Qubes OS 40 Published by

A RFDS security update is available for Qubes OS to address an issue with certain Atom cores from Intel:

QSB-101: Register File Data Sampling (XSA-452)

QSB-101: Register File Data Sampling (XSA-452)

We have published Qubes Security Bulletin 101: Register File Data Sampling (XSA-452). The text of this QSB and its accompanying cryptographic signatures are reproduced below. For an explanation of this announcement and instructions for authenticating this QSB, please see the end of this announcement.

Qubes Security Bulletin 101

---===[ Qubes Security Bulletin 101 ]===---


Register File Data Sampling (XSA-452)

User action

Continue to update normally [1] in order to receive the security updates
described in the "Patching" section below. No other user action is
required in response to this QSB.


On 2024-03-12, the Xen Project published XSA-452, "x86: Register File
Data Sampling" [3]:
| Intel have disclosed RFDS, Register File Data Sampling, affecting some
| Atom cores.
| This came from internal validation work. There is no information
| provided about how an attacker might go about inferring data from the
| register files.

For more details, see [4].


An attacker might be able to infer the contents of data held previously
in floating point, vector, and/or integer register files on the same
core, including data from a more privileged context.

Affected systems

At present, RFDS is known to affect only certain Atom cores from Intel.
Other Intel CPUs and CPUs from other hardware vendors are not known to
be affected.

RFDS affects Atom cores between the Goldmont and Gracemont
microarchitectures. This includes Alder Lake and Raptor Lake hybrid
client systems that have a mix of Gracemont and other types of cores.


The following packages contain security updates that address the
vulnerabilities described in this bulletin:

For Qubes 4.1, in dom0:
- Xen packages version 4.14.6-7
- microcode_ctl 2.1-57.qubes1

For Qubes 4.2, in dom0:
- Xen packages version 4.17.3-4
- microcode_ctl 2.1-57.qubes1

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [2] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [1]

Dom0 must be restarted afterward in order for the updates to take

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.


See the original Xen Security Advisory.


[1] https://www.qubes-os.org/doc/how-to-update/
[2] https://www.qubes-os.org/doc/testing/
[3] https://xenbits.xen.org/xsa/advisory-452.html
[4] https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html

The Qubes Security Team

Source: https://github.com/QubesOS/qubes-secpack/blob/main/QSBs/qsb-101-2024.txt

Marek Marczykowski-Górecki’s PGP signature