Sys-gui in Qubes 4.1 - devel

Actually, the real question I was trying to ask is: “Does sys-gui increase attack surface via covert channels?”
My impression is that it should not increase this but I rely on your wisdom for answering it as I obviously may be wrong.

Well, in the part that explains “Why make a GUI domain at all?” it does sound far from increasing attack surface.

Yes, I can confirm this. The dispvm is displayed in the dom0 Manager and it stays visible after shutting it down.

I mentioned this because an SR-IOV/GVT-g solution involves ‘splitting’ a single GPU up into as many sub-PCI devices as you want, then assigning the split GPUs to VMs that require 2D/3D accel. This significantly increases risk of exploitation but would allow for hardware-based video decoding (H264/HEVC and VP9), for example, meaning dat smooth smooth YouTube experience without CPU at 67823564%.
Note: I understand most people don’t use Qubes for media consumption etc.

I suspect the only real way to solve this is open GPU hardware that runs RISC-V or something, where the Qubes team can inspect firmware.

Note: Below has nothing to do with SR-IOV/GVT-g

In the GUI Domain @marmarek mentions:

“In the perfect world, we could simply connect the graphics card to the VM as a PCI device and enjoy a new, more comfortable level of separation. Unfortunately, the world of computer hardware is very far from a perfect one. This solution works only very rarely.”

I somewhat disagree. Indeed there are many, many GPUs on the market, but I would argue most Qubes users are running on laptops with 1 single integrated GPU. Seeing as there are only 2 major CPU manufacturers (Intel and AMD), a GPU pass-through solution that supported only these 2 manufacturers would suffice.

I ain’t running Qubes on a laptop with an integrated GPU. I even have 4 colleagues with configurations somewhat like mine for running Qubes. So your thought may be biased here.

Things which are broken for me after 4-5 days of testing:

While operating from dom0 command line:
qubes.ClipboardPaste
qubes-manager while using dispVM only

While operating from sys-gui session:
qubes.ClipboardPaste
qubes-manager while using dispVM
Playing Audio and Video files

Although I think it’s not yet ready, so these will be handled in a future PR maybe. Thought that I should provide feedback @fepitre.

xss-lock and qubes-manager crashes are also there sometimes when using either method.

(My policy file cannot be implemented with proper functioning, but that’s a user-specific issue :sleepy: :worried:)


Thank you all for your feedback. Please note that we follow threads but are not replying all the time. Mostly it’s like “qubes-issues”. We know it’s here :slight_smile:.


@panati, there is now a new category for discussions of the upcoming 4.1 release. I’ve moved this topic there.

Good to know!
I have a test setup where I set sys-gui as global but can only use it from dom0 and not when logging in to a GuiVM session only.

I guess you have enough to do already but if you find the time and if you are willing to share some insight it would be welcome.

Also, I am curious about sys-gui-gpu as well.

I recently tried sys-gui. I am having the same issues as @panati. But I think no development has been done since last time.

What happened since then? Did something change since the last post? Is everything working normally now?

@adw this link is now broken. Can you add a redirect to Xfce templates | Qubes OS (which I’m guessing is the correct link)?

Fixed. Thanks!
