| Question about windows HVM | bradbury9 | 23/01/13 04:51 | Hi, I want to give qubes a try but actually dont have any decent hardware to try it on. On another side I am planning to get a gaming desktop computer so I was thinking maybe I could combine both needs (aka, gaming qubes). There go my questions... - Could be possible to get a windows HVM with DirectX (9.0C) and big amount of RAM (minimum 6 GB)? If not, does default qubes installation allow dual boot? - Any plans on allowing HVM get fullscreen or is there any security risk? - Is it posible to get a templateVM (probably ubuntu or mint) with OpenGL? BTW, you guys are doing a great job providing security to regular users. |
| Re: [qubes-devel] Question about windows HVM | joanna | 23/01/13 05:20 | At this moment (Release 2) there are no plans to add DirectX/OpenGL/GPU
support for AppVMs. However, given the fact you're building a custom desktop, you might try adding another GPU card and try to pass it through one of the HVMs (I guess qvm-pci should do the work as with any other PCIe device, although I never tried that). So you will want to pass your powerful GPU to the HVM, and leave some old GPU at dom0 for the standard Qubes desktop. Do let us know if that worked or not! joanna. |
| Re: [qubes-devel] Question about windows HVM | Marek Marczykowski-Górecki | 23/01/13 05:23 | As a follback option you can setup dual boot environment (manually, but
doable). Don't forget about Anti Evil Maid to protect /boot against the other system. -- Best Regards / Pozdrawiam, Marek Marczykowski Invisible Things Lab |
| Re: Question about windows HVM | bradbury9 | 23/01/13 08:41 | Joanna, Marek, thanks for the info, greatly appreciated. I will try Joanna advice and, if failed, Marek's one. Will have two gaming HVM One for a fedora17 (or ubuntu) HVM. Steam has Fedora 17 and ubuntu packages/repo (with debian or mint some tweaks must be done to the deb package, wrong dependencies on the Steam deb package) so with the correct packages should work fine. The other one for HVM (windows) using qvm-pci. My plan is to get the hardware in about a couple of months, will let you know if works fine, emailing to update HCL. Many games try to get fullscreen, would it cause problems with the HVM? |
| Re: [qubes-devel] Re: Question about windows HVM | Marek Marczykowski-Górecki | 23/01/13 08:49 | On 23.01.2013 17:41, bradbury9 wrote:The fullscreen inside of HVM will fill whatever it get as screen - VM window in case of emulated GPU, real fullscreen in case of real GPU. |
| Re: [qubes-devel] Re: Question about windows HVM | Alex Dubois | 24/01/13 00:54 | Hi Joanna,
I thought you said the dedicated GPU, if NVidia could act as an attack vector? If not I'll give it a go too... Alex |
| GPU passing to HVM (was: Re: [qubes-devel] Re: Question about windows HVM) | joanna | 24/01/13 01:10 | > On 23 Jan 2013, at 16:49, Marek Marczykowski <marm...@invisiblethingslab.com> wrote:On 01/24/13 09:54, Alex Dubois wrote:> Hi Joanna, >Well, sure, passing such complex device as a GPU to untrusted domain does have some risks -- e.g. modern GPUs (some at least) do have their own reflashable firmware and we never cannot be sure whether the untrusted VM won't find a way to modify it (in fact we have confirmed this in practice for some GPUs we tested). Then, the compromised firmware, could theoretically attack the platform boot sequence, and I don't think neither SRTM nor even Intel TXT could stop it then. In practice I've never seen a successful attack of this kind, mostly because GPU's internals are not documented for most (all?) GPUs, so even if an attacker found a way to reflash the GPU's firmware, it would be hard for them to actually write some sensible one, knowing nothing about the underlying architecture. Theoretically the same could happen when one passes other PCIe devices, such as network cards, or USB controllers. On the other hand, it seems much less likely to find a way to reflash firmware on such "simple* devices -- at least I've never seen this happening in practice on modern hardware (e.g. on integrated devices in laptops). Here we talk about a situation when we pass GPU to one VM and leave it there (this, of course, assumes we have two or more monitors also), specifically we don't switch it constantly between Dom0 and some untrusted VM. In this case (which is also hard to support without special additional code in the hypervisor) the attack surface would likely be much larger, I think. My personal advice -- unless you are a Flame or Red October admin, or otherwise high-profile target, you should probably be safe trying 2nd GPU pass-thorugh to your gaming/personal HVM ;) joanna. |
| Re: GPU passing to HVM (was: Re: [qubes-devel] Re: Question about windows HVM) | Alex Dubois | 24/01/13 09:01 | OK I'll give it a go then...
