I’ve downloaded the .iso, confirmed the sha256, and flashed it to an old USB thumb drive with balenaEtcher. Is it recommended to use a brand new thumb drive for installation, or would the boot sector of any USB drive get overwritten by default in any case?
I’m the only person who has used the thumb drive before but the machine I used to flash the drive might be compromised for all I know. Is there a way to check the USB drive itself for malware or am I worrying for nothing?
That depends on your threat model. Acquiring a new USB drive is very cheap, so that is easily dealt with, but using an untrusted machine, especially if that will ultimately be the installation destination, is more costly to replace.
The installation target will be a new Lenovo T14s Gen 5 AMD ordered from Lenovo – can anyone tell me whether flashing the USB with balenaEtcher automatically overwrites malware on the thumb drive?
Rewritable. (If the drive is mounted to a compromised machine, the ISO could be maliciously altered after it has been written to the drive.)
Untrustworthy firmware. (Firmware can be malicious even if the drive is new. Plugging a drive with rewritable firmware into a compromised machine can also compromise the drive. Installing from a compromised drive could compromise even a brand new Qubes installation.)
The new T14s Gen 5 AMD will come with Linux pre-installed, so I could use that to dd the Qubes .iso to a new SanDisk thumb drive and use that for the install on the T14s?
Not sure I could do better than this if I can’t trust my existing devices?
If you trust that the new laptop hardware and OS are not compromised and the new USB drive firmware is not compromised then you can create installation media on it.
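An added example, not part of the thread above: after writing the ISO with dd, the drive can be read back and its first bytes hashed against the verified ISO, which catches a bad write or an image altered after writing. The function name and the paths in the usage comment are assumptions, GNU coreutils is assumed, and the result is only as trustworthy as the machine and drive firmware doing the read.

```shell
#!/bin/sh
# Added example: compare the first <ISO size> bytes of a written USB drive
# with the ISO file it was written from.
# Usage (paths are placeholders): sh verify.sh Qubes.iso /dev/sdX
# Reading a raw block device normally requires root.

verify_written_image() {
    iso=$1
    dev=$2

    [ -r "$iso" ] && [ -r "$dev" ] || {
        echo "cannot read '$iso' or '$dev'" >&2
        return 2
    }

    # The drive is usually larger than the image, so only the first
    # <size of ISO> bytes are expected to match.
    size=$(wc -c < "$iso" | tr -d ' ')

    iso_hash=$(sha256sum < "$iso" | cut -d' ' -f1)
    dev_hash=$(head -c "$size" "$dev" | sha256sum | cut -d' ' -f1)

    if [ "$iso_hash" = "$dev_hash" ]; then
        echo "MATCH $iso_hash"
        return 0
    fi

    # A drive smaller than the ISO also ends up here, because fewer
    # bytes are hashed than the ISO contains.
    echo "MISMATCH iso=$iso_hash device=$dev_hash" >&2
    return 1
}

# Run only when called with two arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    verify_written_image "$1" "$2"
fi
```

The ISO hash printed on a match should be the same sha256 that was already checked against the published value.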