That sums it up.
master ← tlaurion:boards_and_tester-QSB-107-add_cpu_gen_and_big_fat_warning_for_8th_gen_and_older
opened 07:46PM - 21 May 25 UTC
Proposition to fix #1975
EDIT:
- not all 8th gen CPUs are the same. [qubes-… public matrix channel post](https://matrix.to/#/!WtRrlYUTHOQjqGcSnn:invisiblethingslab.com/$BYrC39tttLRlZU7wzbeGT_cJZzsVVybRv2F0cCR_QFI?via=invisiblethingslab.com&via=matrix.org&via=nitro.chat):
>
> - **SOME** Intel 8th Gen CPUs are supposed to have received microcode updates and ARE NOT considered vulnerable to qsb-107 AFAIK:
>   - t480/t480s is 8th gen Kaby Lake Refresh : Intel Core i7-8650U (ESU ended 12/31/2024)
>   - Dell Latitude 7242 Rugged Extreme is 8th gen CPU Kaby Lake : i5-8350U (ESU ended 12/31/2024)
>   - Librem mini v1 is 8th gen : Whiskey Lake Intel Core i7-8565U (ESU ends 03/31/2026)
> - Intel 7th Gen CPUs ARE VULNERABLE and won't receive microcode updates
> - RETPOLINE WAS NOT sufficient to prevent the Spectre v2 variant
>
---
As of today (2025/05/26):
- coreboot upstream updated their 3rdparty/intel-microcode git module ref to [202505](https://review.coreboot.org/c/coreboot/+/87817).
- This means that the 202505 microcode update is not applied by the firmware under any firmware produced by CircleCI today
- Proper QSB-107 mitigations might or might not be applied by the OS (Read: Only an operating system that included this microcode update properly in their initramfs image at early boot (LiveOS beware) will update the CPU microcode to properly mitigate QSB-107 related CVEs).
Intel 7th generation and below are vulnerable to QSB-107, with a few exceptions for Intel 8th generation listed in the GitHub pull request. Depending on your threat model, you may need to decide whether it is acceptable to be vulnerable to QSB-107 or not against your adversaries.
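An added example, not part of the original post or the pull request: one way to check whether an OS's early-boot image carries a newer Intel microcode revision for your CPU than the one currently loaded. It assumes you have already extracted `kernel/x86/microcode/GenuineIntel.bin` from the initramfs and read the running revision from the `microcode` field of `/proc/cpuinfo`; the function names are hypothetical and the sample blob is constructed, not real microcode.

```python
import struct

HDR = struct.Struct("<9I12x")  # 48-byte Intel microcode update header

def cpu_signature(family, model, stepping):
    """CPUID(1).EAX rebuilt from the family/model/stepping in /proc/cpuinfo."""
    ext_family = family - 0xF if family >= 0xF else 0
    sig = (ext_family << 20) | ((model >> 4) << 16)
    return sig | (min(family, 0xF) << 8) | ((model & 0xF) << 4) | stepping

def parse_updates(blob):
    """Yield (signature, platform_flags, revision, 'YYYY-MM-DD') per update."""
    off = 0
    while off < len(blob):
        if off + HDR.size > len(blob):
            raise ValueError(f"truncated header at offset {off}")
        hdrver, rev, date, sig, _ck, _ldr, pf, _dsz, total = HDR.unpack_from(blob, off)
        total = total or 2048  # 0 means the legacy fixed 2048-byte update
        if hdrver != 1 or total < HDR.size or off + total > len(blob):
            raise ValueError(f"malformed update at offset {off}")
        # The date field is BCD, laid out as 0xMMDDYYYY.
        ymd = f"{date & 0xFFFF:04x}-{date >> 24:02x}-{(date >> 16) & 0xFF:02x}"
        yield sig, pf, rev, ymd
        off += total

def early_update_status(blob, family, model, stepping, running_rev):
    """Compare the image's best revision for this CPU with the loaded one.
    Simplification: platform flags and extended signature tables are ignored."""
    sig = cpu_signature(family, model, stepping)
    revs = [rev for s, _pf, rev, _d in parse_updates(blob) if s == sig]
    if not revs:
        return "no update for this CPU in the image"
    return "image is newer" if max(revs) > running_rev else "image is not newer"

def _make_update(sig, rev, date, payload=2000):
    """Build a constructed update: valid header, zeroed payload."""
    return HDR.pack(1, rev, date, sig, 0, 1, 0xC0, payload, HDR.size + payload) + bytes(payload)

# Constructed sample, not real microcode: revisions and dates are made up.
# 0x806EA is family 6, model 142, stepping 10.
SAMPLE = _make_update(0x806EA, 0x101, 0x05122025) + _make_update(0x806EC, 0x200, 0x05122025)

if __name__ == "__main__":
    for entry in parse_updates(SAMPLE):
        print("sig=%#x pf=%#x rev=%#x date=%s" % entry)
    print(early_update_status(SAMPLE, 6, 142, 10, running_rev=0x100))
```

A result of "image is not newer" means the OS image would not raise the revision the CPU is already running, so any mitigation depends on what the firmware applied.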