Alex |
| Re: GPU passing to HVM (was: Re: [qubes-devel] Re: Question about windows HVM) | bradbury9 | 27/01/13 09:01 | Please, when you do it, please tell me about the results or send the
info to the mailing list. I am considering in buiding a i7 with an
expensive gpu to try qubes on it and if it does not work i will modify
the build. |
| Re: GPU passing to HVM (was: Re: [qubes-devel] Re: Question about windows HVM) | Alex Dubois | 27/01/13 15:31 | Ok but very busy. Planed for test in 2 weeks... Alex
|
| Re: GPU passing to HVM (was: Re: [qubes-devel] Re: Question about windows HVM) | bradbury9 | 15/02/13 11:16 | Just tried passing GPU with "qvm-pci -a"... It turns out there is some problem passing GPU via qvm-pci. Looks like Xen does not like it very much when it comes with GPU's. $qvm-start gamingLinux libxl: error: libxl_pci.c:767:libxl_device_pci_reset The kernel doesn't support reset from sysfs for PCI device 0000:01:00.0 libxl: error: libxl_pci.c:726:do_pci_add xc_assign_device failed libxl: error: libxl_pci.c:477:libxl__wait_for_device_model Device Model not ready libxl: error: libxl_pci.c:641:libxl__pci_notify_device_model qemu refused to add device: 0000:01:00.0 The GPU is a Geforce GTX 680. Is there any qvm-pci option or can the HVM config files be edited to make Xen allow those commands?
|
| Re: GPU passing to HVM (was: Re: [qubes-devel] Re: Question about windows HVM) | bradbury9 | 15/02/13 12:25 | I was looking in Xen PCI passthrough wiki[1] and I realized that my GPU does not seems to not support 'FL Reset', dunno what the hell it is, but it seems that is the way Xen implements the reset of the GPU, although it is not the only way (if vmware sees device does not support FLR it tries 2 or 3 other ways to reset it). Later I found some info there they recommend Ati cards and discourage Nvidia :-( [2], a list of Ati and Nvidia out-of-the-box working GPU's[3] and some Xen patches[2] that a guy created to make work a unsupported Ati. [1]: http://wiki.xen.org/wiki/Xen_PCI_Passthrough#How_can_I_check_if_PCI_device_supports_FLR_.28Function_Level_Reset.29_.3F [2]: http://wiki.xen.org/wiki/SecondaryGPUPassthrough [3]: http://wiki.xen.org/wiki/XenVGAPassthroughTestedAdapters [4]: http://old-list-archives.xen.org/archives/html/xen-devel/2010-05/msg00441.html Hope it helps others, as long as it will make me dualboot :-( Any hint on how to dualboot with Qubes? Guess that the steps are: 1- Install Qubes leaving unpartitioned space 2- Install windows in the free space 3- Boot with Qubes installer and reinstall the grub. Dunno how to do this. |
| Re: GPU passing to HVM (was: Re: [qubes-devel] Re: Question about windows HVM) | Cosmic Charade | 02/03/13 18:09 | |
| Fwd: GPU passing to HVM (was: Re: [qubes-devel] Re: Question about windows HVM) | bradbury9 | 03/03/13 04:02 | ---------- Forwarded message ---------- From: gorka - <ray.br...@gmail.com> Date: 2013/3/3 Subject: Re: GPU passing to HVM (was: Re: [qubes-devel] Re: Question about windows HVM) To: Cosmic Charade <cosmic...@gmail.com> If you try with a a NVidia you have three choices: a) Use one of the cards that the Xen guys have tested and discovered to work [1]. There are some NVidia cards in that list, but there are some of the Quadro branch (6000, 5000, 4000, 2000) and not the GTX branch. Ati cards are mostly supported.c) Using Xen 4.2 there is some weird steps that I haven tested and to be honest I fail to fully undestand, extracting the GPU EPPROM and patching Xen [4]. Be warned that Qubes uses 4.1, not 4.1 so b) option would apply. Hope this info helps. [1] http://wiki.xen.org/wiki/XenVGAPassthroughTestedAdapters [2] http://old-list-archives.xen.org/archives/html/xen-devel/2010-05/msg00441.html [3] http://en.usenet.digipedia.org/thread/11820/45042/ [4] http://wiki.xen.org/mediawiki/images/0/0a/Xen_VGA_Passthrough_-_Version_2.1.pdf I am not a linux programmer, so cannot try to patch Qubes with [2] patches withouth messing it. Besides maybe the secondary GPU passthougthrough is not the the desired way to get GPU acceleration, am i wrong Joanna, Marek? |
