netVM and ClockVM?

About ClockVM:

This setting tells dom0 which qube to take the time from and then distribute it to all the other qubes (so they all have the same time). Even if you set ClockVM to none, which means dom0 doesn’t get the time from anywhere … it will still use whatever time is kept locally to synchronize all the other qubes to the same time.

The fact that all your qubes use the exact same time can theoretically be used to correlate your qubes to each other. Think two online qubes interacting with the same server and communicating their local time. If both have the exact same time, it makes it more likely that the origin is the same.

Whonix has sdwdate, which first establishes a Tor connection and then uses multiple sources over Tor to get the time. It then also applies a random diff to it, so different Whonix instances on the same Qubes OS computer have slightly different times.

If you set ClockVM to sys-whonix, the time was gathered via Tor … but all your (non-Whonix) qubes will still have the same (randomly offset) time.

When it comes to time the much bigger concern is your timezone. If you want to reduce fingerprinting, use UTC in dom0 and all qubes instead of your local timezone. Whonix instances use UTC. Personally I do not see time correlation nor timezone as something I worry about (it’s really a privacy and not a security issue), but your situation might be different.

About sys-net, security/compartmentalization and clockvm/time

sys-net is where your PCI hardware (Ethernet and WiFi) are connected, which also means that the virt_mode used is HVM. Standard PVH mode is more secure but cannot be used to connect hardware. This means that it has more attack surface through the hardware interfaces, their firmware and also the virt_mode used (I suppose the last point is rather academic).

So sys-net is where you compartmentalize the risk of dealing with direct hardware access. Some folks (like me) go so far as to configure sys-net as disposable. This will rid any qube compromise after restart, but it will not protect against compromised firmware (nothing will). But as long as all traffic that hits sys-net is TLS encrypted, this is not different from any other network access point. Bottom line: sys-net is absolutely untrusted.

When sys-net is set as clockvm, dom0 gets its time from sys-net which in turn runs a standard systemd-timesyncd.service to get the time from the network. So the worst thing that could happen is that you get a wrong time if sys-net is compromised, which has some security implications (e.g. Tor won’t connect if your local time is off too much).

The advantage in selecting sys-net as clockvm is that usually it’s one of the very first qubes that starts. So it already acquired the time over the network, when asked by dom0. Every other qube gets its time from dom0 at startup and then every 6 hours I believe.

About sys-firewall

sys-firewall typically uses the preferred PVH virt_mode, doesn’t contain any data and is not interacted with by the operator. Its one and only job is to enforce firewall rules configured for the qubes that connect to it using it as netvm. So even if those qubes are compromised, sys-firewall will still enforce those rules. If you set it as clockvm, your time will be updated a few seconds later but the NTP/UDP traffic observable from the outside will still be the same.

3 Likes
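The correlation point made in the answer above, as an added example that is not part of the original post: a small model of why qubes synced from one ClockVM look alike to a server, while Whonix VMs with their own random offset do not. All qube names, clock errors, jitter values and the tolerance are constructed assumptions, not measurements or sdwdate's actual parameters.

```python
from itertools import combinations

TOLERANCE = 0.05  # seconds; assumed resolution of the observing server


def dom0_sync(clockvm_error, qubes):
    """dom0 copies the ClockVM's time to every qube: one shared error."""
    return {q: clockvm_error for q in qubes}


def sdwdate_sync(base_error, random_offsets):
    """Each Whonix VM sets its own clock and adds its own random offset."""
    return {q: base_error + off for q, off in random_offsets.items()}


def observe(clock_errors, jitter):
    """What a server sees: reported time minus its own, plus network jitter."""
    return {q: err + jitter.get(q, 0.0) for q, err in clock_errors.items()}


def linkable_pairs(observed, tolerance=TOLERANCE):
    """Pairs of clients whose clock errors agree within the tolerance."""
    return sorted(
        (a, b)
        for a, b in combinations(sorted(observed), 2)
        if abs(observed[a] - observed[b]) <= tolerance
    )


# Constructed sample values (seconds), not measurements.
JITTER = {"work": 0.004, "personal": -0.007, "anon-1": 0.002, "anon-2": -0.003}


def scenarios():
    # ClockVM = sys-net: its NTP-derived time is 0.37 s off, shared by all qubes.
    sys_net = observe(dom0_sync(0.37, ["work", "personal"]), JITTER)
    # ClockVM = sys-whonix: one randomised time, still shared by non-Whonix qubes.
    via_whonix = observe(dom0_sync(0.37 - 0.62, ["work", "personal"]), JITTER)
    # Whonix workstations: each applies its own offset.
    whonix = observe(sdwdate_sync(0.0, {"anon-1": 0.41, "anon-2": -0.78}), JITTER)
    return {
        "clockvm=sys-net": linkable_pairs(sys_net),
        "clockvm=sys-whonix": linkable_pairs(via_whonix),
        "whonix sdwdate": linkable_pairs(whonix),
    }


if __name__ == "__main__":
    for name, pairs in scenarios().items():
        print(f"{name:20} linkable: {pairs}")
```
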

Ideally you would have a hardware device setting the clock in Dom0. There are from USB to Bus to Radio to serial ports etc. If you do not want these devices from my experience the Whonix Gateway is your best bet. It is a one shot falling (when you turn it off). This was posted several times. Of course if you have independent VMs they should have their own clocks.

1 Like

thank you very kindly for the nice answer.

About ClockVM:
I do care about my privacy and reducing my fingerprint. so would you rather advise me to set UTC in dom0, or use sys-whonix for ClockVM?
i am possibly going to only use Whonix VMs if that matters.

Whonix instances use UTC

so if I set sys-whonix as ClockVM, all my Whonix VMs would be set on UTC? wouldn’t that be ideal in my situation?
i just wonder if Tor works for someone then whose local time zone isn’t UTC.

however, your quote:

When sys-net is set as clockvm, dom0 gets its time from sys-net which in turn runs a standard systemd-timesyncd.service to get the time from the network. So the worst thing that could happen is that you get a wrong time if sys-net is compromised,

didn’t sound like it really needs to be adjusted if i got it right. if Tor doesn’t work, nothing will load and that’s actually not a security or privacy threat (because I cannot do anything anyway).
a different time zone for every whonix qube could be ideal for high privacy, though.
looking forward to another feedback.

About sys-firewall:
I didn’t intend to set sys-firewall as ClockVM. The Qubes standard is that sys-firewall is set as netVM and sys-net is set as ClockVM.

Regarding this whole topic I’d also want to add the thought, which could possibly be wrong, but I just want to add it:
The more I tweak, the more it could increase my fingerprint (if it does at all (?)) because most people probably leave most things on default.
Possibly this could be another point to keep in mind, depending on what is visible or relevant for the fingerprint and what is not.

Hi @Melly21,

I would recommend you leave clockvm set to sys-net, which is the default. This will affect all your non-Whonix qubes. This could be offline qubes (no netvm) and online qubes that you use for things where you identify yourself anyway (login with real name, email, use credit card etc.). Also in dom0 and all non-Whonix qubes use your actual time zone for convenience.

For all activities you wish to do pseudo-anonymously only use whonix-ws based qubes and do not tweak them – live with the defaults. Whonix based qubes are configured to use UTC by default.

Further recommendations:

  • study the documentation on the Whonix website
  • join the Whonix forums
  • be careful what you share online
  • be careful about what you read (including this post :wink:)
1 Like

thanks!

Whonix based qubes are configured to use UTC by default.

The time that is displayed on my desktop doesn’t tell me the UTC time, though. is the UTC still displayed to others?

About ClockVM: what advantages and disadvantages would it have to set it to (none) or to sys-whonix, and why wouldn’t you do that?

About netVM:
@ppc advised me to set netVM from sys-firewall to sys-net. would you agree?

the Qubes documentation on “Data leaks” says the following:

Both Qubes firewall and an empty NetVM (i.e., setting the NetVM of an app qube to “none”) can fully protect against leaks of type 3 [Unintentional leaks].

PS: another reminder that I want to reduce my fingerprint and do not want to stand out due to any tweaked settings. not sure if those things are visible or relevant for my fingerprint.

I am mainly using Whonix VMs, aren’t they all UTC anyway?

Your desktop is managed by dom0, not by Whonix. If you want to verify which time VMs have, you can enter the date command in their terminal.

great, thanks! it should be UTC to have a small fingerprint, right?

Chances are you are not living in the UTC timezone. Also in a fictional universe, lots of people set their timezone to UTC and you can get lost in the crowd.

In practice this is close to irrelevant, especially if you are never active between 2 AM and 7 AM in the morning.

you should randomize your hostname (to DESKTOP-[random character]) as the default one increases fingerprint

I have read a guide about it which says this:

DHCP requests also leak your hostname to your LAN. Since your hostname is usually sys-net, other network users can easily spot that you’re using Qubes OS.

does that mean as long as I am the only user of the WiFi router I am currently using, it doesn’t matter at all?
are there any other reasons or scenarios why I should do it?

yes, actually you can’t force it to go through Tor, so people set it to none

What can go wrong in regards to privacy if I leave it on sys-net? I am a Whonix-only user.