Page MenuHomePhabricator
Create Task
Maniphest T695

Whonix running as Qubes DispVM uses saved clock
Closed, WontfixPublic
Actions

Description

Description:

When running as Qubes DispVM, whonix-ws sometimes (often) does not set the clock correctly, but instead seems to restore the date/time from when the DispVM savefile was created.

I have seen this often, over a very long period, but always assumed it had to do with my DispVM customisation. This time, I set up a clean Qubes R3.2, updated whonix-gw template and created a DispVM without customisation. The problem still occurs.

I usually don't find out until I start getting OCSP errors due signatures being in the future. But this means that most likely a lot of earlier browsing has been correlateable since it all had the same wrong clock, therefore I set the priority of this ticket to high since it is a possible anonymity leak.

Recreating the DispVM savefile gets a more up-to-date clock in DispVMs launched afterwards.

Steps to reproduce:

  • Install Whonix templateVM on Qubes
  • Update the template (through qubes manager GUI action) and shut it down
  • qvm-create-default-dvm whonix-ws
  • Wait a couple of days
  • Launch DispVM, start getting OCSP time errors on browsing. Note that system time is wrong.

Details

Impact
High

Event Timeline

anon5577 created this task.Jun 22 2017, 11:17 AM
Herald added a project: Whonix. · View Herald TranscriptJun 22 2017, 11:17 AM
Herald added subscribers: entr0py, WhonixQubes, Patrick. · View Herald Transcript
Patrick edited projects, added Whonix 13, Whonix 14; removed Whonix 12.Jun 22 2017, 11:31 AM
Patrick added subscribers: marmarek, JasonJAyalaP.
Patrick added a comment.Jun 29 2017, 4:56 PM

@marmarek this is probably due to Qubes current DispVM savefile implementation? It should fix itself in Qubes R4.0 since DispVM implementation changed there?

anon5577 added a comment.Jul 7 2017, 2:28 PM

This does not seem to happen every time, strangely enough. It seems sdwdate should call qubes.GetRandomizedTime as a post-suspend action if I read this correctly. So I guess under some circumstances that step does not run.

I am currently investigating this issue further, running a loop on dom0 that creates DVMs, checks time and leaves it running if the time is outside acceptable range.

I'll comment here if something comes of it.

marmarek added a comment.Jul 7 2017, 6:13 PM

Yes to both of you:

  • should just work on Qubes 4.0 (savefiles are not used there anymore)
  • calling qubes.GetRandomizedTime as post-suspend action would fix that too
Patrick closed this task as Wontfix.Jul 23 2017, 4:06 PM
Patrick claimed this task.

Unless someone else will be taking this one...

Time wise only possible solution currently: wait for Qubes 4.0.

awokd added a subscriber: awokd.Oct 31 2017, 5:04 PM

I didn't notice this bug earlier but caught a reference in one of the Qubes mailing list discussions. For what it's worth, I got this to function under Qubes 3.2 by deleting the sdwdate systemd unit files. It has been a while but I think I did that in the whonix-ws template. The dispvm appears to call bootclockrandomization on every start so time correlation is avoided and I no longer encounter times off by 2+ weeks.

Would it be helpful if I started from a fresh whonix-ws template and documented the exact steps I followed for 3.2? It's possible there's some attack I haven't thought of.

Patrick added a comment.Oct 31 2017, 8:29 PM

Qubes-Whonix DispVMs won't get any more development attention in Qubes
R3.2 because so much has changed. Please look into Qubes R4.

Whonix OLD Issue Tracker · PLEASE DO NOT POST NEW TICKETS HERE · OLD Issue Tracker - Unread Notifications · OLD Issue Tracker - Feed · OLD Issue Tracker - Open Issues · NEW Issue Tracker · Homepage · Blog · Forum · Legal · Imprint · Privacy Policy · Terms of Use · Disclaimer