Any AMD based laptop that works with Qubes 4 and doesn't have PSP?

[qubest...@tutanota.com]

Hello Qubes users

Does anyone have an AMD based laptop that doesn't have PSP (i.e. anything pre-2013), and if so, does it work with Qubes 4? Mainly asking for hardware recommendation and so that I can choose a stock model that does come with a working  AMD-V with RVI and AMD-Vi (aka AMD IOMMU).

Thanks infinitely for any help!

[Yuraeitha]

I can't say I know any pre-2013 models (unless its like 10-14 years back which is presumably too old, especially for Qubes 3.2 or 4). I can mostly speak about AMD Ryzen running on Qubes 3.2 or Qubes 4 though, since it's been what I've been running and also looking into recently. I can also share my experience with Qubes 4 and Ryzen if its somerhing you need, but if you want something pre-2013, I suppose it's no point to go there.

AMD has been known to be semi-open source over the years, and also less aggressively segmenting the market compared to Intel. Therefore they do not try to force chips without virtualization as aggressively as Intel do, by what I've heard and experienced.

Chances are that many pre-2013, but past-2012 AMD chips, can run Qubes 4 RC-2, by having the required features, but I'm not really sure which that would be. I'm guessing when it comes to older AMD's, it's more a question whether its powerful enough, than whether it has the right/correct features. Perhaps within the AMD FX series but going back to 2012-2013? or another series?

Also if virtualization works on other Linux systems or Windows for the given AMD chip you're looking at, then there are likely to have been people discussing this on the internet for any given chip, if it was common enough. If you find an AMD chip that have the right specs and looks decent on the benchmarks, then try follow up your search by googling (duckduckgoing) it up, and see what you can find on the topic.

Also make use of benchmark websites, but don't compare across/between websites/tool resources, as they can be different in how they calculate the benchmark. Use the same website for comparing between chips, one at a time, i.e. compare benchmarks with your current system/systems to the chip you're looking to maybe buying. It works best if you have experience with a few computers, and you can feel their calculation power when you used them (pushing them to their limit in various different calculative tasks), and then compare the benchmark numbers with your personal user experience, to get an impression/feeling what the benchmark numbers represent in real life. This way it gives a better idea how powerful the chip you're about to buy is, i.e. if it has 20% higher benchmark, it might be slightly stronger than what you experienced before. If 20-40% less or further less, for example, then it's risky, since you might hit a performance wall you didn't experience before. It takes some careful considerations to get it right before accepting and buying.

I'm sorry that I can't provide any suggestions, but hopefully it was of little use.

[Tai...@gmx.com]

Boom.
Lenovo G505S.
https://www.coreboot.org/Board:lenovo/g505s

Owner controlled.
The blobs for video and power management are removable as there isn't
any hardware code signing enforcement.

[Yuraeitha]

It's possible the Lenovo G505S may be a good suggestion, though there are some things to consider or reflect over. The OP both seem to know what he's looking for, but at the same time not entirely either, due to asking this question. It's really hard to know how much he knows from 3 lines of short information, and we should probably throw in more information, as to not risk having him buy something purely on recommendation alone. It'd be cool with more information though, as to what your needs are Qubest...@tutanota.com, or what you know already.

Some thoughts:

- A10-5750M is 2013 Q2, the request is pre-2013. For this chip, does it have the privacy invasive blob? or is it without?

- The A10-5750M isn't all that fast, but it isn't super slow either for normal requiring needs, like browsing, streaming, writing, in Qubes.
https://www.cpubenchmark.net/cpu.php?cpu=AMD+A10-5750M+APU
It depends on the users need, for example I got a Qubes laptop using
https://www.cpubenchmark.net/cpu.php?cpu=Intel+Core+M-5Y10c+%40+0.80GHz
which is perfectly fine for many causal things. But its CPU a bit laggy/sloppy for example when running Windows AppVM. The recommendation is slightly more powerful in its benchmark. If having similar needs, then the performance is fine, if more needs, then not so much.
We need more information here before any recommendation. It may be plenty for normal Linux Qubes with some browsing and having a good basic amount of VM's running idle and sometimes spin up a bit to handle a task or two. But it can easily be horrible for running Windows AppVM which is more performance hungry.

- 6GB RAM is harsh for Qubes, while it may work with few VM's up, it can be a hassle. Need to ensure that the machine can upgrade its RAM, but it should also be considered an extra expense before buying. Never mind checking whether it can be upgraded or not to begin with. Is the RAM easily accessible? Does the current RAM have to be removed or does it have an extra free slot? etc.

