Document requirements for secure GPU-accelerated rendering #4234
Comments
andrewdavidwong
added
help wanted
|
The documentation is a community effort. Please help us improve it by submitting a pull request: |
|
@andrewdavidwong I would be happy to, but to do so I need to know what the QubesOS maintainers would require of such a solution. |
I suggest searching qubes-devel to see whether the information you need is already there and, if not, starting a thread asking specific questions. |
|
A known problem why gpu acceleration in VMs is a secruity risk: Description of the problem: Possible approach: |
Why would this be a blocking issue? Couldn't we construct an additional virtualisation layer (maybe just draw a white screen to the buffer) so that no additional information is exposed? It should definitely be doable and wasting one of the two most powerful chips in your computer because the virtualisation is too hard to get right seems wasteful to me. |
andrewdavidwong
added
the
P: default
|
If more use cases help at all: I'm a web developer writing a WebGL-based application. Some of my application's users are on a Qubes-based desktop environment. Their performance is currently terrible, and I think this issue is the reason. Users on a physical desktop with a mid-grade dedicated GPU can get a smooth 60FPS performance with minimal load on the GPU. Even those with Intel integrated graphics from several years ago can manage a pretty stable 30FPS, as long as they're using the right drivers. Users on the Qubes platform are stuck with Chrome's "SwiftShader" pure-software renderer, which takes more than one second per frame (!). I think this problem is only likely to become more prevalent in the future, as more applications move to the browser, and browsers become more reliant on hardware-accelerated compositing and rendering. |
First, thanks for letting us know. The current situation sucks, but it is the best we can do right now. Sadly, supporting it securely on cards that people can actually afford (as opposed to super-expensive enterprise cards) is still an open problem. The good news is that people are working on it; the bad news is that these efforts could take quite a while to come to fruition. If Qubes can ever ship hardware accelerated rendering on by default without violating our user’s security expectiations, we will. Are you able to link to the web application, by any chance?
Yea, this sucks. Is your application particularly heavy on textures? Texture sampling is notoriously slow in software renderers; there is a reason GPUs have dedicated hardware for it. 3D transformations are also quite expensive. Simple pixel shaders should (at least in theory) be able to be handled pretty efficiently using SIMD instructions on the CPU, though Qubes disabling SMT (simultaneous multithreading AKA hyper-threading) probably doesn’t help there. I also suggest filing a ticket with SwiftShader; you could be hitting a pathological case there. At they very least, they might have suggestions as to what part of the code is particularly expensive. |
|
I don't have the Qubes-based desktop environment available right now, but I think you could get a good idea of the problem using this demo page. (Our application is proprietary, but built on CesiumJS.) If you paste in I will look at filing a ticket with Chromium and/or Cesium, but I kind of expect each to point the finger at the other... |
FWIW I get ~9FPS in Firefox and ~4FPS in Chrome. Both are bad, but one is clearly worse... |
|
I'm curious, if you visit the regular public-facing Google Maps from your Qubes environment, do you feel like you have a subjectively bad experience? I think they're using similar technologies. When I force software rendering on the same laptop ("hardware acceleration" option off in Chrome settings), zooming and panning "feel" bad. Maybe that could be a more broadly applicable use case for you? |
|
Google Maps works reasonably fine. It isn't super smooth, I see some jumps when panning too fast, but nothing major. |
|
I've tested as well: |
|
Just as a data point, I'm interested to see how that compares with Chrome / Chromium. It sounds like several others have answered "worse" but it also sounds like they may have been using older (or at least less powerful) hardware. |
|
Google Chrome Version 102.0.5005.61 (Official Build) (64-bit) on debian-11 with 16 vcpu. |
I can reproduce with a 1-vCPU qube. Chrome is at less than 0.5FPS while using 90+% CPU. Definitely time for a bug report. |
|
So, just to be clear, @DemiMarie , where do you think the report should go, and who do you think should file it? |
|
@thw0rted I think you should file the report against Chromium and SwiftShader. I know basically zilch about SwiftShader internals, and it has been years since I did anything interesting with web APIs. |
|
I just filed https://bugs.chromium.org/p/chromium/issues/detail?id=1348913 , in case anybody here would like to follow along. Thanks for the feedback! |
"Windows"? |
|
Hah! Oops, sorry. It auto-populated the form from the computer I was using and I didn't think to update. It does actually apply on Windows as well, inasmuch as forcing Firefox to disable hardware rendering here still outperforms Chrome when forced to use SwiftShader. Really, the OS tag should say "any". I'll leave a comment to that effect. |
|
Just discovered this issue, and I am curious about this comment that seems to have been ignored:
Is that obviously not an option? |
That would require an extremely complex translation layer. |
|
There was a talk on Qubes OS Summit 2022 https://www.youtube.com/watch?v=YllX-ud70Nk - what does it mean for secure GPU-accelerated rendering? Does it sacrifice security? And if so: to what extend does it sacrifice security? |
|
It doesn’t intend to, but it isn’t ready for use in Qubes yet, in part because of Xen limitations. |
|
