Hardware

To have an ‘HVM’ for gaming, you must have

• A dedicated GPU. By dedicated, it means: it is a secondary GPU, not the GPU used to display dom0. In 2023, ‘Nvidia’ and ‘Amd’ GPU work. Not tested with Intel GPUs. External GPU using thunderbolt work (Create a Gaming HVM - #8 by solene)

• A screen available for the gaming ‘HVM’. (It can be a physical monitor or just to have multiple cables connected to the screen and switching between input source) [Optional]

• Dedicated gaming mouse and keyboard [Optional] .

IOMMU Group

Goal

What

The goal of this step if to retrieve the default IOMMU Group (VFIO - “Virtual Function I/O” — The Linux Kernel documentation) of your hardware.

Why

It can help understanding potential issue with your setup (what devices live in the same IOMMU group as your GPU) / finding potential workaround.
If you feel lucky, skip this step.

How

You can’t see your IOMMU Group when you are using Xen (the information is hidden from dom0).

• Boot a live linux distribution
• In the grub, enable iommu: Add the parameters iommu=1 iommu_amd=on to the linux commandline
• Once you logged in your live linux distribution, you need to retrieve the folder structure of /sys/kernel/iommu_group.
  You can use the following script to do that:

#!/bin/bash
shopt -s nullglob
for g in /sys/kernel/iommu_groups/*; do
 echo "IOMMU Group ${g##*/}:"
 for d in $g/devices/*; do
  echo -e "\t$(lspci -nns ${d##*/})"
done
done

GRUB modification

You must hide your secondary GPU from dom0. To do that, you have to modify the GRUB. In a dom0 Terminal, type:

qvm-pci

Then find the devices id for your secondary GPU. In my case, it is dom0:0a_00.0. Edit /etc/default/grub, and add the PCI hiding.

GRUB_CMDLINE_LINUX="... rd.qubes.hide_pci=0a:00.0 "

then regenerate the grub

grub2-mkconfig -o /boot/grub2/grub.cfg

If you are using UEFI and Qubes OS 4.1 or earlier, the file to override with grub2-mkconfig is /boot/efi/EFI/qubes/grub.cfg.

Note: if after this step when you reboot the computer you get stuck in the QubesOS startup that means you are trying to use the GPU you just hid. Check your BIOS options. Also check the cables, BIOS have some GPU priority based on the type of cable. For example, DisplayPort can be favoured over HDMI.

Once you have rebooted, in dom0, type sudo lspci -vvn, you should see “Kernel driver in use: pciback” for the GPU you just hid.

Preparing the guest

As of 2023-2026, I recommend using a Linux guest instead of a window guest.

Windows

Install a window VM, you can use this qvm-create-windows-qube

Linux

Create a new template Qube based on the template of your choice, and a appvm based on this new template.

If you use DKMS drivers, you doesn’t need to use the guest provided kernel.

If not, you must run the kernel provided by the guest distribution, because we will use some non-default kernel module for the GPU driver. Just follow the doc: Redirecting….

Install the GPU drivers you need.

Pass the GPU

In qubes settings for the HVM, go to the ‘devices’ tab, pass the ID corresponding to your GPU.

qvm-pci attach gpu_gaming_archlinux dom0:0a_00.0 --persistent

You may or may not need to add the option “permissive” or “no-strict-reset”.
You may or may not need to passthrough additional devices depending on the result of the IOMMU script Create a Gaming HVM

Some word about the security implication of thoses parameters.

qvm-pci attach gpu_gaming_archlinux dom0:0a_00.0 -o permissive=True -o no-strict-reset=True --persistent

Starting the guest

This is where you will have a lot of issues to debug. Prepare for intense suffering

For Linux guests, run ‘sudo dmesg’ to have all the kernel log indicating you if there is a issue with your GPU driver. For some hardware, the MSI calls won’t work. You can work around that using for example pci=nomsi or NVreg_EnableMSI=0 or something else. Check your drivers options. Check if alternative drivers exist (amdgpu, nvidia, nouveau, nvidia-open, using drivers from the official website, …). Check multiple kernel version.

For nvidia GPU, I recommand using “nvidia-open” drivers instead of “nvidia”

Some links that could help you to debug the issues you will have

• https://forum.qubes-os.org/t/ryzen-7000-serie/

• https://dri.freedesktop.org/docs/drm/gpu/amdgpu.html

For windows guests you will probably have the same issues but it will be harder to debug. I recommend using the drivers from Windows Update instead of the official drivers from the website of the constructor.

Some things that may be useful for debugging:

• Virsh (start, define, …)

• /etc/libvirt/libxl/

• xl

• /etc/qubes/templates/libvirt/xen/by-name/

• /usr/lib/xen/boot/

• virsh -c xen:/// domxml-to-native xen-xm /etc/libvirt/libxl/…

Issues with the drivers could be related to ‘qubes-vmm-xen-stubdom-linux’, ‘qubes-vmm-xen’, and the Linux kernel you will be using.

[Case: No dedicated screen, mouse or keyboard] VirtualGL and vulkan

In some cases, it will just work out of the box (application will automatically detect the GPU and will be able to use it without modification.

