[qubes-users] Re: GPU Passthrough Status - (Purely a meta-discussion, no specifics)

[nicklas . aven]

On Saturday, December 16, 2017 at 3:25:46 AM UTC+1, Yuraeitha wrote:
> Aight, so the idea of this thread, is to get an overview of where we stand, 
> that is, how far are we away from archiving GPU Passthrough on Qubes. 
> 
> The underlying reason it's currently not working, appears to be because of 
> its current state a virtual GPU for a specific VM, would require direct 
> access to dom0. This is deemed a serious security threat breaking a central 
> pillar of what Qubes is all about, attempting to isolate dom0 as far as 
> possibly possible. Therefore, from what I can gather, what we need is virtual 
> GPU operating from an underlying DomU stub-domain, preferably, one separated 
> from another DomU stub-domain, which holds the important and critical VM data 
> and user operations. Thereby it's not only about single virtualization 
> anymore, but also about group segmenting and isolating entire virtual 
> stub-domains. That means, one group of VM's is isolated from another group of 
> VM's. Please correct me if I'm wrong here, it's great for the discussion to 
> have the most accurate information.
> 
> Here is a scenario that stresses the above, 
> https://groups.google.com/forum/#!topic/qubes-users/cmPRMOkxkdA
> Managing to make GPU passthrough work, but only by passing it directly to 
> Xen, instead of Libvirt, which in turn, exposes dom0.
> 
> Initially, this is all the reasons I can think of for wanting V-GPU. 
> - Heavy graphic designer job or hobby (movies, animations, etc.).
> - Running Qubes on many screens at desk. 
> - Extending a single Qubes machine around the house or company, using 
> multiple of screens, keyboards/mouses or other thinkable means.
> - Gamers who take security and privacy seriously (there is surprisingly many 
> of them out there).
> - Cryptocoin miners who wish to utilize a single machine for all round 
> purposes.
> - Using a qube as a streaming TV, and want good graphics for the specific 
> TV-VM. For example 4k or even 8k+ or more on multiple tied screens.
> 
> Some of these are exotic and probably not many around use them, however, 
> others are quite common. Whichever the case, it's all scenarios with a common 
> problem. The point here, is to underpin the possible use-cases.
> 
> 
> 
> I must be tired, I initially wrote 'qubestions' instead of 'questions' 
> here... 
> aight, so possible questions for the discussion.
> 
> - What would it take for Qubes to obtain stubdomains in a feasible means to 
> allow safe GPU Passthrough? 
> - Are there other problems that needs solving too? If so, which ones? 
> - What is the grand big picture status between the above two questions? 
> - Are there currently any plans for any of these required implementations? 
> For example Qubes stub-domains in Qubes 4.1? Qubes 5? or are they still 
> unplanned? If planned, or in part planned, like only halfway there, then, 
> what are these plans? Please elaborate. 
> - Other possible questions you can think of. 
> 
> 
> I'm sure there are aspects I did not think of, but that's fine, after all, 
> this is a discussion. This initial post is just to kick it off. The purpose 
> is to combine information that a few selected individuals might be sitting 
> on, with the many users who do not know about the current state. Thereby, 
> building community awareness of the current situation. Whatever you got to 
> say, or ask, about GPU Passthrough, this thread can be used for that! The 
> only limitation, is that it is a discussion, and not a place to ask how to 
> get your own specific case of GPU Passthrough to work. It's a general, meta 
> discussion. 
> 
> What is your thoughts on the matter?

Just to add a use case is all developers doing something including the gpu.

I found Qubes OS the other day and installed it on a secondary pc. It seems 
great, and besides the security concerns it also gives a great way to organize 
the computer. To keep work, private and open source projects separated.

I work on TilelessMap, an open source project to keep huge amounts of map data 
locally (linux, windows or android). Can be view as a privacy project since it 
makes you independent of connection which reveals what maps you are interested 
in (where you are in other words).

https://github.com/TilelessMap

It renders the map in openGL som I have a problem adopting Qubes OS on my 
primary laptop. But I would really love to do it.

 write this just to point out that it isn't just gaming that is the use case. 
Anyway, Qubes OS looks fantastic, for more or less anything else. 

