I don't know anything about your specific hardware, but it is true that secondary GPUs are often not connected to the display itself, but rather the rendering takes place there and then the rendered frames are passed back to the host and to the integrated GPU to be put on your display. From a Qubes perspective I believe this is actually a very good thing since it means we could keep the integrated GPU statically assigned to dom0, and keep the Qubes GUI protocol largely unchanged. The question would be one of getting the passed through GPU to render its output to some buffer which we pass back to dom0.
There are still firmware-security issues associated with passing the discrete GPU between VMs of different trust levels, because someone who has full control of the GPU may be able to re-flash its firmware with something that would later perform a DMA attack against the 2nd VM it's attached to. However, if you only ever wish to pass it through to a single "gaming" Windows HVM or such, this is not a problem. The reason integrated GPUs are interesting in this regard is that they do not have firmware which is persistently stored on the device; rather, it is loaded externally on each power-on and subject to normal boot-security measures. The thinking is that by rebooting between assigning your integrated GPU to different VMs, you prevent one from compromising another via the GPU by making GPU compromise ephemeral.
As for previous successes requiring upstream-QEMU in dom0, the problem here is that Xen only supports a very old forked QEMU in stubdomains, but this is something that will change. Progress in this area has stalled because there was an effort to run QEMU in a very minimal unikernel-style environment, but this effort has been abandoned and work is now underway towards making it run on top of Linux (still in a separate stubdomain), which should take less work to bring to a usable state than the previous minimal-stubdom effort.