In some cases, an additionnal layer is required: using VirtualGL, mentionned here: Seamless GPU passthrough on Qubes OS with VirtualGL
In that case you may need to specify a new variable LD_LIBRARY_PATH=/usr/lib

You may have issue with how the mouse is handled by the game. AFAIK, no one tried to solve this issue.

Or, if using NVIDIA GPU, you could use the environnement variables specific to nvida, as mentionned before by others people in this forum.

In my setup, I export the following environment variable when I want to avoid using a dedicated keyboard/mouse and screen:

export VGL_DISPLAY=egl 
export __NV_PRIME_RENDER_OFFLOAD=1 
export __VK_LAYER_NV_optimus=NVIDIA_only 
export __GLX_VENDOR_LIBRARY_NAME=nvidia

[Case: Dedicated Screen, mouse and keyboard] Linux guest — Integration with QubesOS

Xorg

Now Xorg. From XKCD:

Things you need to install:

• The Xorg input driver to support your mouse and keyboard

• Your favorite Windows Manager

In my case, it is:

archlinux version:

pacman -S xorg i3

debian version:

apt install xserver-xorg-input-kbd xserver-xorg-input-libinput xserver-xorg-input-mouse i3

Then create a XORG configuration file for your GPU and screen. My file named ‘xorg.conf’:

Section "ServerLayout"
Identifier "Passthrough Layout"
Screen 0 "Passthrough Screen" Absolute 0 0
EndSection

Section "Device"
Identifier  "Passthrough GPU"
# name of the driver to use. Can be "amdgpu", "nvidia", or something else
Driver      "driver"
Option "Coolbits" "4"
# The BusID value will change after each qube reboot. 
BusID       "PCI:0::0"
EndSection

Section "Monitor"
Identifier "Passthrough monitor"
EndSection

Section "Screen"
Identifier "Passthrough Screen"
Device     "Passthrough GPU"
Monitor    "Passthrough Monitor"
EndSection

We can’t know what is the correct BusID before the qube is started. And it change after each reboot. So let’s write a script — named “xorgX1.sh” — that update this configuration file with the correct value, then start a binary on the Xorg X screen n°1.

#!/bin/bash
binary=${1:?binary required}

# Find the correct BusID of the AMD GPU, then set it in the Xorg configuration file
lspci | grep "VGA" | grep -E "NVIDIA" && sed -i 's/^Driver .*/Driver "nvidia"/g' /opt/xorg.conf
lspci | grep "VGA" | grep -E "AMD/ATI" && sed -i 's/^Driver .*/Driver "amdgpu"/g' /opt/xorg.conf
pci=$(lspci | grep "VGA" | grep -E "NVIDIA|AMD/ATI" | cut -d " " -f 1 | cut -d ":" -f 2 | cut -d "." -f 1 | cut -d "0" -f 2)
sed -i 's/"PCI:[^"]*"/"PCI:0:'$pci':0"/g' /opt/xorg.conf

# Start the Xorg server for the X screen number 1.
# The X screen n__0 is already used for QubesOS integration
sudo startx "$binary" -- :1 -config /opt/xorg.conf

Audio

• Create a script to launch your favorite Windows Manager and force it to use a specific pulse server.
  Example “i3.sh”:

#!/bin/bash
/bin/sudo -u user PULSE_SERVER=unix:/run/user/1000/pulse/native bash -c 'sudo xhost + local:;/usr/bin/i3'

And launch it:

sudo ./xorgX1.sh ./i3.sh

Automating most of that

My bash version:
https://git.sr.ht/~yukikoo/gpu_template

@otter2 salt version:
https://forum.qubes-os.org/t/salt-automating-nvidia-gpu-passthrough/

Please be carefull and read the code, not much tests have been done

Issues and fixes

1

In one case in a setup with Intel IGPU + Nvidia DGPU, dom0 xorg crashed.
Solved the case by adding a Xorg configuration to explicitly use Intel:

2

Recently, a config file cause Xorg to crash when the nvidia driver is installed but no nvidia GPU is attached to the VM.
I usually just delete this problematic config file:

rm /usr/share/glvnd/egl_vendor.d/10_nvidia.json

References

• Archlinux: PulseAudio

• Archlinux: PulseAudio/Troubleshooting

This guide seems to draw heavily on this article by @neowutran, should some credits be added? (Asking you directly @neowutran since you’re in the forum.)

https://neowutran.ovh/qubes/articles/gaming_linux_hvm.html

Unless, I’ve got this backwards and it’s the other way around! @taradiddles if I understand the migration correctly you created the guide in the qubes-community project on GitHub?

I published it both on my website and in the qubes-community project on Github, you can check in the footer of the original post that I am the author:

"

• Original author(s) (GitHub usernames): neowutran
• Original author(s) (forum usernames): @neowutran
  "

everything is ok

I didn’t realize there was such useful info in the details of the migration!

Pretty cool guide! Did someone ever try with a thunderbolt external GPU?

@neowutran I got this working more easily with pipewire. And since there was recent work by @Demi in adding support, I think it’s a good bet.

