Nobody seems to know of a current generation laptop that will run qubes-os?

[epic...@gmail.com]

Hi,

I've been searching this user group over the past few days and it seems like nobody currently knows of a current generation laptop that meets the best achievable Qubes security level (green columns in HVM, IOMMU, TPM).

I don't mean to be a downer, but how can this project gain any traction if nobody is able to find or buy hardware that supports it? This is frustrating for me because I've long been a fan of qubes, and I really want to use it, but it's not practical to expect people to buy old Lenovo laptops and use them as their primary.

Does anyone know of an **ultrabook** that supports most of the columns here:
https://qubes-os.org/wiki/HCL

I see there is one post on the subject, and a lot of the lingo is overwhelming to me, I'm really just looking for an exact laptop model I can buy and install Qubes-os on:

https://groups.google.com/forum/#!msg/qubes-users/Sz0Nuhi4N0o/ZtpJdoc0OY8J

Thanks

[Fabian Wloch]

Well, which one to buy depends on how much you want to pay.
I had a fixed budget over about 600€, so i bought one from MSI, with which
im pretty happy actually.
And i think the main problem is, that nearly no manufacturer gives
informatikns about TPM Modules on their product pages - this is an
information you need to get from the manufacturer.

To the 'old' generations: As long as they support everything, you shouldnt
thinkt too much about the "age" of a product.

But indeed you're right - a list of notebooks would be nice.

But then there is again the problem, that nobody can give you a guarantee
that qubes is working on a new notebook, cause nobody tested it.

Easiest way would be to watch out for a good one you like, and ask the
manufactueer support if they support intel vt-d, and if they have a tpm
chip built-in.
Just to give a hint - there's a good price-search-engine, which i can
recommend for this purpose, cause it supports vt-d as search parameter.
http://geizhals.de/?cat=nb&xf=69_VT-d%7E27_4%7E27_2%7E883_IGP%7E2991_240%7E12_8192%7E31_USB+3.0%7E82_SSD%7E3710_WLAN+802.11ac#xf_top

They all !!! should !!! run fine and have modern hardware. Just TPM/Intel
TXT is missing here - for this you have to ask the manufacturers. Maybe
someone else can write something additional to these notebooks that are listed.
And sorry if the website is only in german - there was an translated page
for UK in the past, but i cant find the link on my smartphone.
Maybe use google translate.

--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to qubes-users...@googlegroups.com.
To post to this group, send email to qubes...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/cd86138a-1f0c-41c7-8b5a-1d083ba4d908%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[cprise]

On 02/07/15 21:48, epic...@gmail.com wrote:

Hi,

I've been searching this user group over the past few days and it seems like nobody currently knows of a  current generation laptop that meets the best achievable Qubes security level (green columns in HVM, IOMMU, TPM).

A problem here is that the Qubes HCL script does not check for TPM presence, so the people sending HCL reports who do not care about AEM (or don't yet use AEM at the time they report) create an entry in the HCL that leaves the TPM column blank.

I've suggested adding TPM support to the HCL script to help fill the voids and at least give readers a preliminary indication that a TPM is accessible by Qubes in a given system.

I don't mean to be a downer, but how can this project gain any traction if nobody is able to find or buy hardware that supports it? This is frustrating for me because I've long been a fan of qubes, and I really want to use it, but it's not practical to expect people to buy old Lenovo laptops and use them as their primary. 

Does anyone know of an **ultrabook** that supports most of the columns here:
https://qubes-os.org/wiki/HCL

I see there is one post on the subject, and a lot of the lingo is overwhelming to me, I'm really just looking for an exact laptop model I can buy and install Qubes-os on:

https://groups.google.com/forum/#!msg/qubes-users/Sz0Nuhi4N0o/ZtpJdoc0OY8J

Thanks

If Haswell CPUs are what you're looking for then you have some good choices available. IIRC all of the mobile chipsets for Haswell support VT-d/IOMMU. Also, any recent Intel Core i-series processor that supports VT-d also supports VT-x (HVM). So it boils down to choosing a model with the correct Haswell CPU (say, an i5-4300U) selected from a brand and product line that's known for proper BIOS support.

