We have just published Qubes Security Bulletin (QSB) 076: Intel microcode updates. The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB-076 in the qubes-secpack:
In addition, you may wish to:
- Get the qubes-secpack: https://www.qubes-os.org/security/pack/
- View all past QSBs: https://www.qubes-os.org/security/qsb/
- View the XSA Tracker: https://www.qubes-os.org/security/xsa/
---===[ Qubes Security Bulletin 076 ]===---

2022-02-11

Intel microcode updates


User action required
---------------------

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.0, in dom0:
  - microcode_ctl package, version 2.1-34.qubes1

  For Qubes 4.1, in dom0:
  - microcode_ctl package, version 2.1-34.qubes1

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. Once available, the packages are to be installed via
the Qubes Update tool or its command-line equivalents.

Dom0 must be restarted afterward in order for the updates to take
effect.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR19 will change due to the new
microcode in the initramfs.


Summary
--------

On 2022-02-08, Intel published microcode updates for some of their CPUs
that fix security issues. INTEL-SA-00561 (CVE-2021-0145) affects Qubes
installations on hardware with affected CPU models. Red Hat provides a
good overview:

| A flaw was found in microcode. Fast store forwarding prediction in one
| domain could be controlled by software previously executed in another
| domain. Such control helps a malicious program running in user mode
| (or guest VM) to trigger transient execution gadgets in supervisor
| mode (or VMM), potentially leading to sensitive data disclosure.

There is also a separate vulnerability -- INTEL-SA-00589
(CVE-2021-33120) -- that seems to affect mainly low-power architecture
CPUs, e.g., Atom. However, due to the sparse description of the issue,
we cannot judge whether it affects Qubes OS.


Impact
-------

INTEL-SA-00561 (CVE-2021-0145) is another CPU vulnerability related to
speculative execution (also called transient execution). If successfully
exploited, it could allow an attacker to read information across
security boundaries. In this case, the successful exploitation could
allow an attacker-controlled VM to read information that should be
accessible only to the hypervisor. This affects at least 10th generation
mobile and 11th generation mobile and desktop Intel Core CPUs. For a
full list of affected CPU models, see Intel's table or Red Hat's
summary.


Credits
--------

See the original security advisories. Additional thanks to Red Hat for
their helpful overview of the microcode updates.


References
-----------

https://www.qubes-os.org/doc/testing/
https://www.qubes-os.org/doc/how-to-update/
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/main/releasenote.md#microcode-2022027
https://www.intel.com/content/www/us/en/security-center/default.html
https://access.redhat.com/articles/6716541
https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00561.html
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/fast-store-forwarding-predictor.html
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00589.html

--
The Qubes Security Team
https://www.qubes-os.org/security/
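
One way to check a dom0 against the "User action required" steps above, as an added example that is not part of the bulletin or of Qubes tooling. The function names are hypothetical; it assumes rpm reports the package as VERSION-RELEASE in the form the bulletin uses, and it treats "booted after the package was installed" as a heuristic for the required restart.

```shell
#!/bin/sh
# Added example: compare dom0 state with the QSB-076 required actions.
REQUIRED="2.1-34.qubes1"   # fixed microcode_ctl version named in the bulletin

# version_ok INSTALLED: succeed if INSTALLED is at least REQUIRED.
# Assumption: GNU `sort -V` ordering is close enough to RPM's own
# comparison for version strings of this shape.
version_ok() {
    [ "$1" = "$REQUIRED" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$REQUIRED" | sort -V | head -n 1)
    [ "$lowest" = "$REQUIRED" ]
}

# rebooted_since INSTALL_EPOCH BOOT_EPOCH: succeed if the boot is newer
# than the package install (heuristic for "dom0 was restarted afterward").
rebooted_since() {
    [ "$2" -gt "$1" ]
}

# qsb076_status INSTALLED INSTALL_EPOCH BOOT_EPOCH: print a one-word verdict.
qsb076_status() {
    if ! version_ok "$1"; then
        echo "update-needed"
    elif ! rebooted_since "$2" "$3"; then
        echo "reboot-needed"
    else
        echo "ok"
    fi
}

# Live check, meant to be run in dom0 where rpm knows the package.
qsb076_check_dom0() {
    rpm -q microcode_ctl >/dev/null 2>&1 || { echo "not-installed"; return 1; }
    ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}' microcode_ctl)
    inst=$(rpm -q --qf '%{INSTALLTIME}' microcode_ctl)
    boot=$(awk '$1 == "btime" { print $2 }' /proc/stat)
    qsb076_status "$ver" "$inst" "$boot"
}

# Run the live check only when asked: sh qsb076-check.sh --check
if [ "${1:-}" = "--check" ]; then
    qsb076_check_dom0
fi
```

An "ok" verdict does not cover the Anti Evil Maid step: the secret still has to be resealed after the restart because PCR19 changes.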