{{Header}}
{{#seo:
|description=Spectre/Meltdown security vulnerability caused by flaws in processors and how to patch them
}}
{{intro|
Spectre/Meltdown security vulnerability caused by flaws in processors and how to patch them
}}
[[systemcheck|systemcheck]] might have referred you to this page.

Note:

* systemcheck is a diagnostic tool which automates showing the diagnostic output of other diagnostic tools.
* {{project_name_long}} is not the cause of the issue. Don't kill the messenger.
* Spectre/Meltdown is a security vulnerability caused by flaws in the hardware, specifically in CPUs (processors).
* This page explains the state of affairs on how to protect from this security vulnerability.

= Introduction =

{{quotation
|quote=A CPU is not just a dumb piece of hardware that can do basic calculations at high speed. Modern CPU from Intel / AMD have many "software alike" features built-in. To name a few of a plethora of examples:
|context=[[Open-source_Hardware#Open_Source_BIOS_and_Firmware_Security_Impact|Open Source BIOS and Firmware Security Impact]]
}}

Security issues have been discovered in CPUs.

One recent example of a firmware vulnerability is the processor microcode update for modern chips to address [https://security-tracker.debian.org/tracker/CVE-2018-3620 speculative] [https://security-tracker.debian.org/tracker/CVE-2018-3646 execution flaws]. <ref>
https://www.debian.org/security/2018/dsa-4279
</ref>

= Platform Specific =
{{Tab
|type=controller
|content=
{{Tab
|title= == Host Operating System ==
|image=[[File:Gnu_operating_system.png|25px]]
|addToClass=info-box
|active=true
|content=
If {{project_name_long}} is run as a host operating system, then no further user action is required. This is because microcode packages are already installed by default and [[security-misc]] sets hardened kernel settings enabling all available mitigations.
}} <!-- close tab: Host Operating System -->

{{Tab
|title= == VirtualBox ==
|image=[[File:Logo-virtualbox.png|25px]]
|addToClass=info-box
|content=
There is no solution for [[VirtualBox]] yet. The bug has been reported to the VirtualBox developers. See [https://www.virtualbox.org/ticket/17987 this] and [https://www.virtualbox.org/ticket/18477 this] ticket. <ref>
https://security.stackexchange.com/questions/211265/virtualbox-spectre-v4
</ref> The {{project_name_short}} developers depend on the VirtualBox developers for fixing this VirtualBox issue. Nevertheless:

* Apply [[#Processor Microcode Updates|Processor Microcode Updates]] on your host operating system. (Not required if using {{project_name_short}} as host operating system, because already done by default.)
* Consider the following experimental instructions.
<div class="toccolours mw-collapsible mw-collapsed">
Testers only! For more information please press on expand on the right.
<div class="mw-collapsible-content">
These [https://forums.whonix.org/t/whonix-vulerable-due-to-missing-processor-microcode-packages/5739/22 experimental] Spectre/Meltdown defenses are related to issues outlined in [[Firmware Security and Updates]]. Due to the huge performance penalty and unclear security benefits of applying these changes, it may not be worth the effort. The reason is VirtualBox is still likely vulnerable, even after:

# A [[Firmware_Security_and_Updates#Processor_Microcode_Updates|host microcode upgrade]].
# A host kernel upgrade.
# A VM kernel upgrade.
# A "not vulnerable" result from [[Firmware_Security_and_Updates#spectre-meltdown-checker|spectre-meltdown-checker]] run on the host.
# Installation of the latest VirtualBox version. <ref>
VirtualBox version <code>5.2.18</code> or above is required since only that version comes with Spectre/Meltdown defenses. See https://forums.whonix.org/t/whonix-vulerable-due-to-missing-processor-microcode-packages/5739/22.
</ref>
# All Spectre/Meltdown-related VirtualBox settings are tuned for better security as documented below.

To learn more, see: [https://www.virtualbox.org/ticket/17987 VirtualBox 5.2.18 vulnerable to spectre/meltdown despite microcode being installed] and the associated [https://forums.virtualbox.org/viewtopic.php?f=7&t=89395 VirtualBox forum discussion]. <ref>
Also see the following forum discussion: [https://forums.whonix.org/t/whonix-vulerable-due-to-missing-processor-microcode-packages-spectre-meltdown-retpoline-l1-terminal-fault-l1tf/5739 vulerable due to missing processor microcode packages? spectre / meltdown / retpoline / L1 Terminal Fault (L1TF)]
</ref> Users must patiently wait for VirtualBox developers to fix this bug.