| Re: GPU passing to HVM (was: Re: [qubes-devel] Re: Question about windows HVM) | Cosmic Charade | 04/03/13 02:42 | If I am reading this correctly, I have to pass through graphics from Windows to Xen (which is what I was thinking before I re-read this so maybe it now makes sense). Ideally, there would be some driver I could just install in Windows that handles all that. What about the hypervisor itself, doesn't that need an Nvidia hardware level driver? At the moment it looks like the VM's are all software rendered, I'm not sure how I'd check though. |
| Re: GPU passing to HVM (was: Re: [qubes-devel] Re: Question about windows HVM) | bradbury9 | 04/03/13 06:38 | Please, correct me if my guess is wrong. Qubes: Xen is installed under linux. Runs windows VM What you want: Xen is installed under _windows_. Runs windows VM Is that correct? In that case the info you may find in this group to passthrough a secondary GPU to a windows HVM may be mostly useless. Some of the steps required (Xen patching, loading specific _linux_ kernel modules) are linux specific. In my opinion, something similar would be needed if Xen is installed within windows, specially the loading modules (windows nvidia drivers) part, but I am not an expert in Xen. I would suggest you could find some help in official Xen wiki and devel mailing list if trying to do it in a Windows -> Windows passthrough. |
| Re: GPU passing to HVM | joanna | 04/03/13 10:08 | On 03/04/13 11:42, Cosmic Charade wrote:Yes, ideally the driver from nvidia.com. The hypervisor needs to know nothing about the specifics of the device you passthrough. I have no idea what you mean by "software rendered" in this context. joanna.
>> From: gorka - <ray.br...@gmail.com <javascript:>>>> 2013/3/3 Cosmic Charade <cosmic...@gmail.com <javascript:>> |
| Re: GPU passing to HVM | joanna | 04/03/13 10:12 | On 03/04/13 15:38, bradbury9 wrote:Correcting, as requested. Xen cannot be installed "under Linux" -- after all it's a _baremetal_ hypervisor, right? Ignoring the rest of the post. joanna. |
| Re: GPU passing to HVM | Cosmic Charade | 04/03/13 12:27 | ah yeah, Xen is not installed 'under' anything, it 'is' the very thing that other things are installed 'under' - hence the term 'hypervisor'. So if I install the binary Nvidia driver within the Windows 8 environment, won't this break something? Or may it in fact work? I'm not so concerned about something as ultra complex as games, which I can boot in to a native Windows 8 for, I just want the graphics card to support at least desktop compositing and playing videos and whatever. As for 'software rendering' - I mean in the days of yore in Linux when hardware graphics often didn't work for lack of a driver, so all the rendering was done in software or by the CPU instead of the GPU and it showed - as in windows not being smooth and just looking like the CPU rather than GPU was doing all the graphics work. Which is not what CPU's are for. And I don't want to spend my days living in a text terminal if I can help it (as useful as I find a terminal, but within a GUI environment thank you!) So if Xen doesn't need a graphics driver, where would I install it? Can I install the Nvidia graphics driver under the Fedora VM and Windows HVM? Won't those two VM's then clash or something? Thats why I wondered if the hypervisor had to 'mangle' all the graphics stuff together from all the various VM's. And on the Wiki page, it says Nvidia driver not compatible with Xen - is this true? |
| Re: [qubes-devel] Re: GPU passing to HVM | joanna | 04/03/13 13:19 | On 03/04/13 21:27, Cosmic Charade wrote:In your Windows HVM. j. |
