Automated OS testing on physical laptops
https://www.qubes-os.org/news/2022/05/05/automated-os-testing-on-physical-laptops/
Our journey towards automating OS tests on physical laptops started a few years
ago with the idea of using Intel AMT to drive tests on physical machines. To
start, I got an initial
implementation (https://github.com/os-autoinst/os-autoinst/pull/983) working.
In particular, VNC for input/output and power control worked. I tried to get a
virtual CD working, but it turned out to be quite unstable. Worse — and more
importantly — it was really just a CD, not a CD/DVD, which meant that the
protocol couldn’t handle images larger than 2 GB. Some time later I abandoned
this approach, for two related reasons:
Many machines that we want Qubes OS to support intentionally do not have
Intel AMT.
The single AMT-enabled machine that I had been using to develop this feature
broke.
If anyone would like to resume this work, this
page (https://web.archive.org/web/20200926070850/senseless.info/amt.html)
includes a lot of useful info about Intel AMT on Linux.
Recently, I came back to the project with a new approach: to capture video from
HDMI output and use an emulated USB keyboard and mouse for input. Then, I added
power control to the mix, combined everything on a Raspberry Pi, and got a
working prototype (https://github.com/os-autoinst/os-autoinst/pull/1741) of an
openQA worker that runs the tests on a physical machine, instead of a virtual
one.
The whole setup includes several devices:
One “central” Raspberry Pi that controls a power strip and serves boot files.
One Raspberry Pi per laptop that runs an openQA worker for that laptop. It
emulates a USB device for that laptop and captures HDMI output from it.
All these elements are detailed below.
Base system
The goal was to run an openQA worker on a Raspberry Pi 4. Why a Raspberry Pi
(RPi)?
Their USB controllers can play the role of a device, not just that of USB
host.
They’re powerful enough to run the video processing required by openQA.
They’re (mostly) readily available and relatively cheap.
As a base system, I chose OpenSUSE, because that’s openQA’s native
distribution. Getting OpenSUSE to work on an RPi was rather
straightforward (https://en.opensuse.org/HCL:Raspberry_Pi4), but the choice did
lead to a few issues discussed later in this article.
Power control
Power control was the first stage of this project. I thought it looked like the
simplest part.
To reliably run unattended tests, I needed a way to interrupt a test when it
went into some unrecoverable state (kernel panic, hard hang, etc.). With AMT, I
had a built-in API for that, but now I needed something else. I chose a power
strip that was remotely controlled via USB. Then, I removed the batteries from
the laptops connected to the setup. This gave me a very reliable way to
interrupt whatever was running on the machines by simply powering them down.
But it turned out that powering them back on may not be that simple.
In the current setup, there are several laptops, each of them slightly
different, and each (sic!) requiring a slightly different approach to power
management. Here are some things I tried and that worked on some machines:
Setting the BIOS to automatically power on the machine when a power supply
was connected. This is the simplest method. Sadly, only one of the machines
supported it.
Sending a Wake-On-Lan packet. Here, reliability depends on the device. For
some, it just works, while others require enabling it in the network card
(with the ethtool -s eth0 wol g command), and some lose the setting either
on system startup or on disconnecting the power…
When all else fails, one can just press the physical power button. Of course
it would be too much work to do it manually, so I attached a servo motor in
the exact spot where the power button is. Then, I drove that servo motor
from an RPi.
https://www.qubes-os.org/news/2022/05/05/automated-os-testing-on-physical-laptops/
Our journey towards automating OS tests on physical laptops started a few years
ago with the idea of using Intel AMT to drive tests on physical machines. To
start, I got an initial
implementation (https://github.com/os-autoinst/os-autoinst/pull/983) working.
In particular, VNC for input/output and power control worked. I tried to get a
virtual CD working, but it turned out to be quite unstable. Worse — and more
importantly — it was really just a CD, not a CD/DVD, which meant that the
protocol couldn’t handle images larger than 2 GB. Some time later I abandoned
this approach, for two related reasons:
Many machines that we want Qubes OS to support intentionally do not have
Intel AMT.
The single AMT-enabled machine that I had been using to develop this feature
broke.
If anyone would like to resume this work, this
page (https://web.archive.org/web/20200926070850/senseless.info/amt.html)
includes a lot of useful info about Intel AMT on Linux.
Recently, I came back to the project with a new approach: to capture video from
HDMI output and use an emulated USB keyboard and mouse for input. Then, I added
power control to the mix, combined everything on a Raspberry Pi, and got a
working prototype (https://github.com/os-autoinst/os-autoinst/pull/1741) of an
openQA worker that runs the tests on a physical machine, instead of a virtual
one.
The whole setup includes several devices:
One “central” Raspberry Pi that controls a power strip and serves boot files.
One Raspberry Pi per laptop that runs an openQA worker for that laptop. It
emulates a USB device for that laptop and captures HDMI output from it.
All these elements are detailed below.
Base system
The goal was to run an openQA worker on a Raspberry Pi 4. Why a Raspberry Pi
(RPi)?
Their USB controllers can play the role of a device, not just that of USB
host.
They’re powerful enough to run the video processing required by openQA.
They’re (mostly) readily available and relatively cheap.
As a base system, I chose OpenSUSE, because that’s openQA’s native
distribution. Getting OpenSUSE to work on an RPi was rather
straightforward (https://en.opensuse.org/HCL:Raspberry_Pi4), but the choice did
lead to a few issues discussed later in this article.
Power control
Power control was the first stage of this project. I thought it looked like the
simplest part.
To reliably run unattended tests, I needed a way to interrupt a test when it
went into some unrecoverable state (kernel panic, hard hang, etc.). With AMT, I
had a built-in API for that, but now I needed something else. I chose a power
strip that was remotely controlled via USB. Then, I removed the batteries from
the laptops connected to the setup. This gave me a very reliable way to
interrupt whatever was running on the machines by simply powering them down.
But it turned out that powering them back on may not be that simple.
In the current setup, there are several laptops, each of them slightly
different, and each (sic!) requiring a slightly different approach to power
management. Here are some things I tried and that worked on some machines:
Setting the BIOS to automatically power on the machine when a power supply
was connected. This is the simplest method. Sadly, only one of the machines
supported it.
Sending a Wake-On-Lan packet. Here, reliability depends on the device. For
some, it just works, while others require enabling it in the network card
(with the ethtool -s eth0 wol g command), and some lose the setting either
on system startup or on disconnecting the power…
When all else fails, one can just press the physical power button. Of course
it would be too much work to do it manually, so I attached a servo motor in
the exact spot where the power button is. Then, I drove that servo motor
from an RPi.
👍1
System startup
After achieving control over system power, the next step was taking control of
which operating system starts there. I considered two options:
A USB boot drive, emulated from an RPi
Network boot
The first option turned out to be problematic when combined with emulated USB
input devices (see below), at least on some laptops. While a single USB device
can have multiple interfaces (basically being sub-devices), many types of
system firmware do not like to boot from such devices. When I exposed a USB
device that has both a storage interface and a HID interface (keyboard/mouse),
the system didn’t consider it a bootable device. One solution would be to use
two separate devices, but that would require yet another RPi (or something
similar), since most (all?) such boards support emulating only a single device.
Another way around it could be emulating a USB hub and getting two virtual
devices this way, but Linux does not support USB hub emulation. Since I had an
alternative, I didn’t explore this option any further. On systems that are fine
with a single multi-function USB device, I can use that. On others, I use
network boot.
