QSB-091: Windows PV drivers potentially compromised
We have published Qubes Security Bulletin 091: Windows PV drivers potentially compromised. The text of this QSB and its accompanying cryptographic signatures are reproduced below. For an explanation of this announcement and instructions for authenticating this QSB, please see the end of this announcement.
Qubes Security Bulletin 091
---===[ Qubes Security Bulletin 091 ]===---
Windows PV drivers potentially compromised
User action required
At the time of writing, no fix is available, so no user action is
required. However, users may wish to consider discontinuing the use of
Qubes Windows Tools (QWT) in security-sensitive Windows qubes until a
fix is available. Users with especially high security requirements may
wish to consider recreating existing Windows qubes without QWT or
replacing existing Windows qubes with qubes running a different
On 2023-07-24, the Xen Project published "Xen Security Notice 1:
winpvdrvbuild.xenproject.org potentially compromised" , which states:
| Software running on the Xen Project hosted subdomain
| winpvdrvbuild.xenproject.org is outdated and vulnerable to several
| CVEs. Some of the reported issues include remote code execution. The
| affected host was running the Jenkins build system for the Windows PV
| Drivers subproject.
| Since the list of CVEs reported include remote code execution we no
| longer have confidence that binaries previously available at:
| are trustworthy. This includes binaries signed with Xen Project's EV
| key that is cross-signed by Microsoft.
Qubes Windows Tools includes the Xen Project's Windows PV Drivers.
If the Xen Project's Windows PV Drivers were compromised at build time,
all Windows qubes that have Qubes Windows Tools (QWT) installed may also
be compromised. If the drivers were not compromised at build time, then
there is no known vulnerability.
Dom0 is not affected, even though the `qubes-windows-tools` package is
installed in dom0, since neither the dom0 package build process nor dom0
itself interprets these driver files. Rather, the purpose of this
package is merely to make the driver files available to the Windows
qubes in which QWT are installed.
We decided to use the Xen Project's official Windows PV Driver binaries
in Qubes Windows Tools (QWT) (rather than building our own binaries from
source) because the Xen Project's official binaries are signed by a
special key that Windows accepts by default, which avoids the need to
enable test-signing mode in Windows when installing the drivers. (We
have no such key.) We used this approach for all versions of QWT
released for Qubes 4.0 (driver version 8.2.1, May 2017), Qubes 4.1
(driver version 8.2.2, April 2019), and Qubes 4.2 (same as Qubes 4.1).
While we have no way to know whether driver versions 8.2.1 or 8.2.2 have
actually been compromised, it is worth noting that if the binaries were
not compromised at build time, they could not have been tampered with
after that time, since they were stored on another system and signed
with a timestamped signature proving they were not modified afterward.
At the time of writing, the Xen Project has not published replacement
binaries signed by a Microsoft-approved key. The process for doing this
has changed since the last version of Windows PV Drivers was released,
and we have no information as to whether or when new signed binaries
will be available. 
In order to avoid similar problems in the future, we are working on a
more permanent solution regarding the need for signed PV drivers in QWT.
In the meantime, we will replace the `qubes-windows-tools` package with
a dummy package containing only warning text.
See the original Xen Security Notice.
The Qubes Security Team
Marek Marczykowski-Górecki’s PGP signature
A new security bulletin has been published for Qubes OS.