CPUID - Security and Privacy Risks
CPUID is a processor function that allowing software to discover the model and capabilities of the processor. This can be a security or privacy risk.
To avoid confusion, it is being mentioned that there are two different things:
- CPUID: This wiki page.
Protected Processor Identification Number(
As for CPUID, there are two different cases.
- B) Local CPUID: Unfortunately, locally running applications can use the non-privileged CPU instruction CPUID. This cannot be prevented. This issue is unspecific to Kicksecure.
What information does CPUID give?
Any information that is related to Processor including the design of the Processor can be fetched using CPUID instructions. For example, we can get the following information using CPUID using different leaf values:
- Processor Vendor name
- Processor name, Serial number
- Number of Cores
- Features supported like AVX512
- L1, L2 and L3 Cache Size
- Cache Topology
- Thermal and Power Management
Author of screenshots: screenshots.debian.net/package/cpuid
cpuid Screenshot 1 / 4
cpuid Screenshot 2 / 4
cpuid Screenshot 3 / 4
cpuid Screenshot 4 / 4
CPUID Technical Background
- Importance of this wiki chapter: If the reader is time-poor, the rest of the text inside this box can be skipped.
- Affected operating systems: All. This issue is unspecific to Kicksecure.
- Affected computers: All Intel and AMD CPUs are affected since 1993.
- Workarounds available? None. There are also no virtualizers capable to hide this information. Perhaps emulators might be able to hide this information since the CPU is fully emulated (as opposed to be being virtualized) but these are too slow to be considered for production use.
- CPUID technical introduction: Quote cpuid man page (Underline added.):
The CPUID instruction can be directly executed by a program using inline assembler. However this device allows convenient access to all CPUs without changing process affinity. Most of the information in cpuid is reported by the kernel in cooked form either in /proc/cpuinfo or through subdirectories in /sys/devices/system/cpu. Direct CPUID access through this device should only be used in exceptional cases.
- Remote websites: Cannot fingerprint the user to remotely detect the the user's CPU model and capabilities. There are no test pages that claim to do it. One websites might make a first impression that it can be done, but it's not possible, see
- No live demonstration available: There is no hosted web service that demonstrates this feature. At least a few of the many Browser Tests would implement this. Specifically likely the popular Fingerprint.com improve their service with CPUID if this was possible.
- Alternative browser API: Since this is not possible, an alternative browser API feature
navigator.hardwareConcurrencywas implemented by browsers vendors.
- Alternative to CPUID: The closest alternative to CPU fingerprinting using CPUID that has been found is WebCPU .
- Non-solutions: Even security-misc's
hide-hardware-info.servicecannot hide CPUID.
- Future: The Kicksecure project will not be able to fix the CPUID issue. At author if this wiki page is not aware of any virtualizer or kernel project which is interested in "hardware privacy". Very few related bug reports / feature requests exist. Users, researchers and developers interested in getting this issue fixed are encouraged to use the principles of Generic Bug Reporting and Self Support First Policy, in short, reproduce, describe the issue without reference to Kicksecure and contact upstream projects (such as virtualizers, kernel) directly.
- Related: VM Fingerprinting
- Upstream bug reports / feature requests:
- Qubes unfixed, rejected bug report: Stop telling VMs the exact physical CPU model in the computer
- Forum discussions:
- For developers:
- The research paper Virtualization Detection: New Strategies and Their Effectiveness mentions CPUID several times and shares some ideas how leaking sensitive information using CPUID could be avoided.
- Upstream bug reports / feature requests:
cpuid is a program that uses the processor's cpuid function and shows its result.
Note, that the availability or unavailability of the
cpuid from the package repository is irrelevant. This is because the CPU's cupid function is a non-privileged instruction. Meaning, any other application could easily call the same CPU function.
Optional: Users interested to learn more or view their CPUID could use
1. Open a terminal.
If you are using Kicksecure ™ inside Qubes, complete the following steps.
Qubes App Launcher (blue/grey "Q") →
Kicksecure App Qube (commonly named kicksecure) →
If you are using a graphical Kicksecure with Xfce, run.
Start Menu →
2. Software installation
cpuid. To accomplish that, the following steps A. to D. need to be done.
A. Update the package lists.
sudo apt update
B. Upgrade the system.
sudo apt full-upgrade
C. Install the
sudo apt install --no-install-recommends cpuid
The procedure of installing
cpuid is complete.
The process of showing information from the processor's cpuid function has been completed.
/proc/cpuinfo versus cpuid
On Linux systems, there are at least two ways to access CPU information.
/proc/cpuinfo: Is a virtual file provided by the kernel providing information about the CPU.
- To view, run: cat /proc/cpuinfo
hide-hardware-info.servicecan prevent access to this virtual file.
cpuid: Is a program that queries the CPU's cpuid function directly to get information about the CPU.
CPUID Spoofing Testing
This wiki chapter documents ways to check if any potential ways of CPUID spoofing are effective. It does not provide instructions on how to perform CPUID spoofing which might be impossible on the Intel / AMD64 platform.
run twice and compare method:
cpuid (or an alternative, if any is available) before making any attempts of CPUID spoofing. Store its output in a text file
2. Apply any possibly available steps to spoof the CPUID.
The user could experiment with emulators such as bochs, virtualizers such as VirtualBox and its settings  or other options.
cpuid again. Store its output in text file
4. Compare the two text files.
Due to the lengthy output of
cpuid with many different details, manually comparing the two files could be cumbersome and error-prone. Instead, using a file comparison tool of the user's choice is recommended.