Actually, having a malicious hardware attached at boot time is something hard
to defend. Even if Xen does not attach the hardware to dom0, there is some
pre-Xen phase of boot – BIOS/UEFI. Qubes cannot affect this phase of boot. If
you have attached a malicious device that for example pretends to be a USB
keyboard, it can control the computer. It can also try to provide another boot
medium or to exploit a vulnerability (e.g., some FS parsing vulnerability in
UEFI).
So, I advise some Qubes-unrelated mitigations:
* If possible, avoid having untrusted devices connected at boot.
* Check your boot medium options in BIOS config.
* Set a BIOS password. Even if it can be bypassed by anyone with physical
access, your malicious device is unlikely to take a screwdriver and disassembly
your computer. :)
That's not to say that Qubes-related mitigations are useless. They are just not
enough when you are concerned about boot time.
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/bb4a5f98-9605-4b15-b5c8-8cd10d574512%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.