The second option turned out not to be that straightforward either. First of
all, not all systems support booting from the network to begin with. To solve
this problem, I got a USB stick and put iPXE (https://ipxe.org/) on it. Then, I
configured the system to boot from that USB stick. I couldn’t use Grub here to
gain network boot, because Grub supports only network devices via the system
firmware (BIOS/EFI) support, and this support is missing on systems not capable
of network booting. iPXE, on the other hand, supports a wide range of network
devices on its own, and also allows simple noscripting, like booting different
systems depending on various settings. Unfortunately, it cannot boot Xen via
the multiboot2 protocol (required to boot with full EFI support), it can only
do multiboot1. So, I did need Grub. Luckily, iPXE does register its drivers as
appropriate EFI services, so when I load Grub from iPXE, it can talk to the
network.
I prepared a Grub configuration that can boot different systems on different
laptops depending on a separate configuration file (loaded via the load_env
Grub command) and a tool to conveniently switch between them. This got me a
nice menu:
$ testbed-control 2 help
Selected target: 2
Available commands:
- reset - hard reset the target
- poweron - power on the target
- poweroff - (hard) power off the target
- wake - wake up the system (either wake-on-lan, or button press)
- rescue - switch next boot to rescue system (doesn't load anything from the disk)
- fallback - switch next boot to fallback system (loads /boot/efi/EFI/qubes/grub-fallback.cfg)
- normal - switch next boot to normal system
- custom - switch next boot to custom grub config (/srv/tftp/test2/grub.cfg)
The first four commands are about power control (see above), and the rest are
about choosing what to boot. The normal command simply starts the system
installed on the local disk, while rescue allows booting an initramfs-only
system to diagnose why the normal system doesn’t work. The custom option
allows, in practice, starting an arbitrary kernel (not necessarily from the
disk). That option is especially useful for debugging Linux and Xen issues,
including doing automatic bisection, although it requires a bit more in terms
of glue noscripts (but that’s a topic for another article).
Surprisingly, I had one case where booting the local system turned out to be
tricky. When the bootloader is loaded from the network, that particular UEFI
does not register services to access the local disk. As it turns out, Grub does
not support NVMe drives directly; it supports them only via UEFI services. I
could have switched to another disk, or to booting via USB, but neither of
those options felt appealing. I wanted to run tests on NVMe drives too, and
After achieving control over system power, the next step was taking control of
which operating system starts there. I considered two options:
A USB boot drive, emulated from an RPi
Network boot
The first option turned out to be problematic when combined with emulated USB
input devices (see below), at least on some laptops. While a single USB device
can have multiple interfaces (basically being sub-devices), many types of
system firmware do not like to boot from such devices. When I exposed a USB
device that has both a storage interface and a HID interface (keyboard/mouse),
the system didn’t consider it a bootable device. One solution would be to use
two separate devices, but that would require yet another RPi (or something
similar), since most (all?) such boards support emulating only a single device.
Another way around it could be emulating a USB hub and getting two virtual
devices this way, but Linux does not support USB hub emulation. Since I had an
alternative, I didn’t explore this option any further. On systems that are fine
with a single multi-function USB device, I can use that. On others, I use
network boot.
The second option turned out not to be that straightforward either. First of
all, not all systems support booting from the network to begin with. To solve
this problem, I got a USB stick and put iPXE (https://ipxe.org/) on it. Then, I
configured the system to boot from that USB stick. I couldn’t use Grub here to
gain network boot, because Grub supports only network devices via the system
firmware (BIOS/EFI) support, and this support is missing on systems not capable
of network booting. iPXE, on the other hand, supports a wide range of network
devices on its own, and also allows simple noscripting, like booting different
systems depending on various settings. Unfortunately, it cannot boot Xen via
the multiboot2 protocol (required to boot with full EFI support), it can only
do multiboot1. So, I did need Grub. Luckily, iPXE does register its drivers as
appropriate EFI services, so when I load Grub from iPXE, it can talk to the
network.
I prepared a Grub configuration that can boot different systems on different
laptops depending on a separate configuration file (loaded via the load_env
Grub command) and a tool to conveniently switch between them. This got me a
nice menu:
$ testbed-control 2 help
Selected target: 2
Available commands:
- reset - hard reset the target
- poweron - power on the target
- poweroff - (hard) power off the target
- wake - wake up the system (either wake-on-lan, or button press)
- rescue - switch next boot to rescue system (doesn't load anything from the disk)
- fallback - switch next boot to fallback system (loads /boot/efi/EFI/qubes/grub-fallback.cfg)
- normal - switch next boot to normal system
- custom - switch next boot to custom grub config (/srv/tftp/test2/grub.cfg)
The first four commands are about power control (see above), and the rest are
about choosing what to boot. The normal command simply starts the system
installed on the local disk, while rescue allows booting an initramfs-only
system to diagnose why the normal system doesn’t work. The custom option
allows, in practice, starting an arbitrary kernel (not necessarily from the
disk). That option is especially useful for debugging Linux and Xen issues,
including doing automatic bisection, although it requires a bit more in terms
of glue noscripts (but that’s a topic for another article).
Surprisingly, I had one case where booting the local system turned out to be
tricky. When the bootloader is loaded from the network, that particular UEFI
does not register services to access the local disk. As it turns out, Grub does
not support NVMe drives directly; it supports them only via UEFI services. I
could have switched to another disk, or to booting via USB, but neither of
those options felt appealing. I wanted to run tests on NVMe drives too, and
while USB booting works, it is a bit fragile, because one needs to be careful
not to overwrite that boot drive (especially when testing system
installations). So, I developed a workaround: setting a BootNext EFI variable
(selecting the alternative boot option for just the next startup) and
rebooting. Unfortunately, Grub itself does not have a function to set EFI
variables (it can only read them), but building Linux + minimal initrd with
relevant tools is rather easy. By the way, if I were starting Linux anyway, I
could simply kexec the target kernel from the NVMe disk using Linux’s drivers,
but I wanted the actual startup to remain closer to the “normal” startup,
including respecting the relevant Grub configuration.
There was one final problem to solve. When installing Qubes OS, it will set
itself as the default boot target. This means that all of the above boot
options will be overridden by the installer. To solve this issue, I passed a
kickstart file to the installer that restores the original boot order at the
very last step (%post noscript).
To summarize, I now had:
A way to load Grub2 on each test system (either via PXE or via iPXE loaded
from a USB stick)
A way to conveniently control which OS Grub2 will start
A way to load a local kernel even if Grub2 does not see the disk
not to overwrite that boot drive (especially when testing system
installations). So, I developed a workaround: setting a BootNext EFI variable
(selecting the alternative boot option for just the next startup) and
rebooting. Unfortunately, Grub itself does not have a function to set EFI
variables (it can only read them), but building Linux + minimal initrd with
relevant tools is rather easy. By the way, if I were starting Linux anyway, I
could simply kexec the target kernel from the NVMe disk using Linux’s drivers,
but I wanted the actual startup to remain closer to the “normal” startup,
including respecting the relevant Grub configuration.
There was one final problem to solve. When installing Qubes OS, it will set
itself as the default boot target. This means that all of the above boot
options will be overridden by the installer. To solve this issue, I passed a
kickstart file to the installer that restores the original boot order at the
very last step (%post noscript).
To summarize, I now had:
A way to load Grub2 on each test system (either via PXE or via iPXE loaded
from a USB stick)
A way to conveniently control which OS Grub2 will start
A way to load a local kernel even if Grub2 does not see the disk
Video capture
I started experimenting with HDMI-over-IP extenders. Some turned out to use a
rather standard video
format (https://blog.danman.eu/new-version-of-lenkeng-hdmi-over-ip-extender-lkv373a/)
for streaming. It worked fine… with one little inconvenience: handling the
network stream put a significant load on the Raspberry Pi that handled it. I
could use a different system for video processing than the RPi responsible for
USB emulation, but that would make the whole setup even more complex. Anyway,
that’s just a minor inconvenience that requires some more cooling on the RPi,
not a deal breaker.
