[qubes-users] Are known cpu bugs a risk as long as I work with Qubes OS?

Thank you, Sven, for your answer to the topic of qubes-hcl-report. I have one additional question.

If I type "cat /proc/cpuinfo" in a console, I get output in which one line is called "bugs". It looks like my CPU has a lot of bugs: null_seg, cpu_meltdown, spectre_v1, spectre_v2, spec_store_bypass, l1tf, mds, swapgs, itlb_multihit, srbds.

The manufacturer of my computer offers a BIOS and microcode update to fix these bugs. It is an .exe file for Windows: https://www.dell.com/support/home/de-ch/drivers/driversdetails?driverid=5m70h&oscode=wt32a&productcode=optiplex-7010

Okay, let's say we can trust Intel and the computer manufacturer. But is it really necessary to install the update as long as I work with Qubes OS?

Kind regards,
Rainer

Hi Rainer, you wrote:

Okay, let's say we can trust Intel and the computer manufacturer.
But is it really necessary to install the update as long as I work
with Qubes OS?

I answer so you know I am not ignoring you. The fact is that I am not qualified to answer this question. I hope someone like unman will come and address it.

/Sven

Rainer Neumann:

Thank you, Sven, for your answer to the topic of qubes-hcl-report. I have one additional question.

If I type "cat /proc/cpuinfo" in a console, I get output in which one line is called "bugs". It looks like my CPU has a lot of bugs: null_seg, cpu_meltdown, spectre_v1, spectre_v2, spec_store_bypass, l1tf, mds, swapgs, itlb_multihit, srbds.

The manufacturer of my computer offers a BIOS and microcode update to fix these bugs. It is an .exe file for Windows: https://www.dell.com/support/home/de-ch/drivers/driversdetails?driverid=5m70h&oscode=wt32a&productcode=optiplex-7010

Okay, let's say we can trust Intel and the computer manufacturer. But is it really necessary to install the update as long as I work with Qubes OS?

Not necessary, I suppose, since Xen runs a (temporary) microcode update when it boots, but it would not be a bad idea to update the BIOS anyway, in case some bug breaks the microcode patching on boot, or in case you someday boot some other OS that does not include this step on boot.

Have a look at this:

Specifically:

"Dump the flags which denote we have detected and/or have applied bug workarounds to the CPU we're executing on, in a similar manner to the feature flags."

In other words, according to the commit that added it, the "bugs" section doesn't tell you whether your CPU is vulnerable to the things in the list. Maybe a mitigation has already been applied. Maybe it has merely been detected and nothing has been done about it. We have no way to tell just from this section. You would have to do further investigation into each of these in order to try to determine whether your CPU is currently vulnerable.

Here's a discussion about doing that:

It specifically mentions checking in:

/sys/devices/system/cpu/vulnerabilities/

However, Qubes is different from a standard Linux OS, and we often take our own special steps to address security problems, so there may be additional mitigations on top of whatever is mentioned here. In addition, the unique architecture of Qubes makes certain classes of security vulnerabilities inapplicable, so it will probably depend on the specific nature of that particular bug.
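As an added example (not code from the thread or from the Qubes project), the following POSIX shell script turns the two sources discussed above into one readable report: the "bugs" and "microcode" fields of /proc/cpuinfo, which only say what was detected and which microcode revision is loaded, and the per-vulnerability files under /sys/devices/system/cpu/vulnerabilities/, which say whether the kernel considers each one "Not affected", mitigated, or still "Vulnerable". The directory path and the fixture values written by `make_fixture` are assumptions for the example; on a real machine you would point `report_vulns` at the real sysfs directory. In Qubes the place to run it is dom0, whose view reflects the microcode Xen loaded at boot; inside an AppVM the same files describe only what that guest kernel sees, which may differ.

```shell
#!/bin/sh
# Added example, not part of the thread: summarise CPU bug status from
# /proc/cpuinfo and /sys/devices/system/cpu/vulnerabilities/.
# Usage on a real host:
#   . ./cpu_bugs.sh; report_vulns /sys/devices/system/cpu/vulnerabilities
#   cpuinfo_field /proc/cpuinfo bugs; cpuinfo_field /proc/cpuinfo microcode

# classify STATUS_LINE -> vulnerable | mitigated | not_affected | unknown
# (prefixes as written by the Linux kernel's sysfs vulnerability files)
classify() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_vulns DIR: one line per file: name<TAB>class<TAB>raw kernel status
report_vulns() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        printf '%s\t%s\t%s\n' "$name" "$(classify "$status")" "$status"
    done
}

# count_vulnerable DIR: how many entries the kernel still reports as Vulnerable
# (the number an admin cares about before deciding on a BIOS/microcode update)
count_vulnerable() {
    report_vulns "$1" | awk -F'\t' '$2 == "vulnerable"' | wc -l | tr -d ' '
}

# cpuinfo_field FILE KEY: value of the first "KEY : value" line in a
# /proc/cpuinfo-style file, e.g. KEY=bugs or KEY=microcode
cpuinfo_field() {
    awk -F': ' -v key="$2" '$1 ~ "^" key "[ \t]*$" { print $2; exit }' "$1"
}

# make_fixture DIR: constructed sample sysfs tree so the script runs offline.
# The values are invented for this example, not taken from any real machine.
make_fixture() {
    d="$1"
    mkdir -p "$d"
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spec_store_bypass"
    printf 'Not affected\n' > "$d/itlb_multihit"
    printf 'Vulnerable: No microcode\n' > "$d/srbds"
}
```

The "Vulnerable: No microcode" form is how the kernel reports a bug whose mitigation needs a microcode revision the CPU does not have loaded, which is exactly the case a firmware update (or Xen's boot-time microcode load) changes; a "bugs" flag in /proc/cpuinfo alone cannot tell you which of the three classes applies.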