Actions

Firmware Security and Updates


Introduction[edit]


Due to the difficulty of this topic and the specificity of hardware and host OS firmware, this issue is generally outside the scope of Whonix documentation. The links provided further below may not be the most relevant to the end user, necessitating further individual research.

Firmware on Personal Computers[edit]

Firmware is generally defined as the type of software that provides control, monitoring and data manipulation of engineered products. [1] In the case of computers, firmware is held in non-volatile memory devices such as ROM, EPROM or flash memory and is associated with: [2] [3] [4] [5]

Firmware Updating and Security Problems[edit]

Introduction[edit]

The major problem with updating firmware is that it cannot be done automatically in most cases. Therefore, it is difficult to fix functionality or security issues after the hardware has shipped. While utility programs are often available to update BIOS, firmware in other devices is rarely updated and mechanisms for detecting and updating firmware is not standardized. [2]

If firmware can be upgraded, this is usually possible via a program created by the provider. Old firmware should always be saved before upgrading. If the process fails or the newer version performs worse, the process can be reverted. [6] Updating firmware may or may not improve security. On the one hand it may fix vulnerabilities, but on the other hand an update may introduce a new backdoor.

Unfortunately most end users must blindly trust the hardware producer, so it probably better to install non-free updates rather than risk being vulnerable to known attacks in the wild. [7] Until these re-writable firmware areas are locked down or the code is open-sourced and vastly simplified, it is likely to remain a rich environment for malicious adversaries. [8] [9]

The reality is that advanced adversaries are routinely hacking the firmware of Internet routers, switches and firewalls, along with harddrive firmware, and UEFI/EFI and ethernet adapters. The number of targets is already in the tens of thousands on an annual basis. Subverting firmware in this manner provides a stealthy and persistent presence that can eavesdrop on or re-route all network data, or access information in invisible storage areas that are unecrypted (bypassing disk encryption). Worst of all, firmware sabotage is believed to survive software updates or complete OS re-installations. Attacks may also be designed to corrupt firmware so machines are prevented from booting, even with an external drive. [10]

Processor Microcode Updates[edit]

One recent example of a firmware vulnerability is the processor microcode update for modern chips to address speculative execution flaws. The Debian package is non-free software, therefore only available in the Debian nonfree repository, meaning it is not installed by default in all Whonix variants. [11] [12] Whonix recommends to avoid nonfree software but in this case idealism would result in insecurity.

It is unnecessary to apply these updates in standard Non-Qubes-Whonix and Qubes-Whonix guest VMs, as they do not have the ability to alter the microcode. However, processor microcode updates should always be applied on the host operating system (for processors by Intel or AMD) [13] and baremetal configurations like Physical Isolation. [14]

Microcode Package Check[edit]

In the following checks, the package is not installed if there is no output.

To check whether the microcode package is installed.

Debian based[edit]

On the host. Run.

dpkg -l | grep microcode

Qubes[edit]

In dom0. Run.

dnf list | grep microcode

The Qubes check should confirm the microcode_ctl.x86_64 package is already installed. [15]

Install Microcode Package[edit]

Intel[edit]

For Debian hosts

Package intel-microcode can be installed from Debian backports. This is non-ideal, see footnote. [16]

Note: the following instructions apply only to the Debian stretch host operating system using Whonix 14.0.0.7.4. Other host operating systems and other Whonix versions may use a codename different to stretch.

1. Open a terminal on the host.

2. Add the current Debian stable backports codename stretch-backports to Debian apt sources. [17]

sudo su -c "echo -e 'deb http://http.debian.net/debian stretch-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"

3. Update the package lists.

sudo apt-get update

4. Install the selected software.

sudo apt-get -t stretch-backports install intel-microcode

The procedure is now complete.

5. Undo.

On occasion it is necessary to undo this configuration, for example when upgrading from Debian stretch to buster. [18] To proceed, run.

sudo rm /etc/apt/sources.list.d/backports.list

AMD[edit]

For Debian hosts

Package amd64-microcode can be installed from Debian backports. This is non-ideal, see footnote. [16]

Note: the following instructions apply only to the Debian stretch host operating system using Whonix 14.0.0.7.4. Other host operating systems and other Whonix versions may use a codename different to stretch.

1. Open a terminal on the host.

2. Add the current Debian stable backports codename stretch-backports to Debian apt sources. [19]

sudo su -c "echo -e 'deb http://http.debian.net/debian stretch-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"

3. Update the package lists.

sudo apt-get update

4. Install the selected software.

sudo apt-get -t stretch-backports install amd64-microcode

The procedure is now complete.

