Page MenuHomePhabricator
Create Task
Maniphest T408

--synthcpu was removed from VirtualBox, use --cpuid-portability-level or --cpuidremoveall?
Closed, ResolvedPublic
Actions

Description

--synthcpu was removed in VirtualBox 5?

Let's try some likely newly available options.

  • --cpuid-portability-level 3
  • --cpuid-portability-level 999
  • --cpuidremoveall

Info:

TODO:

  • Set the new option for exiting VMs.
    • See if it works.
    • See if there are any negative implications performance or stability wise (some applications no longer working).
  • Set the new option during build.
  • Test.

Details

Impact
Normal

Related Objects

Event Timeline

Patrick created this task.Sep 28 2015, 4:10 PM
Patrick raised the priority of this task from to Normal.
Patrick updated the task description. (Show Details)
Patrick added a project: VirtualBox.
Patrick set Impact to Normal.
Patrick added a subscriber: Patrick.
Herald added a project: Whonix. · View Herald TranscriptSep 28 2015, 4:10 PM
Herald added subscribers: WhonixQubes, troubadour. · View Herald Transcript
Patrick updated the task description. (Show Details)Nov 29 2015, 4:24 PM
Patrick renamed this task from use cpuid-portability-level to --synthcpu was removed from VirtualBox, use --cpuid-portability-level or --cpuidremoveall?.Nov 29 2015, 4:58 PM
Patrick updated the task description. (Show Details)
Patrick removed a subscriber: WhonixQubes.
Patrick closed this task as Wontfix.Dec 5 2015, 1:25 PM
Patrick claimed this task.

TNT_BOM_BOM tested out in the forums, that --cpuidremoveall fails to result in the desired effect. Hence nothing can be done about this.

Patrick added a project: Whonix 14.Jan 17 2017, 10:02 AM

https://github.com/Whonix/Whonix/commit/6db3c345c80ee9841fcae57621cafbfcdd000a0f

dumbmouse reopened this task as Open.Jan 18 2017, 4:59 AM
dumbmouse added a subscriber: dumbmouse.

After much research this is the best way to hide the CPU using VirtualBox:

Set vendor_id to "GenuineIntel"

--cpuidset 00000000 0x00000005 0x756e6547 0x49656e69 0x6c65746e
--cpuidset 80000000 0x80000008 0x756e6547 0x49656e69 0x6c65746e

Set family/model/stepping (15/4/3), and feature flags (most are overridden by cpuid-portability-level any way)

--cpuidset 00000001 0x00000f43 0x00020800 0x0000649d 0xbfebfbff
--cpuidset 80000001 0x00000f43 0x00020800 0x0000649d 0xbfebfbff

Set model name to "Intel(R) Pentium(R) 4 CPU 3.00GHz"

--cpuidset 80000002 0x20202020 0x20202020 0x20202020 0x6e492020
--cpuidset 80000003 0x286c6574 0x50202952 0x69746e65 0x52286d75
--cpuidset 80000004 0x20342029 0x20555043 0x30302e33 0x007a4847

Remove most feature flags

--cpuid-portability-level 3

This should work on all host x86 CPUs. I have tested on only Intel. Performance impact should be the same as --synthcpu (no different to now).

Reference notes for anyone investigates this later:

--cpuid-portability-level is the successor of --synthcpu and does all/most of the same things

--cpuidremoveleaf and --cpuidremoveall modify the .vbox config file only. They remove CPUID overrides added by --cpuidset. Beside that they have no effect.

A better solution if it worked would be to set VBoxInternal/CPUM/GuestCpuName to "Intel(R) Pentium(R) 4 CPU 3.00GHz". GuestCpuName makes VirtualBox load all CPUID leaves and MSRs from its internal database of CPUs and their data, overriding all host CPU data. Unfortunately in testing only about 25% of CPUs actually work and whether they work or not probably depends on the host CPU so it is not suitable for general distribution. Maybe GuestCpuName will improve some time.

To change the vendor_id or model name hex use the scripts here:
https://superuser.com/questions/625648/virtualbox-how-to-force-a-specific-cpu-to-the-guest

Setting VBoxInternal/CPUM/HostCPUID/... has the same affect as --cpuidset but --cpuidset is documented and better to use.