Thanks !

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 

Re: [qubes-users] Re: GPU?

[Vít Šesták]

On January 25, 2018 5:56:41 PM GMT+01:00, "taii...@gmx.com"  
wrote:
>On 01/18/2018 04:00 PM, Alex Dubois wrote:
>Correct me if I am wrong but I don't see the issue with an apparmor 
>restricted qemu running in dom0...

Well, AppArmor might reduce the attack surface, but remember that:

1. Qubes was not intended to run QEMU in dom0 and
2. Qubes dom0 is often based on outdated Fedora. While ITL provides security 
updates for security-critical components, it does not necessarily cover all 
vulnerabilities in kernel and apparmor, because of #1.
3. Linux kernel is considered as quite weaker than Xen in terms of attack 
surface, so exploits in Linux kernel are more likely. AppArmor might mitigate 
*some* of them, but not all.

Regards,
Vít Šesták 'v6ak'

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/203975FF-A8A0-4EEF-8C0B-20AC09EC19EE%40v6ak.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: GPU?

[taii...@gmx.com]

On 01/18/2018 04:00 PM, Alex Dubois wrote:


If you have multiple GPU (i.e. integrated + NVidia), it is possible with Xen to 
do GPU pass-through (Assign the NVidia GPU to a dedicated VM) however:
- It is far from trivial and only limited setups are known to work
- The security of it is not as robust (I can't remember where I read that, I 
think it was in the GPU Pass-through page of the Xen wiki)

I have tried with limited success few years back (only one boot and was never 
able to get it back after)...


I do this all the time to play games and watch movies.

I recommend either a quality server board or a platform that has libre 
or open source firmware so that IOMMU issues can be fixed if they happen.


Correct me if I am wrong but I don't see the issue with an apparmor 
restricted qemu running in dom0...


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b959b86d-f0b4-1f76-19d7-58493c07a3e5%40gmx.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: GPU?

[Vít Šesták]

On Thursday, January 18, 2018 at 10:00:19 PM UTC+1, Alex Dubois wrote:
> You can use GPU computing in Dom0 with the assumption that:
> - You trust the software you plan on using
>- 3D design software such as Blender
>- GPU compute such as CUDA libs, Tensorflow, Keras, etc..
> - You only create assets/code and export them out of Dom0

You right, one can, but:

* At least, this goes against the nature of Qubes.
* You don't have any Internet connection there.
* Creating only (and not importing anything) is a very important (and often 
unrealistic) assumption. So, you should not open any file you download. If 
there is some vulnerability in such software (well, Blender: 
https://developer.blender.org/T52924), you are actually potentially more 
affected than with traditional OS like Ubuntu: In Qubes, dom0 sometimes gets 
out of date (like Q3.2 being based on EOLed F23), so you don't receive any 
security update for software like Blender. That's not because ITL does not care 
about security, that's because Blender is not a a security-critical component 
like Xen or Linux kernel are. That's the cost of using Qubes in a way it was 
never intended.

> If you have multiple GPU (i.e. integrated + NVidia), it is possible with Xen 
> to do GPU pass-through (Assign the NVidia GPU to a dedicated VM) however:
> - It is far from trivial and only limited setups are known to work

Right.

> - The security of it is not as robust (I can't remember where I read that, I 
> think it was in the GPU Pass-through page of the Xen wiki)

I guess one of potential reasons: Some people have succeeded only without 
stubdom, i.e., with QEMU running in dom0.

V6

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/41aa2710-cfbf-4b9a-a432-d4666a0d5346%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: GPU?

