I have used Qubes for a while, but I’m not a very technical person.
Can you please explain how I should set up my systems and what I should do if I want to run 2 or more other Linux systems on a desktop PC with different M.2 SSDs?
One of the reasons is that I need to use an Nvidia graphics card. The other is journalism.
I don’t need to protect myself from physical access at least for now.
How can I encrypt my /boot, and do I need to worry about UEFI and legacy boot (I don’t know much about these things)?
If I won’t use Windows, do I still need to deal with BIOS security, and if yes, what do I need to do?
What other things do I need to consider?
If you’re using UEFI, then during OS installation it should automatically create a separate boot menu entry, and you can use the UEFI boot menu at boot time to select which menu entry to boot from, e.g. something like this:
This is not how it works, and you probably don’t want to do this. The other OS can attack Qubes. Even if you encrypt your /boot, your EFI partition still remains unencrypted. Qubes does not support UEFI secure boot so you have no protection here.
And yes, you still need to deal with BIOS security. Apply all available updates. Disable SMT, unnecessary peripherals, Thunderbolt, remote management, Computrace. Enable memory encryption, UEFI capsule updates, UEFI downgrade protection, DMA protection, IOMMU, admin password, etc.