Hello, I have a new laptop that has a good enough hardware to support Qubes. I always wanted to try it, so I’m going to install in this new machine.
Now rises my concern: what is the best option to maintain anti-tamper in boot? I have 2 SSDs of 1 TB each, now in RAID 0. Would physically installing Qubes and Windows in separate hard drives be the best option, speaking on security? Could i keep some degree of boot anti-tampering?
If your security concern comes from windows, then just using separate drives is literally useless.
Encrypting Qubes drive is helpful (which is the default, I think), but only to prevent reading and writing on the encrypted partition, not boot partition. Qubes drive can be overwritten in both cases.
On boot security:
Various guides on setting up detached luks header and boot partition, choose whichever you think is better for you.
IMO easy to set up, physically prevents tampering with boot partition, luks header, and boot loader as long as the device isn’t plugged in (assuming you store the boot loader for qubes on the detached device, of course). Results in deniable encryption as well.
Secure boot - AFAIK isn’t directly supported yet, but one still can get there with much tinkering:
The default installation loads multiboot2 binary (xen.gz) that doesn’t support signing. There are some attempts to pack MB2 binary into PE binary to be signed, but that’s not what we decided to do. Our current plan is to build an unified xen.efi binary and sign that (see #8206).
So, to (not really) answer your questions - currently there is no easy path from R4.2 installation to a one with secure boot (the way we want it). It requires using different boot binaries (and building them yourself first). We plan to include pre-built unified xen.efi in R4.3 (GitHub - QubesOS/qubes-vmm-xen-unified).