Vms vs Containers
Advantages of containers
- Lower memory usage
- Much easier memory sharing between environments (especially with KSM/etc)
- Much faster start times
Advantages of vms
- Better hardware isolation between containers
Hardware enforced isolation of devices (network cards, etc) between containers using the IOMMU
- Smaller attack surface accessible from each container (as the memory space/io space is segregated)
Protection from Kernel exploits, as each container has it's own kernel.
- Greater protection against side channel attacks, due to the greater isolation, and due to emulated devices. As an example, you can't exploit Rowhammer on GPU ram if you only have an emulated graphics device to render to.
Overall it's clear that for a security focused system, using VM's to separate Qubes makes the most sense.