How feasible would it be to add an unfiltered, less secure way to expose the GPU to selected VM's? Similar to how KVM/virt-manager can do it. Why? I trust certain VMs enough to take a risk here. Having a dedicated YouTube qube or video edit qube could save a lot of power and time. It will still provide much better isolation and sandboxing than raw Linux. Like a form of Qubes Lite, which sits between the current Qubes OS and conventional desktop systems. The only alternative here is building my own "Qubes" based on Linux + KVM, with a lot of dev effort for proper clipboarding, auto-updates, microphone and more. |
|
@marmarek thoughts? |
|
Has anyone considered using virtio-gpu or virgl from a security standpoint? It could also allow using the GPU across multiple cubes. |
|
@covert8 Its funny you asked, because I was about to file an issue for this! VirGL and Venus run the userspace driver (OpenGL and Vulkan respectively) on the host. This means that they provide a hardware-independent API to the guest, but also means that the entire userspace stack becomes guest-accessable attack surface. This attack surface is very large, and Linux graphics developers have stated on IRC that it is not a security boundary. Therefore, @marmarek has decided that Qubes OS will never use VirGL or Venus and I agree with his decision. virtGPU native contexts, on the other hand, expose the kernel ioctl API to the guest. This API is accessible to unprivileged userspace processes, which means it is a supported security boundary. It is also much smaller than the OpenGL or Vulkan APIs, which means that its attack surface is vastly smaller. As a bonus, native contexts offer near-native performance, which should be enough even for games and other demanding tasks. The kernel ioctl API (also known as the userspace API or uAPI) is hardware-dependent, so virtGPU native contexts are only supported on a subset of hardware. Currently, Intel, AMD, and Adreno GPUs are supported using the upstream i915, amdgpu, and freedreno drivers. Xen supports grant-based virtio, so virtio-GPU should not be incompatible with running QEMU in a stubdomain. The virtio-GPU emulator will need to run in dom0, but its job is much simpler than that of QEMU (it is only emulating a single device) and so the attack surface should (hopefully!) be acceptable. |
|
@DemiMarie, documentation issues like this go on the Non-release milestone, since they are independent of the Qubes OS release cycle. |
andrewdavidwong
changed the title
|
I wanted to make people aware of this related thread: https://forum.qubes-os.org/t/seamless-gpu-passthrough-on-qubes-os-with-virtualgl/20265/18 Which talks about someone using virtualGL (which i believe is different then virGL) (I'm assuming that the intention was to use virtualGL to communicate between a "sys-gpu" type qube to other cubes that you wanted to be able to access GL calls, however the initial post is incomplete, and no one has been able to replicate it, so the full intention is fuzzy.) |
|
Current dependency tree:
|
|
@thw0rted One idea I just now had was to see about optimizations on the CesiumJS side. Even when a GPU is available and in use, forcing it to 100% usage cannot be good for battery life on mobile. |
|
I was just a Cesium user, never on their dev team, and I've since moved on to another project. That said, I think they already did what they could for optimization. It's a graphically-intensive 3D application, so battery drain should be treated more like running a mobile game than a regular web page. They did include an option for the application developer to trigger rendering manually, so that the render process would idle otherwise, which I think would help a lot in a mobile context. The problem on Qubes was that even in short bursts (like scrolling a map), the software WebGL implementation was so slow that you could easily drop down to seconds-per-frame rather than frames-per-second. With the manual rendering option, you might only kick up to high power drain for 5 seconds of pan-and-zoom, then go back to idle, but with hardware acceleration those 5 seconds felt nice and smooth. |
|
Thanks for the explanation @thw0rted! |
|
Should this be closed? I think it is redundant, now that work on GPU acceleration has actually started. |
Has it? awesome. Is there another GithHub issue for that? (which one?!) |
|
andrewdavidwong
added
R: not applicable
|
This issue has been closed as "not applicable." Here are some common examples of cases in which issues are closed as not applicable:
We respect the time and effort you have taken to file this issue, and we understand that this outcome may be unsatisfying. Please accept our sincere apologies and know that we greatly value your participation and membership in the Qubes community. Regarding help and support requests, please note that this issue tracker (qubes-issues) is not intended to serve as a help desk or tech support center. Instead, we've set up other venues where you can ask for help and support, ask questions, and have discussions. By contrast, the issue tracker is more of a technical tool intended to support our developers in their work. We thank you for your understanding. If anyone reading this believes that this issue was closed in error or that the resolution of "not applicable" is not accurate, please leave a comment below saying so, and we will review this issue again. For more information, see How issues get closed. |
Qubes OS version:
R4.0
Affected component(s):
Documentation
Steps to reproduce the behavior:
Search for documentation for what exactly would be necessary for secure, hardware-accelerated rendering in untrusted AppVMs
Expected behavior:
Some documentation as to why it is not possible currently, and what would be required to change that.
Actual behavior:
No such documentation.
General notes:
One obvious use of a system like Qubes is running untrusted Steam games. Because Qubes doesn’t support hardware-accelerated rendering, this doesn’t work. It would be nice to have documentation as to why this is not possible, and what would be necessary to change this.
Related issues:
The text was updated successfully, but these errors were encountered: