OpenGL driver errors in QubesOS VMs: Why there’s no fix*
The reason you can’t fix this is simple: QubesOS is built on the principle of isolation, and GPUs aren’t designed to meet the strict isolation requirements QubesOS demands because they prioritize performance instead.
Also, QubesOS uses the Xen hypervisor, which does not support GPU passthrough in a way that allows OpenGL applications to run with hardware acceleration inside VMs.
This limitation, which effectively prevents VMs from using GPU-accelerated OpenGL apps, exists for a good reason.
There are some theoretical attack scenarios where malware inside a VM could:
- Exploit vulnerabilities in the GPU driver or firmware
- Permanently flash malicious firmware to the GPU
- Survive reboots, OS reinstalls, possibly even the heat death of the universe.
See the Qubes OS device handling security documentation for more information.
I ran into this issue myself while trying to switch my setup to fully use nixpkgs. When I installed kitty (a terminal emulator) from nixpkgs, it didn’t work due to OpenGL errors, but the apt version (0.26.5-5) worked fine. I tried matching the nixpkgs version to the closest available one (0.26.5), but it threw the same OpenGL 3.3 requirement error.
Some [1, 2] solutions exist for GPU passthrough on QubesOS, but none of them are easy to implement, and they often require a second graphics card, so that one serves dom0 and the other is assigned to the VM. Attaching a whole GPU to a VM is not a trivial task, and in my case it is certainly overkill just to run a terminal emulator.
If you really need GPU passthrough (for cracking, games, or 3D rendering), it’s better to use a different machine (best solution) or dual-boot (which introduces other attack vectors; see multibooting qubes).
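Whether you adopted one of those passthrough setups or just want to confirm that no qube has a GPU assigned, a quick dom0 audit of `qvm-pci ls` answers the question. This is an added example, not code from the original post; it assumes the listing uses the columns BACKEND:DEVID, DESCRIPTION and USED BY separated by two or more spaces, and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Qubes system for any
# VM that has a display-class PCI device assigned to it. Reads `qvm-pci ls`
# output (run in dom0) from stdin. Assumed layout: BACKEND:DEVID, DESCRIPTION
# and USED BY columns separated by runs of two or more spaces.

# Print "BACKEND:DEVID<TAB>VM" for every GPU-like device assigned to a VM.
# Returns 1 when at least one such device was found, 0 otherwise.
gpus_attached_to_vms() {
    awk -F'  +' '
        NR == 1 && $1 ~ /^BACKEND:DEVID/ { next }   # skip the header row
        $2 ~ /(VGA compatible|3D|Display) controller/ && $3 != "" {
            # USED BY may carry option notes, e.g. "sys-usb (no-strict-reset=True)";
            # keep only the VM name.
            vm = $3; sub(/ .*/, "", vm)
            print $1 "\t" vm
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample of `qvm-pci ls` output: integrated GPU left in dom0,
# a USB controller given to sys-usb, and a discrete GPU handed to a qube.
SAMPLE_QVM_PCI='BACKEND:DEVID  DESCRIPTION                                             USED BY
dom0:00_02.0   VGA compatible controller: Intel Corporation UHD Graphics 620
dom0:00_14.0   USB controller: Intel Corporation USB 3.1 xHCI Host Controller  sys-usb (no-strict-reset=True)
dom0:01_00.0   VGA compatible controller: NVIDIA Corporation GP107 [GeForce GTX 1050]  gaming-vm'

# Real usage in dom0:   qvm-pci ls | gpus_attached_to_vms
printf '%s\n' "$SAMPLE_QVM_PCI" | gpus_attached_to_vms || echo "warning: a GPU is assigned to a qube"
```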
One of apt’s main goals is to provide packages that work across a wide range of hardware setups, including systems without GPU passthrough. Because of this, for incompatible apps like kitty, I currently stick to using apt packages and make bash builder scripts to combine the declarative power of Nix with the stability of apt.
If you have a better solution, let me know.
Until then!