The Network Time Synchronization page on the Whonix wiki says the following
Warning: The system clock inside Whonix ™ is set to UTC to prevent against time zone leaks. This means it may be a few hours ahead or behind the user’s host system clock (timezone). It is strongly recommended not to change this setting.
But the dom0 timezone can be viewed from inside a Whonix based qube by reading it from qubesdb.
qubesdb-read /qubes-timezone
I am able to mitigate it by adding this to the rc.local file inside the Whonix template
This isn’t a bulletproof mitigation.
The threat model here: malware with local code execution privileges.
But under that threat model, malware could stealthy run earlier and read the timezone before you’ve obfuscated it.
It’s the default Qubes design and I don’t think they had a VM Fingerprinting alike threat model in mind.
After looking at qubes-db; the keyboard-layout is also available as a data point for non-US keyboards. This is true for KVM as well if you change the layout, but is there a possibility of hiding it in Qubes while still allowing for special characters or keymaps to be used?
I doubt it but I also don’t know. This you need need to ask Qubes. Qubes-Whonix is an integration of Whonix into Qubes. Qubes-Whonix however will inherit all the advantages and disadvantages (such as this specific use case of qubesdb) from Qubes.
These issues can easily remain unresolved for years. See also: