recommendation for a laptop to use windows in qubes?


pixel fairy

Nov 15, 2016, 6:52:55 AM
to qubes-users
management is interested in qubes, but still need windows for some tasks. this means buying a laptop that comes with windows, but still can run qubes well. any recommendations? any license issues to be aware of?

Andrew David Wong

Nov 15, 2016, 8:46:51 AM
to pixel fairy, qubes-users
On 2016-11-15 03:52, pixel fairy wrote:
> management is interested in qubes, but still need windows for some tasks. this means buying a laptop that comes with windows, but still can run qubes well. any recommendations? any license issues to be aware of?
>

As far as I'm aware, any laptop with VT-x should be able to handle Windows VMs, and in general, most laptops come with Windows. So, you're basically just looking for a laptop that has good Qubes compatibility. Take a look at the following:

System Requirements: https://www.qubes-os.org/doc/system-requirements/
Hardware Compatibility List (HCL): https://www.qubes-os.org/hcl/

If you plan to be using the same machines for Qubes 4.x, you should also take into consideration the updated requirements for Qubes-certified hardware, which will go into effect for 4.x:

https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/

Licensing is a tricky issue. I'm not sure whether the Windows license allows you to clone Windows VMs or to run multiple Windows AppVMs from a single Windows TemplateHVM. That's a question for the lawyers. Maybe others around here have information about it.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Zrubi

Nov 15, 2016, 9:39:27 AM
to pixel fairy, qubes-users
On 11/15/2016 02:46 PM, Andrew David Wong wrote:

> Licensing is a tricky issue. I'm not sure whether the Windows license allows you to clone Windows VMs or to run multiple Windows AppVMs from a single Windows TemplateHVM. That's a question for the lawyers. Maybe others around here have information about it.

If we are talking about a normal (OEM) desktop license you are allowed
to RUN a SINGLE instance of windows VM.

This means you are fine with running a single HVM instance.


This is because windows OS licensing is bound to the hardware. In case of
qubes, the hardware is a virtual one. Moreover, if you try to run a
template based windows you will face a technical issue: You can't
activate your windows permanently, because:

- activate the template itself
One may think that this should be ok, and it is. Your template will be
activated - but You only use the template for OS updates. Once you start
an AppVM based on this template, that's gonna be a NEW virtual hardware
which will break the activation.

- activate the AppVM
You can do it for sure. However you have to do it on EVERY startup. Not
sure how many activations will be tolerated by Microsoft.


Conclusion:
Windows is not designed to be run as a template based VM.



--
Zrubi

signature.asc

Unman

Nov 15, 2016, 10:17:59 AM
to Zrubi, pixel fairy, qubes-users
This is true for OEM licenses. It would be possible to acquire an add-on
under Software Assurance and run up to 4 VMs, and that is probably the best
route to follow for template based Windows qubes.

In a business environment this might already be available. N.B., if you
want to connect to MS server products from multiple VMs that could open
a separate can of worms.

pixel fairy

Nov 15, 2016, 7:39:23 PM
to qubes-users, ma...@zrubi.hu, pixel...@gmail.com, un...@thirdeyesecurity.org
On Tuesday, November 15, 2016 at 10:17:59 AM UTC-5, Unman wrote:
> > ...

> > Conclusion:
> > Windows is not designed to be run as a template based VM.
> >
> > --
> > Zrubi
>
> This is true for OEM licenses. It would be possible to acquire an add-on
> under Software Assurance and run up to 4 VMs, and that is probably the best
> route to follow for template based Windows qubes.
>
> In a business environment this might already be available. N.B., if you
> want to connect to MS server products from multiple VMs that could open
> a separate can of worms.

Microsoft can't make anything easy! Maybe it would be easier to just remote those apps.

pixel fairy

Nov 15, 2016, 7:44:53 PM
to qubes-users, pixel...@gmail.com
On Tuesday, November 15, 2016 at 8:46:51 AM UTC-5, Andrew David Wong wrote:
>
> As far as I'm aware, any laptop with VT-x should be able to handle Windows VMs, and in general, most laptops come with Windows. So, you're basically just looking for a laptop that has good Qubes compatibility. Take a look at the following:

a sad trend now is laptops that are bios locked to only run windows.

I'd also like to find a vendor that will still give us support and coverage on hardware issues, like ibm did before lenovo took over.

raah...@gmail.com

Nov 15, 2016, 10:45:06 PM
to qubes-users, pixel...@gmail.com

what I always suggest is to buy one that has a manual to view all the specifications. Preferably where you can see bios pictures in the manual. And for Qubes I always suggest one where you can see VT-d is enabled in the picture. or if it says it's enabled by default then you are good to go for sure. To get the full security benefits.

raah...@gmail.com

Nov 15, 2016, 10:46:00 PM
to qubes-users, pixel...@gmail.com, raah...@gmail.com

to see how it performs, you can search the model on linux forums, see if linux users use it, then you are good to go.

