To pick up on what @Sven covered, Fedora also runs systemd-timesyncd in your global-settings-configured clockVM; look at /etc/systemd/timesyncd.conf (or timesyncd.conf(5) man page) for configuration.
The defaults/fallbacks are under .pool.ntp.org, where may be debian, fedora, etc.
If you want to allow any ntp server, allow udp port 123 of any host.
To take the paranoia up you can use a separate AppVM if you wanted; you don’t have to use your updateVM:
- Create an AppVM
- Set firewall rules to only allow udp port 123 [or specific hosts]
- Enable the `clocksync` service in Services
- Activate it as the clockvm (`qubes-prefs clockvm myclockvm`)
- Allow it to boot at startup and dom0 will sync time from the clockvm every hour (/etc/cron.d/qubes-sync-clock.cron)
- Or, take paranoia even further by not allowing it to boot and run the clockvm on-demand. Once the clockvm has accurate time, force a dom0 sync in dom0 with `sudo qvm-sync-time`. Sync in dom0 will set your hwclock as well. But note that other VMs only sync their time from the clockvm (via dom0) every 6 hours. If you want all the VMs to have the right time, you’d have to restart them after a dom0 sync.
One other thing I’d add to what @Sven mentioned about Whonix - it tries to avoid having accurate time as an anti-correlation defense. It applies a random offset to the time it determined via hidden services.
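The dedicated-clockVM steps from the post above written out as dom0 commands; this is an added example, not part of the original post. The qube name `myclockvm` comes from the post, while the label, the optional DNS rule (needed when timesyncd.conf lists hostnames rather than IPs), the settle delay and the `DRY_RUN` wrapper are assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): dedicated clockVM setup, run in dom0.
CLOCKVM="${CLOCKVM:-myclockvm}"   # qube name used in the post
AUTOSTART="${AUTOSTART:-True}"    # False = on-demand variant from the last step
ALLOW_DNS="${ALLOW_DNS:-1}"       # assumption: NTP servers are given as hostnames
DRY_RUN="${DRY_RUN:-1}"           # 1 = print the commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# clockvm_plan [NTP_HOST...]: with no hosts, UDP/123 is allowed to any host.
clockvm_plan() {
    run qvm-create --class AppVM --label red "$CLOCKVM"
    # A new qube starts with a single accept-all rule; remove it first.
    run qvm-firewall "$CLOCKVM" del --rule-no 0
    if [ "$ALLOW_DNS" = 1 ]; then
        run qvm-firewall "$CLOCKVM" add action=accept specialtarget=dns
    fi
    if [ $# -eq 0 ]; then
        run qvm-firewall "$CLOCKVM" add action=accept proto=udp dstports=123
    else
        for host in "$@"; do
            run qvm-firewall "$CLOCKVM" add action=accept dsthost="$host" proto=udp dstports=123
        done
    fi
    run qvm-firewall "$CLOCKVM" add action=drop   # explicit final drop
    run qvm-service --enable "$CLOCKVM" clocksync
    run qubes-prefs clockvm "$CLOCKVM"
    run qvm-prefs "$CLOCKVM" autostart "$AUTOSTART"
}

# On-demand variant: start the clockVM, let timesyncd settle, sync dom0, stop it.
clockvm_sync_now() {
    run qvm-start "$CLOCKVM"
    run sleep "${SETTLE:-30}"     # assumed delay for timesyncd to get a fix
    run sudo qvm-sync-time
    run qvm-shutdown --wait "$CLOCKVM"
}

# Stand-alone use: ./clockvm.sh plan [NTP_HOST...]   or   ./clockvm.sh sync
if [ "${1:-}" = "plan" ]; then shift; clockvm_plan "$@"; fi
if [ "${1:-}" = "sync" ]; then clockvm_sync_now; fi
```

Review the printed commands first, then rerun with `DRY_RUN=0` to apply them; `qvm-firewall myclockvm list` shows the resulting ruleset.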