There is actually a workaround for this issue with possibility of modifying /boot partition by malicious software from dual boot OS.
You can write your Qubes /boot partition on SD card and then lock your SD card for write protection.
But not with the Write Protection physical pin that is switched by the slider on the side of SD card but by configuring protection register in SD card.
It is because Write Protection physical pin is only a recommendation for software to not write on the SD card but doesn’t restrict it from doing so. But by configuring protection register the software can’t write on SD card before it configure protection register for writing.
You can access the SD card registers only when it’s configured as MMC block device (/dev/mmcblk*) and can’t access them when device is configured as USB Mass Storage Device (/dev/sd*).
Most USB SD card readers connect over USB and export a Mass Storage Device and can’t access the SD card registers but there are USB SD card readers that connect over USB and export a MMC block device.
So the workaround is:
- Buy two SD card readers - one that export a Mass Storage Device and one that export a MMC block device.
- After installing /boot partition on SD card attach it in the SD card reader that export a Mass Storage Device and lock it for write protection with sdtool:
GitHub - BertoldVdb/sdtool: A small tool for managing the write protection flag of SD cards. - Attach your SD card with /boot in the SD card reader that export a Mass Storage Device for daily use.
- When you want to update /boot (update initramfs after dom0 update or for something else) then attach your SD card with /boot in the SD card reader that export a Mass Storage Device and unlock it for write protection with sdtool. Remount the /boot and update files on it. Then Lock the SD card write protection with sdtool again and attach your SD card with /boot in the SD card reader that export a Mass Storage Device for daily use.
But it won’t save you from another OS software modifying your hardware firmware.