mask sdwdate when using kicksecure templates

I decided to convert all my debian-11-minimal templates over to kicksecure. Worked like a charm. Enabled AppArmor. Ready to learn more.

However, it quickly became apparent that all of my running qubes, including the offline qubes where eating up CPU time trying to make TOR connections in the context of sdwdate.

My solution was to “mask” sdwdate in the respective templates and set “clockvm” to sys-whonix (I did not modify Whonix templates in any way).

I understand that an accurate untampered date/time is important and that’s why sdwdate exists. It is running in sys-whonix and Qubes OS then takes that time and provides it to dom0 and all the other domU’s.

This looks acceptable to me. Anything I overlooked?

Qubes-Whonix-Gateway as ClockVM

Some recent related discussion how this could be sorted out here: Whonix-ws-16 fails to update due to timing issue

Thank you @Patrick!

I will instead unmask and start sdwdate via /rw/config/rc.local in one of the kicksecure based qubes and set it as clockvm.

It appears qubes-sync-time runs as intended in my kicksecure qubes.

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]