The Debian live CD Knoppix has its charm: you can find out quite well which configuration will work for your hardware, because this live configuration seems smart enough to deliver some solution.
So for troubleshooting, this might be of some help.
Now, due to the Q-Security Policy, Dual Boot is a VSI:
https://www.qubes-os.org/doc/security-guidelines/
https://www.qubes-os.org/doc/multiboot/
https://www.sandisk.com/home/ssd/extreme-510-ssd
Would it be some workaround (to gain a steeper learning curve in Qubes) if I use:
- Only the Knoppix live DVD (as a second OS)
- Install Qubes on a fast USB-SSD 500 GB and unplug it before I start Knoppix.
- and use AEM, so I can detect some BIOS modification
The vulnerable unencrypted /boot cannot be reached, because it will be unplugged before I start Knoppix.
But how do I know that Knoppix will not be able to modify my BIOS firmware?
This means, if I run my system like this and AEM detects BIOS firmware malware, I can only throw away the whole PC and buy a new one?
Kind Regards
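The detection the post above relies on (AEM noticing that the firmware measured at boot no longer matches what was there before) can be illustrated with a small script. This is an added example, not code from the thread and not part of Qubes or AEM: it parses two constructed TPM PCR dumps in the layout of the Linux TPM 1.2 sysfs `pcrs` file (the hex values are made up), reports which PCRs changed, and derives a digest over selected PCRs the way a sealed secret depends on them, so a firmware change (PCR 0) yields a different digest and the secret would not unseal.

```python
import hashlib
import re

# Constructed sample dump in the layout of the Linux TPM 1.2 sysfs "pcrs" file.
# The values are invented for illustration; real PCR contents are platform specific.
BASELINE_DUMP = """\
PCR-00: 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33 44
PCR-01: A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF B0 B1 B2 B3 B4
PCR-17: C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF D0 D1 D2 D3 D4
PCR-18: E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF F0 F1 F2 F3 F4
"""

# The same platform after its firmware (measured into PCR 0) has changed;
# also constructed, by editing the baseline.
MODIFIED_DUMP = BASELINE_DUMP.replace("PCR-00: 11 22", "PCR-00: 99 99")

PCR_LINE = re.compile(r"^PCR-(\d+):\s*((?:[0-9A-Fa-f]{2}\s*)+)$")


def parse_pcrs(dump: str) -> dict[int, bytes]:
    """Parse 'PCR-NN: <hex bytes>' lines into {index: raw_value}."""
    pcrs: dict[int, bytes] = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        match = PCR_LINE.match(line)
        if not match:
            raise ValueError(f"unrecognised PCR line: {line!r}")
        pcrs[int(match.group(1))] = bytes.fromhex(match.group(2).replace(" ", ""))
    return pcrs


def changed_pcrs(baseline: dict[int, bytes], current: dict[int, bytes]) -> list[int]:
    """Indices present in the baseline whose value differs (or is missing) now."""
    return sorted(i for i in baseline if current.get(i) != baseline[i])


def seal_digest(pcrs: dict[int, bytes], indices: tuple[int, ...] = (0, 17, 18)) -> str:
    """Model of a sealing policy: a digest bound to the chosen PCRs.

    PCR 0 carries the firmware measurement; 17 and 18 carry the DRTM launch
    measurements AEM builds on. If any selected PCR changes, the digest changes,
    so a secret sealed against the old digest would not unseal.
    """
    h = hashlib.sha256()
    for i in indices:
        h.update(i.to_bytes(2, "big"))   # bind the PCR index, not just its value
        h.update(pcrs[i])
    return h.hexdigest()


def check_platform(baseline_dump: str, current_dump: str) -> dict:
    """Compare a current dump to the recorded baseline and summarise the result."""
    baseline = parse_pcrs(baseline_dump)
    current = parse_pcrs(current_dump)
    changed = changed_pcrs(baseline, current)
    return {
        "changed": changed,
        "secret_unseals": seal_digest(baseline) == seal_digest(current),
    }


if __name__ == "__main__":
    print(check_platform(BASELINE_DUMP, BASELINE_DUMP))  # nothing changed
    print(check_platform(BASELINE_DUMP, MODIFIED_DUMP))  # PCR 0 changed
```

The point the script makes is the one AEM makes: it cannot tell you what was modified or repair it, only that the measured boot chain no longer matches the state you sealed against, which is the signal to stop trusting the machine until the firmware has been re-verified.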
If nobody can control the BIOS, if it is maybe or maybe not clean and infected with a rootkit in some way...
Would it not be some advantage if the stateless laptop had a firmware module which is mobile?
So I can unplug the firmware; the PC body is without interest, because it has no persistent memory (like the Lapdock of Motorola).
The best would be if the mobile module consisted of two components, the SSD disk and the firmware module.
Both can be stored in a safe place and replaced by plug and play.
As an advantage, with a second module some dual host system will run also. Safe plug and play for Qubes or Windows or Ubuntu or...
Sure, there should be a disaster recovery plan for the firmware module: how you make sure that you come back to a clean system with firmware security, so you can start a really clean re-installation of the OS, if necessary.
And in the last case, a cheap replacement of the firmware module (e.g. for security reasons you replace it every 30 days, because it might be some cheap electronic device, instead of the whole PC).
The firmware/hardware must be complete in some sense, so you need only to update the BIOS with security considerations, but not to expand the configuration stuff in some way (this leads to a more complete system, including touch screen, 3D...).
Will this work in some way?
So you would have different ways to start with a proven clean firmware?
Kind Regards
Sounds interesting if you can manufacture it. Some experts say it is possible to infect BIOS and these firmwares remotely as well, not just physically, as some experts claimed with Hacking Team's BIOS malware that infected Insyde UEFI BIOS in OEM systems.
I would also suggest, if very worried about this type of attack, to use something like AEM to detect if something did indeed change, hopefully. I would like to see Qubes get Secure Boot eventually; that can also be used alongside AEM for even better measurement.