kvm-clock instead of timesync on install in gateway

Installed Whonix (13.0.0.1.1) in KVM on Debian 8.5 following Whonix ™ for KVM quite closely. But after starting the Whonix gateway and running whonixcheck I get the error:

[quote]PVClock Test Result:
Unwanted PVClock kvm-clock acpi_pm detected! Using this PVClock together with Whonix is recommended against, because it conflicts with Whonix’s TimeSync design [1].

If you know what you are doing, feel free to disable this check. Create a file /etc/whonix.d/50_whonixcheck_user.conf and add:

    whonixcheck_skip_functions+=" pvclock_unwanted_detected "

Recommended action:

  • If you are using KVM, you probably did not follow Whonix’s KVM instructions. [2]
    [/quote]

The Gateway does indeed have kvm-time installed/active and no timesync installed. The Workstation does have timesync and it works as I was used to with VirtualBox.

Wondering what went wrong with the install and how this problem can be fixed in a safe/secure manner. KVM-time instead of the normal timesync seems to be a serious risk for anonymity (linking host time to Gateway).

What you are seeing is caused by a bug in Whonixcheck. Please update the packages on the gateway and the warning should go away.

There are no risks from the changes made to return to kvmclock in the gateway. All time leaks have been eliminated and no untrusted or misbehaving apps run there. The benefit is you no longer have to restart the gateway after suspending your machine for a long time for it to connect to Tor and for timesync to then connect.

Thanks for your reply, didn’t run update/upgrade yet since I believed this would be a serious error.

But I still had some concerns about kvm-time, I understood it has access to the host time (possibly with an offset?). This seems like a risk if the Gateway would get compromised, even if this is unlikely/more trusted than Workstation.

EDIT: sudo apt-get update && apt-get dist-upgrade only updated about 45 packages and no new packages were installed in the KVM Gateway. Of the updated packages I did not recognize them as being time related (but I do not know all packages by heart). The same error stayed after running whonixcheck and timesync is still nowhere on my Gateway. I used the Whonix Stable Repository and have installed or deleted anything in this Gateway.

Should I manually install timesync in the Gateway?

The update is in the stable-proposed repo and not stable yet. Follow steps here to enable this branch.

You shouldn’t have any concerns. You should trust I made the correct decision after a lot of research and thinking. Please re-read my explanation in my last post about this.

Now in all repos.

Hi, I am new to using Whonix and KVM. When I enter the command “whonixcheck” in the Workstation terminal, I get the following error…

[WARNING] [whonixcheck] PVClock Test Result:

Unwanted PVClock kvm-clock tsc acpi_pm  detected! Using this PVClock together with Whonix is recommended against, because it conflicts with Whonix's TimeSync design [1].

If you know what you are doing, feel free to disable this check.
Create a file /etc/whonix.d/50_whonixcheck_user.conf and add:
whonixcheck_skip_functions+=" pvclock_unwanted_detected "

Recommended action:
- If you are using KVM, you probably did not follow Whonix's KVM instructions. [2]
- Or use a different supported Whonix platform. [3]

[1] https://www.whonix.org/wiki/Dev/TimeSync
[2] https://www.whonix.org/wiki/KVM
[3] https://www.whonix.org/wiki/Supported_Platforms

I don’t get any such error in the Gateway.
Can anyone advise how to fix this? Thank you.

One reason might either be a too old KVM version or newer version than Whonix KVM was tested with.

What’s your host operating system and version?

What’s your KVM version?

Did you make any modifications to the KVM XML files?

To debug, please run these commands.

sudo cat /sys/devices/system/clocksource/clocksource0/available_clocksource

sudo cat /sys/devices/system/clocksource/clocksource0/current_clocksource

And post the output here.

Maybe also Convert Libvirt Templates to QEMU Commands would help with debugging. Share the contents of the resulting Whonix-Gateway.args file here so @HulaHoop can compare with how these should look.
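
The two debug commands above read the guest kernel's clocksource files. As an added example (not part of the thread and not whonixcheck's own code), this shell function does the same reads and reports whether kvm-clock is offered to the guest or is the clocksource in use. The function name, return codes and the one-entry PV_CLOCKS list are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report paravirtualized (host-provided) clocksources in a guest.

# Clocksource names treated as host-provided. Assumption: only kvm-clock,
# the one named in this thread; extend the list for other hypervisors.
PV_CLOCKS="kvm-clock"

# check_pvclock [DIR]
# DIR defaults to the sysfs directory used by the debug commands above.
# Return codes (assumed for this example):
#   0 = no PV clock listed      1 = PV clock available but not in use
#   2 = PV clock is in use      3 = clocksource files not readable
check_pvclock() {
    dir="${1:-/sys/devices/system/clocksource/clocksource0}"
    if [ ! -r "$dir/available_clocksource" ] || [ ! -r "$dir/current_clocksource" ]; then
        echo "cannot read clocksource files in $dir" >&2
        return 3
    fi
    available=$(cat "$dir/available_clocksource")
    current=$(cat "$dir/current_clocksource")
    rc=0
    for pv in $PV_CLOCKS; do
        # available_clocksource is a single space-separated line
        for src in $available; do
            if [ "$src" = "$pv" ]; then
                echo "available: $pv"
                if [ "$rc" -lt 1 ]; then rc=1; fi
            fi
        done
        if [ "$current" = "$pv" ]; then
            echo "in use: $pv"
            rc=2
        fi
    done
    return "$rc"
}

# Sample run on files constructed from the output posted in this thread.
sample=$(mktemp -d)
echo "kvm-clock tsc acpi_pm" > "$sample/available_clocksource"
echo "kvm-clock" > "$sample/current_clocksource"
check_pvclock "$sample" || echo "exit status: $?"
rm -rf "$sample"
```

Run inside the guest with no argument to check the live sysfs files.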

Thanks for replying.

One reason might either be a too old KVM version or newer version than Whonix KVM was tested with.

I Installed it last week by running the command “sudo apt install virt-manager”.

What’s your host operating system and version?

Linux Mint 20 Cinnamon (Cinnamon version 4.6.7).
Kernel: Linux 5.4.0-60-generic.

What’s your KVM version?

When I run “apt show -a qemu-system-x86” it says:
Package: qemu-system-x86
Version: 1:4.2-3ubuntu6.10

Did you make any modifications to the KVM XML files?

I think the only commands I ran related to XML files were:
sudo virsh -c qemu:///system net-define Whonix_external*.xml
sudo virsh -c qemu:///system net-define Whonix_internal*.xml

To debug, please run these commands.
sudo cat /sys/devices/system/clocksource/clocksource0/available_clocksource

kvm-clock tsc acpi_pm

sudo cat /sys/devices/system/clocksource/clocksource0/current_clocksource

kvm-clock

Maybe also [Convert Libvirt Templates to QEMU Commands] would help with debugging. Share the contents of the resulting Whonix-Gateway.args file here so @HulaHoop can compare with how these should look.

I have two “Whonix-Gateway.xml” and “Whonix-Workstation.xml” files in directories “/etc/libvirt/qemu” and “/run/libvert/qemu”. In which directory should I Convert Libvirt Templates to QEMU?

Thank you.

According to instructions: neither. The Whonix-Workstation.xml file is generated by running the sudo virsh dumpxml [...] command.