On Thursday, April 20, 2017 at 10:50:58 AM UTC-4, Marek Marczykowski-Górecki wrote:
> On Thu, Apr 20, 2017 at 07:05:40AM -0700, je wrote:
> > Hello,
> >
> > Intel GVT-g is Intel's mediated pass-through technology for graphics
> > virtualization. Mediated pass-through allows to share a graphics card with
> > multiple guests [1]. Intel GVT-g was formerly known as XenGT. However,
> > GVT-g was added to the mainline kernel 4.10 [2] and has since seen
> > improvements [3].
> >
> > Are there any plans to support GVT-g in upcoming Qubes OS releases? Did you
> > do any experiments with GVT-g and QubesOS?
>
> Currently not. While this may look very attractive, it also has a huge
> attack surface - especially the mediating part running in device model.
> There are at least two things to be concerned about:
>  - exploiting some bug there to break out into dom0,
>  - exploiting some bug there to steal/subvert data of other VM using the
>    same GPU
>
> The first one could be somehow mitigated by sandboxing it in a separate
> VM - like we do with qemu for HVM domains. But it wouldn't prevent the
> second kind of attack, which is especially severe if you have only one
> GPU.
> This also requires a lot of research what other parts of the system could
> be affected by such a complex feature.
>
> This all doesn't mean we will never add such a feature - using this
> technology, or some other future one. But probably it will not be
> enabled by default. And surely it will not be in the near future - since
> our resources are limited, we focus on things improving security of
> Qubes OS, not loosening it.
>
> > If you did not do any experiments with GVT-g and QubesOS, then I would
> > really like to see a GSoC project which evaluates the Intel GVT-g
> > technology in Qubes OS. Because Intel GVT-g could be maybe used to enable
> > Android and WebGL development in Qubes OS. Furthermore, proper GPU
> > acceleration support could improve or enable many use cases which require
> > GPU acceleration.
>
> Well, this indeed may be a good candidate for GSoC project. I'm somehow
> sceptical if this as a whole could be framed as such (IMO it's much more
> than 3 months of work), but some parts probably yes. Anyway, this is
> for the next year - deadline for projects submission for this year
> already has passed.

I think that GPU virtualization is a very new field. I would not consider this as a feature anytime soon in Qubes OS. However, I think Qubes OS should explore new technologies in this area as soon as they appear.

Currently it is not really possible to play games, use 3D rendering applications or use WebGL. I tried once to play a simple WebGL based tower game on Qubes OS. It was just painful. Whereas the same game was running very fast on an Alcatel OneTouch FirefoxOS phone (http://www.gsmarena.com/alcatel_one_touch_fire-5319.php).
My Intel i7-3x running Qubes OS should have been able to surpass the performance of my phone by far.

What I was thinking about is to have a page for QubesOS with proposals which can be used for GSoC students, students or researchers who have to write a thesis. We could call it Qubes OS Research Lab. The proposals should be around interesting and novel research topics in virtualization, such as GPU virtualization, Unikernels, separation of Desktop Environment and Dom0, introspection/forensics and many more. I think students would be interested to work on topics which allow them to contribute to an open source project and work together with a community.

> > [1] https://01.org/igvt-g
> >
> > [2] http://www.phoronix.com/scan.php?page=news_item&px=Intel-GVT-G-Linux-4.10-State
> >
> > [3] http://www.phoronix.com/scan.php?page=news_item&px=Intel-GVT-g-Linux-4.12-Slated
>
> --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
