Qubes OS 45 Published by

For Qubes OS, a new security bulletin regarding dom0 kernel version 6.6.x has been released.

             ---===[ Qubes Security Bulletin 098 ]===---


    CPU microcode updates not loaded with dom0 kernel version 6.6.x

User action

Continue to update normally [1] in order to receive the security updates
described in the "Patching" section below. No other user action is
required in response to this QSB.


Linux kernel version 6.6.0 removed the CONFIG_MICROCODE_INTEL and
CONFIG_MICROCODE_AMD options for loading Intel and AMD CPU microcode
updates, respectively, leaving only the generic CONFIG_MICROCODE option.
Dracut is the tool responsible for generating dom0's initramfs. It
determines whether the Linux kernel supports microcode loading by
checking for the presence of CONFIG_MICROCODE_INTEL or
CONFIG_MICROCODE_AMD in the kernel's config. If present, dracut includes
the appropriate microcode updates in the initramfs. In kernel versions
6.6.0 and later, where the CONFIG_MICROCODE_INTEL and
CONFIG_MICROCODE_AMD options have been removed, dracut concludes that
microcode loading is not supported and does not include microcode
updates in the initramfs. With the security updates described in the
"Patching" section below, dracut checks for the presence of
CONFIG_MICROCODE, which is also the case in an upcoming upstream dracut
version that has not yet been released.


On affected systems, CPU microcode updates are not loaded. CPU microcode
updates are sometimes necessary in order to address important security
vulnerabilities. If CPU microcode updates are not properly loaded, these
security vulnerabilities may remain exploitable.

Affected systems

All and only systems that satisfy both of the following conditions are

1. The system is running Linux kernel version 6.6.0 or later in dom0.
2. The system's microcode updates must be loaded by the operating system
   (as opposed to the firmware).


The following packages contain security updates that address the
vulnerabilities described in this bulletin:

  For Qubes 4.1, in dom0:
  - dracut-050-62.git20200529

  For Qubes 4.2, in dom0:
  - dracut-059-4

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [2] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [1]

Dom0 must be restarted afterward in order for the updates to take

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
initramfs binaries.


Discovered by Marek Marczykowski-Górecki while debugging an issue
reported by Thierry Laurion [3].


[1] https://www.qubes-os.org/doc/how-to-update/
[2] https://www.qubes-os.org/doc/testing/
[3] https://github.com/QubesOS/qubes-issues/issues/8763

The Qubes Security Team