I want to bind folder root/var/lib/qubes/appvms to an external harddrive. In effect moving all the appvms to the external hard drive.
Dom0 needs access to the drive. But if the drive is malicious, then well… the whole system is compromised.
Is there a way I can setup a sys-usb just for this data stream, and firewall it to only allow access to/from certain folders on the USB hard drive?