Security Benefits of Gaming in a VM



Sandbox play and work using VMs, that's a good selling point, as a company, to make - I like it.  One could always break it up further: One VM for gaming; one for email, web, and work; a third for banking/finance. Could even make one for guests at home. 

 

The devil's-advocate response might be, for each VM you're multiplying the potential patching/security holes being made (i.e. two sets of Windows Updates; or kernel patches).  However, if I had kids, I think this would be my solution for sandboxing kids' "oops" to the OS.  Also utilize network shares with passwords to keep gamer/non-trusted VM from important data.

 

 

Link to comment
42 minutes ago, Jcloud said:

Sandbox play and work using VMs, that's a good selling point, as a company, to make - I like it.  One could always break it up further: One VM for gaming; one for email, web, and work; a third for banking/finance. Could even make one for guests at home. 

 

That is actually a point I make in the article, though I say it with more subtlety as quoted below:

 

Quote

by creating dedicated VMs for dedicated users and uses, you can better protect yourself from these types of issues.

 

With respect to this:

 

43 minutes ago, Jcloud said:

The devil's-advocate response might be, for each VM you're multiplying the potential patching/security holes being made (i.e. two sets of Windows Updates; or kernel patches).  However, if I had kids, I think this would be my solution for sandboxing kids' "oops" to the OS.  Also utilize network shares with passwords to keep gamer/non-trusted VM from important data.

 

I don't actually agree with this sentiment because I think the security holes generated from having multiple users on the same running copy of Windows are far greater than the security holes generated from having multiple VMs to patch manage.  Especially with Windows because Windows automatically patches itself nowadays anyways, so there really isn't anything for the individual user to manage.  The downside (today) of multiple VMs vs. sharing a single computer is purely storage utilization.  Clearly you will use more storage by having multiple VMs as opposed to one single PC, but we are working on solutions for that as well (just not ready to unveil them yet).

 

Link to comment

 

8 minutes ago, jonp said:

That is actually a point I make in the article, though I say it with more subtlety as quoted below:

Indeed, I guess I skimmed too quickly, and/or I enabled the "Captain Obvious," module. Sorry about that. 

 

9 minutes ago, jonp said:

Clearly you will use more storage by having multiple VMs as opposed to one single PC, but we are working on solutions for that as well (just not ready to unveil them yet).

 

VM snapshots; BTRFS and COW; other? If you can't talk about it - that's cool, just call me curious (or nosy).  

Link to comment
1 minute ago, Jcloud said:

 

Indeed, I guess I skimmed too quickly, and/or I enabled the "Captain Obvious," module. Sorry about that. 

 

No worries!

 

1 minute ago, Jcloud said:

VM snapshots; BTRFS and COW; other? If you can't talk about it - that's cool, just call me curious (or nosy).  

 

Maybe ;-)

Link to comment
3 hours ago, tr0910 said:

This use of VMs for security mirrors the ideas behind Qubes, a Snowden-approved Fedora security-focused distribution (https://www.qubes-os.org/)  

 

Is this where we are going??

 

Indirectly. But in many situations it isn't required to go all the way to VM. Often containers will be enough. More and more operating systems will be huge container managers.

Link to comment
 

 

Can't you just add some buttons to the GUI like SAVE VM, add some checkboxes aka [ ] After each restart restore original VM image. @limetech

Do you mean? I want my VM to behave like a live CD image? Nothing saved, and a VM restart completely takes it back to original status?

 

Snapshots implemented in the VM manager would make this easy to achieve. I am very interested in snapshots for unRaid VMs. I use different VMs for different tasks like @jonp alludes to in the OP but gaming isn't one of them. Today I need to take frequent Macrium Reflect backups of my VM to allow for rollback.

 

An implementation like VMware Workstation for snapshots and rollback would be very handy.

Link to comment
  • 4 weeks later...
22 minutes ago, xairam said:

Is there any information about the added input lag? Would be pretty interesting to me. Maybe you could do a partnership with yt/battlenonsense.

 

No additional input lag if the VM owns the USB controller and graphics card. It's just some of the hardware sliced off and running as if it was a completely separate computer.

 

It's only when you let the host own the USB controller that you will suffer input lag because you then add an additional software translation layer before the gaming OS will be able to see events from the connected USB devices.

Link to comment

Hey guys! I have a question.  How will this gaming work?

This example:

I have a PC with 4 hdd, Unraid.

CPU with IOMMU, VT-d supported, 16 GB RAM,

1 monitor

2 gpus ( for example 1 from cpu - intel hd, second pci - gtx 970 )

 

Do I just click my Windows 10 VM with GPU passthrough and play a game (for example a 3D shooter) on my 1 monitor with Intel HD?

Or do I need some kind of rdp/vnc from another computer and another monitor and workplace??

Confused

 

Update

It seems I need another pc anyway since I connect to unraid via https://url

But will games and sound work with vm running in browser??

Edited by sk8erbender
Link to comment

If you are using hardware passthru of your GPU then you simply do your gaming directly on the VM using the GPU (with its attached monitor) and you should get close to bare-metal performance.   You do NOT want to use RDP for gaming if you can possibly avoid it as RDP does not have the graphics performance games normally need.

 

I think you may be getting confused that unRAID does not require an attached monitor and is managed using a web browser?   This can be on another machine.   However there is nothing stopping you running that web browser from within a VM hosted on unRAID.  

Link to comment
16 hours ago, itimpi said:

If you are using hardware passthru of your GPU then you simply do your gaming directly on the VM using the GPU (with its attached monitor) and you should get close to bare-metal performance.   You do NOT want to use RDP for gaming if you can possibly avoid it as RDP does not have the graphics performance games normally need.

 

I think you may be getting confused that unRAID does not require an attached monitor and is managed using a web browser?   This can be on another machine.   However there is nothing stopping you running that web browser from within a VM hosted on unRAID.  

But to first set up the VM with GPU passthrough I need to connect via the web interface, right? Thanks for explaining this.

As I understood it, I will also have to pass the keyboard and mouse through to the VM?

Link to comment
  • 2 weeks later...
On 8/12/2018 at 3:45 PM, pwm said:

It's only when you let the host own the USB controller that you will suffer input lag because you then add an additional software translation layer before the gaming OS will be able to see events from the connected USB devices.

Have you measured this yourself?  I actually don't notice a difference when it comes to mouse/keyboard input speed between using USB assignment vs. USB controller pass through.

Link to comment
1 hour ago, jonp said:

Have you measured this yourself?  I actually don't notice a difference when it comes to mouse/keyboard input speed between using USB assignment vs. USB controller pass through.

You should normally not be able to notice with keyboard/mouse. A traditional keyboard/mouse has a quite slow report rate - maybe 125 Hz report rate. It's only gaming keyboards/mice that make use of 1 kHz report rate. And we humans aren't fast enough to measure such short delays. But when the game responds to key presses or mouse clicks synchronized with the display frame rate, then one in x mouse clicks may result in the game responding one display redraw earlier which for 100 frames/second could scale a 1 ms mouse lag into a 10 ms slower game response.

 

Where it normally matters for non-gamers is when using USB sound cards, JTAG interfaces, logic analyzers etc. that stream synchronous data that may require hard real time (a bit depending on buffer capacity on each side). But for this type of device, I have - in some situations - clearly seen a difference between having the VM own the USB host or just bridging the USB device. But it matters what other hardware shares the interrupts on the host machine and what load the host machine has (and quality of drivers), so it can work very well even with streaming devices. But a single slow critical section in the kernel can starve the USB processing enough to affect the transfer.

Link to comment
Quote

You should normally not be able to notice with keyboard/mouse. A traditional keyboard/mouse has a quite slow report rate - maybe 125 Hz report rate. It's only gaming keyboards/mice that make use of 1 kHz report rate. And we humans aren't fast enough to measure such short delays. But when the game responds to key presses or mouse clicks synchronized with the display frame rate, then one in x mouse clicks may result in the game responding one display redraw earlier which for 100 frames/second could scale a 1 ms mouse lag into a 10 ms slower game response.

Where it normally matters for non-gamers is when using USB sound cards, JTAG interfaces, logic analyzers etc. that stream synchronous data that may require hard real time (a bit depending on buffer capacity on each side). But for this type of device, I have - in some situations - clearly seen a difference between having the VM own the USB host or just bridging the USB device. But it matters what other hardware shares the interrupts on the host machine and what load the host machine has (and quality of drivers), so it can work very well even with streaming devices. But a single slow critical section in the kernel can starve the USB processing enough to affect the transfer.

Another option is to use isolcpus as a kernel parameter not just for the VM itself, but for the emulator pin(s) so that you can prevent the emulator from having to compete for access to the CPU.

When I hear someone bring up "input lag", I really think they are worried about mouse clicks and keyboard strokes. I haven't noticed any delays using either USB method (I have Razer gaming keyboards and mice) when it comes to this, but as you said, the human eyes probably wouldn't even notice it.

I was mainly curious if you had gone through the effort to measure this yourself using an LED attached to a mouse button with a high-speed camera. That's how the guy for battle nonsense and of course Linus from LinusTechTips measures for this.


Link to comment
11 minutes ago, jonp said:

When I hear someone bring up "input lag", I really think they are worried about mouse clicks and keyboard strokes. I haven't noticed any delays using either USB method (I have Razer gaming keyboards and mice) when it comes to this, but as you said, the human eyes probably wouldn't even notice it.

Gamers really are worried about input lag for mouse/keyboard. And it can be shown that every x mouse clicks will be delayed another display redraw even for a single 1ms delay of the click. But since this requires statistical methods, it shouldn't matter much for most users who aren't using real-time-streaming devices.

 

Besides using statistical methods, the lag can't be seen. Standard keyboards/mice have 125 Hz poll rate just because we aren't fast enough to notice the delay even when the key presses are only polled every 8 ms. But with 100 fps, a 128 Hz poll rate means half the key presses will be delayed one additional display refresh and in some games that will be measurable in damage-per-second or similar.

Link to comment
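The frame-quantization argument in the post above, as an added simulation that is not part of the thread. It assumes the game reads input once per frame and that clicks, the USB poll clock and the frame clock are unsynchronized; `seen_at` and `simulate` are hypothetical names.

```python
import math
import random


def seen_at(click_ms, poll_ms, poll_phase, frame_ms, frame_phase, lag_ms):
    """Time at which the game first acts on a click.

    The device reports the click at the next USB poll, the report takes
    lag_ms to reach the guest, and the game reads input once per frame.
    """
    polled = poll_phase + math.ceil((click_ms - poll_phase) / poll_ms) * poll_ms
    arrived = polled + lag_ms
    return frame_phase + math.ceil((arrived - frame_phase) / frame_ms) * frame_ms


def simulate(poll_hz, fps, lag_ms, clicks=100_000, seed=1):
    """Return (share of clicks pushed to a later frame, mean added delay in ms)."""
    rng = random.Random(seed)  # fixed seed so runs are repeatable
    poll_ms, frame_ms = 1000.0 / poll_hz, 1000.0 / fps
    slipped, added = 0, 0.0
    for _ in range(clicks):
        click = rng.uniform(0.0, 1000.0)
        # Random phases model clocks that drift relative to each other.
        poll_phase = rng.uniform(0.0, poll_ms)
        frame_phase = rng.uniform(0.0, frame_ms)
        base = seen_at(click, poll_ms, poll_phase, frame_ms, frame_phase, 0.0)
        late = seen_at(click, poll_ms, poll_phase, frame_ms, frame_phase, lag_ms)
        if late > base + 1e-9:
            slipped += 1
            added += late - base
    return slipped / clicks, added / clicks


if __name__ == "__main__":
    for hz in (125, 1000):
        share, mean = simulate(hz, 100, 1.0)
        print(f"{hz:>4} Hz polling, 100 fps, +1 ms lag: "
              f"{share:.1%} of clicks one frame late, mean +{mean:.2f} ms")
```

Under these assumptions, a 1 ms added delay at 100 fps pushes about one click in ten to the next frame at either poll rate, so the average cost stays near 1 ms while each affected click pays a full 10 ms frame.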
Quote

Gamers really are worried about input lag for mouse/keyboard. And it can be shown that every x mouse clicks will be delayed another display redraw even for a single 1ms delay of the click. But since this requires statistical methods, it shouldn't matter much for most users who aren't using real-time-streaming devices.

Besides using statistical methods, the lag can't be seen. Standard keyboards/mice have 125 Hz poll rate just because we aren't fast enough to notice the delay even when the key presses are only polled every 8 ms. But with 100 fps, a 128 Hz poll rate means half the key presses will be delayed one additional display refresh and in some games that will be measurable in damage-per-second or similar.

Interesting. Would really like to see someone do the LED test compared to bare metal to see if the theory holds water and to see if there is a delay, how much it materializes. A step further would be to see how isolcpus impacts that.

Link to comment
  • 1 month later...

Hi, I'm Brazilian and I already apologize for my English.

I'm interested in unraid just for games. Currently I use three workstations using the aster program, and for compatible games it works great, but about 30% of the games I tested do not work with this program.

my system

processor: ryzen 5 1600x

gpu: gtx 970 windforce

Motherboard: Asus rog strix b 350f

Memory: 20gb ddr4

In aster I do not have to split my hardware, so the workstations divide my hardware between them when required.

How does it work in the unraid case?

Could I put the 12 cores of my processor, the 20 GB of memory and my GTX 970 on the three workstations? And if I had to split, how would it be with the video card, since I only have one?

 

Link to comment