Related source files:

Primary file. Reads host CPU info and configuration overrides and passes it through or masks it

VBox/VMM/VMMR3/CPUMR3CpuId.cpp

Related to GuestCpuName

VBox/VMM/VMMR3/CPUMR3Db.cpp
VBox/VMM/VMMR3/cpus/
VBox/VMM/VMMR3/cpus/Intel_Pentium_4_3_00GHz.h

Pretty obvious

VBox/Frontends/VBoxManage/VBoxManageHelp.cpp
VBox/Frontends/VBoxManage/VBoxManageModifyVM.cpp

Patrick added a comment.Jan 18 2017, 5:29 AM

Thanks! Without your research, this almost certainly would not have had a chance to make it into Whonix 14. Can you commit your changes to git please? (And/or create a github pull request?)

https://github.com/Whonix/Whonix/blob/master/build-steps.d/2600_create-vbox-vm

Then I can try out your suggested changes in the next build.

Patrick added subscribers: entr0py, Ego.Jan 18 2017, 5:30 AM
dumbmouse added a comment.Jan 18 2017, 6:04 AM

Actually I need to test this more. I will fine tune it and add another comment here in couple of days.

Patrick added a comment.Jan 18 2017, 6:35 AM

Alright, great!

dumbmouse added a comment.Jan 21 2017, 7:59 PM

Here is a more limited version, but better for general distribution:

# Clear existing (not necessary for initial install)
vboxmanage modifyvm <uuid> --cpuidremoveall

# GenuineIntel
vboxmanage setextradata <uuid> VBoxInternal/CPUM/HostCPUID/00000000/ebx 0x756e6547
vboxmanage setextradata <uuid> VBoxInternal/CPUM/HostCPUID/00000000/ecx 0x6c65746e
vboxmanage setextradata <uuid> VBoxInternal/CPUM/HostCPUID/00000000/edx 0x49656e69
vboxmanage setextradata <uuid> VBoxInternal/CPUM/HostCPUID/80000000/ebx 0x756e6547
vboxmanage setextradata <uuid> VBoxInternal/CPUM/HostCPUID/80000000/ecx 0x6c65746e
vboxmanage setextradata <uuid> VBoxInternal/CPUM/HostCPUID/80000000/edx 0x49656e69

# Model/Family/Stepping
vboxmanage setextradata <uuid> VBoxInternal/CPUM/HostCPUID/00000001/eax 0x00000f43
vboxmanage setextradata <uuid> VBoxInternal/CPUM/HostCPUID/80000001/eax 0x00000f43

# Pentium model name
vboxmanage setextradata <uuid> VBoxInternal/CPUM/HostCPUID/80000002/eax 0x20202020
vboxmanage setextradata <uuid> VBoxInternal/CPUM/HostCPUID/80000002/ebx 0x20202020
vboxmanage setextradata <uuid> VBoxInternal/CPUM/HostCPUID/80000002/ecx 0x20202020
vboxmanage setextradata <uuid> VBoxInternal/CPUM/HostCPUID/80000002/edx 0x6e492020
vboxmanage setextradata <uuid> VBoxInternal/CPUM/HostCPUID/80000003/eax 0x286c6574
vboxmanage setextradata <uuid> VBoxInternal/CPUM/HostCPUID/80000003/ebx 0x50202952
vboxmanage setextradata <uuid> VBoxInternal/CPUM/HostCPUID/80000003/ecx 0x69746e65
vboxmanage setextradata <uuid> VBoxInternal/CPUM/HostCPUID/80000003/edx 0x52286d75
vboxmanage setextradata <uuid> VBoxInternal/CPUM/HostCPUID/80000004/eax 0x20342029
vboxmanage setextradata <uuid> VBoxInternal/CPUM/HostCPUID/80000004/ebx 0x20555043
vboxmanage setextradata <uuid> VBoxInternal/CPUM/HostCPUID/80000004/ecx 0x30302e33
vboxmanage setextradata <uuid> VBoxInternal/CPUM/HostCPUID/80000004/edx 0x007a4847

This version only changes registers controlling vendor, family/model/stepping and model name. The last version used --cpuidset which requires all registers be passed (eax...edx) which means overriding some flags and that makes problems.

Also --cpuid-portability-level even at 1 (the lowest level) removes too many flags and gives compatibility and performance problems.

With this version only text strings and family/model/stepping are changed. Flags are passed from host CPU but the likelyhood of profiling a user by looking at flags is low. VirtualBox sanitizes the flags and only passes those it supports. The host and guest CPU flags will be different and most guests will have the same or almost the same flags.

Most other CPU leaves are sanitized, removed or zero'd by VirtualBox. There will be differences in cache sizes, TLB and maybe a few others. I have not researched every single thing but I believe the most an attacker could determine would be a CPU series (i-3, Broadwell, Athlon, ..). I don't see anything indicating a specific model.

