Processor Microcode Updates

From Whonix

One recent example of a firmware vulnerability is the processor microcode update for modern chips to address speculative execution flaws. The Debian package is non-free software, therefore only available in the Debian nonfree repository, meaning it is not installed by default in all Whonix variants. [1] [2] Whonix recommends avoiding nonfree software, but in this case idealism would result in insecurity.

It is unnecessary to apply these updates in standard Non-Qubes-Whonix ™ and Qubes-Whonix ™ guest VMs, as they do not have the ability to alter the microcode. However, processor microcode updates should always be applied on the host operating system (for processors by Intel or AMD) [3] and baremetal configurations like Physical Isolation. [4]

Microcode Package Check

To check whether the microcode package is installed, run the command below for your platform. If there is no output, the package is not installed.

Debian based

On the host. Run.

dpkg -l | grep microcode

Qubes

In dom0. Run.

dnf list | grep microcode

The Qubes check should confirm the microcode_ctl.x86_64 package is already installed. [5]

Install Microcode Package

Intel

For Debian hosts

Package intel-microcode can be installed from Debian backports. This is non-ideal, see footnote. [6]

Note: the following instructions apply only to the Debian buster host operating system using Whonix 15.0.0.4.9. Other host operating systems and other Whonix versions may use a codename different to buster.

1. Open a terminal on the host.

2. Add the current Debian stable backports codename buster-backports to Debian apt sources. [7]

sudo su -c "echo -e 'deb http://http.debian.net/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"

3. Update the package lists.

sudo apt-get update

4. Install the selected software.

sudo apt-get -t buster-backports install intel-microcode

The procedure is now complete.

5. Undo.

On occasion it is necessary to undo this configuration, for example when upgrading from Debian buster to bullseye. [8] To proceed, run.

sudo rm /etc/apt/sources.list.d/backports.list

AMD

For Debian hosts

Package amd64-microcode can be installed from Debian backports. This is non-ideal, see footnote. [6]

Note: the following instructions apply only to the Debian buster host operating system using Whonix 15.0.0.4.9. Other host operating systems and other Whonix versions may use a codename different to buster.

1. Open a terminal on the host.

2. Add the current Debian stable backports codename buster-backports to Debian apt sources. [9]

sudo su -c "echo -e 'deb http://http.debian.net/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"

3. Update the package lists.

sudo apt-get update

4. Install the selected software.

sudo apt-get -t buster-backports install amd64-microcode

The procedure is now complete.

5. Undo.

On occasion it is necessary to undo this configuration, for example when upgrading from Debian buster to bullseye. [10] To proceed, run.

sudo rm /etc/apt/sources.list.d/backports.list
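The Intel and AMD procedures above differ only in the package name, and both hardcode the buster codename that the note warns may not match other releases. The following added example (not Whonix's own code) derives the codename from /etc/os-release, picks intel-microcode or amd64-microcode from the CPU vendor in /proc/cpuinfo, and returns "none" inside a VM, where the guest cannot alter the microcode. File paths are passed as arguments so the functions run against constructed samples as well as the real files.

```shell
#!/bin/sh
# Added example, not part of the Whonix page: select the microcode package
# and backports suite for a Debian host instead of hardcoding them.

# Print the Debian microcode package for the CPU described in $1 (a
# /proc/cpuinfo-style file). Prints "none" when the hypervisor flag is set,
# because a guest VM cannot update the microcode (host must do it).
microcode_package() {
    cpuinfo="$1"
    if grep '^flags' "$cpuinfo" | grep -qw hypervisor; then
        echo none
        return 0
    fi
    vendor=$(sed -n 's/^vendor_id[[:space:]]*:[[:space:]]*//p' "$cpuinfo" | head -n 1)
    case "$vendor" in
        GenuineIntel) echo intel-microcode ;;
        AuthenticAMD) echo amd64-microcode ;;
        *) echo unknown; return 1 ;;
    esac
}

# Derive "<codename>-backports" from an /etc/os-release-style file in $1,
# so the apt line follows the installed release (buster, bullseye, ...).
backports_suite() {
    codename=$(sed -n 's/^VERSION_CODENAME=//p' "$1" | tr -d '"')
    [ -n "$codename" ] || return 1
    echo "${codename}-backports"
}

# Build the apt source line the page writes to backports.list for suite $1.
backports_line() {
    echo "deb https://deb.debian.org/debian $1 main contrib non-free"
}

# Constructed sample inputs (not captured from a real machine).
tmp=$(mktemp -d)
printf 'vendor_id\t: GenuineIntel\nflags\t\t: fpu vme pae\n' > "$tmp/intel"
printf 'vendor_id\t: AuthenticAMD\nflags\t\t: fpu hypervisor sse\n' > "$tmp/amd_vm"
printf 'PRETTY_NAME="Debian GNU/Linux 10 (buster)"\nVERSION_CODENAME=buster\n' > "$tmp/os"

echo "bare-metal Intel host: $(microcode_package "$tmp/intel")"   # intel-microcode
echo "AMD guest VM:          $(microcode_package "$tmp/amd_vm")"  # none
suite=$(backports_suite "$tmp/os")
echo "apt line:              $(backports_line "$suite")"
rm -rf "$tmp"
# On a real host, the install step then becomes:
#   sudo apt-get -t "$(backports_suite /etc/os-release)" install "$(microcode_package /proc/cpuinfo)"
```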

spectre-meltdown-checker

It is possible to check if the system is vulnerable to the Spectre and Meltdown attacks, which use flaws in modern chip design to bypass system protections.

Installation

Package spectre-meltdown-checker can be installed from Debian backports. This is non-ideal, see footnote. [11]

1. Boot Whonix-Workstation ™ (whonix-ws-15) TemplateVM.

2. Add the current Debian stable backports codename buster-backports to Debian apt sources.

Note: this applies to Whonix 15.0.0.4.9. Later Whonix versions may use a codename different to buster.

In Whonix-Workstation ™ (whonix-ws-15) TemplateVM, run.

sudo su -c "echo -e 'deb https://deb.debian.org/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"

Alternatively, users who like Onionizing Repositories can set the .onion mirror.

sudo su -c "echo -e 'deb tor+http://vwakviie2ienjx6t.onion/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"

3. Update the package lists.

sudo apt-get update

4. Install the selected software.

sudo apt-get -t buster-backports install spectre-meltdown-checker

The procedure is now complete.

5. Undo.

On occasion it is necessary to undo this configuration, for example when upgrading from Debian buster to bullseye. [12] To proceed, run.

sudo rm /etc/apt/sources.list.d/backports.list

Usage

sudo spectre-meltdown-checker --paranoid ; echo $?

Forum Discussion

See: https://forums.whonix.org/t/whonix-vulerable-due-to-missing-processor-microcode-packages/5739

  1. Relevant Debian packages for processor microcode: Intel and amd64.
  2. Installing these updates by default would require the Debian nonfree repository, and logically also make Whonix images nonfree.
  3. ARM is less affected than Intel architecture.
  4. See: https://forums.whonix.org/t/whonix-vulerable-due-to-missing-processor-microcode-packages/5739
  5. This package is installed by default in Qubes to automatically protect users against hardware threats.
  6. Users should Prefer Packages from Debian Stable Repository, but using backports is better than manual software installation or using third party package managers since this prefers APT. To contain the risk, Non-Qubes-Whonix ™ users might want to consider using Multiple Whonix-Workstation ™ and Qubes-Whonix ™ users might want to consider using Multiple Qubes-Whonix ™ TemplateVMs or Software Installation in a TemplateBasedVM.
  7. Or alternatively use the .onion mirror.
    sudo su -c "echo -e 'deb tor+http://vwakviie2ienjx6t.onion/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"
  8. Most often this step applies before attempting major Whonix upgrades; upgrade instructions are also made available at that time (see Stay Tuned).
  9. Or alternatively use the .onion mirror.
    sudo su -c "echo -e 'deb tor+http://vwakviie2ienjx6t.onion/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"
  10. Most often this step applies before attempting major Whonix upgrades; upgrade instructions are also made available at that time (see Stay Tuned).
  11. Users should Prefer Packages from Debian Stable Repository, but using backports is better than manual software installation or using third party package managers since this prefers APT. To contain the risk, Non-Qubes-Whonix ™ users might want to consider using Multiple Whonix-Workstation ™ and Qubes-Whonix ™ users might want to consider using Multiple Qubes-Whonix ™ TemplateVMs or Software Installation in a TemplateBasedVM.
  12. Most often this step applies before attempting major Whonix upgrades; upgrade instructions are also made available at that time (see Stay Tuned).