Page MenuHomePhabricator
Create Task
Maniphest T397

prevent dom0 telling Qubes-Whonix VMs the time by using the mgmt stack for that / disable Qubes dom0 /etc/qubes-rpc/qubes.SetDateTime
Open, NormalPublic
Actions

Description

We do not want dom0 telling Qubes-Whonix VMs the time. Because in case of a compromised Whonix VM, we do not want the adversary replace/restore the /etc/qubes-rpc/qubes.SetDateTime script. To avoid time related deanoymization. We need to stop dom0's /usr/bin/qvm-sync-clock from running that hook for Qubes-Whonix VMs.

In T384#6287 @marmarek said we should use the mgmt stack for that.

mgmt should keep configuring qvm-sync-clock disabled for Qubes-Whonix VMs. For freshly downloaded templates as well as for user custom created new Whonix VMs based on Qubes-Whonix templates.

Details

Impact
High

Related Objects

Event Timeline

Patrick created this task.Aug 16 2015, 1:55 AM
Patrick assigned this task to nrgaway.
Patrick raised the priority of this task from to Normal.
Patrick updated the task description. (Show Details)
Patrick added projects: bug, security, Qubes, Whonix.
Patrick set Impact to High.
Patrick mentioned this in T384: disable qubes.SetDateTime / qubes.SyncNtpClock in Qubes-Whonix VMs.
Patrick added subscribers: marmarek, nrgaway, troubadour and 2 others.
Patrick mentioned this in T398: Qubes-Whonix whonixcheck sanity test for 'prevent dom0 telling Qubes-Whonix VMs the time'.Aug 16 2015, 2:10 AM
Patrick mentioned this in T401: make Qubes-Whonix-Gateway able to function as UpdateVM out of the box.Sep 3 2015, 5:13 PM
Patrick renamed this task from prevent dom0 telling Qubes-Whonix VMs the time to prevent dom0 telling Qubes-Whonix VMs the time by using the mgmt stack for that.Nov 25 2015, 5:21 PM
Patrick updated the task description. (Show Details)
Patrick added projects: mgmt, Whonix 13.
Patrick edited projects, added Whonix 14; removed Whonix 13.EditedMar 22 2016, 10:47 AM

Waiting for Qubes 4, feature Template policy, services->features, core plugins to be implemented.

Patrick removed nrgaway as the assignee of this task.Jan 25 2017, 9:40 PM
Patrick edited projects, added Whonix 15; removed Whonix 14.Mar 14 2017, 8:24 PM
Patrick renamed this task from prevent dom0 telling Qubes-Whonix VMs the time by using the mgmt stack for that to prevent dom0 telling Qubes-Whonix VMs the time by using the mgmt stack for that / disable Qubes dom0 /etc/qubes-rpc/qubes.SetDateTime.Aug 7 2018, 4:43 PM
Patrick removed a project: Whonix 15.Dec 7 2018, 10:57 AM
Whonix OLD Issue Tracker · PLEASE DO NOT POST NEW TICKETS HERE · OLD Issue Tracker - Unread Notifications · OLD Issue Tracker - Feed · OLD Issue Tracker - Open Issues · NEW Issue Tracker · Homepage · Blog · Forum · Legal · Imprint · Privacy Policy · Terms of Use · Disclaimer