Re: [qubes-users] Re: GPU?

2018-01-25 Thread Vít Šesták


On January 25, 2018 5:56:41 PM GMT+01:00, "taii...@gmx.com"  
wrote:
>On 01/18/2018 04:00 PM, Alex Dubois wrote:
>Correct me if I am wrong but I don't see the issue with an apparmor 
>restricted qemu running in dom0...

Well, AppArmor might reduce the attack surface, but remember that:

1. Qubes was not intended to run QEMU in dom0 and
2. Qubes dom0 is often based on outdated Fedora. While ITL provides security 
updates for security-critical components, it does not necessarily cover all 
vulnerabilities in the kernel and AppArmor, because of #1.
3. The Linux kernel is considered quite a bit weaker than Xen in terms of attack 
surface, so exploits in the Linux kernel are more likely. AppArmor might mitigate 
*some* of them, but not all.

Regards,
Vít Šesták 'v6ak'

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/203975FF-A8A0-4EEF-8C0B-20AC09EC19EE%40v6ak.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: GPU?

2018-01-25 Thread taii...@gmx.com

On 01/18/2018 04:00 PM, Alex Dubois wrote:

> If you have multiple GPU (i.e. integrated + NVidia), it is possible with Xen to 
> do GPU pass-through (Assign the NVidia GPU to a dedicated VM) however:
> - It is far from trivial and only limited setups are known to work
> - The security of it is not as robust (I can't remember where I read that, I 
> think it was in the GPU Pass-through page of the Xen wiki)
> 
> I have tried with limited success few years back (only one boot and was never 
> able to get it back after)...

I do this all the time to play games and watch movies.

I recommend either a quality server board or a platform that has libre 
or open source firmware so that IOMMU issues can be fixed if they happen.


Correct me if I am wrong but I don't see the issue with an apparmor 
restricted qemu running in dom0...




Re: [qubes-users] Re: GPU passthrough: 2000 USD bounty

2017-04-25 Thread Grzesiek Chodzicki
That escalated quickly...

Guys, come on, this was supposed to be a GPU passthrough thread, not a PC fanboy vs. 
console fanboy thread.



Re: [qubes-users] Re: GPU passthrough: 2000 USD bounty

2017-04-25 Thread taii...@gmx.com

On 04/25/2017 11:29 AM, cooloutac wrote:

> You have a ps4 and you want to game on the pc?  why?  Pc gaming died a decade 
> ago cause piraters, cheaters, and ddos.

What? There are still many decent new games being released. I play BF4 
and only encounter obvious cheaters once in a blue moon and they always 
get banned by stat based anti-cheat like fairfight (server side 
anti-cheat is the only way to go, no bullshit kernel drivers required 
either)


Consoles suck, even the new versions of the PS4/Xbone can't play at 
native resolutions with at least 60FPS and once the OEM shuts down the 
servers your games are useless - people are still playing BF1942 because 
they were able to easily reverse engineer a master server and anyone can 
DL the server files but that wouldn't be possible on a console.
Not to mention the DRM and always-online requirements for singleplayer 
games (yeah PC is DRM'ed too, but there are still great AAA games that 
get released without it such as The Witcher 3 and the Metro series)


Piracy doesn't result in bad game sales, only bad games do and denuvo 
proves that - the witcher 3 released without DRM sold many more copies 
in the first week than Mass Effect 3.




Re: [qubes-users] Re: GPU passthrough: 2000 USD bounty

2017-04-25 Thread cooloutac
On Tuesday, April 25, 2017 at 11:29:51 AM UTC-4, cooloutac wrote:
> You have a ps4 and you want to game on the pc?  why?  Pc gaming died a decade 
> ago cause piraters, cheaters, and ddos.
> 
> League of Legends is the only pc game on windows I would consider "popular" 
> tks to asian countries who take e-sports as serious as football. But On Linux 
> the only popular games are cs:go and Dota2 and unless you're a gaming pro or 
> someone who doesn't mind trolls, that would be sadistic...lol
> 
> I would stick to single player games for consoles until they start jailing 
> kids like in Japan and Korea.  Man do I miss ea-sports on the pc. 95-2005 was 
> a great decade.
> 
> Hardware industry has been steady tankin since, and I don't blame tablets or 
> smartphones.  I built a computer for the first time in years only for Qubes,  
>  but no way I'd waste money on a gaming rig for me and my hardware to get 
> abused.

Actually I called dota2 and cs:go popular, but only by linux standards.  
Millions at a time playing LoL compared to maybe 50,000 playing dota2, 20,000 
playing cs:go and I'm sure those numbers are fabricated. And that's worldwide.

And I find it such a shame that only moba games are popular.  But they are the 
hardest games for anarchists to undermine I guess...



Re: [qubes-users] Re: GPU passthrough: 2000 USD bounty

2017-04-25 Thread cooloutac
You have a ps4 and you want to game on the pc?  why?  Pc gaming died a decade 
ago cause piraters, cheaters, and ddos.

League of Legends is the only pc game on windows I would consider "popular" tks 
to asian countries who take e-sports as serious as football. But On Linux the 
only popular games are cs:go and Dota2 and unless you're a gaming pro or 
someone who doesn't mind trolls, that would be sadistic...lol

I would stick to single player games for consoles until they start jailing kids 
like in Japan and Korea.  Man do I miss ea-sports on the pc. 95-2005 was a 
great decade.

Hardware industry has been steady tankin since, and I don't blame tablets or 
smartphones.  I built a computer for the first time in years only for Qubes,   
but no way I'd waste money on a gaming rig for me and my hardware to get abused.



Re: [qubes-users] Re: GPU passthrough: 2000 USD bounty

2017-04-22 Thread Jean-Philippe Ouellet
I don't know anything about your specific hardware, but it is true
that secondary GPUs are often not connected to the display itself, but
rather the rendering takes place there and then the rendered frames
are passed back to the host and to the integrated gpu to be put on
your display. From a Qubes perspective I believe this is actually a
very good thing since it means we could keep the integrated GPU
statically assigned to dom0, and keep the qubes gui protocol largely
unchanged. The question would be one of getting the passed through GPU
to render its output to some buffer which we pass back to dom0.

There are still firmware-security issues associated with passing the
discrete GPU between VMs of different trust levels, because someone
who has full control of the GPU may be able to re-flash its firmware
with something that would later perform a DMA attack against the 2nd
VM it's attached to. However, if you only ever wish to pass it through
to a single "gaming" windows HVM or such, this is not a problem.

The reason integrated GPUs are interesting in this regard is that they
do not have firmware which is persistently stored on the device,
rather it is loaded externally on each power-on and subject to normal
boot-security measures. The thinking is that by rebooting between
assigning your integrated GPU to different VMs, you prevent one from
compromising another via the GPU by making GPU compromise ephemeral.

As for previous successes requiring upstream-QEMU in dom0, the problem
here is that Xen only supports a very old forked QEMU in stubdomains,
but this is something that will change. Progress in this area has
stalled because there was an effort to run QEMU in a very minimal
unikernel-style environment, but this effort has been abandoned and
work is now underway towards making it run on top of linux (still in a
separate stubdomain), which should take less work to bring to a usable
state than the previous minimal-stubdom effort.
