On 04/15/2019 12:28 AM, demioben...@gmail.com wrote:
> My laptop (Lenovo P51) works fantastically with QubesOS.
>
> It has two GPUs: Intel integrated graphics and a discrete NVIDIA card.  For 
> gaming, I am interested in pass-through of one (NOT both) to a VM.

Impossible.

Optimus works via muxing the dGPU signal through the iGPU which results
in you being able to do the same muxing with an eGPU if you have one set up
and only an iGPU etc.

>
> I believe that the integrated graphics controls the internal monitor, and 
> that all external monitors are connected to the dedicated graphics card.  Can 
> someone confirm this, and can this be changed?
>
> I will not give another VM control of my primary display, for obvious 
> reasons.  I also consider the VM that I would like to give GPU access to to 
> be highly untrustworthy and potentially compromised, since it will be running 
> untrustworthy games.  My current plan is to give the gaming VM access to one 
> monitor, while I use the other monitor for normal operation of QubesOS.
>
> My main questions are:
>
> * How feasible are firmware attacks on the graphics card,

Very Expert level, it is not easy to do and still have it be a graphics
card.

You probably don't have anything that valuable to steal or hack.

I have only heard of hacked NICs, serial cards etc, more simple stuff, not
GPUs.

Messing around with the option ROM is a lot easier though but you can set
the VMM to not pass that memory region so afaik it can't be flashed.

> if I choose the NVIDIA card?  I trust that the IOMMU will keep me safe from a 
> compromised card.

Not on a system with black boxes and proprietary firmware, for DRM
reasons the iGPU and dGPU are tightly linked to the ME - and the ME is
not subject to IOMMU controls.

All new x86 stuff is not owner controlled thus one's libre-IOMMU options
are limited to some older x86 stuff in the narrow window between IOMMU
becoming available and AMD closing up their firmware or OpenPOWER (like
blackbird/talos) etc although there aren't many POWER games right now
unfortunately so it is a workstation/server platform.

> but only if the compromise does not persist across reboots.  In the case of
> the integrated graphics, the GPU has no persistent storage, but I am nervous
> about possible compromise of the internal display, which would be fatal. For
> the dedicated graphics, I am worried that the graphics card’s firmware could
> be overwritten.  Is this possible without PCI configuration space access?
>
> Finally, can NVIDIA cards work with PCI pass-through?

Yeah but it's way more difficult and finicky than with AMD.

Laptop gaming sucks anyway just pick up a KCMA-D8, Opteron 4386
(microcode update req otherwise 4284), 32GB RAM and a RX590 8GB then
install coreboot-libre and play games at max settings.

This is a very affordable libre firmware gaming setup that can play
games in a VM at max at 1080p with smooth FPS as long as they can use
all 8 cores which almost everything new can, ironically new stuff like
GTA5 runs better than old stuff and it uses all 8 cores at max.

Since you would have more PCI-e slots to spare you can also pop in
another single slot GPU for your primary desktop since the onboard sucks.

The D8 has dual onboard usb controllers and can be obtained for $50-100
on fleabay used, the 4386 is the best C32 CPU and is $50-100 as well.

You also need an at least 3U (pref 4U) tower cooler for it; let me know
if you can't find one and I can help (some Socket F coolers are compatible).