About the time I got all of this working, I came across
PiKVM (https://pikvm.org/), which looked almost exactly like what I needed. It
uses a TC358743 chip connected directly to an RPi (via camera interface)
instead of a separate HDMI-to-IP encoder. Setting it up presented some
challenges, but the PiKVM project (or, I should say, Maxim Davaev, the guy
behind the project) had all of this figured out already.
The first issue I encountered was getting a TC358743 device initialized and
detected at all. There were several parts to this:
The default kernel from OpenSUSE does not include all the necessary drivers
(in particular, bcm2835-unicam). They’re currently available only in a
kernel from the Raspberry Pi
Foundation (https://www.raspberrypi.com/documentation/accessories/camera.html#v4l2).
I chose to compile it myself with a config based on the one from the PiKVM
project. There could be something I’m missing here, but this approach got me
a working setup, and I didn’t want to spend too much time on debugging video
drivers.
Several modifications to config.txt were required:
dtoverlay=tc358743 — let the kernel know where the device is
start_x=1 — load GPU firmware with video input processing included
gpu_mem=128 — required by start_x=1
The latter two must be in config.txt specifically, not a file
included (https://www.raspberrypi.com/documentation/computers/config_txt.html#include)
from there, which is a bit problematic on OpenSUSE, because config.txt is
forcefully overridden on each update and only the included extraconfig.txt
is meant for user modification. I worked around the issue by mounting the
bootloader partition under an alternative mountpoint to disarm the
config.txt override. This issue is in OpenSUSE’s bug
tracker (https://bugzilla.opensuse.org/show_bug.cgi?id=1192047). I have yet
to test the upstream fix for the issue.
After fixing the above, I had a /dev/video0 device. Then, it was just a
matter of configuring
it (https://forums.raspberrypi.com/viewtopic.php?f=38&t=281972). Specifically:
Loading an appropriate EDID: v4l2-ctl --set-edid=.... The EDID describes
the capabilities of this “monitor”. There is a catch if you want to use Full
HD resolution: the interface bandwidth is a bit too low for 1920x1080 with a
60Hz refresh rate, but it is enough for 50Hz (yes, unfortunately). This had
to be described in the EDID. The author of the tutorial linked above
provided some examples (https://github.com/6by9/CSI2_device_config).
Setting digital video timings: v4l2-ctl --set-dv-bt-timings query. This
can be done only when the system connected to the HDMI port starts and
chooses a resolution, and it needs to be repeated each time the resolution
changes.
I’ve integrated (https://github.com/os-autoinst/os-autoinst/pull/1741) both of
the above into the openQA driver.
For the openQA integration, using 1920x1080 resolution was not perfect. OpenQA
operates on images at 1024x768. If it receives anything else, it scales it. The
result of a 1920x1080 screen capture downscaled to 1024x768 was not nice, to
put it mildly. It not only made some text unreadable, but the difference in
aspect ratios heavily distorted the image. For example, this made it impossible
to reuse reference images made in other tests. I am considering enhancing
I started experimenting with HDMI-over-IP extenders. Some turned out to use a
rather standard video
format (https://blog.danman.eu/new-version-of-lenkeng-hdmi-over-ip-extender-lkv373a/)
for streaming. It worked fine… with one little inconvenience: handling the
network stream put a significant load on the Raspberry Pi that handled it. I
could use a different system for video processing than the RPi responsible for
USB emulation, but that would make the whole setup even more complex. Anyway,
that’s just a minor inconvenience that requires some more cooling on the RPi,
not a deal breaker.
About the time I got all of this working, I came across
PiKVM (https://pikvm.org/), which looked almost exactly like what I needed. It
uses a TC358743 chip connected directly to an RPi (via camera interface)
instead of a separate HDMI-to-IP encoder. Setting it up presented some
challenges, but the PiKVM project (or, I should say, Maxim Davaev, the guy
behind the project) had all of this figured out already.
The first issue I encountered was getting a TC358743 device initialized and
detected at all. There were several parts to this:
The default kernel from OpenSUSE does not include all the necessary drivers
(in particular, bcm2835-unicam). They’re currently available only in a
kernel from the Raspberry Pi
Foundation (https://www.raspberrypi.com/documentation/accessories/camera.html#v4l2).
I chose to compile it myself with a config based on the one from the PiKVM
project. There could be something I’m missing here, but this approach got me
a working setup, and I didn’t want to spend too much time on debugging video
drivers.
Several modifications to config.txt were required:
dtoverlay=tc358743 — let the kernel know where the device is
start_x=1 — load GPU firmware with video input processing included
gpu_mem=128 — required by start_x=1
The latter two must be in config.txt specifically, not a file
included (https://www.raspberrypi.com/documentation/computers/config_txt.html#include)
from there, which is a bit problematic on OpenSUSE, because config.txt is
forcefully overridden on each update and only the included extraconfig.txt
is meant for user modification. I worked around the issue by mounting the
bootloader partition under an alternative mountpoint to disarm the
config.txt override. This issue is in OpenSUSE’s bug
tracker (https://bugzilla.opensuse.org/show_bug.cgi?id=1192047). I have yet
to test the upstream fix for the issue.
After fixing the above, I had a /dev/video0 device. Then, it was just a
matter of configuring
it (https://forums.raspberrypi.com/viewtopic.php?f=38&t=281972). Specifically:
Loading an appropriate EDID: v4l2-ctl --set-edid=.... The EDID describes
the capabilities of this “monitor”. There is a catch if you want to use Full
HD resolution: the interface bandwidth is a bit too low for 1920x1080 with a
60Hz refresh rate, but it is enough for 50Hz (yes, unfortunately). This had
to be described in the EDID. The author of the tutorial linked above
provided some examples (https://github.com/6by9/CSI2_device_config).
Setting digital video timings: v4l2-ctl --set-dv-bt-timings query. This
can be done only when the system connected to the HDMI port starts and
chooses a resolution, and it needs to be repeated each time the resolution
changes.
I’ve integrated (https://github.com/os-autoinst/os-autoinst/pull/1741) both of
the above into the openQA driver.
For the openQA integration, using 1920x1080 resolution was not perfect. OpenQA
operates on images at 1024x768. If it receives anything else, it scales it. The
result of a 1920x1080 screen capture downscaled to 1024x768 was not nice, to
put it mildly. It not only made some text unreadable, but the difference in
aspect ratios heavily distorted the image. For example, this made it impossible
to reuse reference images made in other tests. I am considering enhancing
openQA to support other resolutions too, but for now I have set the resolution
on the tested system to 1024x768 (and used an EDID that lists that resolution).
on the tested system to 1024x768 (and used an EDID that lists that resolution).
On the test system, something needs to actually enable HDMI output. For this
purpose, I passed a kickstart file to the Qubes OS installer that includes
commands to execute before installation (the %pre section). While at it, I
could use the same kickstart file for other test-related customizations, like
restoring the default boot order at the end or enabling SSH access for
collecting logs.
HID input
Recording video output is not everything. To run tests, one also needs to send
commands to the system under test (SUT). This can be done in several ways,
including via serial console and SSH connection. In order to have the most
realistic setup, I chose to emulate USB input devices. With this, we could
interact with the system in the same way a user would. To emulate USB input
device(s), I used the Linux USB Gadget subsystem. To emulate HID devices, I had
to prepare a HID denoscriptor — a denoscription for the driver, listing what kind
of device it is and what events it can send.
