Created page on installation security considerations.

InstallSecurity.md

@@ -0,0 +1,73 @@
+---
+layout: doc
+title: InstallSecurity
+permalink: /doc/InstallSecurity/
+redirect_from: /wiki/InstallSecurity/
+---
+
+# Installation Security Considerations #
+
+## Verifying the Qubes ISO ##
+
+You should [verify][] the PGP signature on your Qubes ISO before you install
+from it. However, if the machine on which you attempt the verification process
+is already compromised, it could falsely claim that a malicious ISO has a good
+signature. Therefore, in order to be certain that your Qubes ISO is trustworthy,
+you require a trustworthy machine. But how can you be certain *that* machine is
+trustworthy? Only by using another trusted machine, and so forth. This is a
+[classic problem][trusting-trust]. While various [solutions][countering] have
+been proposed, the point is that each user must ultimately make a choice about
+whether to trust that a file is non-malicious.
+
+## Choosing an Installation Medium ##
+
+So, after taking some measures to verify its integrity and authenticity, you've
+decided to trust your Qubes ISO. Great! Now you must decide what sort of medium
+on which to write it so that you can install from it. From a Qubes-specific
+security perspective, each has certain pros and cons.
+
+### USB Drives ###
+
+Pros:
+
+ * Works via USB, including with a [USBVM][].
+ * Non-fixed capacity. (Easy to find one on which the ISO can fit.)
+
+Cons:
+
+ * Rewriteable. (If the drive is mounted to a compromised machine, the ISO could
+   be maliciously altered after it has been written to the drive.)
+ * Untrustworthy firmware. (Firmware can be malicious even if the drive is new.
+   Plugging a drive with rewriteable firmware into a compromised machine can
+   also [compromise the drive][BadUSB]. Installing from a compromised drive
+   could compromise even a brand new Qubes installation.)
+
+### Optical Discs ###
+
+Pros:
+
+ * Read-only available. (If you use read-only media, you don't have to worry
+   about the ISO being maliciously altered after it has been written to the
+   disc. You then have the option of verifying the signature on multiple
+   different machines.)
+
+Cons:
+
+ * Fixed capacity. (If the size of the ISO is larger than your disc, it will be
+   inconvenient.)
+ * Passthrough burning is not supported by Xen. (This mainly applies if you're
+   upgrading from a previous version of Qubes.) Currently, the only options for
+   burning optical discs in Qubes are:
+   1. Use a USB optical drive.
+   2. Attach a SATA optical drive to a secondary SATA controller, then assign
+      this secondary SATA controller to an AppVM.
+   3. Use a SATA optical drive attached to dom0.  
+      (Option 3 violates the Qubes security model since it entails transferring
+      an untrusted ISO to dom0 in order to burn it to disc, which leaves only
+      the other two options.)
+
+[verify]: https://www.qubes-os.org/doc/VerifyingSignatures/
+[trusting-trust]: http://www.acm.org/classics/sep95/
+[countering]: http://www.dwheeler.com/trusting-trust/
+[USBVM]: https://www.qubes-os.org/doc/SecurityGuidelines/#creating-and-using-a-usbvm
+[BadUSB]: https://srlabs.de/badusb/

QubesDownloads.md

@@ -11,6 +11,7 @@ Qubes Downloads
 -   [System Requirements](/doc/SystemRequirements/)
 -   [Hardware Compatibility List](/hcl/)
 -   [On Digital Signatures and How to Verify Qubes Downloads](/doc/VerifyingSignatures/)
+-   [Installation Security Considerations](/doc/InstallSecurity/)
 -   [Licensing](/doc/QubesLicensing/)
 
 Qubes Release 3.0