[qubes-users] Re: Booting from two separate hard drives?

[billollib]

Heh.  It seems to me that the "Reasonable" in Qubes "A reasonably secure 
operating system" has differing values of "reasonable" depending on the user.  
I have qubes on a triple boot machine (one hard drive).  

The fact is that there is, and always will be, an inverse relationship between 
security and usability, and one has to decide on the balance on an individual 
use basis.  Security isn't a toggle.  It's a little like locks.  You lock your 
luggage not to stop someone determined to break in, but mostly just to stop it 
from spontaneously popping open as it gets thrown around by baggage handlers.  
You lock your car not to stop someone with a hammer and a crowbar, but to 
discourage people just pulling on door handles to see what they can get.  You 
lock your doors to your house not to stop a guy with a tank, but to encourage 
your average thief to go next door.  You build a gun safe so that it takes 
significant machinery to get in, and a home intruder will not be able to get 
your weapons.  You build a safe room so that it takes machinery and lots of 
time to get in.

The same thing is true here.  Qubes is cool, and it provides significantly more 
security/privacy than "regular" linux, which provides more security/privacy 
than Windows.  Most of us are not being targeted by the NSA.  Most of the folk 
I know are mostly just sick of Google and Facebook et al. stealing our lives, 
and don't like the idea of trivial routine surveillance of our lives.  For 
that, security isn't an all or nothing thing.  It's a continuum, and there's 
nothing "wrong" with making "reasonable" compromises for the sake of usability 
-- if one knows and is willing to accept the risks.

IMHO, of course.

billo

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/97f9f76a-90b8-4af7-9099-3ee8a07a9e49%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Booting from two separate hard drives?

[john]

On 03/22/2018 04:22 PM, cooloutac wrote:

On Monday, March 19, 2018 at 12:59:40 PM UTC-4, Linus Stridbeck wrote:

Hi, I have the opportunity to by a computer (HP EliteBook) that have space for 
two hardrives one SSD and one Sata M.2 SSD 2242.

I would like to run Windows on the SSD and Qubes on the Sata M.2 SSD 2242

 From what I have read it is possible all it takes is some modifications in 
bios.
  
But is it advisable from a security point of viwe? I know its a bad ider to boot from one singel hardrive but in this case i guese the Windows hard drive is completely disconnected when runing qubes on the Sata drive?


No its not advisable because windows if compromised can  undermine the qubes 
/boot partition which is not encrypted.

And even if you are disconnecting drives,  its much easier to flash firmware 
from windows then in qubes,  which would also then undermine qubes when you 
connect its drive and run it.



Just don't let the perfect be the enemy of the good.  I have two 
systems, both with windows on 1 HD , Qubes on the other,  3.2 seems to 
be UEFI , 4.0  only seems do-able  with Legacy.


It seems a bit far fetched that remotely someone is going to boot up my 
windows drive and reflash my Bios , though nothing is impossible these 
days, but as some say,  if that is your adversary's skill set, than you 
may have bigger problems :)


I don't like having to keep windows around, but Qubes being what it is, 
there is something to be said  for having a backup OS   IMO ; and I 
don't think I'm going to want to learn gnucash and there being no win 
tools (not that I ever got that stable in 3.2) in 4.0 .



Perhaps I one keeps their windows use to a minimum and offline, one 
might less worried about  /boot ?


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3ebf9fa6-6859-35f3-a98d-1cdd7732e025%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Booting from two separate hard drives?

[cooloutac]

On Monday, March 19, 2018 at 12:59:40 PM UTC-4, Linus Stridbeck wrote:
> Hi, I have the opportunity to by a computer (HP EliteBook) that have space 
> for two hardrives one SSD and one Sata M.2 SSD 2242. 
> 
> I would like to run Windows on the SSD and Qubes on the Sata M.2 SSD 2242 
> 
> From what I have read it is possible all it takes is some modifications in 
> bios.
>  
> But is it advisable from a security point of viwe? I know its a bad ider to 
> boot from one singel hardrive but in this case i guese the Windows hard drive 
> is completely disconnected when runing qubes on the Sata drive?

