Open adrelanos opened 6 years ago
This is not an issue or bug report. Should be posted in the community forum or subreddit.
https://groups.google.com/forum/#!forum/qubes-users https://www.reddit.com/r/Qubes/
The feature request here is "use Spectre V1 scanner to scan all of Qubes code".
@adrelanos Gotcha. Original post didn't hint at that. Thanks for explaining.
@adrelanos While this should definitely be pursued for all Qubes binaries, unfortunately Qubes does use quite a few Python scripts, which this tool wouldn't be helpful with. So in this way, we wouldn't be able to "scan all of Qubes code" -- just scan Qubes' binaries.
I've investigated this tool further. It seems fairly self-explanatory. I had to download binutils, and edit the makefile to compile it correctly. The tool is very fast (scanned all binaries in `/usr/bin` in 47 seconds).

In order to scan binaries, you have to use `--binary` because by default it expects them in ELF format.

From scanning `vmlinuz*` and `/usr/bin/*` binaries (inside a DispVM) it showed no problems, which is a good sign.
This tool does not seem finalized:

> it is not sufficient to just install the binutils package or the binutils-devel package, as the scanner uses header files that are internal to the binutils sources. This requirement is an artifact of how the scanner evolved and it will be removed one day.
>
> — Original Red Hat article: SPECTRE Variant 1 scanner tool
As well, it seems the only place to download the source code is provided by a person's web home page:
https://people.redhat.com/~nickc/Spectre_Scanner/scanner.tar.xz
@marmarek How useful do you see this tool being? Right now, to me, it seems more like a tool for users to verify their installation's security. I don't see a good place for it, until it becomes an actual package provided from Fedora's repositories (or others).
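The scan described in the comment above (every file under `/usr/bin`, plus the raw `vmlinuz*` images), written out as a small POSIX shell wrapper. This is an added example; it is not part of the issue thread, of Qubes, or of the Red Hat scanner's own sources. It assumes the scanner built from `scanner.tar.xz` lives at `$SCANNER`, takes one file path as its argument, and that `--binary` (the only flag mentioned in the thread) switches it from ELF parsing to raw-code mode; the thread does not document what the scanner's exit status means, so the wrapper records it per file rather than interpreting it. The wrapper picks the mode by checking the ELF magic bytes, which is what lets one run cover both the ELF binaries and the non-ELF kernel images.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from the scanner tarball.
# Assumptions: $SCANNER is the built Red Hat Spectre V1 scanner, it accepts a
# single file path, and --binary selects raw-code mode instead of ELF parsing.
set -u

SCANNER="${SCANNER:-./scanner}"

# is_elf FILE: succeed if FILE starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')" = "7f454c46" ]
}

# scan_mode FILE: print "elf" for ELF objects and "raw" for anything else
# (for example a bzImage under /boot), so the caller knows whether --binary
# is needed.
scan_mode() {
    if is_elf "$1"; then echo elf; else echo raw; fi
}

# scan_file FILE: run the scanner in the matching mode and return its exit
# status. The meaning of a non-zero status is not documented in the thread,
# so callers should log it rather than treat it as a verdict.
scan_file() {
    if [ "$(scan_mode "$1")" = elf ]; then
        "$SCANNER" "$1"
    else
        "$SCANNER" --binary "$1"
    fi
}

# scan_dir DIR LOG: scan every regular file in DIR, append one
# "status mode path" line per file to LOG (scanner output goes to LOG.out),
# and print a "scanned=N nonzero=M" summary on stdout.
scan_dir() {
    dir=$1; log=$2
    n=0; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(scan_mode "$f")
        if scan_file "$f" >>"$log.out" 2>&1; then rc=0; else rc=$?; fi
        printf '%s %s %s\n' "$rc" "$mode" "$f" >>"$log"
        n=$((n + 1))
        [ "$rc" -eq 0 ] || bad=$((bad + 1))
    done
    echo "scanned=$n nonzero=$bad"
}

# Usage: SCANNER=/path/to/scanner sh scan_all.sh /usr/bin scan.log
if [ $# -eq 2 ]; then
    scan_dir "$1" "$2"
fi
```

Running it inside a DispVM, as the comment does, keeps the unpackaged build of the scanner out of the TemplateVM; the log lists each file with the mode it was scanned in, so a non-zero status on a raw image can be told apart from one on an ELF binary when reviewing the results.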
Just leaving that here. Hopefully this is useful.
https://www.phoronix.com/scan.php?page=news_item&px=Red-Hat-Spectre-V1-Scanner