Kicksecure ™

Download

On Computer USB Installation Debian morph to Kicksecure Windows (VM) Linux (VM) Mac (VM) VirtualBox (VM) KVM (VM) Qubes (VM) More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Spectre/Meltdown security vulnerability caused by flaws in processors and how to patch them

systemcheck might have referred you to this page.

Note:

• systemcheck is a diagnostic tool which automates showing the diagnostic output of other diagnostic tools.
• Kicksecure is not the cause of the issue. Don't kill the messenger.
• Spectre/Meltdown is a security vulnerability caused by flaws in the hardware, specifically in CPUs (processors).
• This page explains the state of affairs on how to protect from this security vulnerability.

Introduction[edit]

A CPU is not just a dumb piece of hardware that can do basic calculations at high speed. Modern CPU from Intel / AMD have many "software alike" features built-in. To name a few of a plethora of examples:Open Source BIOS and Firmware Security Impact

Security issues have been discovered in CPUs.

One recent example of a firmware vulnerability is the processor microcode update for modern chips to address speculative execution flaws. ^[1]

Platform Specific[edit]

Host Operating System

If Kicksecure is run as a host operating system, then no further user action is required. This is because microcode packages are already installed by default and security-misc sets hardened kernel settings enabling all available mitigations.

VirtualBox

There is no solution for VirtualBox yet. The bug has been reported to the VirtualBox developers. See this and this ticket. ^[2] The Kicksecure developers depend on the VirtualBox developers for fixing this VirtualBox issue. Nevertheless:

• Apply Processor Microcode Updates on your host operating system. (Not required if using Kicksecure as host operating system, because already done by default.)
• Consider the following experimental instructions.

Testers only! For more information please press on expand on the right.

These experimental Spectre/Meltdown defenses are related to issues outlined in Firmware Security and Updates. Due to the huge performance penalty and unclear security benefits of applying these changes, it may not be worth the effort. The reason is VirtualBox is still likely vulnerable, even after:

1. A host microcode upgrade.
2. A host kernel upgrade.
3. A VM kernel upgrade.
4. A "not vulnerable" result from spectre-meltdown-checker run on the host.
5. Installation of the latest VirtualBox version. ^[3]
6. All Spectre/Meltdown-related VirtualBox settings are tuned for better security as documented below.

To learn more, see: VirtualBox 5.2.18 vulnerable to spectre/meltdown despite microcode being installed and the associated VirtualBox forum discussion. ^[4] Users must patiently wait for VirtualBox developers to fix this bug.

On the host. ^{[5] [6] [7] [8] [9] [10] [11]}

VBoxManage modifyvm "Kicksecure" --ibpb-on-vm-entry on VBoxManage modifyvm "Kicksecure" --ibpb-on-vm-exit on VBoxManage modifyvm "Kicksecure" --l1d-flush-on-vm-entry on VBoxManage modifyvm "Kicksecure" --l1d-flush-on-sched on VBoxManage modifyvm "Kicksecure" --spec-ctrl on VBoxManage modifyvm "Kicksecure" --nestedpaging off VBoxManage modifyvm "Kicksecure" --mds-clear-on-vm-entry on VBoxManage modifyvm "Kicksecure" --mds-clear-on-sched on

These steps must be repeated for every VirtualBox VM, including multiple and custom VMs.

The above instructions only apply to the default VM names Kicksecure and Kicksecure. Therefore, if Multiple Kicksecures and/or Multiple Kicksecures are configured, then repeat these instructions using the relevant name/s.

• Check back later for updated instructions. Stay Tuned.

KVM

1. Processor Microcode Updates.

Apply Processor Microcode Updates on your host operating system. (Not required if using Kicksecure as host operating system, because already done by default.)

The updated mitigative host CPU instructions are passed through by default.

2. Done.

No further action is needed.

Qubes

If Qubes is run as a host operating system, then no further user action is required. This is because microcode packages are already installed by default by Qubes. This is unspecific to Kicksecure. Therefore, for additional information, check with upstream Qubes directly as per Self Support First Policy.

Documentation previously stated, see footnote. ^[12]

Processor Microcode Updates[edit]

Processor microcode is unfortunately non-freedom software, therefore only available in the Debian nonfree repository. ^{[13] [14]} Kicksecure recommends to avoid non-freedom software but in this case idealism would result in insecurity.

It is unnecessary to apply these updates in standard guest VMs, as they do not have the ability to alter the microcode. However, processor microcode updates should always be applied on the host operating system (for processors by Intel or AMD) ^{[15] [16]}.

Microcode Package Check[edit]

In the following checks, the package is not installed if there is no output.

To check whether the microcode package is installed.

Debian based[edit]

On the host. Run.

dpkg -l | grep microcode

Qubes[edit]

In dom0. Run.

dnf list | grep microcode

The Qubes check should confirm the microcode_ctl.x86_64 package is already installed. ^[17]

Install Microcode Package[edit]

To install the microcode packages. ^[18]

Choose either Intel or AMD.

spectre-meltdown-checker[edit]

It is possible to check if the system is vulnerable to the Spectre and Meltdown attacks, which use flaws in modern chip design to bypass system protections.

Host versus VMs[edit]

Is spectre-meltdown-checker useful in VMs? Unreliable. ^[19]

spectre-meltdown-checker should be run on the host operating system.

Installation[edit]

Usage[edit]

sudo spectre-meltdown-checker --paranoid ; echo $?

Forum Discussion[edit]

See: https://forums.whonix.org/t/whonix-vulerable-due-to-missing-processor-microcode-packages/5739

Leak Tests[edit]

leaky.page -

Google's PoC is a Spectre V1 gadget that is a JS array speculatively accessed out of bounds. While the V1 gadget can be mitigated at the software level, Chrome's V8 team determined that other gadgets such as for Spectre Variant 4 to be "simply infeasible in software" for mitigating. The code caters to Intel Skylake CPUs and can potentially work on other architectures and browsers with minor modifications to the JavaScript. Google was successful in running this attack on Apple M1 ARM CPUs without any major changes. ^[20]

References[edit]

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Kicksecure is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2024 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!