Information
ID: 397
PHID: PHID-TASK-527plg47z3qm2z6x2vf6
Author: Patrick
Status at Migration Time: open
Priority at Migration Time: Normal
Description
We do not want dom0 telling Qubes-Whonix VMs the time. Because in case of a compromised Whonix VM, we do not want the adversary replace/restore the /etc/qubes-rpc/qubes.SetDateTime script. To avoid time related deanoymization. We need to stop dom0’s /usr/bin/qvm-sync-clock from running that hook for Qubes-Whonix VMs.
In T384#6287 @marmarek said we should use the mgmt stack for that.
mgmt should keep configuring qvm-sync-clock disabled for Qubes-Whonix VMs. For freshly downloaded templates as well as for user custom created new Whonix VMs based on Qubes-Whonix templates.
Comments
Patrick
2018-08-07 16:12:20 UTC