Hi, as security could be flawed by a running qubes os beeing hacked in a way that /boot is mounted and initrd is altered in a way to steal the password for luks disc encryption and sends it home using ip to $friendly agency of $enemy country!
So they have your disk image from the airport “search for explosives” stunt and your luks password
I think about using pxe to boot into the first stage.
So everything is in RAM and qubes does not see the luks password you enter in the initrd stage.
The initrd stage gets booted from your trusted router (ro-file system, drivers mtd write enable are not compiled in!!) and then you can have unionfs or other means of overlays for some configs.
Advantage: Nobody sees a qubes there and one can also have a /boot by ubuntu there to deter evil maids or customs officers.
So you have a lame ubuntu with luks encryption.
The qubes you boot from a trusted router
I suggest using openwrt in a way to create a readonly (kernel cant write in production setup) flash partition for the tftp stuff that gets delivered by dnsmasq to your qubes machines.
A chain of trust shall be established, be it an airgap network between the nic and the trusted router.
As the router can be some piece of plastic without uplink to the internet that does just tftp and dhcp and tells your machines where to ask famous port 53 questions and where to default route to, this piece of cheap old plastics has a low attack surface.
After successful boot you can plug the real internet router and remove the trusted router and lay it to rest in your cornflakes box
You can also use an old raspi one or two for this purpose
The feature would be just a tftp aware setup for /boot and one needs to setup a tftp server with whatever means one has. And if one wants to use foreman as one has it in the server room already…
No I opt for limited plastic router thats is busy with the tftp job, as you can easily airgap it and hide it in your cereals.
So your small tplink hotel router will boot your qubes using tftp when the right mac is presented (which you spoof) and also it can do packet filtering and vpn for you.
And you can also have a smart travelling fan / nut milk maker with integrated ethernet (old raspi, or embedded internet of things board hacked to run openwrt and to deliver qubes-os early stage using tftp…)
What you think?
BTW, you can burn a cdrom too boot from too