| Re: [qubes-devel] Re: GPU passing to HVM | Cosmic Charade | 06/03/13 20:44 | OK this is my lack of technical understanding coming through. So the Xen hypervisor does *not* require a graphics driver, but each VM does? What would happen if I installed the Linux Nvidia binary driver in the Fedora default VM's, and the binary Nvidia driver in a Windows 8 VM? Wouldn't they clash or something? I don't want to play games (I'll use a bare metal Windows for that), but I may want to watch some basic / streaming media or full screen video (not DRM protected blu-ray's - but possibly .mkv or other video files).
On 03/04/13 21:27, Cosmic Charade wrote:> So if Xen doesn't need a graphics driver, where would I install it? |
| Re: [qubes-devel] Re: GPU passing to HVM | Radosław Szkodziński | 06/03/13 22:50 | On Thu, Mar 7, 2013 at 5:44 AM, Cosmic Charade <cosmic...@gmail.com> wrote:You can redirect the GPU only to one virtual machine at a time. The real question is whether the driver correctly resets the card, so you can attach it again. For example Catalyst drivers did not (10.12 or so - first version with Radeon 7950 support) - but xm's old way of reset worked well. Perhaps someone should patch that into xl as well for cards w/o FLR like that one. Theoretically Qubes GUId may be just about fast enough for full screen video, if your CPU is fast enough to decode it in software with some remaining power, as the GUI protocol is relatively CPU intensive. It is too slow for fullscreen Flash though - that thing has very slow software decoding and/or scaling. (CPU here: Xeon E3 1275) -- Radosław Szkodziński |
| Re: [qubes-devel] Re: GPU passing to HVM | Cosmic Charade | 07/03/13 00:36 |
Works for me.. So I just install the binary drivers in to each VM environment and I'm good to go.
And here's the catch :-) Only one way to find out I suppose.
Qubes GUID? You mean the X server and the like in the Fedora VM's or by the hypervisor itself? Ideally software decoding would be shunted to hardware wherever possible as most PC's have this sort of hardware built in now (decode acceleration), but even so the binary driver run everything just fine I would have thought.
Should be fine with binary drivers, I'll find out. -- |
| Re: [qubes-devel] Re: GPU passing to HVM | bradbury9 | 07/03/13 02:00 |
That's the main problem with most NVidia cards. |
| Re: [qubes-devel] Re: GPU passing to HVM | Cosmic Charade | 07/03/13 19:16 | That blows... Is there any way to compensate for the lack of a reset command in NVidia cards? I'm fine with hardware lock to each VM as they are used although I'm not sure how this would work with windows from different VMs displaying simultaneously. |
| Re: [qubes-devel] Re: GPU passing to HVM | bradbury9 | 07/03/13 23:49 | On the links I provided there was a guy that workarounded that problem configuring the HVM to not to reset the device, but I share Radoslaw opinion. It would be wiser to patch the code. Is vmware code publicy accesible? they do two different alternative ways to reset if FLR is not available. El viernes, 8 de marzo de 2013 04:16:13 UTC+1, Cosmic Charade escribió:
|
| Re: [qubes-devel] Re: GPU passing to HVM | Radosław Szkodziński | 08/03/13 08:08 | On Fri, Mar 8, 2013 at 8:49 AM, bradbury9 <ray.br...@gmail.com> wrote:Xend has the right reset code, tries: FLR, then P-states warm reset, then P-states power off, and if all fails, PCI bus reset. This is obviously available. -- Radosław Szkodziński |
| Re: [qubes-devel] Re: GPU passing to HVM | Cosmic Charade | 08/03/13 12:45 | PCI bus reset sounds a bit harsh? Could that damage hardware in any way? -- |
| Re: [qubes-devel] Re: GPU passing to HVM | Radosław Szkodziński | 08/03/13 13:20 | On Fri, Mar 8, 2013 at 9:45 PM, Cosmic Charade <cosmic...@gmail.com> wrote:No, at worst it will result in a hardware hang with associated file system damage, if any at all. Perhaps even necessitating a full power cycle. -- Radosław Szkodziński |
| Re: [qubes-devel] Re: GPU passing to HVM | Cosmic Charade | 08/03/13 16:37 | So it is a harsh method but could work then... may need a way to soft restart PC if it hangs then -- |