- I would also consider a HDD to be less optimal for Qubes. I haven't run Qubes on non SSD's, so I can't be entirely sure, but it strikes me as more different than between Linux/Windows running on HDD vs. SSD, due to all the loading and copying during Qubes runtime. While HDD seems entirely practical and feasible, it does also seems like it might cause some buttlenecks, which may not be desired. There is also a question of how big these bottlenecks actually are. Anyone have experience with Qubes on HDD's vs. SSD's here? If wanting an SSD, it'll be an extra expense in addition to the RAM, unless you have an unused SSD laying around already.

- Is the firmware blob really removable and truly user controlled? You hear a lot of claims like these, but I haven't actually seen anyone completely succeed yet on any decent laptops.

- Lenovo is known to be a customer- and privacy offender, as well as a proven lier in these regards, caught with their hands in the candy jar, multiple of times again and again at that. What reasons are there for this Lenovo laptop to be exploitable to the point, that it makes up for the bad and distrust rep of Lenovo? Can everything Lenovo can do to the laptop, really be undone?

- It's nice that a lot of threats can be reduced, like the UEFI --> Coreboot, and some of the firmware can re removed, but are these threats truly removed? I'm primarily thinking about the dangerous "feeling safe, thereby being less secure, since not on guard anymore, thereby caught off-guard". Is everything truly removed? Granted firmware like from the drives and such are still there, but I'm specifically thinking about whether the claims being made by these people are truly reliable or not.

- Has other people run Qubes 4 RC-2 on the Lenovo G505S? On paper it looks good enough, but has anyone tested this?

- Other things to reflect over? Suggestions?

[qubest...@tutanota.com]

First of all, thanks a lot Yuraeitha and Tai...@gmx.com, your help is truly appreciated.

@Yuraeitha

Concerning support for the required features for Qubes 4.x, AMD - unlike Intel - doesn't segment their market by removing certain features, and AMD-V and AMD-Vi are fortunately present and supported in most of their CPUs. The problem however is whether the motherboard/bios/... support those features. And that's why I'm asking to see whether an owner of an AMD based laptop (with no PSP) got Qubes 4.0-rc2 working as intended.

Now, concerning performance: I only do some web dev work so there's nothing  fancy about my performance needs. Also I do plan to upgrade the RAM to 16Go as well as buy an SSD.

> For this chip, does it have the privacy invasive blob? or is it without?

It doesn't have AMD's PSP, I used "pre-2013" to mean before or at 2013 :)

@Tai...@gmx.com

Thanks a lot for the suggestion, based on some forum posts on their support it seems that AMD-V is supported with the proprietary BIOS[1] but I could find nothing about AMD-Vi, and this HCL report didn't test for AMD-Vi support with the proprietary BIOS[2].



[1] : https://forums.lenovo.com/t5/Lenovo-B-and-G-Series-Notebooks/enable-amd-v-support-for-G505S/td-p/1496428

[2] : https://groups.google.com/d/msg/qubes-users/5dwZt4xANpA/0a8VkMQlaQYJ

[Tai...@gmx.com]

On 11/13/2017 05:58 AM, Yuraeitha wrote:

> On Monday, November 13, 2017 at 12:10:33 AM UTC, Tai...@gmx.com wrote:
>> On 11/12/2017 01:42 PM, qubest...@tutanota.com wrote:
>>
>>> Hello Qubes users
>>>
>>> Does anyone have an AMD based laptop that doesn't have PSP (i.e. anything pre-2013), and if so, does it work with Qubes 4? Mainly asking for hardware recommendation and so that I can choose a stock model that does come with a working AMD-V with RVI and AMD-Vi (aka AMD IOMMU).
>>>
>>> Thanks infinitely for any help!
>>>
>> Boom.
>> Lenovo G505S.
>> https://www.coreboot.org/Board:lenovo/g505s
>>
>> Owner controlled.
>> The blobs for video and power management are removable as there isn't
>> any hardware code signing enforcement.
>>
>>

>> Some thoughts:
>>
>> - A10-5750M is 2013 Q2, the request is pre-2013. For this chip, does it have the privacy invasive blob? or is it without?

It doesn't have PSP.

> - The A10-5750M isn't all that fast, but it isn't super slow either for normal requiring needs, like browsing, streaming, writing, in Qubes.

