Boot Clock Randomization

From Kicksecure

Randomizes the clock at boot time. Moves the clock a few seconds and nanoseconds into the past or future to prevent time-based fingerprinting / linkability.

Introduction

The TimeSync page notes:

Using Boot Clock Randomization, i.e. after boot, the clock is set randomly between 0 and 180 seconds into the past or future. This is useful to enforce the design goal, that the host clock and VM clock should always slightly differ. It is also useful to obfuscate the clock when sdwdate itself is running, because naturally at this time, sdwdate hasn't finished. sdwdate runs after booting.

Randomly moving the system clock a few seconds (and nanoseconds) into the past or future during boot enforces the design goal that the host clock and any VM's clock differ slightly, even before secure timesync has succeeded. This prevents time-based fingerprinting and linkability issues, thereby improving security and privacy. [1]

For technical discussion on the Boot Clock Randomization design, see here. [2]
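The offset selection described above, as an added dry-run sketch (not the bootclockrandomization package's own script): it draws an unbiased random offset of up to 180 seconds with nanosecond granularity, picks past or future, and prints the resulting timestamp without setting the clock. The function names `rand_below` and `randomized_time` and the sample epoch value are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; not the bootclockrandomization package's script.
# Dry run only: computes a randomized timestamp, never sets the clock.

MAX_OFFSET_S=180   # page: the offset is between 0 and 180 seconds

# Uniform integer in [0, $1) from /dev/urandom. Rejection sampling
# discards values that would make the modulo step biased.
rand_below() {
    limit=$(( (4294967296 / $1) * $1 ))
    while :; do
        r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' \n')
        [ "$r" -lt "$limit" ] && break
    done
    echo $(( r % $1 ))
}

# randomized_time SECONDS NANOSECONDS -> prints "seconds.nanoseconds"
# Small offsets (including 0-5 seconds) are deliberately not excluded.
randomized_time() {
    ns=${2#"${2%%[!0]*}"}     # strip leading zeros so the value is not read as octal
    now=$(( $1 * 1000000000 + ${ns:-0} ))
    off=$(( $(rand_below "$MAX_OFFSET_S") * 1000000000 + $(rand_below 1000000000) ))
    if [ "$(rand_below 2)" -eq 0 ]; then
        new=$(( now - off ))  # move into the past
    else
        new=$(( now + off ))  # move into the future
    fi
    printf '%d.%09d\n' $(( new / 1000000000 )) $(( new % 1000000000 ))
}

# Constructed sample input: a fixed epoch time instead of the live clock.
randomized_time 1700000000 000000042
```

Each run prints a different value within 180 seconds of the sample time, which is the property that keeps a VM clock from matching the host clock before sdwdate has finished.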

Log Inspection

sudo journalctl -b --no-pager -u bootclockrandomization

Disable

Info: Disabling Boot Clock Randomization is discouraged because it is not usually required. However, it may be useful for offline (vault) VMs.

1. Platform specific notice.

  • Qubes: Use a StandaloneVM or a separate Template.
  • Non-Qubes: No extra steps are required.

2. Open a terminal.

Select your platform.

Kicksecure

If you are using a graphical Kicksecure with Xfce, open the terminal from the menu.

Start menu → Applications → System → Terminal

Kicksecure-Qubes

If you are using Kicksecure-Qubes, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Kicksecure App Qube (commonly named kicksecure) → Xfce Terminal

3. Disable Boot Clock Randomization.

Run the following command.

sudo systemctl mask bootclockrandomization

Boot Clock Randomization will no longer be applied after reboot.

4. Optional. Consider disabling sdwdate.

The user might also be interested in Disable sdwdate Autostart.

Footnotes

  1. https://github.com/Kicksecure/bootclockrandomization
  2. Notably, one recent change is the 0-5 second time window is no longer excluded in the process, as it was found to aid fingerprinting.