[Alex Dubois]

On Thursday, 18 January 2018 21:00:19 UTC, Alex Dubois  wrote:
> On Sunday, 14 January 2018 07:12:24 UTC, ro...@tuta.io  wrote:
> > Is qubes able to use the computing power of the gpu or is the type of gpu 
> > installed a waste in this issue?
> 
> You can use GPU computing in Dom0 with the assumption that:
> - You trust the software you plan on using
>- 3D design software such as Blender
>- GPU compute such as CUDA libs, Tensorflow, Keras, etc..
> - You only create assets/code and export them out of Dom0
> 
> If you have multiple GPU (i.e. integrated + NVidia), it is possible with Xen 
> to do GPU pass-through (Assign the NVidia GPU to a dedicated VM) however:
> - It is far from trivial and only limited setups are known to work
> - The security of it is not as robust (I can't remember where I read that, I 
> think it was in the GPU Pass-through page of the Xen wiki)
> 
> I have tried with limited success few years back (only one boot and was never 
> able to get it back after)...

Sorry forgot to mention that GPU pass-through also require another monitor (or 
switch input...).
It may also be much easier to only use it as a Compute GPU (you keep the UI via 
Qubes-Dom0)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/039bb36d-c45a-44bc-8479-0db627db2cc2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: GPU?

[Alex Dubois]

On Sunday, 14 January 2018 07:12:24 UTC, ro...@tuta.io  wrote:
> Is qubes able to use the computing power of the gpu or is the type of gpu 
> installed a waste in this issue?

You can use GPU computing in Dom0 with the assumption that:
- You trust the software you plan on using
   - 3D design software such as Blender
   - GPU compute such as CUDA libs, Tensorflow, Keras, etc..
- You only create assets/code and export them out of Dom0

If you have multiple GPU (i.e. integrated + NVidia), it is possible with Xen to 
do GPU pass-through (Assign the NVidia GPU to a dedicated VM) however:
- It is far from trivial and only limited setups are known to work
- The security of it is not as robust (I can't remember where I read that, I 
think it was in the GPU Pass-through page of the Xen wiki)

I have tried with limited success few years back (only one boot and was never 
able to get it back after)...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a9604c45-de67-4a9c-94cd-6b85735f6159%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: GPU?

[Elias Mårtenson]

On Tuesday, 16 January 2018 04:02:13 UTC+8, Vít Šesták  wrote:
> It might be possible, just no one has implemented it in a way that does not 
> require complex processing by trusted parts of system.
> 
> There is an attempt called XenGT (for Intel iGPUs), but I am not sure about 
> its state and at least it is not integrated to Qubes yet.

I'm sure that if someone wants to take it up as a GSoC project, a lot of people
would be very happy. :-)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4bb5de18-3a7c-4ce0-8d1e-ecdad5d2e4b9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: GPU?

[Vít Šesták]

It might be possible, just no one has implemented it in a way that does not 
require complex processing by trusted parts of system.

There is an attempt called XenGT (for Intel iGPUs), but I am not sure about its 
state and at least it is not integrated to Qubes yet.

Regards,
Vít Šesták 'v6ak'

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8f99b20c-82c8-4771-9cfc-460883e2d10a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: GPU?

[demiobenour]

Why is it not possible to securely virtualize the GPU?

On Sunday, January 14, 2018 at 6:08:37 AM UTC-5, Vít Šesták wrote:
> Qubes does not have GPU virtualization for security reasons. As a result, 
> additional GPU is used only in dom0 (od GuiVM in future). GPU might be useful 
> for:
> 
> * additional output like HDMI (well, good luck…)
> * window manager acceleration (but integrated GPU usually does the job well 
> for less power)
> * GPU passthrough to a VM (It might work, but it is not officially not 
> supported and much work will be needed. Also, if the VM can rewrite GPU 
> firmware, the GPU can perform a DMA attack during boot.)
> 
> When selecting my last laptop, I've decided to choose one without additional 
> GPU. First, I don't need it much. Second, it adds some hassle. It would be 
> ideal to have it switched off in order not to comsume power (=> lower heat, 
> more quiet laptop, better battery life). On the other hand, I remember having 
> HDMI output wired to the additional GPU, which was rather PITA. I was able to 
> get it somehow working on my old laptop, but it used to crash X11.
> 
> HDMI through additional GPU will reportedly get better with Wayland, but we 
> are not there yet.
> 
> Regards,
> Vít Šesták 'v6ak'

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e7300b2d-4d9a-4070-bdb3-4c8ca6a3e9f3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: GPU?