I use a CPU which is much slower than that and I don't have an issue.

> - 6GB RAM is harsh for Qubes, while it may work with few VM's up, it can be a hassle. Need to ensure that the machine can upgrade its RAM, but it should also be considered an extra expense before buying. Never mind checking whether it can be upgraded or not to begin with. Is the RAM easily accessible? Does the current RAM have to be removed or does it have an extra free slot? etc.

Of course you can easily upgrade the RAM.

> - I would also consider a HDD to be less optimal for Qubes. I haven't run Qubes on non SSD's, so I can't be entirely sure, but it strikes me as more different than between Linux/Windows running on HDD vs. SSD, due to all the loading and copying during Qubes runtime. While HDD seems entirely practical and feasible, it does also seems like it might cause some buttlenecks, which may not be desired. There is also a question of how big these bottlenecks actually are. Anyone have experience with Qubes on HDD's vs. SSD's here? If wanting an SSD, it'll be an extra expense in addition to the RAM, unless you have an unused SSD laying around already.

You gotta have an SSD, but used laptops don't come with drives so you
would be buying one anyway.

> - Is the firmware blob really removable and truly user controlled? You hear a lot of claims like these, but I haven't actually seen anyone completely succeed yet on any decent laptops.

Yeah this is the real thing-- it isn't like purism's faux free firmware
where 100% of the init process is done via binary blobs.
The only blobs are for video and power management, so this is the best
option there is - in comparison the Lenovo X230 with coreboot will have
an open source init for those but you'll be stuck with a nerfed ME - in
my expert opinion the G505S is the better choice.

Trust me, I have 4 computers that run coreboot and I am a regular on the
mailinglist.

> - Lenovo is known to be a customer- and privacy offender, as well as a proven lier in these regards, caught with their hands in the candy jar, multiple of times again and again at that. What reasons are there for this Lenovo laptop to be exploitable to the point, that it makes up for the bad and distrust rep of Lenovo? Can everything Lenovo can do to the laptop, really be undone?

Lenovo's shenanigans were BIOS based, if you install coreboot you
replace their BIOS.

> - Has other people run Qubes 4 RC-2 on the Lenovo G505S? On paper it looks good enough, but has anyone tested this?

It'll work, trust me.

[Tai...@gmx.com]

On 11/13/2017 02:56 PM, qubest...@tutanota.com wrote:

> Thanks a lot for the suggestion, based on some forum posts on their support it seems that AMD-V is supported with the proprietary BIOS[1] but I could find nothing about AMD-Vi, and this HCL report didn't test for AMD-Vi support with the proprietary BIOS[2].

If you look on the coreboot wiki there is a dmesg log that confirms
support for both with coreboot.

[awokd]

I have a Corebooted G505S and it's hard locking up on the RC2 install.
Still haven't figured out how to begin to troubleshoot it, but it's not
working for me. See the thread:
https://mail-archive.com/qubes...@googlegroups.com/msg15824.html

[Tai...@gmx.com]

On 11/18/2017 03:30 PM, awokd wrote:

> I have a Corebooted G505S and it's hard locking up on the RC2 install.
> Still haven't figured out how to begin to troubleshoot it, but it's not
> working for me. See the thread:
> https://mail-archive.com/qubes...@googlegroups.com/msg15824.html

I will assist you with this, I provide free expert tech support for the
free firmware owners (anyone who has a device with open source silicon
init can email me off list for hardware/firmware/virt support)

> 1) Installer warns "interrupt remapping" is not supported.
> qubes-hcl-report shows IOMMU as enabled but "Remapping" is not. What
> exactly are they looking for?
IR is an additional security and performance measure, it is supported in
the firmware so I don't understand as to why it isn't present. I would
say that is a xen issue.

> 2) Install completes and reboots successfully after that but it only gets
> part way through the first default template installation (whonix-gw) then
> hard locks- no mouse or keyboard response. Is there a way to force these
> to install in compatible mode or something so I can work on fixing them
> later?

I would install qubes on different hardware on the same drive then swap
the drive back so we can get a better shell and see what is happening.

> When I boot debian stretch on the same machine, I see AMD-Vi enabling
> interrupt remapping. xl dmesg under 4.0 shows (Xen) enabling interrupt
> remapping. Qubes 3.2 worked fine on this too.
I would take a guess and say this is probably a xen issue, if you do the
above we can get more info maybe change the version/update to fix it.