Page MenuHomePhabricator

make sure Qubes-Whonix has no access to clocksource=xen
Open, NormalPublic

Description

cat /sys/devices/system/clocksource/clocksource0/current_clocksource
xen

Bad. Should not be set to xen. (--> Clock Correlation Attack)

cat /sys/devices/system/clocksource/clocksource0/available_clocksource 
xen tsc

Probably bad. We don't want compromised VMs being able to access dom0's or any other VMs clock. I.e we probably don't want clocksource xen.

Questions:

Related Qubes upstream bug:
libvirt domain validation error; virsh edit issue

Details

Impact
High

Event Timeline

Patrick created this task.Aug 5 2015, 7:43 PM
Patrick updated the task description. (Show Details)
Patrick raised the priority of this task from to High.
Patrick set Impact to High.
Patrick added subscribers: Patrick, nrgaway, marmarek.

clocksource xen is similar to clocksouce kvmclock.

Quote http://old-list-archives.xenproject.org/xen-devel/2010-03/msg00484.html in context of clocksource xen

in KVM when using its very similar pv clock interface

And kvmclock is bad in context of Whonix.

Quote https://rwmj.wordpress.com/tag/kvmclock/

kvmclock or KVM pvclock lets guests read the host’s wall clock time.

And we don't want that. We want time in Whonix-Gateway, Whonix-Workstation vs other VMs to slightly differ to prevent correlation attacks. [More info on the https://www.whonix.org/wiki/Dev/TimeSync page.]

In conclusion we ought to get rid of clocksource xen for Qubes-Whonix.

One way to approach this could be editing the libvirt xml. Similar how we solved this for kvm. I don't know yet. But while experimenting with it, I run into an issue. Posted on qubes-devel.
virsh edit issue:
https://groups.google.com/forum/#!topic/qubes-devel/aN3IOv6JmKw

In T389#6308, @Patrick wrote:

How to read clocksource xen as a [root] user?:
http://lists.xen.org/archives/html/xen-users/2015-08/msg00020.html

Got an answer:
http://lists.xen.org/archives/html/xen-users/2015-08/msg00035.html

To paraphrase it, "no, not easily possible".

In T389#6253, @Patrick wrote:

One way to approach this could be editing the libvirt xml. Similar how we solved this for kvm. I don't know yet. But while experimenting with it, I run into an issue. Posted on qubes-devel.
virsh edit issue:
https://groups.google.com/forum/#!topic/qubes-devel/aN3IOv6JmKw

Created https://github.com/QubesOS/qubes-issues/issues/1430 for it.

How to get a completely isolated virtual time using Xen?
http://lists.xen.org/archives/html/xen-users/2015-11/msg00114.html

Patrick updated the task description. (Show Details)

This may not be possible without linux kernel and/or xen patches. The independent_wallclock feature is no longer available in recent verisons. Source:
http://syslog.me/2011/01/05/independent-wallclock-in-xen-4/

[Xen-users] How to disable clocksource xen pvclock?:
http://lists.xen.org/archives/html/xen-users/2016-02/msg00069.html

Patrick updated the task description. (Show Details)Mar 13 2016, 1:39 AM
Patrick updated the task description. (Show Details)

An interesting point has been made by @HulaHoop.

haveged relies on the RDTSC instruction, that apparently is useless in some virtualized environments. Also, the quality of random numbers output by HAVEGE is unclear, and the topic of many discussions.

So if managed to somehow make clocksource tsc (high resolution (!) CPU timing information?) [and xen] unavailable to VMs, we would break entropy and haveged in Qubes. Which is bad, since Xen apparently does not come with VirtIO RNG like KVM does.

Patrick updated the task description. (Show Details)Aug 7 2018, 6:37 PM
Patrick lowered the priority of this task from High to Normal.Sun, Dec 9, 6:53 AM