Qubes OS
Qubes OS is a reasonably secure operating system.[1]
There is some overlap in user base between a security-focused operating system and an open-source BIOS. This page aims to detail some specific issues one might face when using Qubes on the 15h platform.
Speculative execution mitigations
There are two speculative execution vulnerabilities of interest: Inception and Retbleed. The mitigations implemented in Xen to patch these two vulnerabilities make it impossible to run Qubes with a PCIe device attached to a qube.[2]
Inception
Inception, aka CVE-2023-20569, is a Speculative Return Stack Overflow vulnerability.[3] Following Xen's XSA-434 advisory, Qubes published QSB 093[4] detailing the package versions containing the patches.
Read more
https://xenbits.xen.org/xsa/advisory-434.html
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7005.html
https://comsec.ethz.ch/research/microarch/inception/
https://comsec.ethz.ch/wp-content/files/inception_sec23.pdf
https://github.com/comsec-group/inception
https://raw.githubusercontent.com/QubesOS/qubes-secpack/refs/heads/main/QSBs/qsb-093-2023.txt
Retbleed
Retbleed, aka CVE-2022-23816, is a Branch Type Confusion vulnerability.[5] Following Xen's XSA-407 advisory, Qubes published QSB 083[6] detailing the package versions containing the patches.
Read more
https://xenbits.xen.org/xsa/advisory-407.html
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-1037.html
https://comsec.ethz.ch/research/microarch/retbleed/
https://comsec.ethz.ch/wp-content/files/retbleed_sec22.pdf
https://github.com/comsec-group/retbleed
https://raw.githubusercontent.com/QubesOS/qubes-secpack/refs/heads/master/QSBs/qsb-083-2022.txt
Workarounds
Fortunately there are workarounds that make the system usable without losing too much security and with a limited performance impact. Setting the Xen command-line parameter spec-ctrl[7] to spec-ctrl=ibpb-entry=no-pv, as detailed under Qubes issue 9150, disables the mitigations for all PV qubes. All you then have to do is change the settings of any PCIe-dependent qube (i.e. sys-net and sys-usb) to be PV instead of HVM.
Instructions
In dom0, run the following commands:
echo 'GRUB_CMDLINE_XEN_DEFAULT="$GRUB_CMDLINE_XEN_DEFAULT spec-ctrl=ibpb-entry=no-pv"' | sudo tee -a /etc/default/grub
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
qvm-prefs sys-net virt_mode pv
qvm-prefs sys-usb virt_mode pv
qvm-prefs sys-net memory 4000
qvm-prefs sys-usb memory 4000
reboot
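The helpers below are an added example, not part of the original page or of Qubes itself: they append the GRUB line idempotently and, after the reboot, confirm that Xen booted with spec-ctrl=ibpb-entry=no-pv and that sys-net and sys-usb are in PV mode. The function names are hypothetical; the example assumes `xl info` prints a `xen_commandline` field and that it is run in dom0.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not Qubes tooling.
OPT='ibpb-entry=no-pv'
GRUB_LINE='GRUB_CMDLINE_XEN_DEFAULT="$GRUB_CMDLINE_XEN_DEFAULT spec-ctrl=ibpb-entry=no-pv"'

# Return 0 if the Xen command line in $1 has a spec-ctrl= token whose
# comma-separated sub-option list contains ibpb-entry=no-pv.
has_workaround() {
    for tok in $1; do
        case $tok in
            spec-ctrl=*)
                case ",${tok#spec-ctrl=}," in
                    *",$OPT,"*) return 0 ;;
                esac ;;
        esac
    done
    return 1
}

# Append the GRUB line to file $1 only if it is not already present, so
# repeating the instructions does not stack duplicate options.
ensure_grub_line() {
    if grep -qxF -- "$GRUB_LINE" "$1"; then
        return 0
    fi
    printf '%s\n' "$GRUB_LINE" >> "$1"
}

# Post-reboot check in dom0: the running Xen command line and the
# virt_mode of the two PCIe-dependent qubes named on this page.
verify_live() {
    rc=0
    cmdline=$(sudo xl info | sed -n 's/^xen_commandline *: *//p')
    if has_workaround "$cmdline"; then
        echo "xen: spec-ctrl=$OPT is active"
    else
        echo "xen: spec-ctrl=$OPT missing from: $cmdline"
        rc=1
    fi
    for q in sys-net sys-usb; do
        mode=$(qvm-prefs "$q" virt_mode)
        if [ "$mode" != pv ]; then
            echo "$q: virt_mode=$mode (expected pv)"
            rc=1
        fi
    done
    return $rc
}
```

Source the file in dom0, run `ensure_grub_line /etc/default/grub` as root before regenerating grub.cfg, and call `verify_live` after the reboot.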
Security impact
If an attacker gets code execution in sys-net or sys-usb, it is theoretically possible to leak secrets from other VMs, so make sure you keep all PV qubes very secure!
Performance impact
According to news media reporting, the mitigations hurt CPU performance by 14~39%.[8]
Measurements conducted by 15h.org member Arha, using Qubes 4.2.3 in combination with the Heads BIOS and 2x AMD Opteron 6282 SE CPUs on the Asus KGPE-D16, showed a performance impact of ~27%, noting that Qubes OS was still very usable.
1. https://www.qubes-os.org/
2. https://github.com/QubesOS/qubes-issues/issues/9150
3. https://xenbits.xen.org/xsa/advisory-434.html
4. https://raw.githubusercontent.com/QubesOS/qubes-secpack/refs/heads/main/QSBs/qsb-093-2023.txt
5. https://xenbits.xen.org/xsa/advisory-407.html
6. https://raw.githubusercontent.com/QubesOS/qubes-secpack/refs/heads/master/QSBs/qsb-083-2022.txt
7. https://xenbits.xen.org/docs/unstable/misc/xen-command-line.html#spec-ctrl-x86
8. https://www.phoronix.com/review/retbleed-benchmark