I wanted the device(s) to meet the following requirements:
Have two interfaces (which in practice is two separate HID devices): keyboard
and pointer (mouse/tablet)
Be properly categorized by udev (so the input
proxy (https://github.com/QubesOS/qubes-app-linux-input-proxy) picks it up
properly)
Be properly categorized by Xorg
Support both absolute pointer position events (like “move mouse to a specific
point” instead of “move mouse a bit to the right”) and normal mouse buttons
I searched for a denoscriptor meeting the above requirements. The one for
keyboards is rather standard, but the one for mouse/tablet devices is not. So,
I took the Device Class Definition for HID 1.11 together with HID Usage Tables
1.22 (https://www.usb.org/hid) and crafted one myself. This was a bit of a
challenge, because both udev and Xorg have a set of heuristics to categorize
devices, and they differ in subtle ways.
Then, I wrote a
noscript (https://gist.github.com/marmarek/5c44ffeb2f36e106b4d34e7e8780c208)
that sets this all up and controls the device(s) according to what openQA
requests.
The last detail is about connecting an RPi to the target system. The RPi4 has a
single USB-C port used both for powering the RPi itself as well as for USB
device emulation. Generally, this would be fine, with the exception that the
target system is going to be disconnected from power from time to time. If the
RPi were powered this way, it would lose power too, and there would be nothing
capable of turning it back on. This is yet another case where the PiKVM project
provided an inspiration (https://github.com/pikvm/pikvm#setting-up-the-v2): a
Y-split cable that connects the VBUS pin to only one end and the data pins to
the other.
Serial console
Several openQA functions require some kind of console access. This includes
retrieving command outputs (and exit codes), waiting for various events, etc.
Unfortunately, a real serial console is very rare in modern laptops. I could
restructure the tests not to use those functions, but that would be rather
disappointing in terms of test result quality. As a solution, I added a small
qrexec service in dom0 that reads a pipe that pretends to be a serial console,
then I used qvm-connect-tcp in sys-net to redirect the TCP port to that
service. This isn’t as reliable as a real serial console (especially for things
like restarting sys-net), but it does work in the majority of cases. In the
future, I will restructure the tests not to rely on this functionality in order
to account for the few rare cases where it doesn’t work.
Bonus: remote-controlled test laptops for developers
Remote power and boot control is useful not only for automatic tests, but also
for ordinary developers. There are several cases where it is useful:
Additional machines to develop and test features on different versions of
Qubes
Access to specific hardware
I’ve prepared the whole setup to be usable not only with openQA, but also to
purpose, I passed a kickstart file to the Qubes OS installer that includes
commands to execute before installation (the %pre section). While at it, I
could use the same kickstart file for other test-related customizations, like
restoring the default boot order at the end or enabling SSH access for
collecting logs.
HID input
Recording video output is not everything. To run tests, one also needs to send
commands to the system under test (SUT). This can be done in several ways,
including via serial console and SSH connection. In order to have the most
realistic setup, I chose to emulate USB input devices. With this, we could
interact with the system in the same way a user would. To emulate USB input
device(s), I used the Linux USB Gadget subsystem. To emulate HID devices, I had
to prepare a HID denoscriptor — a denoscription for the driver, listing what kind
of device it is and what events it can send.
I wanted the device(s) to meet the following requirements:
Have two interfaces (which in practice is two separate HID devices): keyboard
and pointer (mouse/tablet)
Be properly categorized by udev (so the input
proxy (https://github.com/QubesOS/qubes-app-linux-input-proxy) picks it up
properly)
Be properly categorized by Xorg
Support both absolute pointer position events (like “move mouse to a specific
point” instead of “move mouse a bit to the right”) and normal mouse buttons
I searched for a denoscriptor meeting the above requirements. The one for
keyboards is rather standard, but the one for mouse/tablet devices is not. So,
I took the Device Class Definition for HID 1.11 together with HID Usage Tables
1.22 (https://www.usb.org/hid) and crafted one myself. This was a bit of a
challenge, because both udev and Xorg have a set of heuristics to categorize
devices, and they differ in subtle ways.
Then, I wrote a
noscript (https://gist.github.com/marmarek/5c44ffeb2f36e106b4d34e7e8780c208)
that sets this all up and controls the device(s) according to what openQA
requests.
The last detail is about connecting an RPi to the target system. The RPi4 has a
single USB-C port used both for powering the RPi itself as well as for USB
device emulation. Generally, this would be fine, with the exception that the
target system is going to be disconnected from power from time to time. If the
RPi were powered this way, it would lose power too, and there would be nothing
capable of turning it back on. This is yet another case where the PiKVM project
provided an inspiration (https://github.com/pikvm/pikvm#setting-up-the-v2): a
Y-split cable that connects the VBUS pin to only one end and the data pins to
the other.
Serial console
Several openQA functions require some kind of console access. This includes
retrieving command outputs (and exit codes), waiting for various events, etc.
Unfortunately, a real serial console is very rare in modern laptops. I could
restructure the tests not to use those functions, but that would be rather
disappointing in terms of test result quality. As a solution, I added a small
qrexec service in dom0 that reads a pipe that pretends to be a serial console,
then I used qvm-connect-tcp in sys-net to redirect the TCP port to that
service. This isn’t as reliable as a real serial console (especially for things
like restarting sys-net), but it does work in the majority of cases. In the
future, I will restructure the tests not to rely on this functionality in order
to account for the few rare cases where it doesn’t work.
Bonus: remote-controlled test laptops for developers
Remote power and boot control is useful not only for automatic tests, but also
for ordinary developers. There are several cases where it is useful:
Additional machines to develop and test features on different versions of
Qubes
Access to specific hardware
I’ve prepared the whole setup to be usable not only with openQA, but also to
👍2🤮1
allow for the delegation of specific test machines to individual trusted
developers. More importantly, this allows not only for manually testing
software on those machines, but also for automating several tasks, such as the
Git bisection mentioned earlier.
Final thoughts
Testing a whole operating system is a challenging task, because there are a lot
of moving parts. OpenQA is a great tool for that, but its main target is
running tests in a virtualized environment. This works fine for several
components (like Qubes Manager and GUI virtualization) but not for
hardware-related features (sys-net, sys-usb, system suspend, and several
others). Before this work, we ran tests on actual laptops manually, but that
was time-consuming and thus not all updates or configurations were tested.
Automation allows our testing to be much more comprehensive, including ensuring
ongoing compatibility with Qubes OS certified hardware.
developers. More importantly, this allows not only for manually testing
software on those machines, but also for automating several tasks, such as the
Git bisection mentioned earlier.
Final thoughts
Testing a whole operating system is a challenging task, because there are a lot
of moving parts. OpenQA is a great tool for that, but its main target is
running tests in a virtualized environment. This works fine for several
components (like Qubes Manager and GUI virtualization) but not for
hardware-related features (sys-net, sys-usb, system suspend, and several
others). Before this work, we ran tests on actual laptops manually, but that
was time-consuming and thus not all updates or configurations were tested.
Automation allows our testing to be much more comprehensive, including ensuring
ongoing compatibility with Qubes OS certified hardware.
👍3👏3🤮1
Fedora 34 approaching EOL; Fedora 35 templates available
https://www.qubes-os.org/news/2022/05/26/fedora-34-approaching-eol-fedora-35-templates-available/
Fedora 34 is scheduled to reach EOL (end-of-life (https://fedoraproject.org/wiki/End_of_life)) on 2022-06-07, and
new Fedora 35 templates are now available for both Qubes 4.0 and 4.1.
We strongly recommend that all Qubes users upgrade (https://www.qubes-os.org/doc/templates/fedora/#upgrading) their Fedora 34
templates and standalones to Fedora 35 before Fedora 34 reaches EOL.
We provide fresh Fedora 35 template packages through the official Qubes
repositories, which you can install in dom0 by following the standard
installation instructions (https://www.qubes-os.org/doc/templates/fedora/#installing). Alternatively, we also provide step-by-step
instructions for performing an in-place upgrade (https://www.qubes-os.org/doc/templates/fedora/) of an existing Fedora
template. After upgrading your templates, please remember to switch all
qubes that were using the old template to use the new one (https://www.qubes-os.org/doc/templates/#switching).
