time sync?
43 views
Skip to first unread message
Oleg Artemiev
May 10, 2015, 9:59:45 PM5/10/15
to qubes...@googlegroups.com
Hello.
I understand that correct time is in many cases the base for
security-related comparisions.. but:
is it possible from dom0 to force ignore tyme sync error for some VM
or even dom0?
And what exact security concerns I ignore if below is true:
*) "I feel lucky" in google terms - no direct-connected-lan attacker
around assumed to replacce updates after my default gw.
*) it is okay for me to get only "today" or "yesterday" updates but
not okay to get no updates when I want them manually and regardless
whatever clock vm thinks about time sync.
*) I trust the update source in terms of not providing fake packages
(meaning them still sign them, sign is correct, binary trust is the
same as trust for package distributor, i.e. fedora or debian or
whatever)
*) I know exact local time +/- 5 minutes.
*) I want to hide real time of update from remote in GMT meaning (i.e.
my GMT offset should be treated as secret for each of VMs running and
updating at the moment of treating GMT offset as a "secret")
I've no need to hide it really, but since I once got abort asking for
updating.. need to know how to override it and why I should NOT do it.
:)
--
Bye.Olli.
gpg --search-keys grey_olli
Key fingerprint = 9901 6808 768C 8B89 544C 9BE0 49F9 5A46 2B98 147E
Blog keys (mostly in russian): http://grey-olli.livejournal.com/tag/
I understand that correct time is in many cases the base for
security-related comparisions.. but:
is it possible from dom0 to force ignore tyme sync error for some VM
or even dom0?
And what exact security concerns I ignore if below is true:
*) "I feel lucky" in google terms - no direct-connected-lan attacker
around assumed to replacce updates after my default gw.
*) it is okay for me to get only "today" or "yesterday" updates but
not okay to get no updates when I want them manually and regardless
whatever clock vm thinks about time sync.
*) I trust the update source in terms of not providing fake packages
(meaning them still sign them, sign is correct, binary trust is the
same as trust for package distributor, i.e. fedora or debian or
whatever)
*) I know exact local time +/- 5 minutes.
*) I want to hide real time of update from remote in GMT meaning (i.e.
my GMT offset should be treated as secret for each of VMs running and
updating at the moment of treating GMT offset as a "secret")
I've no need to hide it really, but since I once got abort asking for
updating.. need to know how to override it and why I should NOT do it.
:)
--
Bye.Olli.
gpg --search-keys grey_olli
Key fingerprint = 9901 6808 768C 8B89 544C 9BE0 49F9 5A46 2B98 147E
Blog keys (mostly in russian): http://grey-olli.livejournal.com/tag/
Marek Marczykowski-Górecki
May 11, 2015, 4:51:15 PM5/11/15
to Oleg Artemiev, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, May 11, 2015 at 04:59:43AM +0300, Oleg Artemiev wrote:
> Hello.
>
> I understand that correct time is in many cases the base for
> security-related comparisions.. but:
>
> is it possible from dom0 to force ignore tyme sync error for some VM
> or even dom0?
Qubes uses very primitive time synchronization method - every 6 minutes
qvm-sync-clock tool is called. It first call 'ntpdate' in one selected
VM ("ClockVM"), then using qrexec set this time in all the VMs. It isn't
very accurate, can lead to differences of few seconds.
If you want to disable time sync - just set "ClockVM" to "none" (Qubes
Manager -> global settings, or qubes-prefs).
> And what exact security concerns I ignore if below is true:
>
> *) "I feel lucky" in google terms - no direct-connected-lan attacker
> around assumed to replacce updates after my default gw.
>
> *) it is okay for me to get only "today" or "yesterday" updates but
> not okay to get no updates when I want them manually and regardless
> whatever clock vm thinks about time sync.
You should get updates information whenever you check for it, regardless
of your local time correctness (in reasonable range).
> *) I trust the update source in terms of not providing fake packages
> (meaning them still sign them, sign is correct, binary trust is the
> same as trust for package distributor, i.e. fedora or debian or
> whatever)
>
> *) I know exact local time +/- 5 minutes.