The best Qubes support comes from Lenovo Thinkpads. The X1 Carbon will work, and the T440s and X240 are pretty safe bets since other Haswell T and X Thinkpads are known to work well.

ASUS, MSI and HP have working models on the list as well. Dell seems to have a bit lower than average compatibility, but the Latitude E7440 does work.

If the empty TPM column bothers you, consider that most/all of the negative reports represent either "TPM untested" or "TPM not present". So if you're intent on using Qubes' AEM feature, I think the best thing is to look for business models like Thinkpad and Elitebook and check with the manufacturer that a TPM is included.

If you want Broadwell CPUs, none of those machines have been tested with Qubes yet AFAIK. I would consider a Thinkpad T or X series Broadwell machine to be a fairly safe bet with Qubes, though.  The Gen 3 X1 Carbon is already announced which has Broadwell as well as returning to a more standard keyboard layout and trackpoint buttons. My own reasoning in selecting the T430s was that the Qubes core developers use the T420s and gave it 'green' all the way across, so I just got the current (at the time) iteration of that model with the same features; I think that consistency of compatibility will hold for the new models coming this year.

[Dave C]

Cprise already mentioned the lenovo X1 Carbon.  I'm running qubes-os on one of those as I type this.  I am troubleshooting some issues, but I don't think those issues are due to the hardware.

I've installed on a macbook pro.  Qubes seems to run fine, but without a driver for the broadcom wifi, so I was never able to connect to the network, making it pretty useless.

[epic...@gmail.com]

Hi All,

Thanks for the responses. I really want a laptop that is thin and sexy so the ultrabook makes the most sense.

Dave, what issues are you having with the lenovo X1 Carbon? And what generation did you buy? Looks like 3rd generation is out now.

The only bummer with the Carbon is that it looks like there is 4GB of max memory available when I go to customize it:
http://shop.lenovo.com/us/en/laptops/thinkpad/x-series/x1-carbon/#tab-customize

Seems like you ideally want 8GB min if not 16GB for qubes?

Thank you again for the replies.

[George]

I have just got a new (Broadwell) X1 Carbon and have been trying to get
Qubes installed. First off, I know it will be fine because I have Qubes
on a usb stick that I installed using a different laptop and I have
managed to get that working.

A straightforward up to date setup wouldn't work and as far as I could
see it was due to the Intel HD Graphics 5500. I installed the 3.17
kernel from the testing repo and then all was fine.

Installing to the X1 itself is another matter though. Firstly the
installer fails because it can't start a graphical session. This is
covered in various past posts - picking basic graphics doesn't help but
putting a kickstart file on another usb stick allows the text mode
installation to complete.

Naturally enough the newly installed system can't start a graphical
session. So I copied across the 3.17 kernel rpm and installed that but
it didn't help. I could see that it ran the 3.17 kernel but still no X.
I have also tried installing a few other rpms that have been updated
since the installation iso but still no joy.

I thought I'd be able to do a qubes-dom0-update but I can't because the
firstboot setup hasn't run (again presumably because it needs a
graphical session) so I have no netvm etc etc.

All hints gratefully received for where to go next. Once I get there
I'll do a hcl report and write up what's needed. Early news is that
vt-x and vt-d are both active and the BIOS certainly has TPM related config.

[cprise]

On 02/08/15 14:43, George wrote:

I have just got a new (Broadwell) X1 Carbon and have been trying to get Qubes installed.  First off, I know it will be fine because I have Qubes on a usb stick that I installed using a different laptop and I have managed to get that working.

Cool! How much RAM does it have? The info I got from Notebookcheck.net says it can go up to 8GB.