For a complete list of template releases that are supported for your
specific Qubes release, see our supported template releases (https://www.qubes-os.org/doc/supported-releases/#templates).
Please note that no user action is required regarding the OS version in
dom0. For details, please see our note on dom0 and EOL (https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol).
https://www.qubes-os.org/news/2022/05/26/fedora-34-approaching-eol-fedora-35-templates-available/
Fedora 34 is scheduled to reach EOL (end-of-life (https://fedoraproject.org/wiki/End_of_life)) on 2022-06-07, and
new Fedora 35 templates are now available for both Qubes 4.0 and 4.1.
We strongly recommend that all Qubes users upgrade (https://www.qubes-os.org/doc/templates/fedora/#upgrading) their Fedora 34
templates and standalones to Fedora 35 before Fedora 34 reaches EOL.
We provide fresh Fedora 35 template packages through the official Qubes
repositories, which you can install in dom0 by following the standard
installation instructions (https://www.qubes-os.org/doc/templates/fedora/#installing). Alternatively, we also provide step-by-step
instructions for performing an in-place upgrade (https://www.qubes-os.org/doc/templates/fedora/) of an existing Fedora
template. After upgrading your templates, please remember to switch all
qubes that were using the old template to use the new one (https://www.qubes-os.org/doc/templates/#switching).
For a complete list of template releases that are supported for your
specific Qubes release, see our supported template releases (https://www.qubes-os.org/doc/supported-releases/#templates).
Please note that no user action is required regarding the OS version in
dom0. For details, please see our note on dom0 and EOL (https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol).
🎉3
Fedora 34 has reached EOL
https://www.qubes-os.org/news/2022/06/07/fedora-34-eol/
As a reminder following our previous announcement (https://www.qubes-os.org/news/2022/05/26/fedora-34-approaching-eol-fedora-35-templates-available/), Fedora 34 has now
reached EOL (end-of-life (https://fedoraproject.org/wiki/End_of_life)). If you have not already done so, we
strongly recommend upgrading (https://www.qubes-os.org/doc/templates/fedora/#upgrading) all remaining Fedora 34 templates and
standalones to Fedora 35 immediately.
We provide fresh Fedora 35 template packages through the official Qubes
repositories, which you can install in dom0 by following the standard
installation instructions (https://www.qubes-os.org/doc/templates/fedora/#installing). Alternatively, we also provide step-by-step
instructions for performing an in-place upgrade (https://www.qubes-os.org/doc/templates/fedora/in-place-upgrade/) of an existing Fedora
template. After upgrading your templates, please remember to switch all
qubes that were using the old template to use the new one (https://www.qubes-os.org/doc/templates/#switching).
For a complete list of template releases that are supported for your
specific Qubes release, see our supported template releases (https://www.qubes-os.org/doc/supported-releases/#templates).
Please note that no user action is required regarding the OS version in
dom0. For details, please see our note on dom0 and EOL (https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol).
https://www.qubes-os.org/news/2022/06/07/fedora-34-eol/
As a reminder following our previous announcement (https://www.qubes-os.org/news/2022/05/26/fedora-34-approaching-eol-fedora-35-templates-available/), Fedora 34 has now
reached EOL (end-of-life (https://fedoraproject.org/wiki/End_of_life)). If you have not already done so, we
strongly recommend upgrading (https://www.qubes-os.org/doc/templates/fedora/#upgrading) all remaining Fedora 34 templates and
standalones to Fedora 35 immediately.
We provide fresh Fedora 35 template packages through the official Qubes
repositories, which you can install in dom0 by following the standard
installation instructions (https://www.qubes-os.org/doc/templates/fedora/#installing). Alternatively, we also provide step-by-step
instructions for performing an in-place upgrade (https://www.qubes-os.org/doc/templates/fedora/in-place-upgrade/) of an existing Fedora
template. After upgrading your templates, please remember to switch all
qubes that were using the old template to use the new one (https://www.qubes-os.org/doc/templates/#switching).
For a complete list of template releases that are supported for your
specific Qubes release, see our supported template releases (https://www.qubes-os.org/doc/supported-releases/#templates).
Please note that no user action is required regarding the OS version in
dom0. For details, please see our note on dom0 and EOL (https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol).
XSAs released on 2022-06-09
https://www.qubes-os.org/news/2022/06/09/xsas-released-on-2022-06-09/
The Xen Project has released one or more Xen Security Advisories (XSAs).
The security of Qubes OS is affected.
Therefore, user action is required.
XSAs that affect the security of Qubes OS (user action required)
The following XSAs do affect the security of Qubes OS:
XSA-401
XSA-402
Please see QSB-080 for the actions users must take in order to
protect themselves, as well as further details about these XSAs:
https://www.qubes-os.org/news/2022/06/09/qsb-080/
XSAs that do not affect the security of Qubes OS (no user action required)
The following XSAs do not affect the security of Qubes OS, and no user action is necessary:
(none)
Related links
Xen XSA list: https://xenbits.xen.org/xsa/
Qubes XSA tracker: https://www.qubes-os.org/security/xsa/
Qubes security pack (qubes-secpack): https://www.qubes-os.org/security/pack/
Qubes security bulletins (QSBs): https://www.qubes-os.org/security/qsb/
https://www.qubes-os.org/news/2022/06/09/xsas-released-on-2022-06-09/
The Xen Project has released one or more Xen Security Advisories (XSAs).
The security of Qubes OS is affected.
Therefore, user action is required.
XSAs that affect the security of Qubes OS (user action required)
The following XSAs do affect the security of Qubes OS:
XSA-401
XSA-402
Please see QSB-080 for the actions users must take in order to
protect themselves, as well as further details about these XSAs:
https://www.qubes-os.org/news/2022/06/09/qsb-080/
XSAs that do not affect the security of Qubes OS (no user action required)
The following XSAs do not affect the security of Qubes OS, and no user action is necessary:
(none)
Related links
Xen XSA list: https://xenbits.xen.org/xsa/
Qubes XSA tracker: https://www.qubes-os.org/security/xsa/
Qubes security pack (qubes-secpack): https://www.qubes-os.org/security/pack/
Qubes security bulletins (QSBs): https://www.qubes-os.org/security/qsb/
QSB-080: Issues with PV domains and PCI passthrough (XSA-401, XSA-402)
https://www.qubes-os.org/news/2022/06/09/qsb-080/
We have just published Qubes Security Bulletin (QSB) 080:
Issues with PV domains and PCI passthrough (XSA-401, XSA-402).
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB-080 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-080-2022.txt
In addition, you may wish to:
Get the qubes-secpack: https://www.qubes-os.org/security/pack/
View all past QSBs: https://www.qubes-os.org/security/qsb/
View the XSA Tracker: https://www.qubes-os.org/security/xsa/
---===[ Qubes Security Bulletin 080 ]===---
2022-06-09
Issues with PV domains and PCI passthrough (XSA-401, XSA-402)
User action required
---------------------
Users must install the following specific packages in order to address
the issues discussed in this bulletin:
For Qubes 4.0, in dom0:
- Xen packages, version 4.8.5-40
For Qubes 4.1, in dom0:
- Xen packages, version 4.14.5-2
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]
Dom0 must be restarted afterward in order for the updates to take
effect.
If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.
Summary
--------
The following security advisories were published on 2022-06-09:
XSA-401 [3] "x86 pv: Race condition in typeref acquisition":
| Xen maintains a type reference count for pages, in addition to a
| regular reference count. This scheme is used to maintain invariants
| required for Xen's safety, e.g. PV guests may not have direct
| writeable access to pagetables; updates need auditing by Xen.
|
| Unfortunately, the logic for acquiring a type reference has a race
| condition, whereby a safely TLB flush is issued too early and creates
| a window where the guest can re-establish the read/write mapping
| before writeability is prohibited.