(Disclaimer: this was on manjaro. Not pure arch)
Here are the instructions:

Getting audio to work

In my case I was having issues with audio. It was stuttering, so I removed the qubes-vm-pulseaudio package and and installed pipewire as a replacement and it seemed to do the job:

sudo pacman -Rdd qubes-vm-pulaseaudio pulseaudio
sudo pacman -S pipewire-{jack,alsa,pulse}

After restarting the machine, the audio was working

I just tried it but it doesn’t seems to work with multiseat Xorg. Do you confirm that for you it work even in the multiseat Xorg ?
( audio work well on my “:0” xorg session, but no sound on my “:1” xorg session. I removed all the configuration/modification related to pulseaudio )

Update:
made it working on my side with pipewire. I needed to use this custom script instead of directly i3 in my example to force connect to the audio daemon

i3.sh 
#!/bin/bash
/bin/sudo -u user PULSE_SERVER=unix:/run/user/1000/pulse/native /usr/bin/i3

I just got an HVM to display GNOME on my external GPU

I did that (I’ll try again from a cleaner environment to get a more reproducible guide)

• hide the pci devices (there is no IOMMU on the external GPU, except with the AMD card but it’s super clear to see the AMD VGA and AMD audio are part of the same group)
• pass the devices to an HVM
• use the qube provided kernel
• use X :1 -configure to generate an xorg.conf file, then remove all extra in it to just keep the screen/monitor/device related to the VGA card itself was good enough, check you are using nvidia for NVIDIA cards and amdgpu for AMD cards
• move that file in /etc/X11/xorg.conf.d/99-xorg.conf, and start your display manager, e.g. systemctl start gdm.service

Tested on OpenSUSE tumbleweed with an AMD RX 480 and NVIDIA 1060
Tested on OpenSUSE tumbleweed with an NVIDIA 1060 but in discrete mode (display in dom0 but uses the GPU)

Tested on Debian 12 using the template with an NVIDIA 1060

I used a Razer Core X external GPU case connected in thunderbolt 3 on a Lenovo T470, unfortunately it’s almost useless in this case because the CPU is way too slow to do anything meaningful with a GPU in Qubes OS

I’m sure using QubesOS doesn’t improve the CPU performance, and mobile CPU are not great for gaming to start with, but do you not also run into some serious PCIe bandwidth issues?

Can you get more than 4x PCIe lanes?, I also think TB3 and 4 only use PCIe gen 3, and it’s not the fast CPU lanes, it’s the slower chipset lanes.

Not really, on Linux I can emulate Switch games using Yuzu or play games like Death Stranding or Control (CPU bound). The laptop has an i5-7300U, it would take a while before being limited by thunderbolt bandwidth. Maybe if you use a 4k screen this would saturate faster?

If you use the eGPU as a discrete GPU, the bandwidth is limiting because the data have to go in both ways, if you use it with an external display, you have more bandwidth because the rendering doesn’t need to go back through thunderbolt.

Yes, it works if you just use it for the external display, but you could do the same with a TB dock without the GPU.

I thought you wanted to connect the GPU and use it to play games that need accelerated graphics.

that’s exactly what I’ve done, and it’s working.

Great guide but I still have some questions.

For the Iommu Group do I have to do everything inside the grub cmd of the usb linux live distro (I have to paste the #!/bin/bash part)?
And if yes how can I deal with my OS being LUKS encrypted?

Also, what’s the deal with the max-ram-below-4g?
From what I understood this means this will allow up to 2 GB of ram to your gpu passtrough HVM qube, then I don’t understand how people in other threads have straight up 4090s working. (And what about the VRAM?)

bump, I am also interested

“For the Iommu Group do I have to do everything inside the grub cmd of the usb linux live distro (I have to paste the #!/bin/bash part)?” : No. Boot into any linux live distro, use the standard terminal emulator to create a script and execute it.

“And if yes how can I deal with my OS being LUKS encrypted?”: Irrelevant, you don’t need to access anything on your OS for this step

“From what I understood this means this will allow up to 2 GB of ram to your gpu passtrough HVM qube, then I don’t understand how people in other threads have straight up 4090s working. (And what about the VRAM?)”: No, you have access to all the ram you want and don’t have any kind of limitation on VRAM.

Also, what’s the deal with the max-ram-below-4g?: You can read differents threads here:

or search on internet. Not everything is understood about what is going on with TOLUD

Btw, I did a presentation about my video editing setup on Qubes, which has GPU passthrough on an nvidia 4090, if anyone is interested.

Timestamp 5h34m30s

The lines for the original post on patching xen.xml has changed because the original patch interfered with audio VM’s.
Maybe update the lines and link to the thread in case more progress is made?

I am going to remove the information about xen.xml patching from this guide.

• The two method (xen.xml / stubdom-linux-rootfs.gz ) are currently not doing the exact same things
• The difference between the two methods seems to be causing confusion / I see lot mistakes in forum posts ; and it make troubleshooting harder
• I don’t personally use the xen.xml method and I am not willing to spend time updating xen.xml patching method to have the exact same behavior as the other method

Are you still having to keep stubdom downgraded to apply the stubdom patch or did they resolve that?

I am using the latest version of everything available in the official repositories