On 07/08/2016 12:27 AM, raahe...@gmail.com wrote:
> I'm also confused, you say gpus are so insecure and that qubes is not doing
> enough to isolate them?
I don't think that's what I implied. But trying to be concise on a complex subject can leave some people with the wrong impression, so I apologize if I've left out too much.

Two issues with GPUs I'm assuming are that they represent a target for malware (being a large computing resource), and also that when we try to isolate them most do not respond well to bus commands that enable things like passthrough (i.e. they do not 'behave' in IOMMU isolation). Passthrough is also clunky, requiring at least another display output. GPU virtualization is another way for domU apps to access GPU functions, and it shouldn't require separate displays or secondary graphics chips.

> Excuse me for being noob but doesn't qubes not allow most gpu functions to go
> past dom0.

AFAIK, Qubes doesn't allow any GPU functions whatsoever from domU into dom0. Qubes graphics are virtualized in a 2D, non-accelerated way. Having limited developer resources, that is a good first step to making the system secure and I'm glad it works that way--for now. But I also realize that needs to be a transitional phase and to not remain the status quo.

Graphics vendors are currently demonstrating GPU virtualization technology that would make GPU utilization safe, inviting developers to use it. ITL says this would take a lot of developer effort, however.

> And so you would rather have them in domu domains with similar isolation as
> the netcard vm (which has no choice) and you would feel that more secure? I'm
> no expert so don't know if that's true. If not would even having the ability on
> machine make me more vulnerable even if not applying it myself? Excuse my
> noobness.

Hmmm, no. I think the choice is to either leave the GPU in a privileged domain such as dom0 and employ GPU virtualization to allow safe access from domUs, or to improve in some way the current (impractical) practice of isolating secondary graphics cards in domUs so that they actually work when they're properly isolated.

> Most people also don't have two gpus in their machine, which you imply would be
> the most secure way to use this feature? Only people I know of that do are
> gamers. If you do graphic designing and need to use special professional
> programs that require gpu processing I would recommend using a separate
> computer. But it seems this might be a feature in the future on Qubes. I
> wouldn't call it a priority though.

A lot of people have two GPUs and don't realize it. Even so, it's not like we are talking about great expense here: Even having access to weaker GPUs could make a big difference in Qubes' power and usability.

> I think Qubes is fine for normal everyday users doing everyday tasks for home
> and office use. I can still edit photos, watch movies, create greeting cards,
> view almost any webpage. Only thing I can't do is play video games. And that's
> fine I have another machine for that, since I consider playing video games one
> of the most dangerous things you can do online anyways.

Projecting our own personal routines on the issue will probably not be of much help. And I think I've already made the case against framing this as a games issue; I'd urge the community not to look down its nose on graphics in this way or we will find the world of graphics can stare back at us more sharply. If it gets to the point where OpenBSD is recommended over Qubes because the latter "can't do much" and "lack of GPU virtualization sounds pretty insecure" then I think we'll be in real trouble. :)

> It's nice that you have so much faith in Qubes and that it can stop all attacks, but that
> is unrealistic. There is still always danger when doing untrusted tasks even when using
> Qubes, even with its hardware isolation. People should realize what. Qubes themselves
> describe it as "somewhat" secure, meaning much better than a traditional os,
> but nothing is 100%.

That is always a factor no matter what we do with Qubes. But it seems to me that the simple Qubes interfaces have already been used to enable some pretty complex functionality "securely". I don't think it follows that accessing GPUs through them necessarily incurs unacceptable risk; but even if this is a possibility, it requires further investigation. Since GPU manufacturers now have an incentive to not appear as an element that undermines security (hence, the GPU virtualization initiatives they're taking) there is a good chance that some reasonably secure accommodation can be made for primary graphics.

The alternative is to endow Qubes systems with secondary graphics that work nicely with passthrough. Currently, users can experiment with this in a piecemeal fashion and likely meet with failure.

Chris

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.