| Re: [qubes-devel] Re: GPU passing to HVM | kod.c...@gmail.com | 15/12/13 09:21 | Xend has the right reset code, tries: FLR, then P-states warm reset, I agree, this is most probably available unless something in kernel is off, or if not using xend, because i think with xl things got broken. Maybe xl will get fixed in future, but doubtly, and for the time being is probably better to have xend. IMHO, the security issue of VGA passthrough might have other perspective. If there is something there smart enough to encode itself in the video card, it will boot by simple power on, and has own resources and physical access regardless if its used as device or not. Let your imagination wild, write your own microcode etc. I think this is why the idea is so attractive. So the security might be already compromised by the video card just *being there*. If it is passed throguh, actually might just help keeping connectivity busy, might force ware into hiding mode. So dunno how much this is right or wrong, but *my os accessing the video card* might just not be same with *video card accessing me*. At the very least i am inclined to think like so. Hard virtualization is coming and imho it will bring many changes, weather we like it or not. Ex many OS-es will become bundled apps. Degraded from os to apps status. Want some programs for say electronics, fire up fedora-electronic-lab in a vm, and you got it all, but thats not an os anymore, its a bundle of apps that just dont bother with incompatibilities. Schools use spins that are tailored for certain topics. Are you a game maker, make your own os to be your game engine. Ultimate cross-platform. Not there yet, but coming. I think this aspect and what it means is largely underestimated. If someone today would officially support vga passthrough out of box, it would gain an immense momentum right now. Or will be bought out by another co, probably to delay things and help ms's hyper-v. But doing the same thing 2-3 years from now when everyone will have the feature, it wont mean anything then. Again this is just my opinion. |
| Re: [qubes-devel] Re: GPU passing to HVM | Radosław Szkodziński | 15/12/13 10:50 | That old thread and I got pinged.
Of course, it has issues like any hardware passing. If the hardware has programmable firmware that survives reboots/resets, then malware could encode into it and exploit the drivers. Therefore you should not attach the device to any more secure domain afterwards; passing it across domains of the same security degree should be fine though. Dom0 does not have to actually run the driver for this device though, but it is an avenue for an attack on the EFI code. Hard to pull off though. Hardware virtualization for GPUs is still some ways off, look at how long it took for CPUs to handle properly. R. |
| Re: [qubes-devel] Re: GPU passing to HVM | kod.c...@gmail.com | 15/12/13 14:42 | I like that. It makes total sense to me to have a secondary video cards locked down in least secure area. If i have a win vm with vga on it, i will certainly play alot of games and each of them will be totally insecure :) The whole point of having it like that is coz the low chances that malware is able to jump the virt jail, jump across os-es, or else. If we do have a malware at a difficulty degree that is able to encode itself into the bios, then probably it is at least equally capable to do the other things, or done it already. Again, with xend this should be already possible for Qubes os, i mean with a secondary video card. Can we get some sort of confirmation if it is or not possible - and i dont mean supported, just possible atm. Does beta3 still use xend api, and can this be played with, any caveats for this under Qubes os? |
| Re: [qubes-devel] Re: GPU passing to HVM | David Schissler | 15/12/13 18:22 | Very true. Who could have thought that GNU/Hurd would would be usable while being virtualized on top of a hypervisor with a GNU/Linux graphical front end. Maybe funnier things have happened? |