No its not advisable because windows if compromised can  undermine the qubes 
/boot partition which is not encrypted.

And even if you are disconnecting drives,  its much easier to flash firmware 
from windows then in qubes,  which would also then undermine qubes when you 
connect its drive and run it.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3fecb166-a118-4e4e-a225-fb31bb3f883b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Booting from two separate hard drives?

[Linus Stridbeck]

Very god information! Thanks..

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c445a8d5-60ba-4e89-b8e7-3099b90e8ce7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Booting from two separate hard drives?

[Linus Stridbeck]

Den måndag 19 mars 2018 kl. 22:17:26 UTC+1 skrev Jon R.:
> On Mon, Mar 19, 2018 at 4:25 PM Linus Stridbeck  wrote:
> That's a serious question I don't get it...
> 
> 
> 
> Any way would itbe compleatly safe to actuly changing harddrives manualy?
> 
> 
> 
> That’d remove the potential brute force option outlined above however if your 
> firmware got infected all bets are off. 
> 
> 
> Generally speaking it really depends on your use case. At this current 
> juncture at this (this is my opinion) point in time that workflow is fine for 
> most people. It really depends on your level of concern. 
> 
> 
> I personally use a laptop exclusively with QubeOS for travel and utilize two 
> hard drives (simultaneously plugged in) on a local desktop for multiple boots 
> as this fits my use case / scenario. 
> 
> 
> It boils down to risk / reward / practicality for you. 

Obviously you seem understand the technical aspects.
So conclusively its less secure to boot from different hard drives compared to 
switching manualy becous the first option could alow some one to get in to bios 
not only firmware?

Its amzing to me that its even possible to get in the firmware! Ones in the 
firmware youre basicly one step from the hardrive? Is it easier to get in the 
firmware whern using Windows than when using qubes? 

Besides when in the firmware you per se have to IP address?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a9b8c285-ad1d-4de4-95bf-4ff3ccc55d0e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Booting from two separate hard drives?

[Linus Stridbeck]

Den måndag 19 mars 2018 kl. 22:17:26 UTC+1 skrev Jon R.:
> On Mon, Mar 19, 2018 at 4:25 PM Linus Stridbeck  wrote:
> That's a serious question I don't get it...
> 
> 
> 
> Any way would itbe compleatly safe to actuly changing harddrives manualy?
> 
> 
> 
> That’d remove the potential brute force option outlined above however if your 
> firmware got infected all bets are off. 
> 
> 
> Generally speaking it really depends on your use case. At this current 
> juncture at this (this is my opinion) point in time that workflow is fine for 
> most people. It really depends on your level of concern. 
> 
> 
> I personally use a laptop exclusively with QubeOS for travel and utilize two 
> hard drives (simultaneously plugged in) on a local desktop for multiple boots 
> as this fits my use case / scenario. 
> 
> 
> It boils down to risk / reward / practicality for you. 

Obviously you seem understand the technical aspects.
So conclusively its less secure to boot from different hard drives compared to 
switching manualy becous the first option could alow some one to get in to bios 
not only firmware?

Its amzing to me that its even possible to get in the firmware! Ones in the 
firmware youre basicly in the hardrive right? Is it easier to get in the 
firmware whern using Windows than qubes? If not im not to worried about 
switching hard drives for that reason.

Besides when in the firmware you per se have to IP address right?



-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8a5d012b-d72c-48ef-a39d-e9ff13a1b842%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Booting from two separate hard drives?

