After total system failure, found that the VM sigkil-at-will still can happen even after a fresh install.
Thought there was a difference between kernel latest
and stable
. There is not. Same vuln.
Attacker has always been able to eventually disable Qubes Updater mechanism for the past several years. Qubes have to be individually updated and salt is bypassed (but repos aren’t onionized by default anyway). Doesn’t matter, though, because then the attacker just sigkills if individual update is attempted.
Now it looks like systemd
won’t boot. Tried rescue.
dbus-broker.service
qubesd.service