Security problem? Nitro-PC microcode-updates

I'm not sure whether this is the right category to post or not. But I'll try.

The following post is related to this link:

and therein to the section where no help can be offered to a part of Intel CPU users because the tool issued a “no” in both items under “sudo cpu-microcode-info” despite the patch.

Unfortunately, this is the case with one of my computers.

Therefore I looked for an alternative at a company that offers special and especially secure PCs for Qubes. But the CPU installed in the computer there belongs to the same series as the one I have in the said computer.

I wrote to the company and made them aware of this problem and they replied that the update was up to date and that the appropriate microcodes were installed.

How can this be, when according to Qubes-081 there can be no remedy despite the update?

Thanks for opinions.

This post gives a good explanation of the issue.

Thanks for the link, I have read it and conclude that it is a very hard way to find the right and at least half way safe Qubes PC.

What just makes me wonder is that a company like nitrokey, which supplies very good products, says it has updates for the corresponding CPU, but that this according to sudo-cpu-microcode-info does not lead to any success in eliminating the problem.

cpu-microcode-info only tells me which version of the microcode I have installed.

lscpu will tell you which known vulnerabilities your CPU has and how/if they are being mitigated.


Yes, you are right, but reading through the text at the following link, if you get “no” twice when typing “sudo-info-cpu”, then there is no help for fixing the vulnerability…:

I have done some tests with my PC and there are some inconsistencies.

On the one hand, “sudo-cpu-microcode-info” gives “no” for everything according to the mentioned link. So there is no workaround with that.
This coincides with the fact that there is no corresponding microcode listed under /lib/firmware/intel-ucode, despite the latest Qubes 4.1.1 version. There is also no matching microcode on the matching Intel page:

On the other hand: If I run lscpu, it outputs (among other things) “not affected” for “Vulnerability Mmio Stale Data”, although according to XSA-404 all Intel CPUs should be affected.

How does all this fit together?

Since the Nitro PC processor also belongs to the same CPU family as mine, the question is whether it can be the same here.

Linux kernel is clearer on your question
https://docs.kernel.org/admin-guide/hw-vuln/processor_mmio_stale_data.html

First. Nitrokey doesn't make CPUs nor chipsets. It is important to know what it is. For x230/t430/w530/t530 we are talking about ivy bridge.

And those are not vulnerable. When looking at Intel, they provide information for non EOL products nor microcode updates for them, which is confusing but doesn’t help understanding the issue.

I would invite you to reply and quote parts on referred article to clarify pieces needing more information.

Thanks for answering. Please look at those links:

Please scroll down and you'll find information about the cpu used in this machine.

Processor: Intel Core i7-10510U, 10th generation

I think it's not Ivy Bridge, but Comet Lake. Please look also at this link to verify this information:

And further the Intel-Link which I've posted above.

Sorry I thought that you were talking about the Nitropad, my bad (which is why I answered because I checked for x230 which is what the NitroPad is).

sudo cpu-microcode-info on dom0 will tell you if microcode is available/installed.
Providing the output here would permit others to jump in as well.

I would advise to ask Nitrokey to come here and reply to all so that they do not have to reply to each individual question going their way.

The same advice as in my other post will also share the same light on what mitigations are applied from Xen and kernel for your CPU:

Where

Was right on point and permits you to get to kernel report on the current vuls/mitigations applied.
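The two points raised in this thread, that cpu-microcode-info only reports the loaded microcode revision while lscpu reports the kernel's per-vulnerability verdicts (the "Mitigation", "Vulnerable" and "Not affected" lines that come from /sys/devices/system/cpu/vulnerabilities), can be checked with a small script. The following is an added example written for this thread, not a tool from Qubes, Nitrokey or the kernel project: it classifies each lscpu-style vulnerability line, reads the live sysfs interface when it exists and otherwise falls back to a constructed sample, and pulls the microcode revision out of /proc/cpuinfo-style text. The sample lines and their values are constructed for illustration and do not describe any particular CPU.

```shell
#!/bin/sh
# Added example: summarise kernel vulnerability verdicts (what lscpu shows)
# and the loaded microcode revision. Not part of the original thread.

# Classify one "Vulnerability <name>: <status>" line into one of:
# not_affected, mitigated, vulnerable, unknown.
classify_vuln() {
    # Drop everything up to the first colon; vulnerability names contain none.
    status=$(printf '%s' "$1" | sed 's/^[^:]*:[[:space:]]*//')
    case "$status" in
        "Not affected"*) echo not_affected ;;
        Mitigation*)     echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Constructed sample modelled on lscpu output; values are illustrative only.
sample_vuln_lines() {
    cat <<'EOF'
Vulnerability Mmio stale data: Not affected
Vulnerability Spectre v2: Mitigation; Enhanced IBRS, IBPB: conditional, RSB filling
Vulnerability Srbds: Vulnerable: No microcode
Vulnerability Tsx async abort: Not affected
EOF
}

# Emit live sysfs verdicts in lscpu format when available, else the sample.
vuln_lines() {
    dir=/sys/devices/system/cpu/vulnerabilities
    if [ -d "$dir" ]; then
        for f in "$dir"/*; do
            printf 'Vulnerability %s: %s\n' "$(basename "$f")" "$(cat "$f")"
        done
    else
        sample_vuln_lines
    fi
}

# Count verdicts from stdin; prints one summary line.
summarise() {
    na=0; mi=0; vu=0; un=0
    while IFS= read -r line; do
        case "$(classify_vuln "$line")" in
            not_affected) na=$((na+1)) ;;
            mitigated)    mi=$((mi+1)) ;;
            vulnerable)   vu=$((vu+1)) ;;
            *)            un=$((un+1)) ;;
        esac
    done
    printf 'not_affected=%d mitigated=%d vulnerable=%d unknown=%d\n' \
        "$na" "$mi" "$vu" "$un"
}

# Extract the loaded microcode revision from /proc/cpuinfo-style text on stdin.
microcode_rev() {
    sed -n 's/^microcode[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Human-readable report: every line with its verdict, then totals and revision.
report() {
    vuln_lines | while IFS= read -r line; do
        printf '%-14s %s\n' "[$(classify_vuln "$line")]" "$line"
    done
    vuln_lines | summarise
    if [ -r /proc/cpuinfo ]; then
        printf 'microcode revision: %s\n' "$(microcode_rev < /proc/cpuinfo)"
    else
        printf 'microcode revision: (no /proc/cpuinfo on this system)\n'
    fi
}

report
```

A "Vulnerable" verdict whose text ends in "No microcode" is the kernel saying that the mitigation needs a microcode update it did not find; a "Not affected" verdict means the kernel's CPU model table excludes that part, which is a separate question from whether a newer microcode file exists for it.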

Thanks for answering again.

As I had written above, the company had answered me the same. After running sudo cpu-microcode-info I had received a “no” result for both 20220510 update available and update installed in all cases.

I will go through the kernel report again in detail.