Hiding CPUID from AppVM (why is this not default)?

as time goes on i’m learning qubes isn’t as private and secure as i originally believed
while this specific issue is less important to me personally (since i care more about security than privacy…) you’d think that by principle the hardware id should be hidden from vm’s by default…

and while yes it is hard to believe any entity less powerful than maybe a full-blown government would be able to use such a “meaningless” piece of information
think of the journalists using qubes and tyrannical governments such as china’s… to give an example

anyway

i’ve found this after a quick search: Setting the CPUID of a XEN guest - Intrbiz Blog

but the link given is old

wayback machine gets me to 2012 and not much useful information either
https://web.archive.org/web/20121212121757/https://zhigang.org/wiki/XenCPUID

and well, most likely anything from 2012 is very very outdated
if anyone can direct me to a patch or instruction/… anything like that i’d appreciate it

no need to really dig into the matter it’s just “general discussion”

(it’s not that important to me as i said i’m not in the business of upsetting governments/ paranoid to the degree where an attacker would have the ability to identify who i am from the device…
and if i were i would’ve got myself a cheap second hand laptop for cash anyway so…
or paid someone in cash to buy me a good cpu/… not to step foot in a store with cameras or credit card or…)

but i mean…
you get the point, it’s a matter of principle

(Adjusted your title for clarity, but feel free to tweak it if it is not adequate)

I think this will answer your question (marmarek is the lead developer of Qubes):

if this kind of thing surprises you, you should definitely be aware of other limitations (and benefits) from Qubes. For anyone else reading this in the future too, check the Whonix forum for the entry “Qubes-Whonix security disadvantages” (.onion). in summary, some modules like kloak (keystroke timing anonymization), lkrg (linux kernel runtime guard), and tirdad (TCP ISN CPU information leak protection) do not work on Qubes-Whonix. also i talk about whonix here because you mentioned journalists hiding from oppressive governments (and nothing else on qubes besides the deprecated TorVM)
fyi there’s a lot of other modules i didn’t mention, so go give the forum post a read
however, qubes offers a lot of other security benefits over virtualbox, see the whonix wiki entry on why qubes is better than other virtualizers (.onion) (benefits in security, anonymity, and privacy)

There are pragmatic reasons for not masking information about the CPU from VMs. E.g. a lot of programs, particularly compilers/linkers, use the information to assist in giving correct/optimal output.

B