Dual-boot by replacing the SSD

zaz · March 4, 2025, 7:07pm

There was quite an interesting post a few years back that perhaps didn’t get the attention it deserves. The post suggested using hardware switches to switch power between drives prior to booting. So when booting Windows, the Windows SSD will have no access to the Qubes SSD.

What is the risk to doing this? Are there any other risks than a Windows virus flashing firmware?

I believe UEFI can be locked so that the OS cannot modify it. Can the OS then still modify firmware of other devices (SSD, etc)? Is there any way to prevent this?

Are there any other attacks I have not thought of?

ChrisA · March 4, 2025, 8:43pm

On some machines, UEFI will by itself permanently remove boot options that it notice to be absent … so you might have to add the needed UEFI entries every time you switch between the drives … but that’s not really an attack vector, just something to be aware of.

phceac · March 5, 2025, 10:51am

Oh my word! Is it true?

Is this impossible to turn off?

Can you name-and-shame, so I can add them to my avoid-list?

Sks · March 5, 2025, 11:04am

That is actually something i have thought about. This could work really well if the firmware could somehow be made constant and persistent, which is impossible to be 100% sure. Even the usb which has a write protect switch can be written on, the only way to be 100% read only is if it is isolated. In my opinion in the context you want to use it(as a way to prevent a virus jumping between os’s) is useless and hell of impractical because a virus can still jump even if does not have access because it is still connected.

Vael_S · March 5, 2025, 12:39pm

I have USBs that can be write protect.
I even have different drives that go for different systems.

Doesn’t matter if UEFI BIOS has anything in particular. As long as it can boot to USB I can boot to my USB drives without issue.

I have not seen any boards that have BIOSes that remove things like described. I haven’t seen any in my 38+ years working on PCs. Not saying they don’t exist, but to do anything like that would be stupid for a manufacturer.

So you can install a button to make a USB drive read only and not, you just need 2 wires, a switch, a soldering iron and some solder.

All you have to do is put the switch on the writing circuit, and have it run through the switch instead. I used to do that on older USBs back in the day. Even had some that were built that way.

But as far as OP goes, I have Windows and Qubes and Devuan drives. I switch between them as often as I want.

Wether I have UEFI or not doesn’t matter, they will all boot.
I can move to other PCs and still boot the drives too, doesn’t matter if it’s 2013 hardware or 2024 hardware. Doesn’t matter if UEFI is on or not.
My PC has drive bays in the front for my SATA SSDs, 2.5 inch, and that’s fine for me… I change out whenever I want to.

When I switch back to my Qubes, I generally run a RAM cleaner first.
As far as hardware writing, you can add checks that does a BIOS validation for the checksum and also for the CPU operating system as well to see if the CPU O/S is infected or not.

If you do things the right way, there isn’t any issue that I have been able to find since my Windows drives have enough protection and the O/S has it’s restrictions as well.

So if you want to just do power switching, yes it will work fine. just using the SATA connection won’t have enough power in it to do much of anything. It can not even boot the PCB on an HDD.

zaz · March 7, 2025, 3:48pm

I couldn’t find anything to do this with PCIe SSDs. Closest thing I could find was an adapter that makes them hot-pluggable. I guess I’ll go with putting the /boot partition on a USB that is removed when the untrusted OS is in use, unless anyone has a better idea?

fsflover · March 7, 2025, 5:03pm

If Windows compromises the BIOS, then it can compromise dom0. You can use Heads to verify your BIOS every time you boot to mitigate that. This is mentioned here:

Vael_S · March 16, 2025, 12:44am

Why PCIe SSDs? You don’t have M.2?
Can you provide the DMI for analysis please?

I don’t know any Motherboards that use PCIe SSDs, they do have WiFi and BT on PCIe regularly thoguh.

PCIe will not be Hot Swap capable that I know of either.

You could use the PCIe on the SATA using an adaptor, on the external drive bay for swap.
That’s easy, they are about $10 a piece. And they have M.2 on them as well if you ever decide to upgrade to M.2.

But then again all depends how you want to do things.

There are other posts in regards to this that I have talked about all this before, and I even mentioned things in my previous post here.

Easy way to have things with no access to each other, jsut turn them off in the BIOS when you switch drives.
Disable Qubes, enable Windows.
Then reverse to switch back.

It isn’t hard.