Fingerprinting protections

PostedPortal · October 10, 2024, 5:37pm

Are there any hardware specific fingerprinting differences between an AppVm and a standalone linux vm with kernel provided by qubes (HVM vs PV vs PVH) ?

If i wanted to prevent a debian app from having access to my hardware informaton what approaches are available

apparatus · October 10, 2024, 5:58pm

github.com/QubesOS/qubes-issues

Stop telling VMs the exact physical CPU model in the computer

opened 12:21AM - 21 Aug 15 UTC

closed 11:45PM - 17 Oct 18 UTC

qubesuser

T: enhancement C: core C: Xen privacy R: declined

Currently Qubes lets VMs execute CPUID and get the exact model and microcode rev…ision of the physical CPU installed in the system. This is bad for anonymity and unexpected. Already discussed in https://groups.google.com/forum/#!msg/qubes-devel/Q8h-RGH5YoA/fzWbi7c-kfoJ but there seems to be no open issue, and it's a critical issue at least for anonymous VMs. Possible solutions: 1. Run all VMs in Xen PVHVM mode, fix libvirt so that it allows to set the CPUID for Xen and do so 2. Run all VMs in Xen PVH mode, fix Xen so that CPUID hiding works in PVH mode and fix libvirt as well to support PVH and allow to set CPUID 3. Replace Xen with KVM and then it just works with no additional effort The CPUID chosen should be the default libvirt one for the physical CPU microarchitecture (i.e. one for Skylake, one for Haswell, one for Sandy Bridge, etc.) which allows using all CPU instruction set extensions while not giving any more information and should be changeable to a less featureful one (Core 2 or Athlon 64) for increased anonymity if desired. Ideally Qubes should wait until a few months have passed from the release of a new CPU architecture before it starts advertising it by default, to ensure that the anonymity set is big enough, and it should also wait a random amount of time before changing it on upgrades, to avoid leaking the exact time the user installed the new CPU or changed computers. It would also be nice to look at whether it's possible to prevent applications indirectly detecting the size of the cache, size of TLBs, the speed of the CPU and other characteristics, although it may not be practical to avoid those.

PostedPortal · October 11, 2024, 2:50am

It’s unfortunate that neither the Qubes nor Whonix teams have taken action to resolve this issue.

If I choose to move forward, would using PVH mode along with editing the CPUID and libvirt settings be effective?

Here’s what I’m considering:

EDIT:

Create a standaloneVM in PVH mode
Dom0 terminal: sudo virsh edit
add/modify cpu section

<cpu mode='host-passthrough'> <feature policy='disable' name='vmx'/> <feature policy='disable' name='svm'/> <feature policy='disable' name='sse4_2'/> <feature policy='disable' name='avx'/> <feature policy='disable' name='avx2'/> <feature policy='disable' name='popcnt'/> <feature policy='disable' name='aes'/> <feature policy='disable' name='fma'/> <feature policy='require' name='invtsc'/> </cpu>

How many Qubes users do you think mask their CPUID? Would I stand out significantly if I did?

PostedPortal · October 11, 2024, 3:40am

… this didnt seem to work

robertford · October 11, 2024, 6:06am

Those configs set with virsh are not persistant. There used to be a place in which you can put templates. Not sure if that is still true in 4.2.

aronowski · October 11, 2024, 10:11am

The linked issue does shed some light on this matter. If it’s to be done at all, it should be good, rather than a security theater.

We were discussing something similar during the Qubes summit 2024 hackathon in regard to Secure Boot support - unless there’s a good handling of lockdown in Xen, and other tweaks to support the Microsoft requirements, a mere checking off of some points in a list won’t make the thing reasonably secure.

For instance, a lot of information can be deduced, that a mere mortal like me can’t even imagine and a healthy amount of humbleness does help with considering that.
What I can deduce is something that gets printed from tools that others wrote, and they likely don’t account for everything out there, especially with how tracking methods get better and better. See a sneak peek here (I recommend reading that whole thread).

apparatus · October 11, 2024, 8:49pm

You should edit the libvirt config instead of using sudo virsh edit:
https://dev.qubes-os.org/projects/core-admin/en/latest/libvirt.html