Virtually Aligned Why VMs are probably my future
Virtually Aligned Why VMs are probably my future
Whenever someone talked about virtual machines, I used to be a little uneasy. Not because they are difficult, but because they caused difficulties.
Years ago, virtual machines to me seemed too exotic and too much effort to maintain. Each time I thought of virtual machines, my memories were tied to horrible experiences I had while hobbling around in VirtualBox. Horrible unstable networking, terrible graphical performance, and throw what people used to consider a "guest addition" - I ended up always ditching the idea.
The promise of what VMs had to truly offer were lost on me, and for a very, very long time I stayed within the confines of bare-metal workflows. Dedicated computers for every task. Extra power consumption, more costs, more zombies waiting to probably become e-waste or inefficient server after a few years.
But everything changed when I stumbled across a concept called VFIO. I decided to take one more chance, one last stand for the promise that VMs were in fact, worth the effort...
Who or what is a VFIO?
"Virtual Function I/O", or what the fancy people I will never probably meet call VFIO - is a Linux feature that essentially allows you to take physical hardware on a computer, tell Linux that it's special and, if the hardware and Linux kernel modules load correctly, allow a virtual machine to access that hardware as if it were directly attached to it.
But what is it really? Well, if you ask any of the maniacs who pursue this endeavor (who aren't paid to do it I mean), it's more like a combination of a lottery and a very well rounded skill-testing question. Successfully running VFIO requires:
-
When passing through graphics: more that one graphics-capable unit (integrated or PCIe) in a system, otherwise you'd be running scripts that would require a ridiculous amount of tweaking.
-
PCI devices need to be able to do a PCI state reset. Older, and some current cheaper devices will not correctly reset to a state that can be usable by a VM on boot, or worse - can only be loaded once and don't properly unload - making the PCIe device unusable until a fresh reboot. It's beyond annoying - using hardware that can't properly reload won't be feasible in a VFIO setup.
There's a very dedicated community to VFIO. There are topics that are on r/VFIO for instance, that aren't really in my ballpark - or require existing knowledge of the inner workings of kernel modules. If you're interested in more details in VFIO, some resources like Reddit, Linux Wikis, and even Youtube would be a great place to start - even if that's just getting your foot conceptually in the VM door.
What's the big deal about VMs?
If you survived the last paragraph, meaning you decided to keep reading - good for you. I don't like explaining things with jargon when I don't have to, but when it comes to advanced subjects, it sometimes does feel in-evitable.
Now that you're here, lets talk about Virtual Machines - but the "Qubes OS" approach.
Qubes OS - A computer should be like a box
Strong advocates of privacy probably heard of Qubes OS before, which means 99% of people (including probably you) have not. There's no shame in that, Qubes OS is not for casual people, and even most professionals.
Conceptually, Qubes OS is a very very light operating system that does only one thing, runs things in insolation, by creating smaller instances of highly enclosed virtual machines so when you run a program like Firefox, or open your emails for a specific company, or even just edit code, any traces of your permanence.
I can't stress this enough. Qubes OS would be a computer locked in a black-box. Every security and VM isolation setting is intentionally cranked to 11, to protect some of the most at-risk people in the world, including (but not limited to) journalists, activists, dissenters, people living int autocracies, and potentially fugitives.
IF you don't have state or corpo secrets in your possession, I'll be honest - Qubes OS is likely not meant for you. But none-the-less, it introduces and doubles-down on the deeply important idea that an operating system could and maybe should be ephemeral.
And maybe your data shouldn't be on you os drive..
And maybe you don't need to do everything on one machine...
And maybe you should keep things separate, maybe it will help keep you sane....
Using a decoupled system - what it actually feels like
Assuming you get VFIO setup for a graphics card, the #1 usability killer on most virtual machines goes away. If you've given a virtual operating system full control of a PCIe device - meaning you can do things like - run Windows-only games, and not have to worry about root-kits or malware infecting your Linux host.
Got specifically work-specific programs you don't want running on the same system your personal emails and credentials are? Don't want a personal breach to give hax0rs access to pretty much anything? Give it it's own VM, add at-rest-encryption. IF they someone get root access to your system while it's logged in - they wont' be able to do anything with the data in the VM.
And yes, if you're worried about a hack0r having the compute power to overwhelm your AES-whatever encryption: your threat model is likely too advanced.
Turn off your computer, vaporize your storage, then flee and go and live in a mountain. If your antagonists can easily break AES, you have bigger problems.
Hate passing through USB devices constantly? Add a PCI-Reset compatible USB card and USB switch to add an inexpensive mouse-keyboard switcher. Now the machine running the VM has NO IDEA what you're typing (which will help keep work stuff and personal stuff safe).
What if someone compromises your host machine? Well, here's hoping they have the ability to hack a TPM module remotely, because you can pass that to a Virtual Machine now to (which is how you can run Windows 11 without any hacks).
Your machine gets physically stolen? Not only is my machine encrypted at rest, if they are able to break the encryption they'll be met with additional layers of at-rest encryption.
Speaking of which, you can create shared drives between virtual machines. You can clone, or partially clone a virtual machine - allowing you to share data between existing VMs. This is particularly useful for things like gaming, where you might one VM to be configured to use specific HDMI ports (for streaming to a TV).
Worried about ransomware? You should be - it's not nice. Make backups because you know it's the right thing to do. Don't let leet coders be the arbiters in your life.
Why I believe VMs are probably my future
Before the last few months, I struggled to come to terms about virtual machines and their full range of usefulness. For the most part, all of the "always-on" services I run at home are already confined to containers (which are like VMs but without the overhead of needing a hypervisor - making them much easier to manage, and faster to move around or scale), which made virtual machines a redundancy I didn't really need.
Now that I've applied the idea of containers to my personal workflows, the inherent usefulness of virtual machines has exceeded my expectations. Having the ability to spin up or down isolated environments, with full graphical support, usb passthrough, and even better than expected audio - has fundamentally changed how I see a computer, probably forever.