[Vít Šesták]

Qubes does not have GPU virtualization for security reasons. As a result, 
additional GPU is used only in dom0 (od GuiVM in future). GPU might be useful 
for:

* additional output like HDMI (well, good luck…)
* window manager acceleration (but integrated GPU usually does the job well for 
less power)
* GPU passthrough to a VM (It might work, but it is not officially not 
supported and much work will be needed. Also, if the VM can rewrite GPU 
firmware, the GPU can perform a DMA attack during boot.)

When selecting my last laptop, I've decided to choose one without additional 
GPU. First, I don't need it much. Second, it adds some hassle. It would be 
ideal to have it switched off in order not to comsume power (=> lower heat, 
more quiet laptop, better battery life). On the other hand, I remember having 
HDMI output wired to the additional GPU, which was rather PITA. I was able to 
get it somehow working on my old laptop, but it used to crash X11.

HDMI through additional GPU will reportedly get better with Wayland, but we are 
not there yet.

Regards,
Vít Šesták 'v6ak'

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2ad472cf-d74c-4a5c-970d-04e9b5018aca%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: GPU passthrough: 2000 USD bounty

[Grzesiek Chodzicki]

That escalated quickly...

Guys come on, this was supposed to be gpu passthrough thread not pc fanboy vs 
console fanboy thread.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/657bb49c-5425-4978-836d-ea6bd729b855%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: GPU passthrough: 2000 USD bounty

[taii...@gmx.com]

On 04/25/2017 11:29 AM, cooloutac wrote:


You have a ps4 and you want to game on the pc?  why?  Pc gaming died a decade 
ago cause piraters, cheaters, and ddos.
What? there are still many decent new games being released. I play BF4 
and only encounter obvious cheaters once in a blue moon and they always 
get banned by stat based anti-cheat like fairfight (server side 
anti-cheat is the only way to go, no bullshit kernel drivers required 
either)


Consoles suck, even the new versions of the PS4/Xbone can't play at 
native resolutions with at least 60FPS and once the OEM shuts down the 
servers your games are useless - people are still playing BF1942 because 
they were able to easily reverse engineer a master server and anyone can 
DL the server files but that wouldn't be possible on a console.
Not to mention the DRM and always-online requirements for singleplayer 
games (yeah PC is DRM'ed too, but there are still great AAA games that 
get released without it such as The Witcher 3 and the Metro series)


Piracy doesn't result in bad game sales, only bad games do and denuvo 
proves that - the witcher 3 released without DRM sold many more copies 
in the first week than Mass Effect 3.


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f94c762c-836e-5ecc-4157-eab7e148fe2c%40gmx.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: GPU passthrough: 2000 USD bounty

[cooloutac]

On Tuesday, April 25, 2017 at 11:29:51 AM UTC-4, cooloutac wrote:
> You have a ps4 and you want to game on the pc?  why?  Pc gaming died a decade 
> ago cause piraters, cheaters, and ddos.
> 
> League of Legends is the only pc game on windows I would consider "popular" 
> tks to asian countries who take e-sports as serious as football. But On Linux 
> the only popular games are cs:go and Dota2 and unless you're a gaming pro or 
> someone who doesn't mind trolls, that would be sadistic...lol
> 
> I would stick to single player games for consoles until they start jailing 
> kids like in Japan and Korea.  Man do I miss ea-sports on the pc. 95-2005 was 
> a great decade.
> 
> Hardware industry has been steady tankin since, and I don't blame tablets or 
> smartphones.  I built a computer for the first time in years only for Qubes,  
>  but no way I'd waste money on a gaming rig for me and my hardware to get 
> abused.

Actually I called dota2 and cs:go popular, but only by linux standards.  
millions at a time playing LoL compared to maybe 50,000 playing dota2, 20,000 
playing cs:go and I'm sure those numbers are fabricated. And thats world wide.

And I find it such a shame that only moba games are popular.  But they are the 
hardest games for anarchists to undermine I guess...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7986fe73-7b69-487b-981f-8d47f37ce9ab%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: GPU passthrough: 2000 USD bounty

[cooloutac]

You have a ps4 and you want to game on the pc?  why?  Pc gaming died a decade 
ago cause piraters, cheaters, and ddos.

