There are quite a few threads on this forum that explain this.
The general gist of it is that if you run something else that has access to your Qubes OS drive/partition, it generally has unrestricted access to touch/alter any part of that partition.
It isn’t necessarily “normal Linux”. It’s the fact that it will treat your Qubes OS install just like a normal drive, and likely won’t stop anything nasty (or innocent, for that matter) from making modifications, both innocent and malicious, to your Qubes OS install.
This would definitely stop your Qubes OS install from being treated as “just another drive”, for sure.
But this wouldn’t protect your Qubes OS install from any firmware attacks.
I’m not saying that your device firmware is necessarily “compromised”.
It might be, it might not be.
I’m saying that when Qubes OS is the booted operating system, there will be more roadblocks, checks and balances in place between the high-level stuff (web browser, website code, userspace, AppVMs, etc.) and the low-level stuff (dom0, PCI device firmware, drivers, BIOS, etc.) than a regular monolithic GNU+Linux-based operating system.
Because of this, it’s a lot more difficult to get from the usual attack vectors (USB drive, web browser, GNU+Linux root user, etc.) to the mission-critical stuff (such as the BIOS).
DISCLAIMER:
Terminologies like “secure”, “compromised”, “attacker”, etc., are incredibly subjective, and there is no universal definition of any of these.
The only definition of “secure” that even remotely resembles anything universal is:
- “My computer is performing the tasks that I want it to do successfully”
- “To the best of my knowledge, my computer isn’t doing anything I don’t want it to do, or anything that I am not prepared to accept”
- “If my computer is doing something I am not aware of or would not be prepared to accept, I am in blissful ignorance thereof”.
Absolutely, it would.
One way is to use LUKS encryption or similar on the other drive/partition, using a different key. Assuming that your RAM/hardware components aren’t backdoored, as long as you never decrypt the other drive, it should be sufficient.