iGPU-Passthrough with rom-file - Is it maybe a security issue?

brightrgb

I want to pass through my iGPU (Ryzen Pro 5650) to a VM.
For this I downloaded some ROM files from https://github.com/isc30/ryzen-gpu-passthrough-proxmox and tested with them.
I copied them to "/usr/share/kvm/" and added them to the VM with "hostpci0: 0000:XX:00.0,pcie=1,romfile=vbios_xxxx.bin". Then I started the VM.
Now I'm wondering what the ROM file in Proxmox actually does...

Does it really overwrite the firmware on the iGPU?

Is it generally dangerous to use unknown ROM files for passthrough?

Or is the whole thing not a security issue because the ROM file is only used to activate the GPU?
 
If you follow the instructions and make it yourself in vbios.c, it should be fine.

It is not for anyone to check if you trust what others have made.
 
If you follow the instructions and make it yourself in vbios.c, it should be fine.
But where do I put the script on the Proxmox host so that I can execute it later?

It is not for anyone to check if you trust what others have made.
Of course, but are unknown vbios.rom files generally a security risk, or could they even compromise the entire host?

Or is it possible for them to cause a hardware defect?

That's what I'd be particularly interested in!
 
But where do I put the script on the Proxmox host so that I can execute it later?
By installing gcc on the Proxmox host, you should be able to run it anywhere and obtain the vbios of your environment.

https://github.com/isc30/ryzen-gpu-passthrough-proxmox/issues/131#issuecomment-3138512335

Of course, but are unknown vbios.rom files generally a security risk, or could they even compromise the entire host?

Or is it possible for them to cause a hardware defect?
Everything that is written comes with risks.
I think it is difficult to modify the vbios now, but if there are vulnerabilities to attack, attackers are likely to confidently overcome them and possess the knowledge to carry out a successful attack.

However, I am not aware of any such cases.

Whether to trust that file is up to you.
Please understand that it was provided in good faith.
This is information provided by the goodwill of the creators. Please understand that if you post content that spreads risks after hearing such things, it will become difficult to reflect only the results presented by the creator in the future.

If you have doubts, there is a way for you to personally maintain your doubts and not use it.
 
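Added example, not part of any post in this thread and not code from the linked repository: a Python check that a downloaded ROM file is a structurally valid PCI option ROM for the expected device, and whether it is byte-identical (SHA-256) to the dump you produced yourself with vbios.c. The function names, the device ID 0x1234 and the sample ROM bytes are constructed for illustration; 0x1002 is the AMD/ATI PCI vendor ID.

```python
import hashlib
import struct

def parse_option_rom(data: bytes) -> list:
    """Walk the images of a PCI expansion ROM; return the PCIR fields of each."""
    images, off = [], 0
    while off + 0x1A <= len(data):
        if data[off:off + 2] != b"\x55\xaa":
            raise ValueError(f"no 0x55AA signature at offset {off:#x}")
        p = off + struct.unpack_from("<H", data, off + 0x18)[0]  # PCIR pointer
        if p + 0x16 > len(data) or data[p:p + 4] != b"PCIR":
            raise ValueError(f"no PCIR structure at offset {p:#x}")
        vendor, device = struct.unpack_from("<HH", data, p + 0x04)
        size = struct.unpack_from("<H", data, p + 0x10)[0] * 512  # 512-byte units
        code_type, indicator = struct.unpack_from("<BB", data, p + 0x14)
        if size == 0 or off + size > len(data):
            raise ValueError("image length does not fit the file")
        images.append({"offset": off, "vendor": vendor, "device": device,
                       "code_type": code_type, "size": size})
        if indicator & 0x80:  # bit 7: last image in this ROM
            break
        off += size
    if not images:
        raise ValueError("file too short to hold an option ROM header")
    return images

def check_romfile(candidate: bytes, reference: bytes, vendor: int, device: int) -> dict:
    """Compare a downloaded ROM with a self-extracted reference dump."""
    images = parse_option_rom(candidate)
    digest = hashlib.sha256(candidate).hexdigest()
    return {
        "sha256": digest,
        "identical_to_reference": digest == hashlib.sha256(reference).hexdigest(),
        "ids_match": all(i["vendor"] == vendor and i["device"] == device
                         for i in images),
        "images": images,
    }

def sample_rom(vendor: int, device: int, fill: int = 0x00) -> bytes:
    """Constructed one-image ROM (512 bytes) used only to exercise the checks."""
    rom = bytearray([fill]) * 512
    rom[0:3] = b"\x55\xaa\x01"                    # signature, size in 512-byte units
    struct.pack_into("<H", rom, 0x18, 0x1C)       # pointer to PCIR structure
    rom[0x1C:0x20] = b"PCIR"
    struct.pack_into("<HH", rom, 0x20, vendor, device)
    struct.pack_into("<H", rom, 0x2C, 1)          # image length: 1 x 512 bytes
    rom[0x30:0x32] = bytes([0x00, 0x80])          # code type x86, last-image flag
    return bytes(rom)

if __name__ == "__main__":
    own = sample_rom(0x1002, 0x1234)              # 0x1234 is a placeholder device ID
    print(check_romfile(sample_rom(0x1002, 0x1234, 0xFF), own, 0x1002, 0x1234))
```

A hash mismatch alone does not show tampering, since ROM contents differ between firmware versions; it only tells you the file is not the one your own machine produced.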
Thank you.

I was actually just asking whether a vbios.rom could pose a security vulnerability in general or not.

It's perfectly clear that everyone has to decide for himself whether to trust a source or not!