League of Legends is the only pc game on windows I would consider "popular" tks 
to asian countries who take e-sports as serious as football. But On Linux the 
only popular games are cs:go and Dota2 and unless you're a gaming pro or 
someone who doesn't mind trolls, that would be sadistic...lol

I would stick to single player games for consoles until they start jailing kids 
like in Japan and Korea.  Man do I miss ea-sports on the pc. 95-2005 was a 
great decade.

Hardware industry has been steady tankin since, and I don't blame tablets or 
smartphones.  I built a computer for the first time in years only for Qubes,   
but no way I'd waste money on a gaming rig for me and my hardware to get abused.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9b200d00-6591-446f-8ab4-bd5ab0b7f3e1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: GPU passthrough: 2000 USD bounty

[Jean-Philippe Ouellet]

I don't know anything about your specific hardware, but it is true
that secondary GPUs are often not connected to the display itself, but
rather the rendering takes place there and then the rendered frames
are passed back to the host and to the integrated gpu to be put on
your display. From a Qubes perspective I believe this is actually a
very good thing since it means we could keep the integrated GPU
statically assigned to dom0, and keep the qubes gui protocol largely
unchanged. The question would be one of getting the passed through GPU
to render its output to some buffer which we pass back to dom0.

There are still firmware-security issues associated with passing the
discrete GPU between VMs of different trust levels, because someone
who has full control of the GPU may be able to re-flash its firmware
with something that would later perform a DMA attack against the 2nd
VM it's attached to. However, if you only ever wish to pass it through
to a single "gaming" windows HVM or such, this is not a problem.

The reason integrated GPUs are interesting in this regard is that they
do not have firmware which is persistently stored on the device,
rather it is loaded externally on each power-on and subject to normal
boot-security measures. The thinking is that by rebooting between
assigning your integrated GPU to different VMs, you prevent one from
compromising another via the GPU by making GPU compromise ephemeral.

As for previous successes requiring upstream-QEMU in dom0, the problem
here is that Xen only supports a very old forked QEMU in stubdomains,
but this is something that will change. Progress in this area has
stalled because there was an effort to run QEMU in a very minimal
unikernel-style environment, but this effort has been abandoned and
work is now underway towards making it run on top of linux (still in a
separate stubdomain), which should take less work to bring to a usable
state than the previous minimal-stubdom effort.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_CNR4BYGtkjhYoNhSS32JEQyts7n_o3-snNu_B90oN1sQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: GPU passthrough: 2000 USD bounty

[Grzesiek Chodzicki]

With latest version of Xen it is possible to pass through a PCI device to a HVM 
(without running qemu in dom0) so we could at least try. I have one gpu in my 
system but somebody here ought to have two.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b5cf8707-33b9-4850-ab0a-2bfdfc600a52%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: GPU passthrough: 2000 USD bounty

[Stickstoff]

On 04/21/2017 10:13 PM, pixel fairy wrote:
> havent tried this yet, but you can stream from ps4 to windows (or 
> mac), the requirements are pretty light and imply no need for 
> accelerated graphics on the client end. please mention me if you try
>  this and post back to the group. i have a ps4, but still working on
>  getting qubes running.
> 
> if your willing to get a separate system for games, the nintendo 
> switch looks pretty nice on paper. havent seen one in person yet.

There are several streaming solutions. Steam does it natively [1],
Nvidia has something [2], and there's an OSS implementation of that
Nvidia thing [3].
I, personally, would rather get some additional computerhardware instead
of a gaming console. More versatile and reusable later on.


On 04/22/2017 03:02 AM, Grzesiek Chodzicki wrote:
> IIRC secondary GPU passthrough won't work on laptops because the 
> discrete GPU is a render device and not a full display device (it's 
> not directly connected to the laptop display or the video outs, instead
> it's framebuffer is copied to the framebuffer of the integrated GPU that
> handles the actualy physical displays) Copying the framebuffer between
> VMs with minimal latency sounds challenging.

