Difference between revisions of "Real-Time Clock"

From RCS Wiki
(→‎Ownership: Link to Whonix's docs on Time Attacks)
(Add "Accuracy" section)
Line 2: Line 2:
  
 
For security reasons, by default, the [[BMC]] owns the RTC; the host has read-only access to the RTC via [[IPMI]]. Whonix has [https://www.whonix.org/wiki/Time_Attacks documented] a variety of security vulnerabilities that manifest if malware on the host is able to tamper with the RTC.
 
For security reasons, by default, the [[BMC]] owns the RTC; the host has read-only access to the RTC via [[IPMI]]. Whonix has [https://www.whonix.org/wiki/Time_Attacks documented] a variety of security vulnerabilities that manifest if malware on the host is able to tamper with the RTC.
 +
 +
== Accuracy ==
 +
 +
Unfortunately, the RTC suffers from substantial drift. This is exacerbated by its default ownership by the BMC, making it inconvenient to correct. It would be interesting to explore running [http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/wiki/Sdwdate sdwdate] ([https://www.kicksecure.com/wiki/Sdwdate clearnet link]), by the [[Kicksecure]] developers, on the BMC to improve security.
  
 
== Setting the hardware real-time clock has no effect ==
 
== Setting the hardware real-time clock has no effect ==
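Review bot: the added Accuracy paragraph calls the drift "substantial" without a figure, and its last sentence proposes sdwdate "to improve security" although the section is about accuracy. Suggest stating the observed drift (for example seconds per day) and saying in one sentence how running sdwdate on the BMC would correct it. The onion address is also the primary link, with the clearnet link in parentheses; swapping them would make the reference reachable for readers without Tor.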

Revision as of 04:30, 15 April 2025

Ownership

For security reasons, by default, the BMC owns the RTC; the host has read-only access to the RTC via IPMI. Whonix has documented a variety of security vulnerabilities that manifest if malware on the host is able to tamper with the RTC.

Accuracy

Unfortunately, the RTC suffers from substantial drift. This is exacerbated by its default ownership by the BMC, making it inconvenient to correct. It would be interesting to explore running sdwdate (clearnet link), by the Kicksecure developers, on the BMC to improve security.

Setting the hardware real-time clock has no effect

If hwclock --systohc has no effect (i.e. hwclock --get is unchanged), then:

1. From the BMC console, power off the host

2. Type busctl set-property xyz.openbmc_project.Settings /xyz/openbmc_project/time/owner xyz.openbmc_project.Time.Owner TimeOwner s xyz.openbmc_project.Time.Owner.Owners.Host (note the capitalization: Host, not HOST as the OpenBMC GitHub issues tell you!)

3. Reboot the BMC

4. Power on the host
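
The following is an added example, not part of the wiki page or of OpenBMC: a small script for the BMC console that reads the current TimeOwner, sets it to the Host value from step 2 only if needed, and reads it back to confirm the change took effect. The function names are hypothetical, and it assumes `busctl get-property` prints a string property as `s "value"`.

```shell
#!/bin/sh
# Added example (not from the wiki): inspect and set the RTC owner on the BMC.
# Service, object path, interface and the Host value are copied from step 2.
SERVICE=xyz.openbmc_project.Settings
OBJECT=/xyz/openbmc_project/time/owner
IFACE=xyz.openbmc_project.Time.Owner
HOST_OWNER=xyz.openbmc_project.Time.Owner.Owners.Host

# Extract the value from `busctl get-property` output: s "value"
parse_owner() {
    printf '%s\n' "$1" | sed -n 's/^s "\(.*\)"$/\1/p'
}

# Classify an owner string. The comparison is case-sensitive on purpose:
# "...Owners.HOST" is not the value step 2 sets.
owner_state() {
    case "$1" in
        "$HOST_OWNER") echo host ;;
        "$IFACE".Owners.*) echo not-host ;;
        *) echo invalid ;;
    esac
}

# Read the current owner; fails if busctl itself fails.
current_owner() {
    out=$(busctl get-property "$SERVICE" "$OBJECT" "$IFACE" TimeOwner) || return 1
    parse_owner "$out"
}

# Set the owner to Host only if it is not already, then verify by reading back.
ensure_host_owner() {
    before=$(current_owner) || return 1
    echo "TimeOwner before: $before"
    if [ "$(owner_state "$before")" != host ]; then
        busctl set-property "$SERVICE" "$OBJECT" "$IFACE" TimeOwner s "$HOST_OWNER" || return 1
    fi
    after=$(current_owner) || return 1
    echo "TimeOwner after:  $after"
    [ "$(owner_state "$after")" = host ]
}

# Usage on the BMC console, in place of typing step 2 by hand:
#   ensure_host_owner && echo "now reboot the BMC (step 3)"
```

While the owner is Host, the read-only restriction described under Ownership no longer applies, so the "before" value printed by the script is worth recording.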