| Re: [qubes-devel] Re: GPU passing to HVM | David Schissler | 15/12/13 18:32 | A British company is selling upgraded Thinkpad X60 machines (Core 2 64 bit) with the BIOS replaced by coreboot. http://shop.gluglug.org.uk/product/ibm-lenovo-thinkpad-x60-coreboot/ |
| Re: [qubes-devel] Re: GPU passing to HVM | france...@gmail.com | 25/12/13 09:32 | So... has it been patched? I have a Geforce 740m, in addition to the one integrated in the CPU (i7 Haswell), and I run Beta 3. If I create a HVM and select the GPU to be passed through in the settings, should the guest work with the video card as if it was installed on bare metal? Or will strange things happen? |
| Re: [qubes-devel] Re: GPU passing to HVM | Markus F | 16/01/14 10:34 | Has anyone managed to completely pass any graphics card to a HVM in qubes yet? Or has this thread firmly settled on not-possible-right-now? —
I'm building a PC and would like to use Qubes. Since this means getting components that play nice with VT-d anyway, it seems a shame not to at least try GPU passthrough rather than perpetual system swapping. To this end I am considering getting an intel processor with onboard graphics for Qubes, and an ATI card (R9 280X) to passthrough to a Win8 HVM (with another monitor connection to the card). Right now, I have zero experience with qubes (this will be remedied!), but reasons I think this isn't just a mad wish:
Does that leave any reason why these settings shouldn't work in qubes? Of course, qubes isn't just xen, so I imagine the differences are where the trouble lies, but I don’t yet know where all the differences lie. Security-wise, again I understand that I understand basically nothing, but from Joanna’s reply above, it seems to me that there isn’t too much danger as long as I never assign the GPU to any higher security areas. |
| Re: [qubes-devel] Re: GPU passing to HVM | Alex Dubois | 16/01/14 11:54 | To be tested with xen kernel modifications for HVM vm only I believe to be the status. Alex
|
| Re: [qubes-devel] Re: GPU passing to HVM | Radosław Szkodziński | 17/01/14 06:38 | I've done it a long, long time ago with Radeon 7950 as a secondary
card, but I had to start the VM using xm and not xl, manually. Otherwise the card wouldn't be properly reset on VM shutdown and any future attempt to start a Windows VM with it would cause a hardware hang, while Linux ones would oops. I'll retest this setup soon, but not on Qubes right now. R. |
| Re: [qubes-devel] Re: GPU passing to HVM | coderman | 17/01/14 13:31 | i had success with this same setup, a pair of 6950's, with the second
manually started via xm with specific configuration. important: disable SLI! i could not get this to work reliably when SLI was linked up... this was R1B1, i have not tried since. i may have time to try again, if Radoslaw does not beat me to it. best regards, |
| Re: [qubes-devel] Re: GPU passing to HVM | guyfawkes | 26/09/14 18:49 | Something I found on xen forum about how to determine if FLR function exists on your devices. So my question is does your Radeon 7950 support FLR and if not how did you manage to reset using xm and not xl, manually ? my current set up is t420s with Integrated graphics [intel hd graphics 3000 ( which is basically integrated graphics on cpu)] I7-2620m then on top of this there exists on the mother board also a Nvidia NVS 4200M. Which I want to pass through to my windows 7 vm so I can fully utilize this for gaming. what do you guys think ? before doing a format on this windows system I would like to know your opinion. How can I check if PCI device supports FLR (Function Level Reset)? Run "lspci -vv" (in dom0) and check if the device has "FLReset+" in the DevCap field. If you are Ubuntu/Debian user don't forget to add sudo at front, otherwise, you won't get the result you should get. sudo lspci -vv | egrep -i --colour flreset The above line should get root access for lspci program and show color with flreset it found from output If you see output with "FLReset-" then your PCI device don't support FLR function. If output has "FLReset+" then it does. |