On the host. <ref>
<blockquote>
--ibpb-on-vm-[enter|exit] on|off: Enables flushing of the indirect branch prediction buffers on every VM enter or exit respectively. This could be enabled by users overly worried about possible spectre attacks by the VM. Please note that these options may have severe impact on performance.
<br />
https://www.virtualbox.org/manual/ch08.html
</blockquote>

There is a mistake in the VirtualBox manual stating <code>enter</code> which does not work. It is actually <code>entry</code>.
</ref> <ref>
https://www.virtualbox.org/manual/ch08.html
<blockquote>
--l1d-flush-on-vm-enter on|off: Enables flushing of the level 1 data cache on VM enter. See Section 13.4.1, “CVE-2018-3646”.
</blockquote>
</ref> <ref>
<blockquote>
--l1d-flush-on-sched on|off: Enables flushing of the level 1 data cache on scheduling EMT for guest execution. See Section 13.4.1, [https://www.virtualbox.org/manual/ch13.html#sec-rec-cve-2018-3646 “CVE-2018-3646”].
<br />
https://www.virtualbox.org/manual/ch08.html
</blockquote>
</ref> <ref>
https://www.virtualbox.org/manual/ch13.html#sec-rec-cve-2018-3646
<blockquote>
For users not concerned by this security issue, the default mitigation can be disabled using<br />
<br />
{{CodeSelect|code=
VBoxManage modifyvm name --l1d-flush-on-sched off
}}
</blockquote>
Since we want to enable the security feature we set <code>--l1d-flush-on-sched on</code>.
</ref> <ref>
<blockquote>
--spec-ctrl on|off: This setting enables/disables exposing speculation control interfaces to the guest, provided they are available on the host. Depending on the host CPU and workload, enabling speculation control may significantly reduce performance.
<br />
https://www.virtualbox.org/manual/ch08.html
</blockquote>
</ref> <ref>
According to this [https://www.virtualbox.org/ticket/17987 VirtualBox ticket] <code>--spec-ctrl</code> should be set to <code>on</code>.
</ref> <ref>
<blockquote>
--nestedpaging on|off: If hardware virtualization is enabled, this additional setting enables or disables the use of the nested paging feature in the processor of your host system; see Section 10.7, “Nested paging and VPIDs” and Section 13.4.1, “CVE-2018-3646”.
</blockquote>
</ref>

{{CodeSelect|code=
VBoxManage modifyvm "{{project_name_gateway_short}}" --ibpb-on-vm-entry on
VBoxManage modifyvm "{{project_name_gateway_short}}" --ibpb-on-vm-exit on
VBoxManage modifyvm "{{project_name_gateway_short}}" --l1d-flush-on-vm-entry on
VBoxManage modifyvm "{{project_name_gateway_short}}" --l1d-flush-on-sched on
VBoxManage modifyvm "{{project_name_gateway_short}}" --spec-ctrl on
VBoxManage modifyvm "{{project_name_gateway_short}}" --nestedpaging off
VBoxManage modifyvm "{{project_name_gateway_short}}" --mds-clear-on-vm-entry on
VBoxManage modifyvm "{{project_name_gateway_short}}" --mds-clear-on-sched on
}}

{{mbox
| type    = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = These steps must be repeated for every VirtualBox VM, including [[Multiple_{{project_name_workstation_short}}|multiple]] and custom VMs.
}}
The above instructions only apply to the default VM names {{project_name_gateway_long}} and {{project_name_workstation_long}}. Therefore, if [[Multiple {{project_name_workstation_short}}|Multiple {{project_name_workstation_long}}s]] and/or [[Multiple_{{project_name_workstation_short}}#Multiple_{{project_name_gateway_short}}|Multiple {{project_name_gateway_long}}s]] are configured, then repeat these instructions using the relevant name/s.
</div>
</div>
* Check back later for updated instructions. [[Stay Tuned]].

}} <!-- close tab: VirtualBox -->

{{Tab
|title= == KVM ==
|image=[[File:Logo-kvm.png|25px]]
|addToClass=info-box
|content=
'''1.''' Processor Microcode Updates.

Apply [[#Processor Microcode Updates|Processor Microcode Updates]] on your host operating system. (Not required if using {{project_name_short}} as host operating system, because already done by default.)

The updated mitigative host CPU instructions are passed through by default.

'''2.''' Done.

No further action is needed.
}} <!-- close tab: KVM -->

{{Tab
|title= = Qubes =
|image=[[File:Logo-qubes.png|25px]]
|addToClass=info-box
|content=
If Qubes is run as a host operating system, then no further user action is required. This is because microcode packages are already installed by default by Qubes. This is [[Unspecific|unspecific to {{project_name_short}}]]. Therefore, for additional information, check with upstream Qubes directly as per [[Self Support First Policy]].

