I would like to buy a second GPU preferably an old one to use as a main display for dom0 and pass my better GPU through to Qubes. I wanted to buy a old GPU because it is cheap and I only need it to display Dom0 graphics while the better one will render AI models or games similar to this post. But I realized the GPU would be without support or any security updates. Considering it would only be connected to dom0 would it be a security risk or attack vector someone could use to compromise my system?
From my novice understanding of Qubes OS because it uses the Xen hypervisor any vulnerability on the level of hardware are unable to effect the larger system remotely, because dom0 never connects to the internet directly, and all updates are verified by a sighing key to prevent anyone without the key adding any malicious code. This is assuming that the OS and ISO using is not compromised and that Qubes key has not been leaked or anyone is acting maliciously on the Qubes team. Or a exploit that breaks the hypervisor remotely is being used. Which if I have to assume any of those things then hardware vulnerability’s are the least of my worries.
So it seams like using a old GPU is not a security risk, but I know very little about digital security, so I am likely mistaken. Regardless someone please explain why it is or is not a risk.