| Re: [qubes-devel] Re: GPU passing to HVM | Radosław Szkodziński | 27/09/14 00:51 | 7950 does not support FLR. However, the card reacts well to PCI reset,
as used to be done by xm - returns to a fully clean state. (In linux, you will need to reload the drivers for it to work again - the firmware has to be reuploaded.) xl depends (or depended?) on the guest OS to reset the card, so you have to reset the card manually via sysfs if using Windows or fglrx. (radeon open driver resets the card properly when unloaded) If you don't reset the card properly, it will hardware hang your system if you try to use it in Windows and Linux will spout kernel error messages. R. |
| Re: [qubes-devel] Re: GPU passing to HVM | guyfawkes | 27/09/14 01:10 | So with my above mentioned set up do you think that I will be able to pass the NVS 4200M to the windows 7 vm and since it does not support FLR what do you recommend so I am able to utilize this fully in the vm ? I am new to linux and all, my current set up is win7 with truecrypt, boot loader on thumb drive. with AES hardware encryption on i7 and bios tpm fingerprint. But I see that the future is in hypervisor's so I want to migrate to such a platform. I bought the t420s soly' on the fact that it was listed in the Qubes os supported hardware. So I would like to utilize this new system much as I can, preferably not to dual boot for gaming, would be defeating the purpose of a hypervisor. |
| Re: [qubes-devel] Re: GPU passing to HVM | joanna | 27/09/14 01:42 | On 09/27/14 09:50, Radoslaw Szkodzinski wrote:Where do you get this info from? |
| Re: [qubes-devel] Re: GPU passing to HVM | Radosław Szkodziński | 27/09/14 01:46 | Got it a long time ago from Konrad when I asked what is the difference
- why xl didn't work and xm did. Not sure it's still accurate though. R. |
| Re: [qubes-devel] Re: GPU passing to HVM | joanna | 27/09/14 01:52 | > On 09/27/14 09:50, Radoslaw Szkodzinski wrote: On 09/27/14 10:42, Joanna Rutkowska wrote:That would be totally wrong, as the guest is normally untrusted. If you cannot point out to specific code to support your statements, and/or are unsure about what you're talking about, please do not make them sound authoritative. And, please, don't remove quoted text, it's useful for referenced. Not everybody is reading this via Google groups Web interface. joanna. |
| Re: [qubes-devel] Re: GPU passing to HVM | guyfawkes | 27/09/14 03:23 | So with my above mentioned set up do you think that I will be able to pass the NVS 4200M to the windows 7 vm and since it does not support FLR what do you recommend so I am able to utilize this fully in the vm ? I am new to linux and all, my current set up is win7 with truecrypt, boot loader on thumb drive. with AES hardware encryption on i7 and bios tpm fingerprint. But I see that the future is in hypervisor's so I want to migrate to such a platform. I bought the t420s soly' on the fact that it was listed in the Qubes os supported hardware. So I would like to utilize this new system much as I can, preferably not to dual boot for gaming, would be defeating the purpose of a hypervisor. |
| Re: [qubes-devel] Re: GPU passing to HVM | Radosław Szkodziński | 27/09/14 05:52 | On Sat, Sep 27, 2014 at 12:23 PM, guyfawkes <guyfaw...@yandex.ru> wrote:It should work with new Xen. I'm not sure which version is in Qubes R3 alpha though, probably still too old. That was the answer I got around Xen 4.2 time though... Qubes is still using 4.1.x, right? So it does not run a full PCI reset on relinquishing passthrough devices, only FLR. Insecure indeed if a device does not support FLR. It was changed around Xen 4.3, now libxl calls into dom0 kernel for PCI reset, which does all kinds of resets. -- Radosław Szkodziński |
| Re: [qubes-devel] Re: GPU passing to HVM | joanna | 27/09/14 06:15 | Xen has been using PCI bus reset as part of do_FLR() since at least 3.x
