OK, but CPU information, specifically, is the special case I already mentioned knowing about.
I’m pretty sure that, by default, VirtualBox sets the CPU type identifier inside of the VM to match the CPU type outide of the VM (even if that creates a nonsensical configuration, like a combination of core type and core count that doesn’t correspond to any processor you can actually buy). I definitely know that KVM does that by default.
But you can also configure the hypervisor to try to emulate a specific CPU of your choice, at which point /sys/devices/cpu (and /proc/cpuinfo) should reflect what you told the hypervisor to emulate, rather than the actual hardware. And the hypervisor will at least try to emulate the right instruction set, too (otherwise tons of user programs would bomb). It still can’t do anything about weird timing and errata attacks, but it should keep the contents of /sys from just giving the CPU type away for free.
Do you know of anything that passes through an actual serial number? That’s where things would really get nasty.
Here’s a user-mode program that will get the CPU model without opening anything in /proc or /sys and withouth asking the kernel (link munged so the software will let me post it): https: // gist-dot-github-dot-com /9prady9/a5e1e8bdbc9dc58b3349
No, it uses the CPUID instruction. It’s not a privileged instruction; the CPU doesn’t think the information is secret in any way. The WIkipedia entry is “CPUID”.
It works for me. I looked at the code and it does indeed seem to be using the instruction, not making any call to the kernel. I ran it under strace and didn’t see it do anything else.
In fact, in the man page for the cpuid kernel module, it says “The CPUID instruction can be directly executed by a program using nline assembler. However this device allows convenient access to all CPUs without changing process affinity”.
I am not an Intel processor guru and I don’t even play one on TV… but I can’t imagine how else you could keep a program from getting information that’s handed out directly by an unprivileged CPU instruction.