A straightforward up to date setup wouldn't work and as far as I could see it was due to the Intel HD Graphics 5500.  I installed the 3.17 kernel from the testing repo and then all was fine.

I didn't know we had 3.17 in testing... Oh its in unstable. :)

Maybe Qubes should release an R2.05 or R2.1 iso to accommodate the newer Intel hardware?

Installing to the X1 itself is another matter though.  Firstly the installer fails because it can't start a graphical session.  This is covered in various past posts - picking basic graphics doesn't help but putting a kickstart file on another usb stick allows the text mode installation to complete.

Naturally enough the newly installed system can't start a graphical session.  So I copied across the 3.17 kernel rpm and installed that but it didn't help.  I could see that it ran the 3.17 kernel but still no X.  I have also tried installing a few other rpms that have been updated since the installation iso but still no joy.

I thought I'd be able to do a qubes-dom0-update but I can't because the firstboot setup hasn't run (again presumably because it needs a graphical session) so I have no netvm etc etc.

All hints gratefully received for where to go next.  Once I get there I'll do a hcl report and write up what's needed.  Early news is that vt-x and vt-d are both active and the BIOS certainly has TPM related config.

I would try a regular Fedora 20 KDE x64 install. If it also has the graphics problem then you may get a workaround from them more quickly -- there are many more eyes on the Fedora forums.

[Dave C]

On Sunday, February 8, 2015 at 3:17:10 PM UTC-8, epic...@gmail.com wrote:

Hi All,

Thanks for the responses. I really want a laptop that is thin and sexy so the ultrabook makes the most sense.

Dave, what issues are you having with the lenovo X1 Carbon? And what generation did you buy? Looks like 3rd generation is out now.

The issue is described in another thread on this forum, see the thread about "cannnot start qubes-guid"

My X1 carbon is one I've had more than a year.  I don't know the generation.  I will attach output of qubes-hcl-report.
 

The only bummer with the Carbon is that it looks like there is 4GB of max memory available when I go to customize it:
http://shop.lenovo.com/us/en/laptops/thinkpad/x-series/x1-carbon/#tab-customize

Yes, my X1 is 4GB, and that's a bummer.  I find I can run two or three VMs at once, but it is not ideal.

[Dave C]

In my case, for my older X1, I put the qubes installer on a USB, and installed to another USB.  (I may eventually install to the laptop's drive).

The installer worked fine on my X1.

-Dave
 

[cprise]

On 02/08/15 18:17, epic...@gmail.com wrote:

Hi All,

Thanks for the responses. I really want a laptop that is thin and sexy so the ultrabook makes the most sense.

Dave, what issues are you having with the lenovo X1 Carbon? And what generation did you buy? Looks like 3rd generation is out now.

The only bummer with the Carbon is that it looks like there is 4GB of max memory available when I go to customize it:
http://shop.lenovo.com/us/en/laptops/thinkpad/x-series/x1-carbon/#tab-customize

Maybe there is a glitch on the config page. Or maybe you could try a different browser. The info I have says the max RAM is still 8GB.

Seems like you ideally want 8GB min if not 16GB for qubes?

Thank you again for the replies.

A number of us including Joanna have been using 8GB and that feels like plenty of room for me. More RAM would be a drag on battery life.

The T440s (and newly announced T450s) are also ultrabooks: only 0.8 inches thick and under 4 lbs. Notebookcheck.net says the T450s will have a carbon fiber body; Don't know yet what max. RAM will be, but the T430s is 16GB and T440s is 12GB.