(was doing that in case the device didn't support FLR). Please back up your claims with specific code refs, or stop spreading misinformation. Thanks, joanna. |
| Re: [qubes-devel] Re: GPU passing to HVM | joanna | 27/09/14 06:17 | I'm not sure I get your idea -- so your laptop has 2 GPUs, but 1
monitor, correct? Even if you manage to passthrough one of the GPUs to a VM, still, you have just one monitor, right? Is there any control mechanism that you can easily use to select which GPU is currently connected to the monitor? joanna. > the *NVS 4200M to the windows 7 vm and since it does not support FLR what > do you recommend so I am able to utilize this fully in the vm ? I am new to> the purpose of a hypervisor.* |
| Re: [qubes-devel] Re: GPU passing to HVM | Radosław Szkodziński | 27/09/14 06:45 | On Sat, Sep 27, 2014 at 3:15 PM, Joanna Rutkowska > Xen has been using PCI bus reset as part of do_FLR() since at least 3.xWhich is not true. First of all, xl does not properly force a FLR: http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=tools/libxl/libxl_pci.c;h=61bef12c62c83dcc61730726ad88891c720b257a;hb=8231a6762ad70aa00f54cb53424b7c850d4c286b#l722 (4.1.6.1, as in Qubes R2, maybe R3 is newer?) vs fix (broken, see reference, trivial): http://lists.xen.org/archives/html/xen-devel/2014-06/msg03107.html Feel free to apply the patch. This requires a patch set which your kernel might not have: http://lists.xenproject.org/archives/html/xen-devel/2014-07/msg01111.html Unpatched 3.12.x kernel (as used in Qubes) will not properly force a reset on a pciback device either via sysfs (because the device is busy thanks to pciback) or via do_flr even if you write to the right path (because there are bugs). My workaround (until I've updated Xen) was to unbind it from pciback, reset via sysfs, run a hotplug add then pciback it again. I should've looked into the code instead, could've spotted this bug. Of course, that was completely insecure, because for a moment the device was attached to dom0. -- Radosław Szkodziński |
| Re: Question about windows HVM | Chris Olin | 16/10/14 08:42 | For the last couple of months, I've been using Qubes on an HP EliteBook (using it right now, actually) with no impressive graphics and the motherboard is capped at 8GB of RAM. With the high possibility of a new job with significant more pay, I've been looking for an "all in one" laptop to do literally "everything" on in terms of virtualizing demo/testing servers. I'm not much of a gamer, but the laptop I found is a gaming laptop (for some reason, only gaming laptops have 32GB of memory) and supposedly has a graphics processor built into the i7 in it (http://forum.notebookreview.com/msi/762800-official-msi-gt72-dominator-pro-gtx-980m-owner-s-lounge.html). While I'm not much of a gamer, it'd be a shame to let the nVidia card just sit there, wasting away. If and when I do end up buying this laptop, I'll see if gaming on a HVM is a possible and viable option. |
| Re: [qubes-devel] Re: Question about windows HVM | Francesco | 16/10/14 20:15 | Even a laptop with a free expresscard slot may allow a linux compatible graphic card slot: besthttp://www.amazon.com/PE4H-EC2C-Passive-adapter-ver2-4-ExpressCard/dp/B008I71HXQ On Thu, Oct 16, 2014 at 1:42 PM, Chris Olin <ch...@chrisolin.com> wrote: -- |
| Re: Question about windows HVM | thibau...@gmail.com | 09/10/15 04:28 | Hello guys, i am currently building a new machine with vt-d to use passthrough with my gpu. I am a developper so i wanted to put all the gaming stuff into a different os so i could secure my main os. Now i just discovered qubes, could someone confirm to me that passthrough solutions with xen will work just fine with qubes? I read things about xen who might not be compatible with non multi os gpu and i have a gtx 980 ti. Any answer would be more than welcome :) Le mercredi 23 janvier 2013 13:51:08 UTC+1, bradbury9 a écrit : Hi, |