Core: Support system clock synchronisation with NTP

[travier-anssi]

Core changes

• [X] Choose between chrony, ConnMan, ntpd, OpenNTPD, systemd-timesyncd, etc. (for a non exhaustive list, see https://wiki.archlinux.org/index.php/System_time#Time_synchronization). This choice should preferably be based on a factual comparison with security taken into account.
  • [X] chrony is currently the preferred choice. This is based on the following security evaluation: https://www.coreinfrastructure.org/blogs/securing-network-time/.
• [x] Harden the daemon's systemd unit:
  • [x] Must not run as root, etc.
  • [x] NTP traffic must transit inside an IPsec tunnel
• [x] Harden the daemon's configuration:
  • [x] NTP packet authentication must be enabled
  • [x] the default servers from the ntp pool must not be used
• [x] Select which options may be changed at runtime by the system administrator.

Testing infrastructure

• [x] Sample configuration for the QEMU test target.
• [x] Sample configuration to provision the remote test server:
  • [x] NTP traffic must transit inside an IPsec tunnel
  • [x] NTP packet authentication must be enabled

[withdark]

I was working on it

[madaidan]

Why bother with NTP at all? It's unencrypted and unauthenticated which allows for MITM attacks and clock skew fingerprinting.

Connecting to a website over https and extracting the time out of the http header would be better. This would also result in far less attack surface as a full NTP client isn't required. All you'd need is

date -s $(curl -sI --tlsv1.2 --proto =https https://clip-os.org | grep "date:" | sed -e 's/date: //')

[travier-anssi]

Why bother with NTP at all? It's unencrypted and unauthenticated which allows for MITM attacks and clock skew fingerprinting.

I forgot to specify three important conditions in the initial issue:

• all NTP traffic must transit inside an IPsec tunnel;
• NTP packet authentication must be enabled;
• the default servers from the ntp pool must not be used.

This accounts for the fact that the protocol is indeed unencrypted and unauthenticated by default.

Connecting to a website over https and extracting the time out of the http header would be better. This would also result in far less attack surface as a full NTP client isn't required. All you'd need is

date -s $(curl -sI --tlsv1.2 --proto =https https://clip-os.org | grep "date:" | sed -e 's/date: //')

Using date directly may create big jumps in system time that my not be desirable on a live system and HTTPS connection establishment might also require some prior time synchronisation.

Alternatives to NTP (such as NTS (1, 2) or Roughtime (1, 2)) may also be investigated, especially if time synchronisation turns out to be required before an IPsec tunnel can be established.

[travier-anssi]

This has been completed successfully as of:

• https://github.com/clipos/src_portage_clipos/commit/9f25567d24012edbec530e700674a8f5f4eb708b
• https://github.com/clipos/products_clipos/commit/8eba00622923d43d903ab503b35c8f115d5833dc
• https://github.com/clipos/testbed/commit/b362cff5606ffc9ec594bdcdbe4170e7f47db623