Audio qube

In case anyone else is looking for a more official source for the RPC policy for an audio qube, I found this one in the qubes-mgmt-salt-dom0-virtual-machines repository. You can switch to the branch for your Qubes OS version if it makes a difference.

1 Like

But did you test it? :thinking:

Yes, on my Qubes 4.2 system, I followed most of the guide but with the RPC policy from the repository in place of the one from the guide. In a simple test, I was able to both play and record audio in a VM other than the AudioVM, despite some RPC denial notifications. I experienced some glitches that I haven’t investigated, but I don’t think they were related to RPC policy. Because my motivation for using an AudioVM was to use Bluetooth headphones, not concern about the attack surface of audio in dom0, I decided to revert to audio in dom0 so I don’t have to live with the glitches unless/until I need the AudioVM again.

The two policy files are very similar, as you can see if you diff them (it helps to sort the lines first). AFAICT the only things allowed by the policy in the guide and not in the repository are admin.vm.feature.CheckWithTemplate +audio-low-latency and +supported-service.pipewire; those might be relevant to features I didn’t test. The policy in the guide also suppresses the denial notifications for admin.vm.property.GetAll. The policy in the repository provides an alternative for security-conscious users who feel it’s sufficiently clear that most of the guide is harmless but aren’t sure about the policy, which was my case.

1 Like
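The sorted comparison described in the post above, as an added example (not part of the thread, the guide, or the repository): it normalises whitespace, skips comment lines, and separates rules found in only one file from rules that differ only in parameters such as `notify=no`. The sample policy lines are constructed and the function names are hypothetical.

```python
# Added example, not from the guide or the repository. Assumes the Qubes 4.1+
# qrexec policy format "service +argument source target action [param=value ...]"
# and that comments are whole lines starting with '#'.

def parse_policy(text):
    """Map each rule's first five fields to the frozenset of its params."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()  # also collapses runs of spaces and tabs
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("!"):  # directive (e.g. !include): compare verbatim
            rules.setdefault(tuple(fields), frozenset())
            continue
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: expected >= 5 fields: {raw!r}")
        rules.setdefault(tuple(fields[:5]), frozenset(fields[5:]))  # first occurrence wins
    return rules

def compare_policies(a_text, b_text):
    """Return rules only in a, only in b, and shared rules whose params differ."""
    a, b = parse_policy(a_text), parse_policy(b_text)
    return {
        "only_a": sorted(k for k in a if k not in b),
        "only_b": sorted(k for k in b if k not in a),
        "params_differ": sorted(
            (k, sorted(a[k]), sorted(b[k])) for k in a if k in b and a[k] != b[k]
        ),
    }

# Constructed samples: they imitate the kinds of difference described in the
# post and are NOT the contents of either real policy file.
GUIDE_SAMPLE = """\
# constructed sample
admin.vm.List * sys-audio @tag:audiovm-sys-audio allow target=dom0
admin.vm.feature.CheckWithTemplate +audio-low-latency sys-audio @tag:audiovm-sys-audio allow target=dom0
admin.vm.feature.CheckWithTemplate  +supported-service.pipewire sys-audio @tag:audiovm-sys-audio allow target=dom0
admin.vm.property.GetAll * sys-audio @tag:audiovm-sys-audio deny notify=no
"""
REPO_SAMPLE = """\
admin.vm.property.GetAll * sys-audio @tag:audiovm-sys-audio deny
admin.vm.List\t* sys-audio @tag:audiovm-sys-audio allow target=dom0
"""

if __name__ == "__main__":
    for section, items in compare_policies(GUIDE_SAMPLE, REPO_SAMPLE).items():
        print(section)
        for item in items:
            print("   ", item)
```

qrexec policy is evaluated top to bottom with the first matching rule winning, so a sorted comparison shows which rules differ but not whether their order changes the outcome; review ordering in the original files separately.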

So, my HVM owns the dGPU and its audio device. The HVM is sent to the TV via HDMI/DP. The HVM’s audiovm is set to sys-audio, but naturally there is no sound there, because sys-audio doesn’t own the sound device and the only way to get the audio is on the TV’s speakers.

Can I get this HVM’s audio via sys-audio at all? I am not sure I can split the dGPU to the HVM and its audio device to sys-audio and have the HVM start successfully.

For the sake of clarity, I’m replying to myself:

Actually, it is possible to split the audio device from its dGPU and assign it to sys-audio, and everything works smoothly!

Jesus, and I tortured myself for so long with a shitty TV sound, so thanks @solene for the inspiration!

Now, a new idea: does it make sense to create a separate sys-audio for each audio device for the goal of compartmentalization?

1 Like