I don’t know if this is best to be posted as a guide or support or discussion. I think it works in all three cases because it’s a good guide for new qubesOS users and since I am also new I would like some feedback to know I have a good plan and we can also generally discuss the topic of securely installing qubesOS on a new computer from USB drive.
You have bought a new computer and want to install QubesOS on it. You trust the vendor and say the new computer is secure but you don’t have QubesOS installed.
One way is by using a USB drive which has firmware that can’t be changed and the usb drive can only be written to one time. I don’t actually understand how exactly that is a solution but the docs says it is so i trust it is. The way I think about it is if the system isn’t trusted then even if it’s a write once USB drive then it can write a compromised qubesOS installer to it.
If you don’t have one of these special USB drives then your choice is you must have a secure system already. So you must already have a computer that isn’t compromised. Maybe it is using qubesOS or linux? And you have never given any adversary the opportunity to physically tamper with it.
So the new computer can only be as secure as your old computer. It inherits the security of the old computer. For some this is good but I think for many people this is not good.
This leaves only one choice remaining, that is to make sure that new computer comes with Windows 11. Then you have to create an online microsoft account on it because otherwise you can’t complete installation of win 11. And then install Rufus and use that to create a usb drive installer for QubesOS. Then you can restart the computer and begin the installation of QubesOS.
I’m impressed with Rufus developer. They have gone far and beyond to make Rufus secure and explain how it is secure and can be trusted and verified. This means you can simply install it from Microsoft Store. It feels very strange if you are a linux user who believes in FOSS but if you read the wiki of Rufus you will understand that it’s extremely secure and almost impossible to be tampered/compromised.
Then there’s the whole thing about AEM/Heads/UEFI/legacy bios/coreboot. That’s something that should probably be discussed indepth in other topics and there already exists a few. But it’s worth saying that it is something you need to plan for when you install QubesOS. Because you can’t switch back and fourth between for example legacy bios and UEFI. You have to pick one and stick to it. I also saw unman saying this which is great info: “if you have a legacy boot option alongside UEFI, that isn’t legacy boot. It’s a mode of UEFI that provides the functions of a legacy boot. In some cases it’s better, but who knows?”
Do you have any feedback and what is your favorite way to securely install QubesOS on a new computer?