[Marek Marczykowski-Górecki]

On Sun, Feb 08, 2015 at 07:27:46PM -0500, cprise wrote:
>
> On 02/08/15 14:43, George wrote:
> A straightforward up to date setup wouldn't work and as far as I could see
> it was due to the Intel HD Graphics 5500.  I installed the 3.17 kernel from
> the testing repo and then all was fine.
>
>
> I didn't know we had 3.17 in testing... Oh its in unstable. :)

Yes, and it is really unstable... There are many problems in VMs with
this kernel. Also dom0 doesn't work ideally there. There was a thread
titled "[qubes-devel] [bug] After upgrade to unstable, Qubes Manager
won't launch" about that problems.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[George Klein]

On 09/02/15 00:27, cprise wrote:
>
> On 02/08/15 14:43, George wrote:
>> I have just got a new (Broadwell) X1 Carbon and have been trying to
>> get Qubes installed. First off, I know it will be fine because I have
>> Qubes on a usb stick that I installed using a different laptop and I
>> have managed to get that working.
>
> Cool! How much RAM does it have? The info I got from Notebookcheck.net
> says it can go up to 8GB.
>

I have got 8G

I'll give that a go then (subject to day job etc).

[Zrubi]

On 02/08/15 11:32, cprise wrote:
> A problem here is that the Qubes HCL script does not check for TPM
> presence, so the people sending HCL reports who do not care about AEM
> (or don't yet use AEM at the time they report) create an entry in the
> HCL that leaves the TPM column blank.
>
> I've suggested adding TPM support to the HCL script to help fill the
> voids and at least give readers a preliminary indication that a TPM is
> accessible by Qubes in a given system.

We have several blocking point about this feature:

- all the mentioned features like vt-d, vt-x, TPM are depends on the
BIOS in several ways. Even in the best scenarios the user can simply
leave disabled it in the BIOS.

In this case no script will tell why do get a "not supported" results.

- all the HCL reports are completely depends on the USER who reported it.
Even the script says all features are working and enabled we really
don't know if it is really working without any glitches or not.
So here we all depending on user reports.

- lots of users are not willing to provide any info about their devices
for several reasons.

- My current device is a corporate one and our corp using a mindlessly
stupid security policy. Because of that I'm not even able switch any
feature in BIOS on my own - so really not able to test anything about
TPM. (And I guess I'm not the only one in this boat)


But let me qo back to the TPM detection:
There was another thread about this and I just asked to get some
positive and some negative results about TPM status.

I only got one (1) single positive results. From that single result I'm
not able to write a TPM detection script - sorry.


So about to get better HCL info in general:

If any notebook provider would give me devices to test Qubes
compatibility I would love to do check them and post the results.

Feel free to contact me about this :)



--
Zrubi

[george]

Fedora 20 installs and runs OK. The difference I can see is that Xorg
uses the vesa driver whereas with Qubes that doesn't work for me.

Looking at Intel's site it seems that support for my HD5500 graphics was
only added at kernel 3.15 (and it is used when running the unstable
Qubes 3.17).

Advice on the relative merits of the options I can pursue will be
welcome ...

1. Try and get vesa graphics working with a stable Qubes kernel. I have
a vague memory of reading that the vesa driver had issues for Qubes but
I can't find anything now - maybe for running a Windows HVM (which I
will need to do)?

2. Install a Fedora kernel which is new enough. I've seen mention of
this but do I just need to get the rpm and install it or do the Qubes
rpms do extra things?

3. Try and get the unstable Qubes 3.17 working which sounds like a bad
idea from Marek's earlier reply.

4. Something else I haven't thought of ...

[Hakisho Nukama]

Working: https://groups.google.com/d/msg/qubes-users/suzkdQ0pnX0/xTw6zo1b-CEJ

For a negative result you can probe your system, if you can't enable TPM.
Unfortunately I need a 13-pin TPM module for my motherboard, so I can't supply
you a "TPM present but disabled" or "TPM working" test result.

But here is my "TPM not present" result:
https://groups.google.com/d/msg/qubes-users/_fV28sDRlLU/z0iOVJf39y0J

> So about to get better HCL info in general:
>
> If any notebook provider would give me devices to test Qubes
> compatibility I would love to do check them and post the results.
>
> Feel free to contact me about this :)

Yeah, this is a good way. Dump us with devices. ;)
Or we visit the willing providers and teach them how to supply these
reports to us.