5. Undo.

On occasion it is necessary to undo this configuration, for example when upgrading from Debian stretch to buster. [20] To proceed, run.

sudo rm /etc/apt/sources.list.d/backports.list

spectre-meltdown-checker[edit]

It is possible to check if the system is vulnerable to the Spectre and Meltdown attacks, which use flaws in modern chip design to bypass system protections.

Installation[edit]

Package spectre-meltdown-checker can be installed from Debian backports. This is non-ideal, see footnote. [16]

1. Boot Whonix-Workstation (whonix-ws-14) TemplateVM.

2. Add the current Debian stable backports codename stretch-backports to Debian apt sources.

Note: this applies to Whonix 14.0.0.7.4. Later Whonix versions may use a codename different to stretch.

In Whonix-Workstation (whonix-ws-14) TemplateVM, run.

sudo su -c "echo -e 'deb http://http.debian.net/debian stretch-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"

Alternatively, users who like Onionizing Repositories can set the .onion mirror.

sudo su -c "echo -e 'deb tor+http://vwakviie2ienjx6t.onion/debian stretch-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"

3. Update the package lists.

sudo apt-get update

4. Install the select software.

sudo apt-get -t stretch-backports install spectre-meltdown-checker

The procedure is now complete.

5. Undo.

On occasion it is necessary to undo this configuration, for example when upgrading from Debian stretch to buster. [21] To proceed, run.

sudo rm /etc/apt/sources.list.d/backports.list

Usage[edit]

sudo spectre-meltdown-checker --paranoid ; echo $?

Forum Discussion[edit]

See: https://forums.whonix.org/t/whonix-vulerable-due-to-missing-processor-microcode-packages/5739

References[edit]

  1. https://en.wikipedia.org/wiki/Firmware
  2. 2.0 2.1 https://en.wikipedia.org/wiki/Firmware#Personal_computers
  3. https://en.wikipedia.org/wiki/Firmware#Examples
  4. http://www.darkreading.com/partner-perspectives/intel/raising-the-stakes-when-software-attacks-hardware/a/d-id/1319423
  5. https://www.fsf.org/campaigns/priority-projects/hardware-firmware-drivers
  6. https://en.wikipedia.org/wiki/Firmware#Flashing
  7. Also see this debian-security mailing list thread: How secure is an installation with no non-free packages?
  8. http://www.darkreading.com/partner-perspectives/intel/raising-the-stakes-when-software-attacks-hardware/a/d-id/1319423
  9. Mark Shuttleworth, founder of the Ubuntu Linux distribution, has described proprietary firmware as a security risk, stating "firmware on your device is the NSA's best friend" and calling firmware "a trojan horse of monumental proportions".
  10. http://www.darkreading.com/partner-perspectives/intel/raising-the-stakes-when-software-attacks-hardware/a/d-id/1319423
  11. Relevant Debian packages for processor microcode: Intel and amd64.
  12. Installing these updates by default would require the Debian nonfree repository, and logically also make Whonix images nonfree.
  13. ARM is less affected than Intel architecture.
  14. See: https://forums.whonix.org/t/whonix-vulerable-due-to-missing-processor-microcode-packages/5739
  15. This package is installed by default in Qubes to automatically protect users against hardware threats.
  16. 16.0 16.1 16.2 Users should Prefer Packages from Debian Stable Repository, but using backports is better than manual software installation or using third party package managers since this prefers APT. To contain the risk, Non-Qubes-Whonix users might want to consider using Multiple Whonix-Workstations and Qubes-Whonix users might want to consider using Multiple Qubes-Whonix TemplateVMs or Software Installation in a TemplateBasedVM.
  17. Or alternatively use the .onion mirror.
    sudo su -c "echo -e 'deb tor+http://vwakviie2ienjx6t.onion/debian stretch-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"
  18. Most often this step applies before attempting major Whonix upgrades; upgrade instructions are also made available at that time (see Stay Tuned).
  19. Or alternatively use the .onion mirror.
    sudo su -c "echo -e 'deb tor+http://vwakviie2ienjx6t.onion/debian stretch-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"
  20. Most often this step applies before attempting major Whonix upgrades; upgrade instructions are also made available at that time (see Stay Tuned).
  21. Most often this step applies before attempting major Whonix upgrades; upgrade instructions are also made available at that time (see Stay Tuned).

License[edit]

Whonix Firmware Security and Updates wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Firmware Security and Updates wiki page Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.


Random News:

Did you know that Whonix could provide protection against backdoors? See Verifiable Builds. Help is wanted and welcomed.


https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)