[Linus Stridbeck]

Den måndag 19 mars 2018 kl. 22:17:26 UTC+1 skrev Jon R.:
> On Mon, Mar 19, 2018 at 4:25 PM Linus Stridbeck  wrote:
> That's a serious question I don't get it...
> 
> 
> 
> Any way would itbe compleatly safe to actuly changing harddrives manualy?
> 
> 
> 
> That’d remove the potential brute force option outlined above however if your 
> firmware got infected all bets are off. 
> 
> 
> Generally speaking it really depends on your use case. At this current 
> juncture at this (this is my opinion) point in time that workflow is fine for 
> most people. It really depends on your level of concern. 
> 
> 
> I personally use a laptop exclusively with QubeOS for travel and utilize two 
> hard drives (simultaneously plugged in) on a local desktop for multiple boots 
> as this fits my use case / scenario. 
> 
> 
> It boils down to risk / reward / practicality for you. 

Obviously you seem understand the technical aspects.
So conclusively its less secure to boot from different hard drives compared to 
switching manualy becous the first option could alow some one to get in to bios 
not only firmware?

Its amzing to me that its even possible to get in the firmware! Ones in the 
firmware youre basicly one step from the hardrive right? Is it easier to get in 
the firmware whern using Windows than when using qubes? 

Besides when in the firmware you per se have to IP address right? 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/10770d12-fa74-4044-ad19-2277dd17be7c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Booting from two separate hard drives?

['awokd' via qubes-users]

On Tue, March 20, 2018 1:28 pm, Yuraeitha wrote:

> Also note if you for example link your drives directly into an AppVM for
> example via qvm-block or qvm-usb, as far as I understand it, you're
> essentially exposing the firmware of the drives/thumb-drives

That's partly (since the USB controller remains in sys-usb which I imagine
restricts access somewhat) true of qvm-usb but not qvm-block. Ideally,
when you use qvm-block you attach a partition to a VM. By attaching the
whole block device instead, you additionally expose the VM to partition
table level attacks, but still not firmware.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6ea0f4697c7ee0a0a2cdb9e92335bdd9.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Booting from two separate hard drives?

[Yuraeitha]

On Tuesday, March 20, 2018 at 10:11:29 AM UTC+1, Linus Stridbeck wrote:
> Obviously you seem understand the technical aspects.
> 
> So conclusively its less secure to boot from different hard drives compared 
> to switching manualy becous the first option could alow some one to get in to 
> bios not only firmware?
> 
> Its amzing to me that its even possible to get in the firmware! Ones in the 
> firmware youre basicly one step from the hardrive right? Is it easier to get 
> in the firmware whern using Windows than when using qubes? 
> 
> Besides when in the firmware you per se have to IP address right?

The BIOS/UEFI is also firmware btw, so in the future you read security articles 
and firmware is mentioned, it might indirectly include mention of BIOS/UEFI as 
well. The same goes to any other firmware, drives like 
HHD's/SSD's/HVMe's/thumb-drive's all have firmware too, and so does USB, and 
many other pieces of hardware. Qubes OS founder Joanna is advocating for 
stateless hardware, essentially hardware without firmware, where the software 
fully controls the hardware. This allows for machines to be wiped clean and 
install fully secure software on it again, or to reset if you suspect you got 
infected. Unfortunately right now market forces, politics, society habits, as 
well as competition and costs, all make it unlikely for anyone to start 
creating stateless hardware. It'd require a big push, or for a significant 
producer to start doing it, politics demanding it via law, or something like 
that.

Also note if you for example link your drives directly into an AppVM for 
example via qvm-block or qvm-usb, as far as I understand it, you're essentially 
exposing the firmware of the drives/thumb-drives, and thereby new firmware 
threats can reach this firmware, even if you're using Qubes. This is something 
the developers warned us about and are working on solving. But it goes to show 
that you're not fully safe, not yet, though using Qubes OS gets you far into 
the right direction at least, and it's a direction that is rapidly improving 
further.

And as you might suspect now, your question if it's easier to access firmware 
from windows, is essentially a big yes, your firmware is completely exposed in 
any operation-system running directly on the hardware. That's the strength of 
virtual environments, you can keep it out of reach of the hardware's firmware. 
Unfortunately virtual technology isn't perfect yet, it's still under 
development and improvements. But the protection Qubes provides, is far 
superior than the non-existing protection i.e. Windows provides.

