One recent example of a firmware vulnerability is the processor microcode update for modern chips to address [https://security-tracker.debian.org/tracker/CVE-2018-3620 speculative] [https://security-tracker.debian.org/tracker/CVE-2018-3646 execution flaws]. The [https://www.debian.org/security/2018/dsa-4279 Debian package] is non-free software, therefore only available in the Debian nonfree repository. Relevant Debian packages for processor microcode: [https://packages.debian.org/{{Stable_project_version_based_on_Debian_codename}}/intel-microcode Intel] and [https://packages.debian.org/{{Stable_project_version_based_on_Debian_codename}}/amd64-microcode amd64]. Installing these updates by default would require the Debian nonfree repository, and logically also make {{project_name_short}} images nonfree. {{project_name_short}} recommends to [[avoid nonfree software]] but in this case idealism would result in insecurity. It is unnecessary to apply these updates in standard guest VMs, as they do not have the ability to alter the microcode. However, processor microcode updates should always be applied on the host operating system (for processors by Intel or AMD) ARM is less affected than Intel architecture. See: https://forums.whonix.org/t/whonix-vulerable-due-to-missing-processor-microcode-packages/5739. === Microcode Package Check === In the following checks, the package is not installed if there is no output. To check whether the microcode package is installed. ==== Debian based ==== On the host. Run. {{CodeSelect|code= dpkg -l {{!}} grep microcode }} ==== Qubes ==== In dom0. Run. {{CodeSelect|code= dnf list {{!}} grep microcode }} The Qubes check should confirm the microcode_ctl.x86_64 package is already installed. This package is installed by default in Qubes to automatically protect users against hardware threats. === Install Microcode Package === ==== Intel ==== {{Install_Package_Host|package= intel-microcode }} ==== AMD ==== {{Install_Package_Host|package= amd64-microcode }} === spectre-meltdown-checker === It is possible to check if the system is vulnerable to the [https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/ Spectre] and [https://meltdownattack.com/ Meltdown] attacks, which use flaws in modern chip design to bypass system protections. ==== Installation ==== {{Install_Package_Host |package_name=Spectre Meltdown Checker |package=spectre-meltdown-checker }} ==== Usage ==== {{CodeSelect|code= sudo spectre-meltdown-checker --paranoid ; echo $? }} === Forum Discussion === See: https://forums.whonix.org/t/whonix-vulerable-due-to-missing-processor-microcode-packages/5739