Might want to try out the BOXD54250WYKH1 NUC - Amazon is still selling it.
https://www.bromium.com/advanced-endpoint-security/our-techn...
[1] https://groups.google.com/forum/#!topic/qubes-devel/MfHy2jmX...
I just (today) made a purchase of a VM server off newegg, using all AMD hardware for hardware passthrough[0], because of how truly poor NVIDIA is in this regard.
0. https://teksyndicate.com/videos/gta-v-linux-skylake-build-ha...
http://www.oracle.com/technetwork/articles/servers-storage-a...
https://en.wikipedia.org/wiki/Solaris_Trusted_Extensions
The whole idea of encapsulated data paths with labeled domains, etc. were all pioneered first in Solaris.
The unique spin here with Qubes OS seems to be do something similar, but using virtualization.
They actually came from the high assurance field that created the Orange and Red Books for endpoints and networking respectively. Earliest, fielded systems like that were in the mid-80's. Later, since nobody wanted real security, they dropped the assurance but kept & expanded features in so-called Compartmented Mode Workstations described here:
http://web.ornl.gov/~jar/doecmw.pdf
Trusted Solaris, which started as Sun MLS, conformed to low-to-mid grade of Orange Book:
http://www.cse.psu.edu/~trj1/cse544-s10/slides/cse544-lec12-...
Others included Trusted IRIX, SEVMS version of OpenVMS, Trusted Xenix around same time as Sun MLS, and so on. Many of those weak OS's with security retrofits. Today, there's Argus Pitbull, Trustifier, maybe others I don't know about.
Over time, due to security failures, DOD once again wanted high assurance desktops built on secure isolation. Turned to separation kernels (MILS) built to high assurance requirements. INTEGRITY-178B, LynxSecure, and VxWorks MILS built on that model with labeled, color-defined, virtualized desktops showing up starting around 2005. Nizza security architecture and TUDOS demo did stuff similar to high-assurance work for OSS in 2005-2006. QubesOS showed up later building on insecure Xen stack w/ VM-level separation and CMW-like features. GenodeOS built on Nizza/TUDOS work around 2007 while continuing to integrate high-assurance stuff like seL4 where possible.
So, no, Sun didn't invent these concepts or even design a high assurance system that I'm aware of. It was SCOMP, GEMSOS, XTS-300, and likely Trusted Xenix that proved most of the concepts out. Sun copied and improved on a watered down version of that. Separation kernels like INTEGRITY-178B and architectures like Nizza showed how it was supposed to be done. Then, Qubes later copied CMW's w/ a weak virtualization scheme and components but better usability (administration & hardware support) than separation kernels.
There's the lineage and history lesson for you.
Copycats? You're going to resort to name calling in an attempt to discredit actual success and reality?
Name another commercial UNIX operating system today that has an equivalent to Solaris role-based access control fully integrated throughout the entire operating system and components, especially one that supports the "two-person" rule:
https://blogs.oracle.com/gbrunett/entry/enforcing_a_two_man_...
"RHEL w/ SELinux and security add-ons. Argus on Solaris and Linux. Trustifier on Linux. Seems like there's four on two OS's depending on your measurement."
RHEL isn't UNIX and their security model is nothing compared to Solaris.
"Smart move."
Apparently not as smart as quoting lots of facts not relevant to the given context (desktop operating system) and then dismissing decades of R&D and actual commercial success of Solaris in a snide manner.
Enjoy your pyrrhic victory.
The best route for isolation, though, is to apply one of the industry separation kernels or virtualization schemes from CompSci that leave more untrusted. Good news is that I found a great document that describes MILS in detail plus some prior work and terms:
http://www.euromils.eu/downloads/2014-EURO-MILS-MILS-Archite...
GenodeOS is OSS built similar to MILS from European CompSci: