Thanks for the reply enmus!
First I have to say that I see some contradictions in your post.
For example you say “I don’t have a serious requirement for security” (why do you use Qubes at all then?) only a second later to say “and am very paranoid about an inevitable supply chain attack”, and yet your first question is related to security, seriously caps locked.
Fair, my apologies, I did contradict myself a lot. I was trying to convey that whilst I feel a pressing need for security from a supply line attack, I’m aware most of my peers wouldn’t feel the same need. Full disclosure, I worry too much (to the point of being medicated for it) so I tend to assume I’m being overly secure vs the actual level of threats I face. So basically I was saying I -want- security, but I probably don’t -need- it. Admittedly this might be the wrong place to say that, as this is perhaps one of a few places where people would agree my levels of precaution are reasonable.
Then, you say “offline Debian mini-pc” which is “cable tether”-ed
Whoops, terminology failure, my bad. By offline I meant “not directly connected to the internet”. After a short trip to an online dictionary I now realize that’s not exactly what offline means.
At the end, your idea is interesting to me and I find it legit. I’m sure someone else will have additional and different views.
Glad to hear it! Maybe I’ll post back here and let you know how it went if I go ahead.
Perhaps this is relevant:
Definitely relevant, thank you fsflover! Looking through that it seems like the controller was a threat to every VM in the “connected chain” of VMs it was serving. So even if the issues in that bulletin hadn’t been fixed, my hypothetical controller connected to a mini-pc would only have threatened my streaming VM, which is perfectly acceptable to me.
I was more worried that Ethernet controllers were going to turn out to be like PCI graphics cards in that they could (in theory) be used to influence dom0 from within a virtual machine they’ve been passed to. Which I guess is a silly concern anyway, given nearly everyone here has a controller passed through to their sys-net VM.