Dear Qubes Community,

We have updated Qubes Security Bulletin (QSB) #40: Information leaks due to processor speculative store bypass (XSA-263). The text of the main changes are reproduced below. For the full text, please see the complete QSB in the qubes-secpack:

View QSB #40 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-040-2018.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:

https://www.qubes-os.org/security/pack/

View all past QSBs:

https://www.qubes-os.org/security/qsb/

View XSA-263 in the XSA Tracker:

https://www.qubes-os.org/security/xsa/#263

Changelog
==========

2018-05-24: Original QSB published
2018-06-11: Updated and clarified Patching section

Patching
=========

The mitigation for this issue is called called "Speculative Store Bypass
Disable" (SSBD). For Intel processors, SSBD requires both a software
update and a CPU microcode update. For AMD processors, a software update
alone is sufficient; no microcode update is necessary. The packages
described below provide the necessary software updates for SSBD. On
2018-05-23, Intel Corporation announced that microcode updates would be
available soon [3]:

| Variant 3a is mitigated in the same processor microcode updates as
| Variant 4, and Intel has released these updates in beta form to OEM
| system manufacturers and system software vendors. They are being
| readied for production release, and will be delivered to consumers
| and IT Professionals in the coming weeks.

However, as of 2018-06-11, we are not aware of any available microcode
updates that address this issue for Intel processors. This bulletin will
be updated once the Intel microcode updates are available.

There are several important things to note about SSBD:

1. On both Intel and AMD processors, SSBD is globally disabled by
   default. If the user wishes to enable SSBD globally, the user must do
   so manually with the Xen boot option `spec-ctrl=ssbd=true`. However,
   enabling this option carries a performance penalty.

2. We concur with the analysis in XSA-263 that this vulnerability
   presents minimal risk to Xen itself and minimal risk of inter-guest
   attacks. Therefore, we believe that proper compartmentalization is
   sufficient for Qubes users to mitigate this issue without having to
   enable SSBD globally.

3. For Intel (but not AMD) processors, SSBD can be enabled locally by
   Xen guests without the user having to manually enable it globally.

4. For AMD (but not Intel) processors, SSBD cannot be enabled locally by
   Xen guests. The user must manually enable it globally for it to have
   any effect at all.

5. The guest kernel determines whether SSBD is automatically enabled for
   guests on systems with Intel processors.  As of 2018-06-11, the
   kernels we currently offer in our repositories do not enable SSBD.