>
>
>
> --
> Zrubi
>

Best Regards,
Hakisho Nukama

[george]

Up and running now. How I did it is with the HCL report I've just
submitted https://groups.google.com/forum/#!topic/qubes-users/-9qRHSkwfy8

BTW sorry for hijacking this thread.

[HW42]

cprise:

If you have the possibility to test the device in question I would
recommend to not believe the notebook manufacturer about the maximal
supported RAM. For example the "datasheet" of my Fujitsu notebook says
it support only 8 GiB but it works fine with 16 GiB.

[Marek Marczykowski-Górecki]

Exactly the same with many thinkpad models.

[raf...@elitemail.org]

Regarding the broadcom wifi driver issue, this is native to Fedora, not
Qubes. One simply needs to get the broadcom-wl package from RpmFusion
to get those to work.

[Dave C]

It's not simple on a laptop with no wifi (because of broadcom), no bluetooth (because of qubes) and no ethernet port (because of steve jobs).  That is, no network at all.

Now, I happened to install qubes onto a live USB plugged into the macbook.  So I took that USB to my X1 Carbon and booted it there.  Actually worked, even the wifi!  So I added rpmfusion repos to a template VM.  And I attempted to install the broadcom drivers, just as you describe.  It didn't work, because the qubes kernel version didn't match the kernel modules built for rpmfusion (I don't think the qubes kernel is quite up to date).  

The error was rather cryptic, and I don't have it handy, or I'd share it.  I'm not an expert in fedora, but the task you describe was beyond my abilities.  IMHO not simple.  If I'm wrong please post a how-to.  I would love to be able to dual-boot that powerbook to qubes!

-Dave

[raf...@elitemail.org]

On 02/12/15 01:08, Dave C wrote:
> It's not simple on a laptop with no wifi (because of broadcom), no
> bluetooth (because of qubes) and no ethernet port (because of steve
> jobs). That is, no network at all.
>
> Now, I happened to install qubes onto a live USB plugged into the
> macbook. So I took that USB to my X1 Carbon and booted it there.
> Actually worked, even the wifi! So I added rpmfusion repos to a
> template VM. And I attempted to install the broadcom drivers, just as
> you describe. It didn't work, because the qubes kernel version didn't
> match the kernel modules built for rpmfusion (I don't think the qubes
> kernel is quite up to date).
>
> The error was rather cryptic, and I don't have it handy, or I'd share
> it. I'm not an expert in fedora, but the task you describe was beyond
> my abilities. IMHO not simple. If I'm wrong please post a how-to. I
> would love to be able to dual-boot that powerbook to qubes!
>
> -Dave

Sorry, my mistake. I hadn't thought of that when I replied. In that
case, it should certainly be possible, but not as simple.

You would most likely need to build the correct packages yourself,
similar to the steps here (directly beneath "Build kernel package"):
https://qubes-os.org/wiki/InstallNvidiaDriver
(replace the listed packages with the wl-kmod source rpm and the
broadcom-wl source rpm)

Unfortunately, I no longer have a laptop available with broadcom
wireless to test this.

[ad...@privacy.cat]

A lot of higher-end laptops (or "ultrabooks") will feature Intel VT-x/AMD-v and VT-d/whatever AMD calls IOMMU. As for TPM, I'm not sure.

I am currently using a Lenovo T440s (14", reasonably thin, excellent battery life) with Qubes, and it works well. It has a TPM module (two, actually), and supports VT-x and VT-d. If you decide to go with it, make sure you opt for the fingerprint reader as without it I'm not sure that a TPM module will be included (at least the physically separate, TPM 1.2 module).

More generally, you can easily check if an Intel CPU supports VT-d and VT-x by looking up the CPU at http://ark.intel.com/ (though ultimately it is still dependant on BIOS/firmware). As for TPM, as Fabian noted, most manufacturers unfortunately don't list the presence of it .