XSA-402 [4] "x86 pv: Insufficient care with non-coherent mappings":
| Xen maintains a type reference count for pages, in addition to a
| regular reference count. This scheme is used to maintain invariants
| required for Xen's safety, e.g. PV guests may not have direct
| writeable access to pagetables; updates need auditing by Xen.
|
| Unfortunately, Xen's safety logic doesn't account for CPU-induced
| cache non-coherency; cases where the CPU can cause the content of the
| cache to be different to the content in main memory. In such cases,
| Xen's safety logic can incorrectly conclude that the contents of a
| page is safe.
Impact
-------
These vulnerabilities, if exploited, could allow malicious PV domains
with assigned PCI devices to escalate their privileges to that of the
host. However, in the default Qubes OS configuration, these
vulnerabilities affect only the stubdomains for sys-net and sys-usb.
Therefore, in order to exploit these vulnerabilities in a default Qubes
installation, an adversary would first have to discover and exploit an
independent vulnerability in QEMU in order to gain control of an
appropriate stubdomain. Only after having done so would the adversary be
in a position to attempt to exploit the vulnerabilities discussed in
this bulletin.
XSA-402 affects only AMD systems and Intel systems before Ivy Bridge
(the third generation of the Intel Core processors). Newer Intel systems
are not affected.
Credits
--------
See the original Xen Security Advisory.
References
-----------
[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
https://www.qubes-os.org/news/2022/06/09/qsb-080/
We have just published Qubes Security Bulletin (QSB) 080:
Issues with PV domains and PCI passthrough (XSA-401, XSA-402).
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB-080 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-080-2022.txt
In addition, you may wish to:
Get the qubes-secpack: https://www.qubes-os.org/security/pack/
View all past QSBs: https://www.qubes-os.org/security/qsb/
View the XSA Tracker: https://www.qubes-os.org/security/xsa/
---===[ Qubes Security Bulletin 080 ]===---
2022-06-09
Issues with PV domains and PCI passthrough (XSA-401, XSA-402)
User action required
---------------------
Users must install the following specific packages in order to address
the issues discussed in this bulletin:
For Qubes 4.0, in dom0:
- Xen packages, version 4.8.5-40
For Qubes 4.1, in dom0:
- Xen packages, version 4.14.5-2
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]
Dom0 must be restarted afterward in order for the updates to take
effect.
If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.
Summary
--------
The following security advisories were published on 2022-06-09:
XSA-401 [3] "x86 pv: Race condition in typeref acquisition":
| Xen maintains a type reference count for pages, in addition to a
| regular reference count. This scheme is used to maintain invariants
| required for Xen's safety, e.g. PV guests may not have direct
| writeable access to pagetables; updates need auditing by Xen.
|
| Unfortunately, the logic for acquiring a type reference has a race
| condition, whereby a safely TLB flush is issued too early and creates
| a window where the guest can re-establish the read/write mapping
| before writeability is prohibited.
XSA-402 [4] "x86 pv: Insufficient care with non-coherent mappings":
| Xen maintains a type reference count for pages, in addition to a
| regular reference count. This scheme is used to maintain invariants
| required for Xen's safety, e.g. PV guests may not have direct
| writeable access to pagetables; updates need auditing by Xen.
|
| Unfortunately, Xen's safety logic doesn't account for CPU-induced
| cache non-coherency; cases where the CPU can cause the content of the
| cache to be different to the content in main memory. In such cases,
| Xen's safety logic can incorrectly conclude that the contents of a
| page is safe.
Impact
-------
These vulnerabilities, if exploited, could allow malicious PV domains
with assigned PCI devices to escalate their privileges to that of the
host. However, in the default Qubes OS configuration, these
vulnerabilities affect only the stubdomains for sys-net and sys-usb.
Therefore, in order to exploit these vulnerabilities in a default Qubes
installation, an adversary would first have to discover and exploit an
independent vulnerability in QEMU in order to gain control of an
appropriate stubdomain. Only after having done so would the adversary be
in a position to attempt to exploit the vulnerabilities discussed in
this bulletin.
XSA-402 affects only AMD systems and Intel systems before Ivy Bridge
(the third generation of the Intel Core processors). Newer Intel systems
are not affected.
Credits
--------
See the original Xen Security Advisory.
References
-----------
[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://xenbits.xen.org/xsa/advisory-401.html
[4] https://xenbits.xen.org/xsa/advisory-402.html
--
The Qubes Security Team
https://www.qubes-os.org/security/
[4] https://xenbits.xen.org/xsa/advisory-402.html
--
The Qubes Security Team
https://www.qubes-os.org/security/
Qubes Canary 031
https://www.qubes-os.org/news/2022/06/12/canary-031/
We have published Qubes Canary 031. The text of this canary is
reproduced below.
This canary and its accompanying signatures will always be available in
the Qubes security pack (qubes-secpack).
View Qubes Canary 031 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-031-2022.txt
Learn how to obtain and authenticate the qubes-secpack and all the
signatures it contains:
https://www.qubes-os.org/security/pack/
View all past canaries:
https://www.qubes-os.org/security/canary/
---===[ Qubes Canary 031 ]===---
Statements
-----------
The Qubes security team members who have digitally signed this file [1]
state the following:
1. The date of issue of this canary is June 11, 2022.
2. There have been 80 Qubes security bulletins published so far.
3. The Qubes Master Signing Key fingerprint is:
427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
4. No warrants have ever been served to us with regard to the Qubes OS
Project (e.g. to hand out the private signing keys or to introduce
backdoors).
5. We plan to publish the next of these canary statements in the first
fourteen days of September 2022. Special note should be taken if no new
canary is published by that time or if the list of statements changes
without plausible explanation.
Special announcements
----------------------
None.
Disclaimers and notes
----------------------
We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently compromised.
This means that we assume NO trust in any of the servers or services
which host or provide any Qubes-related data, in particular, software
updates, source code repositories, and Qubes ISO downloads.
This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other means,
like blackmail or compromising the signers' laptops, to coerce us to
produce false declarations.
The proof of freshness provided below serves to demonstrate that this
canary could not have been created prior to the date stated. It shows
that a series of canaries was not created in advance.
This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to anybody.
None of the signers should be ever held legally responsible for any of
the statements made here.
Proof of freshness
-------------------
Sat, 11 Jun 2022 16:02:15 +0000
Source: DER SPIEGEL - International (https://www.spiegel.de/international/index.rss)
The Artillery War in the Donbas: Ukraine Relying Heavily on Heavy Weapons from the West
Ongoing Dependence on Russian Energy: The Natural Gas Continues to Flow
Europe's Top Prosecutor Brings In More Money than She Spends
The Courageous Women of Kabul: Standing Up to the Taliban's Burqa Decree
Kremlin Threats: Europe Has To Learn To Defend Itself, But How?
Source: NYT > World News (https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
‘We Buried Him and Kept Walking’: Children Die as Somalis Flee Hunger
Rumbling Through Modern Jordan, a Railway From the Past
McDonald’s Is Reinvented in Russia as the Economy Stumbles On
Newly United, French Left Hopes to Counter President in Upcoming Vote
Recording India’s Linguistic Riches as Leaders Push Hindi as Nation’s Tongue
Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Russia hands out passports in occupied Ukraine cities
Putin and Peter the Great: Russian leader likens himself to 18th Century tsar
China warns Taiwan independence would trigger war
Qatar World Cup 2022: German ex-football star says host's treatment of gay people is unacceptable
China: Footage of women attacked in restaurant sparks outrage
Source: Blockchain.info
https://www.qubes-os.org/news/2022/06/12/canary-031/
We have published Qubes Canary 031. The text of this canary is
reproduced below.