I mentioned in my last comment but for anyone researching later, test GuestCpuName and check if it has improved and is usable. If it works and is reliable that is a better choice than setting these registers.

Note: /proc/cpuinfo does not show all of the information. A tool like cpuid is needed.

Unfortunately I do not have a Whonix build set up and don't know anything about that. The build could either run the commands above or include the extra data in the configuration file like this:

<Machine ...>
    <ExtraData>
      ...
      <ExtraDataItem name="VBoxInternal/CPUM/HostCPUID/00000000/ebx" value="0x756e6547"/>
      <ExtraDataItem name="VBoxInternal/CPUM/HostCPUID/00000000/ecx" value="0x6c65746e"/>
      <ExtraDataItem name="VBoxInternal/CPUM/HostCPUID/00000000/edx" value="0x49656e69"/>
      <ExtraDataItem name="VBoxInternal/CPUM/HostCPUID/00000001/eax" value="0x00000f43"/>
      <ExtraDataItem name="VBoxInternal/CPUM/HostCPUID/80000000/ebx" value="0x756e6547"/>
      <ExtraDataItem name="VBoxInternal/CPUM/HostCPUID/80000000/ecx" value="0x6c65746e"/>
      <ExtraDataItem name="VBoxInternal/CPUM/HostCPUID/80000000/edx" value="0x49656e69"/>
      <ExtraDataItem name="VBoxInternal/CPUM/HostCPUID/80000001/eax" value="0x00000f43"/>
      <ExtraDataItem name="VBoxInternal/CPUM/HostCPUID/80000002/eax" value="0x20202020"/>
      <ExtraDataItem name="VBoxInternal/CPUM/HostCPUID/80000002/ebx" value="0x20202020"/>
      <ExtraDataItem name="VBoxInternal/CPUM/HostCPUID/80000002/ecx" value="0x20202020"/>
      <ExtraDataItem name="VBoxInternal/CPUM/HostCPUID/80000002/edx" value="0x6e492020"/>
      <ExtraDataItem name="VBoxInternal/CPUM/HostCPUID/80000003/eax" value="0x286c6574"/>
      <ExtraDataItem name="VBoxInternal/CPUM/HostCPUID/80000003/ebx" value="0x50202952"/>
      <ExtraDataItem name="VBoxInternal/CPUM/HostCPUID/80000003/ecx" value="0x69746e65"/>
      <ExtraDataItem name="VBoxInternal/CPUM/HostCPUID/80000003/edx" value="0x52286d75"/>
      <ExtraDataItem name="VBoxInternal/CPUM/HostCPUID/80000004/eax" value="0x20342029"/>
      <ExtraDataItem name="VBoxInternal/CPUM/HostCPUID/80000004/ebx" value="0x20555043"/>
      <ExtraDataItem name="VBoxInternal/CPUM/HostCPUID/80000004/ecx" value="0x30302e33"/>
      <ExtraDataItem name="VBoxInternal/CPUM/HostCPUID/80000004/edx" value="0x007a4847"/>
    <ExtraData>
</Machine>
anonymous1 added a subscriber: anonymous1.Jan 22 2017, 7:23 AM

Works for me, hid my cpu name

Patrick changed the task status from Open to Review.Mar 10 2017, 1:01 AM
Patrick reassigned this task from Patrick to dumbmouse.

Added. Not yet tested by me but will test in the next build.

https://github.com/Whonix/Whonix/commit/fb02a8a517fdea8f38613d0e43f90e5b334440fd

Patrick closed this task as Resolved.Mar 11 2018, 1:44 PM
Patrick added a subscriber: HulaHoop.Aug 27 2018, 6:32 PM

"Hiding CPU model is futile." Any reference for that? @HulaHoop

Patrick added a comment.Aug 27 2018, 6:32 PM

Regarding the spectre vulnerability and its effect on VirtualBox your input is desired. @dumbmouse

https://forums.whonix.org/t/whonix-vulerable-due-to-missing-processor-microcode-packages/5739/22

Patrick reopened this task as Open.Nov 28 2018, 6:40 AM
Patrick closed this task as Resolved.Nov 28 2018, 6:44 AM

This will be undone. Ticket:

remove attempts to hide CPU information from VM in VirtualBox
T881

Whonix OLD Issue Tracker · PLEASE DO NOT POST NEW TICKETS HERE · OLD Issue Tracker - Unread Notifications · OLD Issue Tracker - Feed · OLD Issue Tracker - Open Issues · NEW Issue Tracker · Homepage · Blog · Forum · Legal · Imprint · Privacy Policy · Terms of Use · Disclaimer