[cprise]

Hi adin,

Could you run 'qubes-hcl-report' in dom0 and post the result? I think you are our first user with a T440s.

Thanks... :)

[Axon]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

ad...@privacy.cat wrote:
> On Sunday, February 8, 2015 at 12:48:09 PM UTC+10,
> epic...@gmail.com wrote:
>> Hi,
>>
>> I've been searching this user group over the past few days and it
>> seems like nobody currently knows of a current generation laptop
>> that meets the best achievable Qubes security level (green
>> columns in HVM, IOMMU, TPM).
>>
>> I don't mean to be a downer, but how can this project gain any
>> traction if nobody is able to find or buy hardware that supports
>> it? This is frustrating for me because I've long been a fan of
>> qubes, and I really want to use it, but it's not practical to
>> expect people to buy old Lenovo laptops and use them as their
>> primary.
>>
>> Does anyone know of an **ultrabook** that supports most of the
>> columns here: https://qubes-os.org/wiki/HCL
>>
>> I see there is one post on the subject, and a lot of the lingo is
>> overwhelming to me, I'm really just looking for an exact laptop
>> model I can buy and install Qubes-os on:
>>
>> https://groups.google.com/forum/#!msg/qubes-users/Sz0Nuhi4N0o/ZtpJdoc0OY8J
>>
>>
>>
Thanks
>

> [...] It has a TPM module (two, actually) [...]

Interesting. I've never heard of a computer having *two* TPMs. What's
the purpose of that?
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJU36BaAAoJEJh4Btx1RPV8foEQAN3a/MQXOOAtt7iEgE3F40eo
WjdNGbNkjbcVqs2JRt8FPPGKyvyKz1eqGHUjxOAH1bHIHoSLzPfD+Pd20hcQ6+AA
NKFYt+JqL8jpA7J+pEC1J1mbzv6UDA1c+/faHZesf1V7CyniWOdnVXqrIo/BiGEf
jRObb7C4qDpmsIWB0uwadIq8rPAI3L4s1Bk12SfVcCdiwE44iiGIaJ9WTsmYKahr
pZtqtWFNV0tz9iFvRv1SGjL8wq/NiutBdcQ5Mb2vlS/QEBOGsHhQK9P5z/Y7IMS7
inqSE1tu4ejUcF6GPVKKyXD+HbQeZ0WvGaNcx0KC9mTv+q6LeOhjbO2p7Ly70hPJ
P1jw7bVhYMJ0qyz1RsHwKrIv01dhRY5XpZkrs3rg4ckrholy1YkJXBKEr62uxgag
TfcdSXuzr/M2vKiSy5ZJC0TuyN9X/i319eeGklXweSytVoVPxzIk7vuy1wWIPiz5
Tn2BUHohKtn1tDKryq9SG+qVcy89JrbXCzQxdlC3e9WJ1UeaKhHKz3l/Zs9XqQ8p
1kBDNm4KRPxdS17h13BoPUTZfmSgGHCF5lEYOHKXyKeI/TZWOH2YiyBZSwKxN+WV
ZxXIKOml7gfaofE2jaTDMy96vgjbv1EmfVc5bg4UDWuHUNMJUR0TMz/G+F1UHtYB
zG4uEvBub0PZgjyikCT8
=XZTD
-----END PGP SIGNATURE-----

[ad...@privacy.cat]

One of the TPM modules is a TPM 1.2 module, the other has something to do with Intel Platform Protection Technology (PPT) or whatever it's called and is a TPM 2.0 module. The 1.2 module is a physically separate module, and the other -may- be physically part of the CPU.

Either way, as far as I can tell the reason for the two modules is because only Windows 8.1+ seems to support TPM 2.0 modules (TCG definitely doesn't), so nothing else would otherwise be able to use it.

[ad...@privacy.cat]

Sure, I'll post the results later for my W530 and T440s.