[vbox-dev] BLUF: Consider enabling 3D acceleration by default (at least for KDE-based Linux guest OSs)

Aaron Rainbolt arraybolt3 at gmail.com
Fri Mar 8 17:24:02 GMT 2024


On 3/8/24 11:10, Nate Graham via vbox-dev wrote:
> Hello! I'm Nate Graham from KDE. We're tracking an issue that causes 
> Linux guest OSs with KDE Plasma 6 to fail when 3D acceleration is 
> disabled: https://bugs.kde.org/show_bug.cgi?id=481937. The changes 
> made in Plasma 6 that resulted in this issue are unfortunately not 
> easily revertable, and 3D acceleration improves the UX in general for 
> our systems, so our developers aren't feeling a strong incentive 
> to try.
>
> I'd like to discuss the possibility of enabling 3D acceleration by 
> default--at least for KDE-based Linux guest OSs.

I am not a VBox dev, but this change has potentially severe security 
implications that would make me highly uncomfortable enabling this if I 
were a VBox dev. Quoting from the VirtualBox 7.0 user manual 
(https://docs.oracle.com/en/virtualization/virtualbox/7.0/user/guestadditions.html#guestadd-video):

Note:

Untrusted guest systems should not be allowed to use the 3D acceleration 
features of Oracle VM VirtualBox, just as untrusted host software should 
not be allowed to use 3D acceleration. Drivers for 3D hardware are 
generally too complex to be made properly secure and any software which 
is allowed to access them may be able to compromise the operating system 
running them. In addition, enabling 3D acceleration gives the guest 
direct access to a large body of additional program code in the Oracle VM 
VirtualBox host process which it might conceivably be able to use to 
crash the virtual machine.

If KDE-based Linux VMs have 3D acceleration become mandatory, KDE-based 
Linux VMs will also no longer be suitable for any security-sensitive use 
of VirtualBox (malware analysis, sandboxing of suspicious applications, 
etc.). The ability for VirtualBox to sandbox insecure software is 
important enough that the guide specifically mentions it as a primary 
use case for VirtualBox 
(https://docs.oracle.com/en/virtualization/virtualbox/7.0/user/Introduction.html#virtintro):

In addition to that, with the use of another Oracle VM VirtualBox feature 
called snapshots, one can save a particular state of a virtual machine 
and revert back to that state, if necessary. This way, one can freely 
experiment with a computing environment. If something goes wrong, such 
as problems after installing software or infecting the guest with a 
virus, you can easily switch back to a previous snapshot and avoid the 
need of frequent backups and restores.

It would help to know what exactly these changes are that "cannot be 
easily reverted" (probably not on the VBox ML though). Perhaps someone 
who is willing to put in the necessary time and effort can discover a 
way to make KWin compatible with more secure graphics options under 
VirtualBox? I personally would be willing to try and help with that.

-- 
Aaron Rainbolt
Lubuntu Developer
Matrix: @arraybolt3:matrix.org
IRC: arraybolt3 on irc.libera.chat
GitHub: https://github.com/ArrayBolt3
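
Added example, not part of the original message and not VirtualBox project code: one way to audit a host for the condition the quoted manual note warns about, by flagging VMs designated untrusted that have 3D acceleration enabled. It assumes the text comes from `VBoxManage showvminfo <vm> --machinereadable` and that the key is `accelerate3d` as in VirtualBox 7.0; the `/untrusted` VM group used to mark sandbox guests, the VM names and the sample data are constructed for illustration.

```python
# Constructed samples of `VBoxManage showvminfo <vm> --machinereadable` output.
# Key names assume VirtualBox 7.0; names, groups and values are invented.
SAMPLE = [
    'name="malware-lab"\ngroups="/untrusted"\n'
    'graphicscontroller="vmsvga"\naccelerate3d="on"\n',
    'name="kde-desktop"\ngroups="/"\n'
    'graphicscontroller="vmsvga"\naccelerate3d="on"\n',
    'name="browser-sandbox"\ngroups="/untrusted/web"\n'
    'graphicscontroller="vmsvga"\naccelerate3d="off"\n',
    # No accelerate3d line at all (e.g. a version that prints a different key).
    'name="legacy-sandbox"\ngroups="/untrusted"\ngraphicscontroller="vboxvga"\n',
]


def parse_vminfo(text):
    """Parse key="value" lines of machine-readable VM info into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip().strip('"')] = value.strip().strip('"')
    return info


def in_group(groups_field, group):
    """True if any comma-separated VM group equals `group` or is nested in it."""
    return any(g == group or g.startswith(group + "/")
               for g in groups_field.split(","))


def audit_3d(vm_outputs, untrusted_group="/untrusted"):
    """Return sorted (vm_name, state) pairs for untrusted VMs whose 3D
    acceleration is not provably off. A missing key is reported as
    'unknown' instead of being assumed safe."""
    findings = []
    for text in vm_outputs:
        info = parse_vminfo(text)
        if not in_group(info.get("groups", "/"), untrusted_group):
            continue  # trusted guest: out of scope for this check
        state = info.get("accelerate3d", "unknown").lower()
        if state != "off":
            findings.append((info.get("name", "<unnamed>"), state))
    return sorted(findings)


if __name__ == "__main__":
    for name, state in audit_3d(SAMPLE):
        print(f"{name}: 3D acceleration {state} on an untrusted guest")
```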