This canary and its accompanying signatures will always be available in
the Qubes security pack (qubes-secpack).
View Qubes Canary 031 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-031-2022.txt
Learn how to obtain and authenticate the qubes-secpack and all the
signatures it contains:
https://www.qubes-os.org/security/pack/
View all past canaries:
https://www.qubes-os.org/security/canary/
---===[ Qubes Canary 031 ]===---
Statements
-----------
The Qubes security team members who have digitally signed this file [1]
state the following:
1. The date of issue of this canary is June 11, 2022.
2. There have been 80 Qubes security bulletins published so far.
3. The Qubes Master Signing Key fingerprint is:
427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
4. No warrants have ever been served to us with regard to the Qubes OS
Project (e.g. to hand out the private signing keys or to introduce
backdoors).
5. We plan to publish the next of these canary statements in the first
fourteen days of September 2022. Special note should be taken if no new
canary is published by that time or if the list of statements changes
without plausible explanation.
Special announcements
----------------------
None.
Disclaimers and notes
----------------------
We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently compromised.
This means that we assume NO trust in any of the servers or services
which host or provide any Qubes-related data, in particular, software
updates, source code repositories, and Qubes ISO downloads.
This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other means,
like blackmail or compromising the signers' laptops, to coerce us to
produce false declarations.
The proof of freshness provided below serves to demonstrate that this
canary could not have been created prior to the date stated. It shows
that a series of canaries was not created in advance.
This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to anybody.
None of the signers should be ever held legally responsible for any of
the statements made here.
Proof of freshness
-------------------
Sat, 11 Jun 2022 16:02:15 +0000
Source: DER SPIEGEL - International (https://www.spiegel.de/international/index.rss)
The Artillery War in the Donbas: Ukraine Relying Heavily on Heavy Weapons from the West
Ongoing Dependence on Russian Energy: The Natural Gas Continues to Flow
Europe's Top Prosecutor Brings In More Money than She Spends
The Courageous Women of Kabul: Standing Up to the Taliban's Burqa Decree
Kremlin Threats: Europe Has To Learn To Defend Itself, But How?
Source: NYT > World News (https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
‘We Buried Him and Kept Walking’: Children Die as Somalis Flee Hunger
Rumbling Through Modern Jordan, a Railway From the Past
McDonald’s Is Reinvented in Russia as the Economy Stumbles On
Newly United, French Left Hopes to Counter President in Upcoming Vote
Recording India’s Linguistic Riches as Leaders Push Hindi as Nation’s Tongue
Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Russia hands out passports in occupied Ukraine cities
Putin and Peter the Great: Russian leader likens himself to 18th Century tsar
China warns Taiwan independence would trigger war
Qatar World Cup 2022: German ex-football star says host's treatment of gay people is unacceptable
China: Footage of women attacked in restaurant sparks outrage
Source: Blockchain.info
000000000000000000032e9b82971c2ef2eb1362c65e01f1db5f60fa81fd5eef
Footnotes
----------
[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this canary
in the qubes-secpack.git repo, and (2) via digital signatures on the
corresponding qubes-secpack.git repo tags. [2]
[2] Don't just trust the contents of this file blindly! Verify the
digital signatures! Instructions for doing so are documented here:
https://www.qubes-os.org/security/pack/
--
The Qubes Security Team
https://www.qubes-os.org/security/
Footnotes
----------
[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this canary
in the qubes-secpack.git repo, and (2) via digital signatures on the
corresponding qubes-secpack.git repo tags. [2]
[2] Don't just trust the contents of this file blindly! Verify the
digital signatures! Instructions for doing so are documented here:
https://www.qubes-os.org/security/pack/
--
The Qubes Security Team
https://www.qubes-os.org/security/
👍1
QSB-081: x86: MMIO Stale Data vulnerabilities (XSA-404)
https://www.qubes-os.org/news/2022/06/17/qsb-081/
We have just published Qubes Security Bulletin (QSB) 081:
x86: MMIO Stale Data vulnerabilities (XSA-404).
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB-081 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-081-2022.txt
In addition, you may wish to:
Get the qubes-secpack: https://www.qubes-os.org/security/pack/
View all past QSBs: https://www.qubes-os.org/security/qsb/
View the XSA Tracker: https://www.qubes-os.org/security/xsa/
---===[ Qubes Security Bulletin 081 ]===---
2022-06-17
x86: MMIO Stale Data vulnerabilities (XSA-404)
User action required
---------------------
Users with appropriate hardware (see the "affected hardware" section
below) must install the following specific packages in order to address
the issues discussed in this bulletin:
For Qubes 4.0, in dom0:
- Xen packages, version 4.8.5-41
For Qubes 4.1, in dom0:
- Xen packages, version 4.14.5-3
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]
Dom0 must be restarted afterward in order for the updates to take
effect.
If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.
Summary
--------
On 2022-06-14, the Xen Project published XSA-404, "x86: MMIO Stale
Data vulnerabilities" [3]:
| This issue is related to the SRBDS, TAA and MDS vulnerabilities.
| Please see:
|
| https://xenbits.xen.org/xsa/advisory-320.html (SRBDS)
| https://xenbits.xen.org/xsa/advisory-305.html (TAA)
| https://xenbits.xen.org/xsa/advisory-297.html (MDS)
|
| Please see Intel's whitepaper:
|
| https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html
Impact
-------
An adversary who controls a VM with an assigned PCI device can infer
the memory content of other guests or Xen itself. This could allow the
adversary to read information that should be accessible only to Xen or
another VM and to use that information to launch further attacks. In
the default Qubes OS configuration, only sys-net and sys-usb can be
used to perform this attack.
Affected hardware
------------------
All Intel systems are affected. While mitigations are available, they
are available only for some Intel CPU models. Normally, it should be a
simple matter to look up a given CPU model number in a table to see
whether it is affected and whether it is eligible for any mitigations.
Indeed, Intel has published a table [4] that claims to serve this
purpose. Unfortunately, however, we have found several inaccuracies in
this table. Since we cannot rely on the table, we have had to devise an
alternative method using other published Intel technical documents that
appear to be more accurate. This has turned out to be quite complex.
Our best evidence indicates that mitigations are available for all and
only those CPUs that are both eligible for and updated with the Intel
microcode update released in May 2022. [5] Since going through all the
complicated technical steps of checking this manually would be
excessively cumbersome for most users, we have written a tool that does
it for you. Please note that this tool is entirely optional and is *not*
required for any security updates to take effect. Rather, its intended
purpose is to satisfy the curiosity of users who wish to know whether
their own CPUs are eligible for mitigations and who would struggle to
https://www.qubes-os.org/news/2022/06/17/qsb-081/
We have just published Qubes Security Bulletin (QSB) 081:
x86: MMIO Stale Data vulnerabilities (XSA-404).
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB-081 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-081-2022.txt
In addition, you may wish to:
Get the qubes-secpack: https://www.qubes-os.org/security/pack/
View all past QSBs: https://www.qubes-os.org/security/qsb/
View the XSA Tracker: https://www.qubes-os.org/security/xsa/
---===[ Qubes Security Bulletin 081 ]===---
2022-06-17
x86: MMIO Stale Data vulnerabilities (XSA-404)
User action required
---------------------
Users with appropriate hardware (see the "affected hardware" section
below) must install the following specific packages in order to address
the issues discussed in this bulletin:
For Qubes 4.0, in dom0:
- Xen packages, version 4.8.5-41
For Qubes 4.1, in dom0:
- Xen packages, version 4.14.5-3
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]
Dom0 must be restarted afterward in order for the updates to take
effect.
If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.
Summary
--------
On 2022-06-14, the Xen Project published XSA-404, "x86: MMIO Stale
Data vulnerabilities" [3]:
| This issue is related to the SRBDS, TAA and MDS vulnerabilities.
| Please see:
|
| https://xenbits.xen.org/xsa/advisory-320.html (SRBDS)
| https://xenbits.xen.org/xsa/advisory-305.html (TAA)
| https://xenbits.xen.org/xsa/advisory-297.html (MDS)
|
| Please see Intel's whitepaper:
|
| https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html
Impact
-------
An adversary who controls a VM with an assigned PCI device can infer
the memory content of other guests or Xen itself. This could allow the
adversary to read information that should be accessible only to Xen or
another VM and to use that information to launch further attacks. In
the default Qubes OS configuration, only sys-net and sys-usb can be
used to perform this attack.
Affected hardware
------------------
All Intel systems are affected. While mitigations are available, they
are available only for some Intel CPU models. Normally, it should be a
simple matter to look up a given CPU model number in a table to see
whether it is affected and whether it is eligible for any mitigations.
Indeed, Intel has published a table [4] that claims to serve this
purpose. Unfortunately, however, we have found several inaccuracies in
this table. Since we cannot rely on the table, we have had to devise an
alternative method using other published Intel technical documents that
appear to be more accurate. This has turned out to be quite complex.
Our best evidence indicates that mitigations are available for all and
only those CPUs that are both eligible for and updated with the Intel
microcode update released in May 2022. [5] Since going through all the
complicated technical steps of checking this manually would be
excessively cumbersome for most users, we have written a tool that does
it for you. Please note that this tool is entirely optional and is *not*
required for any security updates to take effect. Rather, its intended
purpose is to satisfy the curiosity of users who wish to know whether
their own CPUs are eligible for mitigations and who would struggle to
make that determination manually. This tool is included in the
`qubes-core-dom0-linux-4.0.35` package for Qubes 4.0 and the
`qubes-core-dom0-linux-4.1.23` package for Qubes 4.1. These packages
will migrate from the security-testing repository to the current
(stable) repository over the next two weeks after being tested by the
community. [1] Once available, the packages are to be installed via the
Qubes Update tool or its command-line equivalents. [2]
After installing the required updates, you will be able to execute `sudo
cpu-microcode-info` in a dom0 terminal. This will output a table of
information about the logical CPUs (aka CPU "cores") in your system. The
"F-M-S/PI" column lists the "Family-Model-Stepping/Platform ID" codes
that Intel uses in its microcode documentation, [5] which is explained
in further detail in Intel's README. [6] (The manual process of checking
would involve extracting your CPU information, converting it to
hexadecimal, and looking it up in the appropriate table in this
document.) The "Loaded microcode version" column lists the microcode
versions currently loaded for each CPU. The "20220510 update available"
column lists whether the required May 2022 microcode update is
*available* for each CPU. The "20220510 update installed" column lists
whether the required May 2022 microcode update is *installed* in each
CPU.
In order for the updates associated with this bulletin to successfully
mitigate XSA-404, a value of "yes" is required in both of these last two
"20220510 update" columns. If the "available" column has a "yes" while
the "installed" column has a "no," then the May 2022 microcode update
must be installed first. If both columns have "no" values, then this CPU
remains vulnerable, and there is no known mitigation available. If your
system has such a CPU, then installing The Xen packages listed in the
"user action required" section above is *not* expected to mitigate the
problem described in this bulletin. Unfortunately, there is simply
nothing we can do for these CPUs in terms of patching unless we receive
a fix from Intel or receive new information about which CPUs are
affected. Nonetheless, we still recommend installing the updates anyway
(once available), since they will not make the problem any worse,
keeping up-to-date with all security updates is a general best practice,
and future updates will be based on the latest version.
However, hope is not entirely lost for users whose CPUs are not eligible
for software mitigations. Since the vulnerability discussed in this
bulletin does not affect VMs without PCI passthrough devices, users
still have the option of altering their habits to treat VMs like sys-usb
and sys-net as more trusted. While this can be especially challenging in
the case of sys-net, it at least affords users *some* latitude in
working around the problem by being mindful of when such VMs are
running, how trusted their templates are, and similar considerations.
Further plans regarding PCI passthrough
----------------------------------------
This is yet another issue affecting only VMs with access to PCI devices.
This pattern of vulnerabilities has prompted us to research more secure
ways of handling such VMs in future Qubes releases. Eventually, we plan
to treat them as more privileged VMs that require additional protection.
Specific protective measures will be discussed with the community as
part of our ongoing research and development efforts.
Credits
--------
See the original Xen Security Advisory.
References
-----------
[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://xenbits.xen.org/xsa/advisory-404.html
[4] https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/main/releasenote.md#microcode-20220510
`qubes-core-dom0-linux-4.0.35` package for Qubes 4.0 and the
`qubes-core-dom0-linux-4.1.23` package for Qubes 4.1. These packages
will migrate from the security-testing repository to the current
(stable) repository over the next two weeks after being tested by the
community. [1] Once available, the packages are to be installed via the
Qubes Update tool or its command-line equivalents. [2]
After installing the required updates, you will be able to execute `sudo
cpu-microcode-info` in a dom0 terminal. This will output a table of
information about the logical CPUs (aka CPU "cores") in your system. The
"F-M-S/PI" column lists the "Family-Model-Stepping/Platform ID" codes
that Intel uses in its microcode documentation, [5] which is explained
in further detail in Intel's README. [6] (The manual process of checking
would involve extracting your CPU information, converting it to
hexadecimal, and looking it up in the appropriate table in this
document.) The "Loaded microcode version" column lists the microcode
versions currently loaded for each CPU. The "20220510 update available"
column lists whether the required May 2022 microcode update is
*available* for each CPU. The "20220510 update installed" column lists
whether the required May 2022 microcode update is *installed* in each
CPU.
In order for the updates associated with this bulletin to successfully
mitigate XSA-404, a value of "yes" is required in both of these last two
"20220510 update" columns. If the "available" column has a "yes" while
the "installed" column has a "no," then the May 2022 microcode update
must be installed first. If both columns have "no" values, then this CPU
remains vulnerable, and there is no known mitigation available. If your
system has such a CPU, then installing The Xen packages listed in the
"user action required" section above is *not* expected to mitigate the
problem described in this bulletin. Unfortunately, there is simply
nothing we can do for these CPUs in terms of patching unless we receive
a fix from Intel or receive new information about which CPUs are
affected. Nonetheless, we still recommend installing the updates anyway
(once available), since they will not make the problem any worse,
keeping up-to-date with all security updates is a general best practice,
and future updates will be based on the latest version.
However, hope is not entirely lost for users whose CPUs are not eligible
for software mitigations. Since the vulnerability discussed in this
bulletin does not affect VMs without PCI passthrough devices, users
still have the option of altering their habits to treat VMs like sys-usb
and sys-net as more trusted. While this can be especially challenging in
the case of sys-net, it at least affords users *some* latitude in
working around the problem by being mindful of when such VMs are
running, how trusted their templates are, and similar considerations.
Further plans regarding PCI passthrough
----------------------------------------
This is yet another issue affecting only VMs with access to PCI devices.
This pattern of vulnerabilities has prompted us to research more secure
ways of handling such VMs in future Qubes releases. Eventually, we plan
to treat them as more privileged VMs that require additional protection.
Specific protective measures will be discussed with the community as
part of our ongoing research and development efforts.
Credits
--------
See the original Xen Security Advisory.
References
-----------
[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://xenbits.xen.org/xsa/advisory-404.html
[4] https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/main/releasenote.md#microcode-20220510