Page MenuHomePhabricator
Create Task
Maniphest T389

make sure Qubes-Whonix has no access to clocksource=xen
Open, NormalPublic
Actions

Description

cat /sys/devices/system/clocksource/clocksource0/current_clocksource
xen

Bad. Should not be set to xen. (--> Clock Correlation Attack)

cat /sys/devices/system/clocksource/clocksource0/available_clocksource 
xen tsc

Probably bad. We don't want compromised VMs being able to access dom0's or any other VMs clock. I.e we probably don't want clocksource xen.

Questions:

Related Qubes upstream bug:
libvirt domain validation error; virsh edit issue

Details

Impact
High

Related Objects

Event Timeline

Patrick created this task.Aug 5 2015, 5:43 PM
Patrick raised the priority of this task from to High.
Patrick updated the task description. (Show Details)
Patrick added projects: Qubes, qubes-whonix 12, security, Whonix 12, research.
Patrick set Impact to High.
Patrick added subscribers: Patrick, nrgaway, marmarek.
Herald added a project: Whonix. · View Herald TranscriptAug 5 2015, 5:43 PM
Herald added subscribers: WhonixQubes, troubadour. · View Herald Transcript
Patrick added a comment.Aug 5 2015, 6:30 PM

clocksource xen is similar to clocksouce kvmclock.

Quote http://old-list-archives.xenproject.org/xen-devel/2010-03/msg00484.html in context of clocksource xen

in KVM when using its very similar pv clock interface

And kvmclock is bad in context of Whonix.

Quote https://rwmj.wordpress.com/tag/kvmclock/

kvmclock or KVM pvclock lets guests read the host’s wall clock time.

And we don't want that. We want time in Whonix-Gateway, Whonix-Workstation vs other VMs to slightly differ to prevent correlation attacks. [More info on the https://www.whonix.org/wiki/Dev/TimeSync page.]

In conclusion we ought to get rid of clocksource xen for Qubes-Whonix.

Patrick added a comment.Aug 5 2015, 6:55 PM

One way to approach this could be editing the libvirt xml. Similar how we solved this for kvm. I don't know yet. But while experimenting with it, I run into an issue. Posted on qubes-devel.
virsh edit issue:
https://groups.google.com/forum/#!topic/qubes-devel/aN3IOv6JmKw

Patrick added a comment.Aug 6 2015, 12:38 AM

[Xen-users] clocksource xen documentation?:
http://lists.xen.org/archives/html/xen-users/2015-08/msg00018.html

Patrick added a comment.Aug 6 2015, 12:39 PM
In T389#6254, @Patrick wrote:

[Xen-users] clocksource xen documentation?:
http://lists.xen.org/archives/html/xen-users/2015-08/msg00018.html

Answer:
http://lists.xen.org/archives/html/xen-users/2015-08/msg00019.html

Patrick added a comment.Aug 6 2015, 7:13 PM

How to read clocksource xen as a [root] user?:
http://lists.xen.org/archives/html/xen-users/2015-08/msg00020.html

Patrick added a comment.Aug 10 2015, 12:59 PM

Is it possible to read PVclock from user space?:
http://unix.stackexchange.com/questions/222287/is-it-possible-to-read-pvclock-from-user-space

Patrick added a comment.Aug 12 2015, 2:54 PM
In T389#6308, @Patrick wrote:

How to read clocksource xen as a [root] user?:
http://lists.xen.org/archives/html/xen-users/2015-08/msg00020.html

Got an answer:
http://lists.xen.org/archives/html/xen-users/2015-08/msg00035.html

To paraphrase it, "no, not easily possible".

Patrick edited projects, added Whonix 13; removed Whonix 12, qubes-whonix 12.Sep 8 2015, 3:54 PM
Patrick added a comment.Nov 15 2015, 7:25 PM
In T389#6253, @Patrick wrote:

One way to approach this could be editing the libvirt xml. Similar how we solved this for kvm. I don't know yet. But while experimenting with it, I run into an issue. Posted on qubes-devel.
virsh edit issue:
https://groups.google.com/forum/#!topic/qubes-devel/aN3IOv6JmKw

Created https://github.com/QubesOS/qubes-issues/issues/1430 for it.

Patrick mentioned this in T437: sort out clocksource and wall clock for VirtualBox to prevent Clock Correlation Attack.Nov 24 2015, 2:11 PM
Patrick added a comment.Nov 24 2015, 11:32 PM

How to get a completely isolated virtual time using Xen?
http://security.stackexchange.com/questions/106406/how-to-get-a-completely-isolated-virtual-time-using-xen

Patrick added a comment.Nov 25 2015, 2:49 PM

How to get a completely isolated virtual time using Xen?
http://lists.xen.org/archives/html/xen-users/2015-11/msg00114.html

Patrick added a project: mgmt.Nov 25 2015, 5:52 PM
Patrick updated the task description. (Show Details)
Patrick mentioned this in T440: set random clock offset for Qubes-Whonix VMs using mgmt to prevent clock correlation attacks.Nov 25 2015, 6:10 PM
Patrick added a comment.Feb 17 2016, 12:47 AM

This may not be possible without linux kernel and/or xen patches. The independent_wallclock feature is no longer available in recent verisons. Source:
http://syslog.me/2011/01/05/independent-wallclock-in-xen-4/

[Xen-users] How to disable clocksource xen pvclock?:
http://lists.xen.org/archives/html/xen-users/2016-02/msg00069.html

Patrick removed a project: Whonix 13.Mar 8 2016, 9:09 PM
Patrick updated the task description. (Show Details)Mar 13 2016, 12:39 AM
Patrick updated the task description. (Show Details)
Patrick added a subscriber: HulaHoop.Sep 29 2016, 6:47 PM

An interesting point has been made by @HulaHoop.

haveged relies on the RDTSC instruction, that apparently is useless in some virtualized environments. Also, the quality of random numbers output by HAVEGE is unclear, and the topic of many discussions.

So if managed to somehow make clocksource tsc (high resolution (!) CPU timing information?) [and xen] unavailable to VMs, we would break entropy and haveged in Qubes. Which is bad, since Xen apparently does not come with VirtIO RNG like KVM does.

Patrick updated the task description. (Show Details)Aug 7 2018, 4:37 PM
Patrick lowered the priority of this task from High to Normal.Dec 9 2018, 5:53 AM
Whonix OLD Issue Tracker · PLEASE DO NOT POST NEW TICKETS HERE · OLD Issue Tracker - Unread Notifications · OLD Issue Tracker - Feed · OLD Issue Tracker - Open Issues · NEW Issue Tracker · Homepage · Blog · Forum · Legal · Imprint · Privacy Policy · Terms of Use · Disclaimer