Dual boot with NO network for Windows

The only need I have for Windows (or OSX) these days is for video editing or serious work in Photoshop etc.

For this its actually ideal to be offline while working on projects like these, and I will always have another device running if I absolutely need to search for something related to those tasks.

Would a dual boot with Qubes where all connectivity is removed for Windows/OSX be as secure as a clean install?

Updates on the Windows/OSX partition would also then not be necessary, maybe once a year or less while wiping & reinstalling Qubes as well, that should be a good thing to make sure all the data there is truly portable anyway!

No, you can’t know for sure what’s on a closed-source system with lots of proprietary drivers and programs.

You can find a few links here: My Qubes broke again. Can't see network - #3 by BEBF738VD

If you have the need for Windows programs, you could try installing them in a Windows VM.

Sorry, but this reply doesn’t even make sense…

Sounds like you didn’t read or grasp my question, which makes sense if what you’re trying here is to get some paid work.

Which I’d certainly support, but not in this fashion!

No, it’s not as secure as a clean install. Windows will have full access to unencrypted /boot partition of Qubes and can do anything with it. Also with BIOS. It’s basically the same as this, but no network for Windows. Why do you think it matters?

Maybe if you fully trust your current version of Windows, but not all future updates, it could make sense.

A good solution could be using Heads with Nitrokey/Librem Key to verify the BIOS and /boot every time.

The idea would be to never let the Windows partition go online. Maybe it would be necessary to pull the wifi card to make sure, of course…

I understand your idea, but not why it matters. Windows can attack your BIOS without going online, can’t it?

So its possible for a worm to send info out without the partition from where it got in ever going online again?

It would have to send from the Qubes install on its own then. Sounds pretty advanced á la Stuxnet, but perhaps my thinking is off here, maybe that is standard fare these days?

If Windows compromises /boot and BIOS, then these two can compromise dom0. The latter does have the access to the Internet.

I don’t think it’s a standart, but it’s definitely not as secure as a clean Qubes install – your original question. However it’s probably more secure than almost anything else :slight_smile:

Part of the reason I’m wondering about these things is that I got a Lenovo T480 with 32Gb ram.

Since I can’t get coreboot running on that one anyway I’m thinking of using Qubes in a non-secure way where I segment off data only to manage fingerprinting when doing online marketing, managing servers and so on.

Might end up running a dual boot with Linux Mint on this one & keep the old X230 for server work, then eventually get around to install coreboot…

Sounds like you didn’t even bother to check out the links in my reply because if you did, you would quite easily understand the following:

One problem is that when you dual or multiboot, even if you are using encryption on your Qubes installation, /boot is still unprotected and could be maliciously modified by the other OS, possibly leading to Qubes itself being maliciously modified.

The other problem is firmware security - for example the other system could infect the BIOS firmware, which might enable compromise or spying on the Qubes system.

It would make sense for you to ask questions if you were actively trying to learn something, with some actual effort perhaps, but surely not in this fashion! :slight_smile:

Or, considering all this information was already available and several questions about this very topic had already been made, you perhaps didn’t quite grasp the concept of the search button?

And by the way, I’m not paid to do anything here, I’m gifting you my free time. Sure glad to see it’s appreciated.

1 Like

Sorry seems I mixed you up with another, similar username sending unsolicited PMs.

What is this about with these usernames that seems like they’re robots? Not a good thing if we get flooded by bots…

1 Like