[HOME] [DOWNLOAD] [DOCS] [BLOG] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

kvm-clock instead of timesync on install in gateway

#1

Installed Whonix (13.0.0.1.1) in KVM on debian 8.5 following https://www.whonix.org/wiki/KVM quite closely. But after starting the Whonix gateway and running whonix check I get the error:

[quote]PVClock Test Result:
Unwanted PVClock kvm-clock acpi_pm detected! Using this PVClock together with whonix is recommended against, because it conflicts with Whonix’s TimwAnc design [1].

If you know what you are doing, feel free to disable this check. Create a file /etc/whonix.d/50_whonixcheck_user.conf and add:

    whonixcheck_skip_functions+="pvclock_unwanted_detected'

Recommand action:

  • If you are using KVM, you probably did not follow Whonix’s KVM instructions. [2]
    [/quote]

The Gateway does indeed has kvm-time installed/active and no timesync installed. The Workstation does has timesync and it works as was used to with VirtualBox.

Wondering what went wrong with the install and how this problem can be fixed in a safe/secure manner. KVM-time instead of the normal timesync seems to be a serious risk for anonymity (linking host time to Gateway).

#2

What you are seeing is caused by a bug in Whonixcheck. Please update the packages on the gateway and the warning should go away.

There are no risks from the changes made to return to kvmclock in the gateway. All time leaks have been eliminated and no untrusted or misbehaving apps run there. The benefit is you no longer have to restart the gateway after suspending your machine for a long time for it to connect to Tor and for timesync to then connect.

#3

Thanks for your replay, didn’t run update/upgrade yet since I believed this would be a serious error.

But I still had some concerns about kvm-time, I understood it has access to the host time (possibly with an offset?). This seem like a risk if the Gateway would get compromised, even if this is unlikely/ more trusted then Workstation.

EDIT: sudo apt-get update && apt-get dist-upgrade only updated about 45 packages and no new packages where installed in the KVM Gateway. Of the updated packages I did not recognize them as being time related (but I do not know all packages by heart). The same error stayed after running whonixcheck and timesync is still nowhere on my Gateway. I used the Whonix Stable Repository and have installed or deleted anything in this Gateway.

Should I manually install timesync in the Gateway?

#4

The update is in the stable-proposed repo and not stable yet. Follow steps here to enable this branch.

You shouldn’t have any concerns. You should trust I made the correct decision after a lot of research and thinking. Please re-read my explanation in my last post about this.

#5

Now in all repos.