Gaming in untrusted GUI domain?

Qubes 4.1 introduces the Graphical User Interface (GUI) domain. The Graphical Processing Unit (GPU) is passed to the GUI domain so the GUI is separated from the AdminVM (dom0).

My dream is to play games with 3D acceleration in an untrusted domain. Let’s say I have two GPUs and I make two GUI domains A and B. I pass one GPU to A and another to B. A is kept clean. The window manager in A can be trusted to see, display and interact with sensitive content running in AppVMs. B is the untrusted GUI domain where new software is to be installed. The software (and games) in B runs on a dedicated GPU with 3D acceleration.

Is this possible to implement? What are the security issues if the untrusted GUI domain B is compromised?

Disclaimer: I’m a newb

Has been possible: https://forum.qubes-os.org/search?q=gpu%20passthrough

Can confirm this works; haven’t patched things to get more than 3.5G RAM yet, though.

If your system meets the QubesOS security requirements (CPU supporting VT-d) and if everything works as designed the attacker should gain no additional advantage with a setup like that (unless he can reprogram the GPU, in that case it’d be possible for him to extract/take over other VMs that also use this GPU; if you only attach it to the single qube it doesn’t matter).

Can confirm that patching things around as in “Another 2. GPU passthrough post - #2 by Rnd3sB3g13rng” allows assigning as much RAM to a VM as you can spare while still handling the GPU (on Q4.0).

But can one play games in the GUI domain with just one GPU?