One recent example of a firmware vulnerability is the processor microcode update for modern chips to address [https://security-tracker.debian.org/tracker/CVE-2018-3620 speculative] [https://security-tracker.debian.org/tracker/CVE-2018-3646 execution flaws]. The [https://www.debian.org/security/2018/dsa-4279 Debian package] is non-free software, therefore only available in the Debian nonfree repository, meaning it is not installed by default in all {{project_name_short}} variants. <ref>Relevant Debian packages for processor microcode: [https://packages.debian.org/{{Stable_project_version_based_on_Debian_codename}}/intel-microcode Intel] and [https://packages.debian.org/{{Stable_project_version_based_on_Debian_codename}}/amd64-microcode amd64].</ref> <ref>Installing these updates by default would require the Debian nonfree repository, and logically also make {{project_name_short}} images nonfree.</ref> {{project_name_short}} recommends to [[avoid nonfree software]] but in this case idealism would result in insecurity.

It is unnecessary to apply these updates in standard [[Non-Qubes-Whonix|{{non_q_project_name_short}}]] and [[Qubes|{{q_project_name_long}}]] guest VMs, as they do not have the ability to alter the microcode. However, processor microcode updates <u>should</u> always be applied <u>on the host operating system</u> (for processors by Intel or AMD) <ref>ARM is less affected than Intel architecture.</ref> and baremetal configurations like [[Physical_Isolation|Physical Isolation]]. <ref>See: https://forums.whonix.org/t/whonix-vulerable-due-to-missing-processor-microcode-packages/5739</ref>

=== Microcode Package Check ===

In the following checks, the package is not installed if there is no output.

To check whether the microcode package is installed.

==== Debian based ====
On the host. Run.

{{CodeSelect|code=
dpkg -l {{!}} grep microcode
}}

==== Qubes ====
In dom0. Run.

{{CodeSelect|code=
dnf list {{!}} grep microcode
}}

The Qubes check should confirm the <code>microcode_ctl.x86_64</code> package is already installed. <ref>This package is installed by default in Qubes to automatically protect users against hardware threats.</ref>

=== Install Microcode Package ===
==== Intel ====
{{Install Package|package=
intel-microcode
}}

==== AMD ====
{{Install Package|package=
amd64-microcode
}}

=== spectre-meltdown-checker ===
It is possible to check if the system is vulnerable to the [https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/ Spectre] and [https://meltdownattack.com/ Meltdown] attacks, which use flaws in modern chip design to bypass system protections.

==== Installation ====
{{Install Package
|package_name=Spectre Meltdown Checker
|package=spectre-meltdown-checker
}}

==== Usage ====
{{CodeSelect|code=
sudo spectre-meltdown-checker --paranoid ; echo $?
}}

=== Forum Discussion ===
See: https://forums.whonix.org/t/whonix-vulerable-due-to-missing-processor-microcode-packages/5739