Documentation previously stated, see footnote. <ref>
After [https://www.qubes-os.org/doc/how-to-install-software-in-dom0/ getting all dom0 host upgrades] and reboot this should be OK.

{{Qubes_upgrade_dom0}}

'''4.''' Reboot.

{{CodeSelect|code=
reboot
}}
</ref>
}} <!-- close tab: Qubes -->
}} <!-- close Controller: Everything -->

= Processor Microcode Updates =
Processor microcode is unfortunately non-freedom software, therefore only available in the Debian <code>nonfree</code> repository. <ref>
Relevant Debian packages for processor microcode: [https://packages.debian.org/{{Stable_project_version_based_on_Debian_codename}}/intel-microcode Intel] and [https://packages.debian.org/{{Stable_project_version_based_on_Debian_codename}}/amd64-microcode amd64].
</ref> <ref>
Installing these updates by default would require the Debian nonfree repository, and logically also make {{project_name_short}} images nonfree.
</ref> {{project_name_short}} recommends to [[Avoid_nonfreedom_software|avoid non-freedom software]] but in this case idealism would result in insecurity.

It is unnecessary to apply these updates in standard guest VMs, as they do not have the ability to alter the microcode. However, processor microcode updates <u>should</u> always be applied <u>on the host operating system</u> (for processors by Intel or AMD) <ref>
ARM is less affected than Intel architecture.
</ref> <ref>
See: https://forums.whonix.org/t/whonix-vulerable-due-to-missing-processor-microcode-packages/5739
</ref>.

=== Microcode Package Check ===

In the following checks, the package is not installed if there is no output.

To check whether the microcode package is installed.

==== Debian based ====
On the host. Run.

{{CodeSelect|code=
dpkg -l {{!}} grep microcode
}}

==== Qubes ====
In dom0. Run.

{{CodeSelect|code=
dnf list {{!}} grep microcode
}}

The Qubes check should confirm the <code>microcode_ctl.x86_64</code> package is already installed. <ref>
This package is installed by default in Qubes to automatically protect users against hardware threats.
</ref>

=== Install Microcode Package ===

To install the microcode packages. <ref>
Strictly speaking, installing the microcode package for your actual CPU (Intel or AMD) would suffice. {{project_name_long}} installs both packages by default. The other package will not have any effect, is however useful to have installed if migrating to another CPU vendor.
</ref>

Choose either Intel or AMD.

{{Tab
|type=controller
|content=
{{Tab
|title= = Intel =
|image=
|addToClass=info-box
|active=true
|content=
{{Install_Package_Host|package=
intel-microcode
}}
}} <!-- close tab: Intel -->
{{Tab
|title= = AMD =
|image=
|addToClass=info-box
|content=
{{Install_Package_Host|package=
amd64-microcode
}}
}} <!-- close tab: AMD -->
}} <!-- close Controller: Everything -->

= spectre-meltdown-checker =
It is possible to check if the system is vulnerable to the [https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/ Spectre] and [https://meltdownattack.com/ Meltdown] attacks, which use flaws in modern chip design to bypass system protections.

== Host versus VMs ==
Is spectre-meltdown-checker useful in VMs? Unreliable. <ref>
https://github.com/QubesOS/qubes-issues/issues/4262#issuecomment-579388171

<blockquote>
most automated tests we run are in virtualized environment (Qubes inside KVM) - results there will be even more unreliable.
</blockquote>

spectre-meltdown-checker bug report: [https://github.com/speed47/spectre-meltdown-checker/issues/343 False positives inside Xen (PVH) domU]
</ref>

spectre-meltdown-checker should be run on the host operating system.

== Installation ==
{{Install_Package_Host
|package_name=Spectre Meltdown Checker
|package=spectre-meltdown-checker
}}

== Usage ==
{{CodeSelect|code=
sudo spectre-meltdown-checker --paranoid ; echo $?
}}

== Forum Discussion ==
See: https://forums.whonix.org/t/whonix-vulerable-due-to-missing-processor-microcode-packages/5739

= Leak Tests =

[https://leaky.page leaky.page] -

Google's PoC is a Spectre V1 gadget that is a JS array speculatively accessed out of bounds. While the V1 gadget can be mitigated at the software level, Chrome's V8 team determined that other gadgets such as for Spectre Variant 4 to be "simply infeasible in software" for mitigating. The code caters to Intel Skylake CPUs  and can potentially work on other architectures and browsers with minor modifications to the JavaScript. Google was successful in running this attack on Apple M1 ARM CPUs without any major changes.
<ref>
https://www.phoronix.com/scan.php?page=news_item&px=Google-Leaky.Page-Spectre
</ref>

= References =
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]