Qubes OS

From 15h.org
Revision as of 10:32, 24 February 2025 by Dodoid (talk | contribs) (Dodoid moved page QubesOS to Qubes OS: fix spacing to match name/article)
Jump to navigation Jump to search

Qubes OS is a reasonably secure operating system.[1]

There is some overlap with user-base when you have a security focused operating system and a opensource bios. This page aims to detail some specific issues one might face when using Qubes on the 15h platform.

Speculative execution mitigations

There are two Speculative execution vulnerabilities of intrest that is Inception and Retbleed the mitigations implemented in xen to patch these two vulnerabilities makes it impossible to run Qubes with a PCIe device attached to a qube[2]

Inception

Inception aka CVE-2023-20569 is a Speculative Return Stack Overflow vulnerability[3] Following xens XSA-434 advisory qubes published QSB 093[4] detailing the package versions containing the patches.

read more

https://xenbits.xen.org/xsa/advisory-434.html https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7005.html https://comsec.ethz.ch/research/microarch/inception/ https://comsec.ethz.ch/wp-content/files/inception_sec23.pdf https://github.com/comsec-group/inception https://raw.githubusercontent.com/QubesOS/qubes-secpack/refs/heads/main/QSBs/qsb-093-2023.txt

Retbleed

Retbleed aka CVE-2022-23816 is a Branch Type Confusion vulnerability[5] Following xens XSA-407 advisory qubes published QSB 083[6] detailing the package versions containing the patches.

read more

https://xenbits.xen.org/xsa/advisory-407.html https://www.amd.com/en/resources/product-security/bulletin/amd-sb-1037.html https://comsec.ethz.ch/research/microarch/retbleed/ https://comsec.ethz.ch/wp-content/files/retbleed_sec22.pdf https://github.com/comsec-group/retbleed https://raw.githubusercontent.com/QubesOS/qubes-secpack/refs/heads/master/QSBs/qsb-083-2022.txt

Workarounds

Fortunately there is workarounds that make the system usable without losing to much security and a limited performance impact. By setting the kernel paramter spec-ctrl[7] to spec-ctrl=ibpb-entry=no-pv as detailed under qubes issue 9150 will disable the mitigations for all pv qubes then all you would have to do is change the settings for any pcie dependent qube (ie sys-net and sys-usb) to be pv instead of hvm

performance impact

According to news media reporting mitigations hurt cpu performance by 14~39%[8].

Measurements conducted by 15h.org member Arha utilizing qubes 4.2.3 in combination with the Heads bios and 2x AMD Opteron 6282 SE's running on the Asus KGPE-D16 produced a performance impact of ~27% noting qubes os was still very usable.

  1. https://www.qubes-os.org/
  2. https://github.com/QubesOS/qubes-issues/issues/9150
  3. https://xenbits.xen.org/xsa/advisory-434.html
  4. https://raw.githubusercontent.com/QubesOS/qubes-secpack/refs/heads/main/QSBs/qsb-093-2023.txt
  5. https://xenbits.xen.org/xsa/advisory-407.html
  6. https://raw.githubusercontent.com/QubesOS/qubes-secpack/refs/heads/master/QSBs/qsb-083-2022.txt
  7. https://xenbits.xen.org/docs/unstable/misc/xen-command-line.html#spec-ctrl-x86
  8. https://www.phoronix.com/review/retbleed-benchmark
Retrieved from "https://15h.org/index.php?title=Qubes_OS&oldid=849"