That's bad news. Thanks for the hint.
I suppose copying the framebuffer still is more reasonable than
streaming the game over ethernet, which, surprisingly, works quite good
with [1] to [3].

>  Although I remember one guy
> on this group that successfully passed through an AMD GPU to a Windows
> VM and was able to play games in the VM. This was a desktop PC though.

Yes, I remember that too. He installed quemu in DOM0 for this, which is
too much of a security compromise for me.


On 04/22/2017 12:57 PM, Mathew Evans wrote:
> Biggest issue that limits you with nvidia is the fact that drivers
> detect that it is running in a VM / HVM etc.. It is possible to get
> nvidia drivers installed into Qubes (dont recommend it) and then you
> can pass a prime device through to a app VM with little issue. Ive
> done this for doing cuba-cat for password cracking and it works but
> you wont get any output on the screen at all. (goto dump to file)

You mean you installed the nvidia drivers in DOM0? Yes, I'd avoid that
on my regular system.

> Would love to play games on Qubes though. implenetation of OpenGL for
> the Qubes GFX driver would go a very very long way.

I tried to force software rendering in the VM, no luck even with that.

There are projects which split the opengl driver into a local proxy-like
part and a remote actually-rendering part, I found at least three [4] of
them. Maybe that would be usable? The rendering part would have to run
in DOM0 though, and I'm not sure if we could trim it down enough to
trust it though.
Heck, even just connecting to the rendering part via network would be a
good start I guess.


So, I'm not even sure what is technically possible, with 3D acceleration
in a VM (from GPU passthrough or rendering-proxy) without compromising
security of the system? There's thunderbolt for external pci too. Is any
of those ideas even possible?


Ente


[1] http://store.steampowered.com/streaming/
[2] https://www.nvidia.com/en-us/shield/games/gamestream/
[3]
https://github.com/moonlight-stream/moonlight-docs/wiki/Moonlight-Overview

[4]
https://www.mesa3d.org/osmesa.html
https://arrayfire.com/remote-off-screen-rendering-with-opengl/
http://www.virtualgl.org/About/Introduction

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a2322f0d-e2c8-7821-8dc3-11f98878337a%40posteo.de.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: OpenPGP digital signature

[qubes-users] Re: GPU passthrough: 2000 USD bounty

[Mathew Evans]

Biggest issue that limits you with nvidia is the fact that drivers detect that 
it is running in a VM / HVM etc.. It is possible to get nvidia drivers 
installed into Qubes (dont recommend it) and then you can pass a prime device 
through to a app VM with little issue. Ive done this for doing cuba-cat for 
password cracking and it works but you wont get any output on the screen at 
all. (goto dump to file) 

Would love to play games on Qubes though. implenetation of OpenGL for the Qubes 
GFX driver would go a very very long way.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fe1cec66-d729-4d0a-9be6-004ed041fb16%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: GPU passthrough: 2000 USD bounty

[Grzesiek Chodzicki]

