Hey, I’m actually surprised a search did not return any results for this… I want to utilize a UHS-II (for slightly faster speeds) SD card to store parts of the OS (and ideally the template VMs, and system VMs) on a write-blocked SD card. I have been searching for information on this and I’m actually surprised that Google does not pull up any information - maybe I’m searching for the wrong thing?
Anyway, my question is: Which paths/files should I partition off and store on a write-blocked SD card during the QubesOS installation? The SD card will be writable during the installation but as soon as it is finished, I will switch the hardware switch on the SD card which could, I imagine, improve the security of Qubes significantly.
FYI, for those of you who are also interested in pursuing this avenue / experimenting with me, there are faster solutions available than SD cards. I just like the SD card method because my future laptop will have an integrated SD card slot.
Here is basically the only seemingly legit supplier of hardware-switch write-blocked NVMe / SSD drives:
I am not affiliated with the company. I am however amazed that they somehow managed to integrate a virus scanner into a USB stick - I imagine it has to have an integrated computer on board – pretty confused about it actually.
The other question I have in case any sleuths stumble upon this question: If I manage to figure out which parts of the file system can be stored on write-protected media, then how can I prevent Qubes from slowing down? The SD cards that fit into traditional card readers max out at about 250MB/s whereas modern PCIe drives can do over 3000MB/s. I imagine, hopefully without too many tradeoffs, we can load the read-only stuff onto a RAM disk or even overwrite a disk partition during the boot process.
Why isn’t this the way computers work? Shouldn’t system files / libraries / binaries be locked down to prevent malicious substitutes by forcing hardware authentication (in the form of switching the write protection) to modify system files? Or am I fundamentally missing how modern malware/actors that are capable of penetrating QubesOS work?