
176 points TheFreim | 2 comments
plaguepilled No.36693734
Here's the bit that confuses me: no secure boot.

QubesOS does a lot of good things, but Secure Boot is sort of a non-negotiable for a lot of security profiles because it's one of the few ways you protect boot.

I'd be interested to hear from someone more in the know why they haven't implemented it yet.

replies(1): >>36696789 #
dmm No.36696789
I think the optional anti-evil maid support includes secure boot: https://www.qubes-os.org/doc/anti-evil-maid/

> Anti Evil Maid is an implementation of a TPM-based dynamic (Intel TXT) trusted boot for dracut/initramfs-based OSes (Fedora, Qubes, etc.) with a primary goal to prevent Evil Maid attacks.

replies(1): >>36704329 #
plaguepilled No.36704329
That makes much more sense, thanks.

Still a bit confusing that it's not on by default, but also much more trustable.

replies(1): >>36717975 #
dmm No.36717975
In my view the secure boot support provided by mainstream Linux distributions is more about providing installability on systems with secure boot enabled, rather than providing real security benefits.

My reasoning is that while the bootloader and the kernel are signed, the initrd image loaded very early on in boot is not, because it is generated on device. So it provides a convenient way to compromise any system you have physical access to.

The anti evil maid implementation I linked to attempts to mitigate this hole using a TPM. I'm not sure why it isn't on by default, but perhaps it's because the implementation has different options that require deciding on a threat model, e.g. setting a TPM password or using an external USB device to store a LUKS key. Here's a good blog post about the anti evil maid implementation that Qubes uses (it also works with other distros like Fedora): https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.h...

This blog post contains a good overview of the secure boot status quo along with another potential future fix: https://0pointer.net/blog/brave-new-trusted-boot-world.html

replies(1): >>36718221 #
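To make the gap dmm describes concrete, here is an added Python simulation (not code from this thread, from Qubes or from the Anti Evil Maid project): a distro-style Secure Boot check that verifies only the bootloader and kernel, beside a measured-boot PCR chain that also covers the initrd, with a disk key sealed to the expected PCR value. A tampered initrd passes the first check but prevents the key from being unsealed. The PCR extend, the sealing and the sample components are simplified, constructed stand-ins for a real TPM and real boot images; the actual AEM design uses Intel TXT and a hardware TPM, which this does not model.

```python
import hashlib

# Constructed sample boot components (stand-ins for real binaries).
BOOTLOADER = b"shim+grub image v1"
KERNEL = b"vmlinuz 6.x signed"
INITRD_GOOD = b"initramfs generated on device"
INITRD_BAD = b"initramfs with an injected hook"  # constructed tampering

# Distro "signing": only bootloader and kernel digests are on the allow-list.
SIGNED_DIGESTS = {hashlib.sha256(BOOTLOADER).digest(), hashlib.sha256(KERNEL).digest()}

def secure_boot_check(bootloader: bytes, kernel: bytes, initrd: bytes) -> bool:
    """Mimics the distro Secure Boot chain: the initrd is never checked."""
    del initrd  # deliberately ignored; this is the gap discussed above
    return all(hashlib.sha256(c).digest() in SIGNED_DIGESTS for c in (bootloader, kernel))

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """Simulated TPM extend: PCR' = SHA256(PCR || SHA256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measured_boot_pcr(bootloader: bytes, kernel: bytes, initrd: bytes) -> bytes:
    """Measures every stage, initrd included, into one simulated PCR."""
    pcr = b"\x00" * 32  # PCR reset value
    for comp in (bootloader, kernel, initrd):
        pcr = pcr_extend(pcr, comp)
    return pcr

def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Simulated sealing: a 32-byte secret bound to one expected PCR value."""
    keystream = hashlib.sha256(b"seal-kdf|" + expected_pcr).digest()
    return {"ct": bytes(a ^ b for a, b in zip(secret, keystream)), "policy": expected_pcr}

def unseal(blob: dict, current_pcr: bytes):
    """Returns the secret only if the boot chain measured as expected."""
    if current_pcr != blob["policy"]:
        return None
    keystream = hashlib.sha256(b"seal-kdf|" + current_pcr).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], keystream))

LUKS_KEY = hashlib.sha256(b"constructed disk key").digest()  # constructed secret
SEALED = seal(LUKS_KEY, measured_boot_pcr(BOOTLOADER, KERNEL, INITRD_GOOD))

def boot(initrd: bytes) -> dict:
    """Outcome of one boot with the given initrd under both schemes."""
    return {
        "secure_boot_ok": secure_boot_check(BOOTLOADER, KERNEL, initrd),
        "key_unsealed": unseal(SEALED, measured_boot_pcr(BOOTLOADER, KERNEL, initrd)) == LUKS_KEY,
    }
```

`boot(INITRD_GOOD)` yields both checks passing, while `boot(INITRD_BAD)` still passes the signature-only check but cannot recover the sealed key.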
plaguepilled No.36718221
It is certainly not as robust as MacOS or Windows protections, but I have been told it does provide a block to certain malware targeting the boot (though it is imperfect as you have pointed out).

In my case, I am not expecting total security. I just want access to be extremely inconvenient for opportunistic attackers.