>
> *) I want to hide real time of update from remote in GMT meaning (i.e.
> my GMT offset should be treated as secret for each of VMs running and
> updating at the moment of treating GMT offset as a "secret")
I'm not sure if update send such information, but I guess not.
> I've no need to hide it really, but since I once got abort asking for
> updating.. need to know how to override it and why I should NOT do it.
> :)
>
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJVURY6AAoJENuP0xzK19csbO4H/1YgS3YUsoqr3T6hwjsmorMu
DlPeeC9e05a0pMSCTs7aeKlYY8199sCOWSSj5YK7MezcXTy8dhQ8xO0HxDypJ6RO
JRanjEGDPrzw/qUuciG58SH5+4slPe08jYbRvxU+r4gYw5iiolOg8IpM61NtfQnM
DTqXuSoyyTdBeBZh1gTAc8NB3LWl5ksmihB5/LnLv5cWEysUj2U2lmfQ5WDMLR3J
Gr39WRBWkLwUJ0n60ZyadP/lxzCF8tiM2pmL/P6ag9AtMM1F1p+M+Mz+xIgmYndT
l5XCTbyPXLblEAmv3rNQmMv96BuLgTYMS/3+3o1EllYCecDAmYM/I4K7ff35IgQ=
=5erE
-----END PGP SIGNATURE-----
Hash: SHA1
On Mon, May 11, 2015 at 04:59:43AM +0300, Oleg Artemiev wrote:
> Hello.
>
> I understand that correct time is in many cases the base for
> security-related comparisions.. but:
>
> is it possible from dom0 to force ignore tyme sync error for some VM
> or even dom0?
qvm-sync-clock tool is called. It first call 'ntpdate' in one selected
VM ("ClockVM"), then using qrexec set this time in all the VMs. It isn't
very accurate, can lead to differences of few seconds.
If you want to disable time sync - just set "ClockVM" to "none" (Qubes
Manager -> global settings, or qubes-prefs).
> And what exact security concerns I ignore if below is true:
>
> *) "I feel lucky" in google terms - no direct-connected-lan attacker
> around assumed to replacce updates after my default gw.
>
> *) it is okay for me to get only "today" or "yesterday" updates but
> not okay to get no updates when I want them manually and regardless
> whatever clock vm thinks about time sync.
of your local time correctness (in reasonable range).
> *) I trust the update source in terms of not providing fake packages
> (meaning them still sign them, sign is correct, binary trust is the
> same as trust for package distributor, i.e. fedora or debian or
> whatever)
>
> *) I know exact local time +/- 5 minutes.
>
> *) I want to hide real time of update from remote in GMT meaning (i.e.
> my GMT offset should be treated as secret for each of VMs running and
> updating at the moment of treating GMT offset as a "secret")
> I've no need to hide it really, but since I once got abort asking for
> updating.. need to know how to override it and why I should NOT do it.
> :)
>
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJVURY6AAoJENuP0xzK19csbO4H/1YgS3YUsoqr3T6hwjsmorMu
DlPeeC9e05a0pMSCTs7aeKlYY8199sCOWSSj5YK7MezcXTy8dhQ8xO0HxDypJ6RO
JRanjEGDPrzw/qUuciG58SH5+4slPe08jYbRvxU+r4gYw5iiolOg8IpM61NtfQnM
DTqXuSoyyTdBeBZh1gTAc8NB3LWl5ksmihB5/LnLv5cWEysUj2U2lmfQ5WDMLR3J
Gr39WRBWkLwUJ0n60ZyadP/lxzCF8tiM2pmL/P6ag9AtMM1F1p+M+Mz+xIgmYndT
l5XCTbyPXLblEAmv3rNQmMv96BuLgTYMS/3+3o1EllYCecDAmYM/I4K7ff35IgQ=
=5erE
-----END PGP SIGNATURE-----
Reply all
Reply to author
Forward
0 new messages