QSB-107 changes the picture: QSB-107: Multiple CPU branch prediction
vulnerabilities - #2 by Insurgo
Thank you for bringing awareness to this!
Here
and especially QSB-107 - Multiple CPU branch prediction vulnerabilities - WILL AFFECT < 8th gen CPU forever · Issue #1975 · linuxboot/heads · GitHub
Disturbed, though not surprised to read, your observations:
“Actually, Speculation vulnerabilities discovered in 2017-up to
recently deployed CPU based microcode mitigations never really
preventing some speculation attacks (even though we thought
they did… until it was discovered they didn’t, again, recently)”
…
“situation is different now since new research confirms that if
things are aligned differently, previous speculation mitigation
can be bypassed altogether.”
…
“it is becoming difficult to defend platforms against users who
most probably do not have the proper opsec to not run qubes that
are unsafe (disposable qubes) in parallel of qubes that are meant
to protect secrets (vault)…”
Wish I had constructive comments for those who want, as you word
it, “a plug-and-pray security experience”.
To your documentation question on github:
FWIW IMO Heads doc section: Binary blobs, microcode updates and
transient execution vulnerabilities
is very good though it (and/or qubes docs) might benefit from
info of what “proper” opsec can and cannot actually mitigate.
Just my 2 cents.
P.S. As of this post Certified hardware | Qubes OS
lists T430 and X230.