In Rutkowska’s “Software compartmentalization vs. physical separation” article, these concepts are discussed as opposed to each other. But what if there’s some way to combine both physical and virtual isolation?
Say, a qubes-laptop with Whonix-Workstations, and a qubes-router with Whonix-Gateways, connected by Ethernet LAN. In this case, even if an attacker uses some hypothetical Xen/Qubes/CPU/etc. vulnerability to escape from the VM to the host and connect to the internet without Tor (say, to expose your IP address and pass a payload), it would fail, because the connection is torified on the separate device, which is only accessible by LAN (and, presumably, no wifi card is available).
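As an added example (not from the original post), a small audit of the laptop side of this scheme: it parses `ip -o link` and `ip route` output and flags any interface that is up besides the wired NIC, or any route that does not go through the router. The router address 10.0.0.1, the NIC name eth0 and the sample output are constructed assumptions.

```python
import re

# Assumptions (constructed for this example, not from the post):
# the qubes-router's LAN-side address and the laptop's only permitted NICs.
ROUTER_LAN_IP = "10.0.0.1"
ALLOWED_IFACES = {"lo", "eth0"}

# Constructed sample output of `ip -o link` and `ip route` on the laptop.
SAMPLE_LINKS = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
"""
SAMPLE_ROUTES = """\
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.2
"""

# "<index>: <name>[@parent]: <FLAGS> ..." as printed by `ip link`
LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)[^:]*:\s+<([^>]*)>")

def active_unexpected_ifaces(link_output, allowed=ALLOWED_IFACES):
    """Interfaces that are administratively UP but not in the allowed set.
    A wifi card or second NIC that is UP is a path around the router."""
    found = []
    for line in link_output.splitlines():
        m = LINK_RE.match(line)
        if not m:
            continue
        name, flags = m.group(1), set(m.group(2).split(","))
        if "UP" in flags and name not in allowed:
            found.append(name)
    return found

def bypass_routes(route_output, router_ip=ROUTER_LAN_IP, allowed=ALLOWED_IFACES):
    """Route entries that could carry traffic somewhere other than the router:
    a default route via another gateway (or none), or any route on a non-allowed device."""
    bad = []
    for line in route_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        via = fields[fields.index("via") + 1] if "via" in fields else None
        if fields[0] == "default" and via != router_ip:
            bad.append(line)
        elif dev is not None and dev not in allowed:
            bad.append(line)
    return bad

def egress_is_lan_only(link_output, route_output):
    """True when no unexpected interface is up and every route stays on the LAN."""
    return not active_unexpected_ifaces(link_output) and not bypass_routes(route_output)
```

On a live system, feed it `subprocess.run(["ip", "-o", "link"], ...)` and `ip route` output instead of the samples.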
And there is such a solution:
With the downside that the Whonix-Gateway is unable to see multiple clients, so if 2 different VMs connect to the same address, the connection will go through the same Tor chain for both VMs, leading to the same exit node, which is a correlation (exposing that these VMs are using the same Tor client).
Also, this example uses VirtualBox to run Whonix-Workstation, not Qubes. But there shouldn’t be a lot of difference in terms of connection, so it may be compatible with the “qubes-laptop+qubes-router” scheme.
That’s it. Thread created for discussion of the “qubes-laptop+qubes-router” implementation, also the “virtualbox-laptop+qubes-router” implementation, alternative schemes with the same “physical+virtual isolation” goal, and everything else related.