend the Qubes-certified laptops lacking microcode updates as usual, except with an additional disclaimer/note indicating the lack of microcode updates/security assurance for eligible product models.
  2. Change the certification process for Qubes OS 5 and beyond to exclude any Qubes-certified hardware without microcode updates.

I’m not sure there is any transparency about what the microcode actually fixes. There may be a ton of other vulnerabilities that are fixed that we are not aware of.

2 Likes

Ah, I understand your reasoning now, but it’s worth noting that the microcode part was only added to the system requirements on 2024-09-02, whereas the first X230 was certified on 2019-07-18, over five years earlier.

1 Like