mask sdwdate when using kicksecure templates

I decided to convert all my debian-11-minimal templates over to kicksecure. Worked like a charm. Enabled AppArmor. Ready to learn more.

However, it quickly became apparent that all of my running qubes, including the offline qubes, were eating up CPU time trying to make Tor connections in the context of sdwdate.

My solution was to “mask” sdwdate in the respective templates and set “clockvm” to sys-whonix (I did not modify Whonix templates in any way).

I understand that an accurate untampered date/time is important and that’s why sdwdate exists. It is running in sys-whonix and Qubes OS then takes that time and provides it to dom0 and all the other domU’s.

This looks acceptable to me. Anything I overlooked?

Qubes-Whonix-Gateway as ClockVM
https://phabricator.whonix.org/T387

Some recent related discussion on how this could be sorted out is here: whonix-ws-16 Template fails to update due to timing issue

Thank you @Patrick!

I will instead unmask and start sdwdate via /rw/config/rc.local in one of the kicksecure-based qubes and set it as clockvm.

It appears qubes-sync-time runs as intended in my kicksecure qubes.