How to disable clocksync for a specific qube?

I want to disable clocksync for my vault qube so that the dom0 does not sync the clock for that specific qube on every reboot or at six hour intervals.

I tried disabling qubes-sync-time.service and qubes-sync-time.timer, but after a reboot, the time was synced again.

I suspect the solution lies in qvm-features, but there’s nothing about it in the man page for qvm-features, unless it is in qvm-features vm-config, since I can’t find a detailed list of vm-config commands.

There is also nothing about this in the documentation.

Does anyone know a solution?

3 Likes

I am also interested in this.

For regular App qubes, the very low update frequency and use of date instead of adjtimex causes very obvious steps in kernel time, which appear able to jump backwards in time if the hardware runs fast. Looks very naughty.

There is good information in an old thread:

…but I did not find the answer to this question.

Unsetting clockvm for the qube seems plausible. I did not test.

I considered setting the timer to a many year interval, using the file suggested, but this does not remove initial setting at qube startup and after suspend. Did not test.

I also considered using a policy change to block update, but it seems “wrong” to do that. Also not tested.

Will be very pleased to know the best method.

A warning: I did test all my system clocks using chronyd -x - some of them have very characteristic frequency errors - up to >10ppm, giving 0.25 second time jumps. I think this could allow de-anonymisation. It is not a problem for Whonix, I think.

If you disable the updates, then I think your qube will become even more easily identifiable online as its clock runs free, unless you will run a ntp-type or other synchronisation client on it. (not necessarily a problem for vault, but any time-based OTP will stop working at some time)

1 Like

I’d be interested to hear what your use-case is.

2 Likes

My sys-net (clock qube) is based on Kicksecure, and its time randomization feature is causing issues with my offline vault qube. The vault qube is based on Fedora minimal and is used as a TOTP authenticator with KeePassXC.

AFAIK, you cannot assign a separate clock qube to an individual qube. I also don’t want to change Kicksecure as my sys-net or clock qube, because I need it for everything else, just not for my vault qube.

So the only solution I can think of is to disable periodic clock sync from dom0 to the vault qube, so that its time won't randomize.

3 Likes

I’m very interested now! Do you feel free to say more?

I am especially interested to know:

  • is the randomisation too large?
    • so TOTP is not current enough
    • it does not sound probable, except if the clockvm or dom0 is far from synced.
  • is it the negative time shifts?
    • it would be weird to provide TOTP responses that went backwards in time.
  • or something else…
    • my short testing campaign gave me the feeling there were some gotchas if there were timezone errors in different places.

P.S. a clockvm pref would be lovely, but a nightmare for the unwary, I think.

1 Like

Alternative - set policy in some other qube to enable clocksync. Set policy for vault to use that qube.

qubes.GetDate * vault @anyvm allow target=QUBE

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

5 Likes

That’s great, that's exactly what I originally needed but thought that it's not possible.

Kicksecure shifts the system clock by a random amount into the past or future, with an offset between -180 and +180 seconds. If the randomization is within a few seconds of the actual time, TOTP works fine. However, when the difference is larger, issues arise. I’m not sure exactly at what threshold the problem starts, but currently, my vault qube is experiencing issues when its time differs from the actual time by plus or minus two minutes.

2 Likes
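As an added illustration (not code from any post above, nor from Qubes OS or Kicksecure), the script below implements RFC 6238 TOTP and checks whether a code generated on a client whose clock is off by a given number of seconds would still be accepted by a verifier. It assumes a 30-second step and a typical verifier tolerance of one step either side (the ±180 s range quoted for Kicksecure comes from the post above; the secret and timestamp are constructed test values).

```python
import hashlib
import hmac
import struct

# Constructed test secret (the RFC 4226/6238 test-vector key), not a real key.
SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 and dynamic truncation (RFC 4226)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def verify(secret: bytes, code: str, server_time: int,
           window: int = 1, step: int = 30) -> bool:
    """Accept the code if it matches any step within +/- window of the server's own."""
    return any(
        hmac.compare_digest(totp(secret, server_time + k * step, step), code)
        for k in range(-window, window + 1)
    )


def client_code_accepted(secret: bytes, server_time: int, clock_offset: int,
                         window: int = 1, step: int = 30) -> bool:
    """Simulate a client whose clock is clock_offset seconds away from true time
    and report whether the code it produces would be accepted."""
    client_code = totp(secret, server_time + clock_offset, step)
    return verify(secret, client_code, server_time, window, step)


def acceptance_table(secret: bytes, server_time: int, offsets, window: int = 1) -> dict:
    """Map each clock offset (seconds) to whether the client's code is accepted."""
    return {off: client_code_accepted(secret, server_time, off, window) for off in offsets}


if __name__ == "__main__":
    # Constructed server time; the offsets cover the quoted -180..+180 s range.
    now = 1_700_000_000
    for off, ok in acceptance_table(SECRET, now, range(-180, 181, 30)).items():
        print(f"offset {off:+4d}s -> {'accepted' if ok else 'rejected'}")
```

With a ±1-step window only offsets inside roughly one step are accepted, so a random shift of up to three minutes fails most of the time, which matches the behaviour described in the post.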

Wow! I thought maybe a few seconds, to look like a random PC with a free-running clock, but that just seems like a “hey, look at me, over heeeerrrre” signal.

Not surprising it gives problems…

but probably I just do not understand the issues!

1 Like