I would like to ask you about recommendations for BIOS update. Is it a good idea to install fwupd into DOM0 (probably not) and update the BIOS this way? Is it even necessary to update the BIOS when using Qubes (Lenovo T490)? How big a security issue is it to use Qubes with an outdated BIOS (evil maid is not in the threat model)?
If you don’t want to update from dom0, you can download the firmware ISO and make it USB bootable with the geteltorito.pl script.
It’s probably your own decision, whether you trust your BIOS manufacturer more than you are afraid of the existing bugs in the BIOS. Technically, BIOS has more permissions than dom0, so if it’s compromised, then the whole system is compromised. At the same time, BIOS vulnerabilities can affect the whole system, too.
Depends on your choice of the threat model. See this: Anti evil maid (AEM) | Qubes OS.
Yes, it converts the ISO file to an IMG file, which you can boot from a USB device.