Firmware device quarantine for compartmentalized OSs
Device passthrough is very useful, but persistent hardware compromise is an ever-present danger. Many devices have significant persistent mutable state, and while they attempt to secure this state to the best of their abilities, exploits are still found.
One solution to this problem is to persistently quarantine an entire port and all of the devices behind it. For most purposes, devices behind a quarantined port are ignored by both the firmware and the operating system. However, such devices can still be used for passthrough. This ensures that the device can only harm a VM or program that it is attached to.
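The property described above, that a device behind a quarantined port is never claimed by a host driver and is only ever handed to a passthrough stub, can be checked on the OS side. The following is an added example, not code from the original page or any project it describes; it assumes a Linux-style PCI topology modelled as a constructed list (shaped after /sys/bus/pci/devices), and that `vfio-pci` is the passthrough stub driver.

```python
# Added example (not from the original page): given a list of quarantined
# PCI ports, report any device downstream of such a port that a real host
# driver has claimed. Only the passthrough stub (or no driver) is allowed.
# Assumption: topology and bindings are a constructed model, not read from
# sysfs, so the script runs offline.
from dataclasses import dataclass
from typing import List, Optional, Tuple

PASSTHROUGH_STUB = "vfio-pci"  # assumed stub driver used for passthrough


@dataclass
class PciDevice:
    address: str             # e.g. "0000:02:00.0"
    parent: Optional[str]    # upstream port/bridge address, None for a root port
    driver: Optional[str]    # bound host driver, None if unbound


# Constructed sample topology: port 00:1c.0 is quarantined, port 00:1d.0 is not.
SAMPLE: List[PciDevice] = [
    PciDevice("0000:00:1c.0", None, "pcieport"),
    PciDevice("0000:02:00.0", "0000:00:1c.0", PASSTHROUGH_STUB),  # ok: stub
    PciDevice("0000:03:00.0", "0000:00:1c.0", "xhci_hcd"),        # violation
    PciDevice("0000:04:00.0", "0000:00:1c.0", None),              # ok: unbound
    PciDevice("0000:00:1d.0", None, "pcieport"),
    PciDevice("0000:05:00.0", "0000:00:1d.0", "e1000e"),          # not quarantined
]


def downstream(devices: List[PciDevice], port: str) -> List[PciDevice]:
    """Return every device transitively behind the given port address."""
    found: List[PciDevice] = []
    for dev in devices:
        if dev.parent == port:
            found.append(dev)
            found.extend(downstream(devices, dev.address))
    return found


def quarantine_violations(devices: List[PciDevice],
                          quarantined_ports: List[str]) -> List[Tuple[str, str]]:
    """(address, driver) pairs for devices behind a quarantined port that a
    host driver other than the passthrough stub has claimed."""
    bad: List[Tuple[str, str]] = []
    for port in quarantined_ports:
        for dev in downstream(devices, port):
            if dev.driver not in (None, PASSTHROUGH_STUB):
                bad.append((dev.address, dev.driver))
    return bad


if __name__ == "__main__":
    for addr, drv in quarantine_violations(SAMPLE, ["0000:00:1c.0"]):
        print(f"quarantine violated: {addr} is bound to host driver {drv}")
```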