My current understanding: When booting Qubes, it asks for a USB stick/key, and the system verifies its integrity (i.e. that the kernel and probably even the hw component ids match the signature on the stick → nobody tampered with it).
I wonder, if someone got hold of the laptop, and potentially changed the kernel, well then they could change the verification to “pass” no matter what is on the USB stick. Right?
I’m sure I’m missing something. Why is the USB stick/key verification useful?
Wouldn’t it be better to use some external chip, i.e. like a YubiKey, that computes the checksum of all the components?
This might be a silly question, I’m probably missing some basics. Thanks to anyone for explaining, or pointing to some docs.