[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Restrict hardware information to root

#1

It seems that from this forum post that the guest can get information about the host’s hardware such as your CPU. I’ve also tested this on Virtualbox and the CPU is shown.

Would it make sense to restrict /proc/cpuinfo, lspci and some files in /sys to root?

Has anyone tested whether other hardware information is leaked? Like motherboards, network adapters, GPUs etc.

Motherboard information can be found by running

cat /sys/devices/virtual/dmi/id/board_{vendor,name,version}

Virtualbox doesn’t leak the motherboard information. I haven’t tested this on other hypervisors.

Certain hardware devices like audio controllers and SATA controllers can be found by running lspci. Virtualbox spoofs this info. I haven’t tested this on other hypervisors either.

1 Like
#2

This might make sense if it is possible.

This (change of default file permissions) should be reported as a bug or feature request upstream too (even if they don’t implement it - we benefit from their comments, perhaps would otherwise miss a good argument to not do this).

You suggested to hide from everyone but root, ok. (Edited)


Related, which was an attempt to hide hardware information even from root:

ticket on virtualbox hardware obfuscation - which was later reverted. The code is still here:

It could be enabled through an optional build parameter which would be easy to add but so far no one has asked for it.

ticket: remove attempts to hide CPU information from VM in VirtualBox

List here:

2 Likes
#3

I meant to hide from everyone but root. It wouldn’t have anything to do with the actual hypervisors themselves but to do with the permissions on certain files. Hiding it from root as well would be good but it doesn’t seem possible on certain hypervisors so hiding it from regular users would be the next best thing.

1 Like
#4

I misspoke.

Fixed.

You suggested to hide from everyone but root, ok. (Edited)

1 Like
#5

What package would that be in? I’ll file a bug on their bug tracker.

2 Likes
#6

I don’t know, either https://www.virtualbox.org and/or https://bugzilla.kernel.org.

1 Like
#7

I’m about to file the bug but don’t know which category to put it in.

Which one should it be? “Other”?

1 Like
#8

Other sounds good. I hope it would be re-assigned if need be.

1 Like
#9

Just created it.

https://bugzilla.kernel.org/show_bug.cgi?id=203541

1 Like
#10

I am not sure sound quite feature request alike / request for change of defaults alike. Let’s see what they say.

Alternatively, subject:

prevent non-root users from viewing hardware information from /proc/cpuinfo, /bin/lspci and /sys

text:

possibility of this being an identifier

Not sure they care. Can we make this a security argument? Principle of least privilege? What’s the use case for non-root users to view hardware information?

1 Like
#11

Hardware information may be useful for an attacker to know what exploits in some firmware to use.

They could probably detect the firmware by seeing what modules are loaded though.

If your adversary is one with lots of resources then knowing the hardware may help in utilizing potential hardware backdoors. A bit extreme but seems possible.

1 Like
#12

I don’t believe I was not aware of that.
What’s the situation with Qubes and KVM?

1 Like
#13

See:

1 Like
#14

From the comments,

KVM = Spoofed the CPU :white_check_mark:

Virtualbox = Failed to do that :heavy_multiplication_x:

Qubes = The most failure :x:

I am not sure if anything has changed.

#15

At the moment I pass thru all CPU flags from the host to the guest to allow the guest kernel spectre/meltdown protections to kick in. Restricting this info to root is a great step.

Also preventing unprivileged processes from enumerating info from /proc/pid does make it harder for rowhammer attacks:

1 Like
#16

https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection needs update then?

#17

Yes though I need someone who doesn’t mind posting their CPU info on there. @TNT_BOM_BOM can you please repeat the /proc/cpu tests and update the wiki?

2 Likes
#18

For all hyporvisors or kvm only ?

2 Likes
#19

KVM only.
VirtualBox when you get to it but I guess nothing changed.
In Qubes nothing changed either as far as I know.

1 Like