Is it more secure to buy a secondary external SSD instead of internal SSD?

  • An internal SSD will usually be a PCI device, at least let's assume that in this topic.

  • An external SSD will usually be a USB device, at least let's assume that in this topic.

  • USB devices get attached to sys-usb which is great for security.

  • PCI devices get attached to dom0 which is bad for security.

qvm-device pci list will show that both internal SSD devices are attached to dom0. So the SSD that you install qubes os on is attached to dom0. That is also the device that you create qubes on and run the qubes on.

This is where my lack of knowledge raises the question about the 1st/primary internal SSD which Qubes OS is installed on. It seems to contradict that dom0 is supposed to be isolated from partitions etc. But it isn't, as the qvm-device pci list shows.

So my concern is that because we create all kinds of qubes and disposables and untrusted VMs which use the same PCI storage device as dom0 is using, that seems like a "serious" (whatever serious could mean) attack vector.

So this topic is about the secondary SSD. If we make it internal with PCI, then it will have the same problem. But if we make it external with USB then it uses sys-usb which isolates it from dom0 which should be more secure.

I hope this is a good start of the topic. Feel free to extend the discussion, it doesn’t have to precisely answer only these specific questions. Use your judgement.

I'd start with a rhetorical question about your topic's subject: what does buying have to do with Qubes OS security?
Which further points to how your goal and threat model aren't clear at all.

Is it more secure to buy a secondary external SSD instead of internal SSD?

Assuming you actually mean use (not buy), the question is: Secure against what?

  • PCI devices get attached to dom0 which is bad for security.

How exactly?

qvm-device pci list will show that both internal SSD devices are attached to dom0. So the SSD that you install qubes os on is attached to dom0. That is also the device that you create qubes on and run the qubes on.

If you have a secondary device, it would have to be used the same way. If everything is set up properly, you should not be able to attach a USB drive to dom0 the way you attach it to domUs (through sys-usb).

This is where my lack of knowledge raises the question about the 1st/primary internal SSD which Qubes OS is installed on. It seems to contradict that dom0 is supposed to be isolated from partitions etc. But it isn't, as the qvm-device pci list shows.

  • Device != partition.
  • USB controllers are PCI devices (run lspci in dom0 and you will see them).

What you quoted doesn’t mean dom0 should be isolated from any partition - that is impossible because it must boot and run somehow. What the quote means (my understanding, w/o having read that topic) is that you should not mount non-dom0-specific partitions in dom0. For instance, you should not directly mount a domU image in dom0 dir and play with the files in it.

So my concern is that because we create all kinds of qubes and disposables and untrusted VMs which use the same PCI storage device as dom0 is using, that seems like a "serious" (whatever serious could mean) attack vector.

Can you describe the attack?

So this topic is about the secondary SSD. If we make it internal with PCI, then it will have the same problem. But if we make it external with USB then it uses sys-usb which isolates it from dom0 which should be more secure.

Consider this: Unlike USB devices, PCI ones can’t simply switch to keyboard mode and start typing in your dom0. You may want to read about BadUSB, Stuxnet and similar.

3 Likes

The reason I started wondering about this and became interested is the warning in the docs about attaching PCI devices to a qube. Because after you restart the computer the pci device will be attached to dom0 again. That’s why I wasn’t sure how to configure it securely with a PCI block device. But I think the only protection is to only attach the partition (thin volume) when creating a qube with the secondary internal storage. It’s probably a very good protection though and not something to worry about.

I also realized that sys-usb doesn’t actually make it more secure from this attack vector I was thinking about. Because sys-usb is a qube on the same storage device as dom0 is attached to. So sys-usb isn’t entirely isolated from dom0.

So when you create qubes, the attack vector is reduced by only attaching the partition (thin volume), this is already stated clearly in the docs. And that is the same thing when you have a secondary storage which the topic is about.

The reason I started wondering about this and became interested is the warning in the docs about attaching PCI devices to a qube.

IIUC, the doc you probably are referring to clarifies what a tainted PCI device is. That is different from your use case.

In your case, a secondary storage device will be used by dom0 only, i.e. you don't attach it to a domU, thus tainting it. So, it is just as safe as your primary PCI storage.

That still doesn't mean that a faulty or malicious storage firmware can't do mischief with your data, but that is beyond what Qubes can protect from. As long as you encrypt your drives, the firmware is blind to the data.

1 Like
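The two checks the thread keeps coming back to are whether a USB controller has been moved out of dom0 into sys-usb, and whether a storage controller (the whole PCI device, not a thin volume) has been handed to a domU, which is what the docs call tainting. The script below is an added example, not part of the thread or of Qubes OS; it audits a constructed sample of `qvm-pci list` output (the `BACKEND:DEVID`, `DESCRIPTION`, `USED BY` column layout is an assumption about that command's format, and every device and qube name in the sample is made up) and reports the two conditions. On a real system you would replace the sample with the command's actual output.

```shell
#!/bin/sh
# Audit helper for the two conditions discussed above (added example, not Qubes' own tooling).
# Assumes `qvm-pci list` prints columns separated by two or more spaces:
#   BACKEND:DEVID  DESCRIPTION  USED BY
# SAMPLE is constructed for this example; devices, vendors and qube names are invented.
SAMPLE='BACKEND:DEVID  DESCRIPTION                                              USED BY
dom0:00_14.0   USB controller: Intel Corporation (constructed)            sys-usb (no-strict-reset=True)
dom0:00_17.0   SATA controller: Intel Corporation (constructed)
dom0:01_00.0   Non-Volatile memory controller: Samsung (constructed)     work
dom0:02_00.0   USB controller: ASMedia (constructed)'

# Print the DEVID of every storage controller whose USED BY column is non-empty,
# i.e. a whole PCI storage device attached to a domU (tainted), which is the
# situation the docs warn about; attaching only a thin volume does not show up here.
tainted_storage_controllers() {
    printf '%s\n' "$1" | awk -F'  +' '
        NR > 1 && $2 ~ /(SATA|Non-Volatile memory|RAID|Mass storage) controller/ && $3 != "" { print $1 }'
}

# Print the DEVID of every USB controller with an empty USED BY column,
# i.e. one still driven by dom0 instead of sys-usb.
usb_controllers_in_dom0() {
    printf '%s\n' "$1" | awk -F'  +' '
        NR > 1 && $2 ~ /USB controller/ && $3 == "" { print $1 }'
}

# Stand-alone run over the constructed sample; on a real system use:
#   INPUT=$(qvm-pci list)   (run in dom0)
echo "Storage controllers assigned to a domU (tainted):"
tainted_storage_controllers "$SAMPLE"
echo "USB controllers still in dom0 (not behind sys-usb):"
usb_controllers_in_dom0 "$SAMPLE"
```

The awk field separator of two or more spaces is what makes the single-spaced description column survive intact; if a device description in your output contains a double space the parse will shift, so treat a blank DEVID in the report as a parsing problem rather than a clean result.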