Hi @anon13425142, welcome to the Community! I’m glad you’re interested in using Qubes OS.
Novacustom offer anti-tamper feature and Purism (not certified but with preinstalled Qubes) offer anti-interdiction services. I’m not sure about the former, but the latter ship the hardware key for Heads independently, before shipping the laptop and, optionally, to another post address, so tampering on the way is almost impossible without detection.
As @parulin mentioned, Qubes Backup tool allows easy reinstall without loosing any data with just a few clicks. Also, every time you reboot a VM, an automatic snapshot is created, which you can use to revert it to a state before the last run.
Yes: Compromise recovery in Qubes OS | Qubes OS
You should tell us more about what you mean here. Note that Qubes provides privacy via Whonix.
Heads protects your BIOS and possibly the /boot
partition. It doesn’t protect the userspace or drivers.
Wifi with the internal interface is more secure on Qubes, because you connect it to a dedicated VM (sys-net
) and it doesn’t have any access to the rest of the system. You can always shutdown that VM, and it won’t be connected to anything at all.
In case of the USB Wifi, you will have to combine the sys-usb
qube with sys-net
, which potentially allows malicious USB devices (on the same USB controller) to access the Internet.
Apart from that, some laptops, including Librem 14, have a kill switch for the WiFi.
AFAIK you don’t have to undo it to use UEFI, although I might be mistaken here.
There are a couple of good guides explaining how to organize your qubes for security and convenience: one, two.