First a little background, feel free to skip this and jump to the questions:
I’ve been playing around with Qubes OS and, like so many before me, am contemplating putting together a new computer and making Qubes my “daily driver”.
The twist is that I’m considering using a motherboard with two in-built Ethernet ports and having the second port permanently occupied by a cable tether to an (otherwise offline) Debian mini-pc.
I’d interact with this mini-pc via a dedicated streaming qube using some manic combination of Steam Link, Syncthing and TigerVNC. (I’ve got Steam Link/remote working over a direct Ethernet connection in the past.) I’d attempt to use a combination of apt-mirror and file transfers to update the mini-pc when I’m inevitably forced to by some software requirement.
My motivation here is that I’m a 3D software developer and need some basic GPU acceleration for testing builds with 3D graphics and creating some low poly Blender models. While convoluted, I figure the setup above is the best way to accomplish that without GPU pass-through. TBH I don’t have a serious requirement for security, I just like coding with Rust and am very paranoid about an inevitable supply chain attack.
Now I suspect to accomplish this hypothetical setup I’m going to have to pass my second Ethernet controller (the one connected to the mini-pc, not the internet) directly to the streaming VM. This is where my questions come in…
Here are the actual questions:
- In general, if I pass through an Ethernet controller directly to a Qube VM, does it pose a security threat to anything OTHER than the VM it’s getting passed to? (Like how passing through a GPU to a qube potentially compromises the whole system, rather than just the qube it’s passed to.)
- My motherboard would have two built-in Ethernet ports, so presumably it would have two Ethernet controllers. Does anyone predict issues with Qubes recognising these two individually and passing through one directly whilst separately communicating internet via the other controller using the normal firewall qube?
- If you read my whole post, what do you think? Is this nonsense worth a shot? (If you didn’t, no worries, just ignore this.)
I appreciate it’s pretty unlikely anyone has had first-hand experience with exactly this scenario, I just thought I’d throw this out there and see what people think. I’m probably going to end up gambling money on testing this, so it would be irresponsible not to check I haven’t overlooked some obvious problem first.