I recently installed Qubes on my external SSD because I don‘t want the drive to be plugged in when Windows is running for obvious reasons. Now I wonder how to create a sys-usb Qube because at the moment all USB devices are directly plugged into dom0. I use a desktop PC therefore I have only the possibility to use it on an external SSD with USB keyboards and I don‘t have any PS2 port. Furthermore I would like to install Anti-Evil-Maid but read that this isn‘t possible in because of the configuration I‘m using: I use UEFI boot on an AMD processor and have TPM 2.0 enabled. Is it possible to enable it or are there other ways to preserve the authenticity of the EFI partition?
I am grateful for any help on these two topics.
Your Windows installation could still technically infect your BIOS, so removing the SSD won’t help. The best way is to install Windows in a qube of course. More details: Security using qvm+windows?
AFAIK you can’t create
sys-usb when your system runs from the USB. But you can do it when running from an internal drive, even with a USB keyboard and mouse (but be careful). See also: Justification for not enabling sys-usb-keyboard by default on a fresh Qubes OS install.
Thank you very much for your fast and well documented answer! I will take a look on your suggestions and hopefully I can manage to secure my system that way.