Thanks for explaining. IIUC, the 2 options are:

1. Have a dedicated rootqube for each VM. - Overkill.
2. Have one rootqube for all VMs. - No isolation: that rootqube will know every root command of every client qube.

Here is another idea: Have a “Root Terminal” submenu for each domU to the Qubes Domains. This will be a shortcut for running e.g. qvm-run -u root VM xterm - something which required dom0 privilege, i.e. no conventional privesc possible.

I don’t know how one can add such submenus ...