Dual booting has two major issues that are solved by not dual booting 
- Easier to cause new infection of firmware from a less secure Operation System.
- Attacks carried out on the secure OS from the non-secure OS.

I believe those two can carry all the exploit methods meta-headlines, beneath 
them it gets much more complicated, but essentially it can be narrowed down to 
those two headlines in a broad sense.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/96f7b2ce-9636-4a13-9648-ff6eaa8da99b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Booting from two separate hard drives?

[Linus Stridbeck]

Obviously you seem understand the technical aspects.

So conclusively its less secure to boot from different hard drives compared to 
switching manualy becous the first option could alow some one to get in to bios 
not only firmware?

Its amzing to me that its even possible to get in the firmware! Ones in the 
firmware youre basicly one step from the hardrive right? Is it easier to get in 
the firmware whern using Windows than when using qubes? 

Besides when in the firmware you per se have to IP address right? 


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7ab2fa1d-6890-4e08-baed-2e95c5b88e96%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Booting from two separate hard drives?

[Linus Stridbeck]

Obviously you seem understand the technical aspects.

So conclusively its less secure to boot from different hard drives compared to 
switching manualy becous the first option could alow some one to get in to bios 
not only firmware?

Its amzing to me that its even possible to get in the firmware! Ones in the 
firmware youre basicly in the hardrive right? Is it easier to get in the 
firmware whern using Windows than qubes? If not im not to worried about 
switching hard drives for that reason.

Besides when in the firmware you per se have to IP address right?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/520621dc-0968-4c1a-b576-00d8b8bc2d4b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Booting from two separate hard drives?

[Jon R.]

On Mon, Mar 19, 2018 at 4:25 PM Linus Stridbeck 
wrote:

> That's a serious question I don't get it...
>
> Any way would itbe compleatly safe to actuly changing harddrives manualy?
>

That’d remove the potential brute force option outlined above however if
your firmware got infected all bets are off.

Generally speaking it really depends on your use case. At this current
juncture at this (this is my opinion) point in time that workflow is fine
for most people. It really depends on your level of concern.

I personally use a laptop exclusively with QubeOS for travel and utilize
two hard drives (simultaneously plugged in) on a local desktop for multiple
boots as this fits my use case / scenario.

It boils down to risk / reward / practicality for you.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJd29STYYUVTUN3owf8eiDkpRcvoaUvWfuFB6Wptmkmt8F6JnQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Booting from two separate hard drives?

[Linus Stridbeck]

That's a serious question I don't get it...

Any way would itbe compleatly safe to actuly changing harddrives manualy?


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a16ba128-9d53-4bb2-81bc-446a72eed1f7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Booting from two separate hard drives?

[Yuraeitha]

On Monday, March 19, 2018 at 8:23:50 PM UTC+1, Linus Stridbeck wrote:
> ok, that's interesting. so whats the difference between between booting like 
> i proposed and simply manually taking out the windows harddrive and putting 
> in a hardrive with qubes on it?

This would protect you from current and future attacks like the ones mentioned, 
but it will not protect you from existing infected firmware if it has already 
exploited/attacked, essentially it's like ghosts living in your firmware, it'll 
keep coming back. The question is if your hardware's firmware got 
exploited/attacked in the past or not. You're not totally safe, but on the 
other hand you would be more safe than before.

The question is also if you want to go this far though, Qubes is not fully 
developed yet to completely isolate the hardware. For example firmware of 
drives may get exposed in the current Qubes. Qubes OS has gotten far, but as 
the developers say themselves, it still got some areas to fix, which will be 
done in the future versions of Qubes OS. 

Essentially, you may want to question if you want to take extreme measures, 
whether it's worth it not, considering currently many firmware attacks may 
still be exotic (but may not stay that way), and that Qubes isn't fully 
isolated from the hardware today, so you'll still be exposed to damaging 
firmware's anyway, at least for some time to come.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b814195e-071f-40fe-a1e8-234ca11771ae%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Booting from two separate hard drives?

