Recurring Time Error within Gateway 11 under VirtualBox 5 - ERROR: Unwanted PVClock kvm-clock tsc acpi_pm detected!

The user support answer would be:
Good enough for now. Might be fixed in Whonix 13. Don’t hold your breath for it.


Since you seem to be interested in the technical backgrounds, this will be the development discussion answer:
I keep it in the same topic, since otherwise this does not get attention anyhow, and I wouldn’t know who else would look into Whonix VirtualBox development.

Your Whonix KVM [real KVM on LInux, I suppose] results seems fine.

The terminology now gets difficult since VirtualBox 5 now also supports KVM as paravirtualization provider. ( [unsupported] VirtualBox now supports KVM and Hyper-V as paravirtualization providers)

Your Whonix VirtualBox results are not ideal development wise yet. The problem now is, that systemd-detect-virt detects kvm, even though you are running in VirtualBox.

I am wondering why you are the only one reporting this. Did you change System, Acceleration, Paravirtualization interface?

FYI, it’s related to:

If you set it to Paravirtualization interface to legacy, that whonixcheck error should varnish. Also the output of cat /sys/devices/system/clocksource/clocksource0/available_clocksource should change then.

I wonder what the optimal paravirtualization for Whonix 13 will be.

  • default is problematic, since as in your case, it does autodetection, then used VirtualBox KVM

  • none explicitly turns off exposing any paravirtualization interface sounds good security wise but could be really slow. Please test and leave feedback.

  • minimal sounds like a worthwhile alternative if none is too slow. But what technology is minimal actually using? VirtualBox legacy or kvm? However, documentation says, it lets the VM read the APIC frequency. To be researched how bad this would be.

  • legacy is good enough for now. That’s like VirtualBox 4.x. But since they now call it legacy, that code will rot, and probably should be avoided in long run.

  • kvm (VirtualBox) is problematic, since it provides unwanted pvclock kvm-clock. (Which allows a clock correlation attacks once VM is compromised.

  • Does not seem like pvclocks can be configured in VirtualBox. (With linux libvirt kvm it’s possible.)

  • TimeSync: Whonix ™ Time Synchronization Mechanism

  • However, this presupposes that users did read and apply Advanced Security Guide - Whonix beforehand, which probably few do.

  • Therefore probably not a big issues.

  • hyperv The microsoft thingy. No idea about that one. May or may not be great for Linux guests (Whonix).

Each virtualization platform should be reviewed for performance, security, pvclock interfaces and hardware identifiers readable by the vm ( Protocol Leak and Fingerprinting Protection‎ ).

Not sure you noticed the new Download table yet:

The point is, it introduces a security column. For your information: