Your Windows installation could still technically infect your BIOS, so removing the SSD won’t help. The best way is to install Windows in a qube of course. More details: Security using qvm+windows?
AFAIK you can’t create sys-usb when your system runs from the USB. But you can do it when running from an internal drive, even with a USB keyboard and mouse (but be careful ). See also: Justification for not enabling sys-usb-keyboard by default on a fresh Qubes OS install .
Lately I’ve been re-examining my reasons for using Chrome OS despite the privacy concerns (Google per se isn’t in my threat model, but that doesn’t mean I want to feed them everything) and found my biggest reason is its use of verified boot, which ensures that only signed and approved code is executed. The root of this trust (not sure if correct terminology) is in a ROM.
When combined with powerwash and a small attack surface, this means that even if malicious actors do somehow punch through th…
3 Likes