So…I turn on my computer…it shows me a list of which OS i’d like to start (Linux or Windows)…How can I add Qubes to the list?
1 Like
I wouldn’t bother. By doing that you are cancelling whole premise of Qubes: to have a reasonably secure OS.
The way you intend to, it’s impossible. Other OS’s can and will at some point mess up not only your Qubes…
Sorry to bring you bad news…
The good news is that nothing prevents you from having Ubuntu and Windows, or whatever UNDER Qubes and truly be reasonably secure. It’s your call and choice…
1 Like
I do not think it is possible, even if you can find a way, as @tempmail say you will be adding a surface attack.
I would recommend to remove your hard drive put a new one and install Qubes on that second hard drive, so you can test it and see if it is what you need, then you can use Ubuntu and Windows templates if you need.
1 Like
This is absolutely possible - I run such a configuration for several years. You should proceed using the following steps:
- Install Qubes on a separate disk. Do not use any disks used for Windows or Linux, since this may cause trouble or even security risks.
- Install Qubes on that new disk.
- In
dom0, add new entries to the Qubes boot menu for your existing Windows and Linux installations. You can do this by creating appropriate menu definition files in/etc/grub.d. - For instance, to add a Linux menu entry before the Qubes menu entry, add a file
07_custom, containing:
#!/bin/sh
exec tail -n +3 $0
menuentry "Mint 22 Wilma" {
insmod part_gpt
insmod ext2
search --no-floppy --fs-uuid --set=root <UUID of boot partition>
linux /vmlinuz-6.8.0-39-generic root=UUID=<UUID of system partition> ro quiet splash
initrd /initrd.img-6.8.0-39-generic
}
- In order to add a menu entry for a Windows system after the Qubes menu entry, add a file
42_custom, containing:
#!/bin/sh
exec tail -n +3 $0
menuentry "Windows 7 Professional 64 Bit (SSD)" {
insmod part_msdos
insmod ntldr
insmod ntfs
set root=(hd1,msdos1)
search --no-floppy --fs-uuid --set <UUID of Windows partition>
ntldr ($root)/bootmgr
}
- Set the new files’ protection to allow execution via
chmod +x. - Recreate the Qubes
grubmenu viasudo grub2-mkconfig -o /boot/grub2/grub.cfg. - Set the boot sequence of your PC to boot from the Qubes disk as the preferred option.
Now your system will boot into the Qubes boot menu, offering to boot Qubes along with the other systems.
In order to reduce the risk for the Qubes installation, you should use the default installation option of encrypting the Qubes disk. In this case, the other systems might still be able to destroy Qubes, but not to modify it. You should also consider installing boot protection via AntiEvilMaid or Heads. Now the only way for the foreign systems to attack Qubes should be via some BIOS modification, but this could have happened long before you installed Qubes; so this would be no new significant additional threat.
Remember, however, that it depends on your threat model whether such a configuration is acceptable for you: You will be well protected against run-of-the-mill hackers, and be much better off than with native Linux or Windows. But if your adversary is something like the NSA, Mossad, GRU, or such, planning a targeted attack against you, you have bad luck. In this case, even a separate Qubes installation probably will not be able to provide sufficient protection.
Have good luck, and a fine New Year!
3 Likes
Just to be clear: I meant the way he intended to, it’s impossible to have reasonably secure OS, not to multiboot. That’s trivial.
1 Like