I have just one or two applications which would work best if they were able to use the RTX 2060 Mobile in this laptop, but there is seemingly no easy way to do this. Would running some portable installation of Windows work? And if so, does that compromise the security of QubesOS in some way to do this?
The boot partition isn’t encrypted; booting a second OS could compromise the boot partition. You can mitigate this by detaching the LUKS header, or using heads/AEM.
The Windows OS would have full access to all hardware and firmware; this could in theory be used for attacks as well.
It’s possible to pass through the discrete GPU to one of the VMs, including Windows VMs. Just make sure that’s not the only GPU on your system, in case you lose GUI access.
First off, I have tried to use a Windows VM; it does not work. When you try to start up any qube with the GPU added as a device, the entire system freezes and restarts. Looking online, a lot of others have a similar issue and have concluded that getting a built-in laptop GPU to work isn’t feasible (you can do this with an external GPU connected in some other way, but laptop GPUs just don’t work).
Unless you know a way around that, I may be out of luck.
I thought I was reading something during installation regarding installing the boot partition on a USB drive, so your PC boots when you have it plugged in and cannot boot without it. I would do that if I knew how, then just have no USB in when Windows is being used on an external drive/USB drive so it can only borrow the PC hardware, so to speak. Does this still cause considerable security breaches?
You know your threat model better than I do.
I don’t think it is something that is in the “standard bot package”, but mounting the drive and writing to the partition would not be hard for a human.
If you need to worry about skilled actors targeting your system, then yes, it’s a considerable threat.
Because of the manner in which Nvidia CPUs are integrated into most (all?) mobile CPU laptops, where there are some display functions shared/routed through both the iGPU and the dGPU at the same time, it’s not possible to pass through the dGPU to VMs.
This is a guide for passing through your dGPU on your laptop for your VM. This guide only applies to laptops that do not load dGPU firmware through an ACPI call, which includes all MUXed laptops and some MUXless laptops. For laptops that use an ACPI call to load dGPU firmware, please refer to u/jscinoz's optimus-vfio-docs.