[Linus Stridbeck]

Ok, that's interesting. So whats the difference between between booting like i 
proposed and simply manually taking out the windows harddrive and putting in a 
hardrive with qubes on it?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5260c862-5905-439d-8d8d-0844889b7545%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Booting from two separate hard drives?

[Linus Stridbeck]

ok, that's interesting. so whats the difference between between booting like i 
proposed and simply manually taking out the windows harddrive and putting in a 
hardrive with qubes on it?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b2bfc099-2fc6-40b9-a5b4-c3a2fc2820f5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Booting from two separate hard drives?

[Linus Stridbeck]

Ok, thats intreasting! So whats the diference between betven booting like I 
peoposed and simply manualy taking out the windows hard  drive and putting in a 
hardrive with Qubes on it?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c319a64a-2f18-4b5b-9344-77d0e57dd60a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Booting from two separate hard drives?

[Yuraeitha]

On Monday, March 19, 2018 at 5:59:40 PM UTC+1, Linus Stridbeck wrote:
> Hi, I have the opportunity to by a computer (HP EliteBook) that have space 
> for two hardrives one SSD and one Sata M.2 SSD 2242. 
> 
> I would like to run Windows on the SSD and Qubes on the Sata M.2 SSD 2242 
> 
> From what I have read it is possible all it takes is some modifications in 
> bios.
>  
> But is it advisable from a security point of viwe? I know its a bad ider to 
> boot from one singel hardrive but in this case i guese the Windows hard drive 
> is completely disconnected when runing qubes on the Sata drive?

Another idea is to use BIOS/Grub, instead of UEFI/EFI, put the parts of Grub 
that is un-encrypted on an CD/DVD/Bluray, and use your disk to boot up Qubes. 
This way it cannot be modified.

Your BIOS/firmware is still exploitable though, but at the very least you're 
less exposed.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c3d5f5bd-cdbe-4c57-8ef2-8cb40efa5a58%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Booting from two separate hard drives?

[Yuraeitha]

On Monday, March 19, 2018 at 5:59:40 PM UTC+1, Linus Stridbeck wrote:
> Hi, I have the opportunity to by a computer (HP EliteBook) that have space 
> for two hardrives one SSD and one Sata M.2 SSD 2242. 
> 
> I would like to run Windows on the SSD and Qubes on the Sata M.2 SSD 2242 
> 
> From what I have read it is possible all it takes is some modifications in 
> bios.
>  
> But is it advisable from a security point of viwe? I know its a bad ider to 
> boot from one singel hardrive but in this case i guese the Windows hard drive 
> is completely disconnected when runing qubes on the Sata drive?

It's certainly possible yes, I've done it multiple of times on different 
hardware, although I don't do it on my main hardware. Just be sure you know 
your way around UEFI/BIOS EFI/Grub.

- Firmware, while maybe exotic attacks? can be attacked, and thereby having 
anything unsecure installed on your system, from anytime in the past, to any 
time in the future, while using Qubes on it, is insecure. Once comprimised, 
it's not really something you can undo again by erasing disks or putting in new 
disks. Generally too, it's not certain when or how these kind of attacks are 
measured, so they may be more common than imagined, maybe years into the 
future? Especially when A.I.'s come around, but don't wait for A.I.'s to take 
this threat seriously, it may happen before then. 

- Qubes must also always stay encrypted, never access it from another unsecure 
operation system. 

- Password encryption must be at least strong enough so that your own cpu can't 
brute-force it. I don't think it can be brute-forced remotely though, but you 
never know.

Whether its advisable? I frankly don't know, I don't have the skills and 
expertise to tell you. But if you ask me, it can work, but it isn't something 
you should bet your own life on.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/88cb41cd-f794-48b6-bd21-7477c512b673%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.