W dniu piątek, 21 kwietnia 2017 21:55:07 UTC+2 użytkownik Stickstoff napisał:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> Hello everyone,
> 
> I would like to be able to do a little gaming on my regular computer
> from time to time, for sanity reasons. I use Qubes OS on a dual GPU
> notebook. I don't want to compromise security with unsafe code in DOM0
> nor dual booting. My budget towards this is up to 2000 USD.
> 
> Options I can think of (ordered by preference):
> 
> - - put 2000 USD to a bounty for programming of general (secondary) GPU
> passthrough to an app-VM (including consumer nvidia GPUs)
> 
> - - replace my computer with an nvidia quadro equipped computer, put
> whats left of the 2000 USD towards a bounty to get ATI and nvidia
> quadro GPUs (apparently both easier to do than consumer nvidia GPUs)
> 
> - - buy an additional computer and stream the gaming via VNC or the like
> to a Qubes app-VM
> 
> - -buy and use an additional computer
> 
> 
> Gaming on Qubes is a niche and unrelated to its real goal. Still, it
> would open new possibilities with running different OS' in VMs with
> hardware acceleration, from gaming to grafics rendering to video
> editing to scientifical calculations. It would be a big step towards
> one-system-fits-all for the security conscious.
> If some universally useable code came from this, it would make
> migration from windows to "regular" linux distros much easier for a
> lot of people who still need some gpu-dependent windows function.
> 
> I understand that 2000 USD is probably too little for a project of
> such magnitude. Maybe it's a start of a bounty that becomes big enough
> for this.
> 
> What do you people think? Or am I overlooking other options?
> Kernel 4.10 adds "virtual GPU support" [1], will that make things
> easier?
> 
> Cheers,
> 
> Stickstoff
> 
> 
> [1]
> http://news.softpedia.com/news/linux-kernel-4-10-officially-released-wit
> h-virtual-gpu-support-many-features-513077.shtml
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2
> 
> iQIcBAEBCAAGBQJY+mOSAAoJEPyQPtcO3Q1iyc4P/3u79Lx+8vXJ1/wyfcoKljI6
> LYVEIC5ZaUNNl1k14rOL69V3Ndf3AFTPdRLUV9j5pvqpBCRHzrokKAJJ32vfQg6R
> 8uiJaDaYgje8RYUDx8K4U3oq69ETWx1aLYANnp5gV71IoMES2mK+XOW71+EhfjhF
> GE7XQob/dgYXLWRHExarTGy1Rr+Nr3rScdGc3mAWAPqlreN58OZmkS0T/K7HCCcR
> NPDpne7Pljb6MM8rBb9cZcG4Vz6nHOdJyuKKqEnquYLU8hoKsFEO90k7xK1GEFP1
> iyBwK7yV0vauLmaHkf4HXN3PMRo4Hhuz2RfrHkW+AP0j5wIaqk4Wq2FZFvxz4C3n
> ErQrYgqHi7eFrcBm+rwSedbi6BfgYqK15lRRqXwLsYbMUKdaN1eYnYpLKV/sl6UK
> FGv9Y08G44ZPhNS5JAGbxBdvsKe+Nde0V/H/u8MzRXCLmkk8XKRbKyf+lQ5ZTmtd
> r+XLmWiQ5DwOKUi24h8pMltngWc/nqhSDMy7mbf4JBBhjWV1T3o0o4MDg4YatR4d
> x8vDs64U4A1lqTMbw+U4mZU2crka4xSFJ+OZk3h76heIrVF/jOwGzGpKGFL0+cHH
> yDWFQj8r+PZ/BHChkJluthD0mj1bkDebilA33K1tMXOvbA3/Xd+1WDg1Q9YvskNv
> ExN45lREneOMcWeLiHUV
> =Up+F
> -END PGP SIGNATURE-

IIRC secondary GPU passthrough won't work on laptops because the discrete GPU 
is a render device and not a full display device (it's not directly connected 
to the laptop display or the video outs, instead it's framebuffer is copied to 
the framebuffer of the integrated GPU that handles the actualy physical 
displays) Copying the framebuffer between VMs with minimal latency sounds 
challenging. Although I remember one guy on this group that successfully passed 
through an AMD GPU to a Windows VM and was able to play games in the VM. This 
was a desktop PC though.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/28b8e4a1-ddab-46a1-b6e4-5fe59f5b7842%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: GPU passthrough: 2000 USD bounty

[pixel fairy]

On Friday, April 21, 2017 at 12:55:07 PM UTC-7, Stickstoff wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> Hello everyone,
> 
> I would like to be able to do a little gaming on my regular computer
> from time to time, for sanity reasons. I use Qubes OS on a dual GPU
> notebook. I don't want to compromise security with unsafe code in DOM0
> nor dual booting. My budget towards this is up to 2000 USD.
> 

havent tried this yet, but you can stream from ps4 to windows (or mac), the 
requirements are pretty light and imply no need for accelerated graphics on the 
client end. please mention me if you try this and post back to the group. i 
have a ps4, but still working on getting qubes running.

if your willing to get a separate system for games, the nintendo switch looks 
pretty nice on paper. havent seen one in person yet.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6150e141-d9c2-4172-9268-bb7133cc1f5a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.