Well, there seems to be a cheaper way to do roughly the same. In a nutshell, you just ensure there is no wire for those two things:
* HEAC+ (audio return channel plus ethernet). HEAC+ is optional and thus safe to remove.
* CEC (remote control input) – This one is a bit more tricky. While CEC is also optional, its wiring is reportedly (via Wikipedia) mandatory. I haven't found this in the specification. Maybe the CEC wire is mandatory for cables (as this is in the 1.0 specification), but it can be completely ignored by both parties. Theoretically, the worst that can (but hopefully won't) happen is a downgrade to single-link digital DVI, effectively restricting the resolution to 1920 × 1200 @ 60 Hz, see below. OTOH, if you don't want to cut CEC, my brief look suggests just a minimal attack surface.
Removing them will keep only two inputs you can hardly get rid of:
* DDC (PIN 15+16) – needed for getting the resolution etc., present even in the current version of VGA. While there is some attack surface, it seems to be rather small.
* HotPlug/HEAC- (PIN 19) – I believe it will work just as hotplug detection if HEAC+ is missing. So, virtually no attack surface.
How to practically cut the wire(s)? You don't have to actually cut the cable etc. There are a few easy options:
a. Use HDMI-to-DVI and then DVI-to-HDMI, both should be passive converters. According to the pinout at http://pinouts.ru/visual/gen/hdmi_dvi_cable.jpg , it seems to cut just the two input wires, i.e., it would do exactly what we want. While this looks like converting to single-link DVI and back, passive converters will probably allow full HDMI without the features we want to get rid of.
b. Use an older cable without the HEAC+ wire. According to the specification, they should exist, but I am not sure if you can find a new one. Useful for a home TV, since it is you who buys the cable. However, such a cable will probably still have CEC. On the other hand, a brief look at CEC does not suggest a large attack surface there.
c. Use a cable without the CEC wire. It is probably nonstandard, but it seems to actually exist: https://www.pulse-eight.com/p/110/cec-less-hdmi-cable. It is not clear whether the cable includes the HEAC+ wire or not.
I suggest verifying the wiring with an ohmmeter.
“Cutting” wires might also be better from a security perspective than a proxy, but it depends. When the proxy is implemented carefully, it might even absorb the attack surface of DDC. It could also protect the device (e.g., a Smart TV) from attacks from a compromised laptop, but this is probably slightly off this topic.
## Should Qubes handle this?
I believe that Qubes should care about it partially, but the developers cannot do everything for you.
First, QubesOS should ignore HDMI ethernet and maybe some other inputs (CEC and ARC) from HDMI. Maybe it already ignores all network devices connected to dom0, but I haven't seen anything that confirms this. Failure to ignore HDMI network in dom0 could make QubesOS more vulnerable to attacks over HDMI than conventional distros are, especially when dom0 is based on an EOLed Fedora version.
On the other hand, QubesOS probably cannot resolve this exposure to its full extent. Imagine an input being processed by GPU firmware, then by the GPU driver, and then rejected by QubesOS. You see, the rejection by QubesOS does not necessarily prevent processing of the input by some parsers running with absolute privileges, either in dom0 or in a DMA-enabled device handled by dom0. QubesOS will hardly fix them, and I consider it to be outside of QubesOS responsibilities.
Regards,
Vít Šesták 'v6ak'