canonical / lxd

Powerful system container and virtual machine manager
https://canonical.com/lxd
GNU Affero General Public License v3.0

Make VM GPU device optional #12825

Open simondeziel opened 5 months ago

simondeziel commented 5 months ago

The VM GPU device is not always needed and having it enabled comes with additional memory overhead and a bigger attack surface. Being able to easily disable it would make it simple to pack more VMs on any given host.

The bigger attack surface is probably due to GPUs being complex beasts which have led to hypervisor escapes in the past (https://census-labs.com/media/straightouttavmware-wp.pdf).

tomponline commented 5 months ago

@simondeziel is this a known security issue in QEMU 8.1?

simondeziel commented 5 months ago

@tomponline no, this is just to highlight that vGPU comes with additional attack surface and memory usage that'd be nice to make optional.