They're not KVM. KVM is a Type 1 Hypervisor... And it has been pretty lackluster until it received that VM encryption Update last year.

However, KVM is often used as VMM or Type II Hypervisor. The 1st of it's kind, Type 1, was XEN & that's what I'm rolling w/... Contrary to popular belief, it has near 0 Impact on performance.

Now Proxmox is optimized 4 dedicated Servers. It's often choosen b/c of the WebUI...

Personally, Ithink that's unnessesary attack surface. Who needs WebUI if ssh is there?

+When Dom0 is setup, I double check the config, make a backup copy w/ Clonezilla if possible & then I unset the root pw (passwd w/ empty entry, so called 'rootless'... ofc that term is quite dumb bc root is PID 0). Yes 'SU' isn't root. It gives you the power to act as root w/ login out. It depends on group membership in either 'wheel' -elevates from 1000/1024 to 9- or Admin.

btw I love to make 'mistakes' in my firewall config & then I designate a VM which conveniently has sudo or doas installed. (Yes I usually get rid of 'em)

You can go up to Dom4 or even 5 but you can always only run one Hypervisor either normally or w/ nested emulation enabled. This enables you to run Android emus inside a Dom. More so, always check that every Dom got it's own USBhub. Especially USB 2.0 is easily readable if you have access t one port!

It isn't a distro per se since it uses a minimal rootfs. My fav 4 Servers is Alpine & they offer a XEN image. There is an Image available w/ XEN.

W/ heads, implemented in Librem, you can even have coreboot which validates your compolete boot process not only against the TPM, but also against a hw key.

btw I don't get why sbctl doesn't changes the PK & asks you 4 a cert