Concerns about sensitive information leakage: ProcessorId

eagle · November 2, 2023, 2:38pm

I know that qubes os tries to use compartmentalization to isolate different qubes from each other. But qubes os doesn’t seem to try to hide the information the hardware exposes to qubes.
Run the following commands in different windows qubes:

wmic cpu get ProcessorId

You can get output like this:

ProcessorId
0123456789ABCDEF

This id is the same in different windows qubes.
You can also get the reversed id in dom0:

[user@dom0 Desktop]$ sudo dmidecode
Processor Information
ID: EF CD AB 89 67 45 23 01

The worst thing is that, I also have windows installed on the same computer. I ran the command and get the same output.
My concern is whether it is possible for an attacker to associate different qubes based on this information and thus discover the user’s true identity?

EDIT:
But interestingly I can’t get it in linux qubes:

user@vault:~$ sudo dmidecode
# dmidecode 3.3
Scanning /dev/mem for entry point.
# No SMBIOS nor DMI entry point found, sorry.

Bearillo · November 2, 2023, 4:01pm

On Whonix workstation:

sudo dmidecode
# dmidecode 3.3
Scanning /dev/mem for entry point.
# No SMBIOS nor DMI entry point found, sorry.

QubesOS is a security oriented OS; anonymity is not the primary focus. If you want to do things anonymously within QubesOS, use the Whonix components (gateway and workstation). These can be chosen on installation already, so it’s conveniently available without much configuration.

adw · November 2, 2023, 11:20pm

Related FAQ entry: https://www.qubes-os.org/faq/#what-about-privacy-in-non-whonix-qubes

fsflover · November 3, 2023, 1:21pm

Stop telling VMs the exact physical CPU model in the computer

opened 12:21AM - 21 Aug 15 UTC

closed 11:45PM - 17 Oct 18 UTC

qubesuser

T: enhancement C: core C: Xen privacy R: won't do

Currently Qubes lets VMs execute CPUID and get the exact model and microcode rev…ision of the physical CPU installed in the system. This is bad for anonymity and unexpected. Already discussed in https://groups.google.com/forum/#!msg/qubes-devel/Q8h-RGH5YoA/fzWbi7c-kfoJ but there seems to be no open issue, and it's a critical issue at least for anonymous VMs. Possible solutions: 1. Run all VMs in Xen PVHVM mode, fix libvirt so that it allows to set the CPUID for Xen and do so 2. Run all VMs in Xen PVH mode, fix Xen so that CPUID hiding works in PVH mode and fix libvirt as well to support PVH and allow to set CPUID 3. Replace Xen with KVM and then it just works with no additional effort The CPUID chosen should be the default libvirt one for the physical CPU microarchitecture (i.e. one for Skylake, one for Haswell, one for Sandy Bridge, etc.) which allows using all CPU instruction set extensions while not giving any more information and should be changeable to a less featureful one (Core 2 or Athlon 64) for increased anonymity if desired. Ideally Qubes should wait until a few months have passed from the release of a new CPU architecture before it starts advertising it by default, to ensure that the anonymity set is big enough, and it should also wait a random amount of time before changing it on upgrades, to avoid leaking the exact time the user installed the new CPU or changed computers. It would also be nice to look at whether it's possible to prevent applications indirectly detecting the size of the cache, size of TLBs, the speed of the CPU and other characteristics, although it may not be practical to avoid those.