Salmiakki

Nov 16, 2016, 4:24:29 AM
to qubes-users, pixel...@gmail.com
On Tuesday, November 15, 2016 at 2:46:51 PM UTC+1, Andrew David Wong wrote:
> On 2016-11-15 03:52, pixel fairy wrote:
> > management is interested in qubes, but still need windows for some tasks. this means buying a laptop that comes with windows, but still can run qubes well. any recommendations? any license issues to be aware of?
> >
>
> As far as I'm aware, any laptop with VT-x should be able to handle Windows VMs, and in general, most laptops come with Windows. So, you're basically just looking for a laptop that has good Qubes compatibility. Take a look at the following:
>
> System Requirements: https://www.qubes-os.org/doc/system-requirements/
> Hardware Compatibility List (HCL): https://www.qubes-os.org/hcl/
>
> If you plan to be using the same machines for Qubes 4.x, you should also take into consideration the updated requirements for Qubes-certified hardware, which will go into effect for 4.x:
>
> https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/
>
> Licensing is a tricky issue. I'm not sure whether the Windows license allows you to clone Windows VMs or to run multiple Windows AppVMs from a single Windows TemplateHVM. That's a question for the lawyers. Maybe others around here have information about it.
>
> - --
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org


Just to throw it out there. Lenovo has recently tried to lock down their laptops and prevent you from installing any Linux on them. You may run into significantly more problems if you take one of these Microsoft Signature PCs.

https://www.reddit.com/r/linux/comments/53ri0m/warning_microsoft_signature_pc_program_now/

https://mspoweruser.com/lenovo-denies-blocking-linux-windows-10-pcs/

Tai...@gmx.com

Nov 16, 2016, 5:02:36 AM
to qubes-users, raah...@gmail.com, pixel...@gmail.com
I have purchased systems that had just that but the proprietary bios
still did not properly implement the iommu.

This is considered a "pro" level technology and you are generally SOL if
you buy a consumer level laptop (even some "enterprise" ones) - If you
don't care about ME the best choice would be a dell business (latitude
or precision) laptop with ProSupport so you can get someone on the phone
who speaks english, isn't a moron and is able to escalate problems to
the engineering team in case you have any problems such as bad DMAR tables.

FYI - "VT-d" is IOMMU with the AMD marketing name of AMD-Vi - it is not
an intel technology.

Achim Patzner

Nov 16, 2016, 5:36:06 AM
to qubes...@googlegroups.com
On 15.11.2016 at 14:46, Andrew David Wong wrote:
> If you plan to be using the same machines for Qubes 4.x, you should
> also take into consideration the updated requirements for
> Qubes-certified hardware, which will go into effect for 4.x:
> https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/

These requirements are probably the worst you can do for corporate
users; they prefer "standard hardware"; even I would rather stop using
Qubes than not being able to take any off-the-shelf Lenovo systems but
having to use underperforming boxes from unknown sources. Keep in mind
that the average company doesn't like hardware with broad maintenance
contracts and won't buy outdated designs (and that's about every system
supported by coreboot) either.


Achim

Tai...@gmx.com

Nov 16, 2016, 5:53:57 AM
to Achim Patzner, qubes...@googlegroups.com
The "certified" program is stupid in its current form I agree but what
is stopping you from buying a dell business or hpe machine with
iommu/TPM and using that? Nobody says you have to buy stuff from
whatever company gives kickbacks. (purism "coreboot" with FSP is just a
shimboot loader, FSP does all the work so it is far from secure or open
source and it still has ME - dishonest)

If you want a new open source firmware machine that supports adv.
virtualization go hit up IBM, they'll happily sell you a high
performance OpenPOWER8 system with just that, complete with a nice fat
enterprise grade extended support maintenance contract.

Coreboot is hobbyist/embedded pretty much, the reason that only
"outdated" designs are supported is because intel (and now AMD) actively
tries to stop free firmware and people are mostly doing this on their
spare time - it boils down to an issue of funding.
If there were wealthy backers there'd be TALOS type machines on store
shelves complete with a "coreboot + linux" sticker on the front

Just remember that lenovo is not exactly trustworthy, 4x bios rootkits
in the past few years and they're owned by the PRC - the us government
no longer buys them for classified operations computing.

Achim Patzner

Nov 16, 2016, 6:06:17 AM
to qubes...@googlegroups.com
On 16.11.2016 at 11:53, Tai...@gmx.com wrote:
> The "certified" program is stupid in its current form I agree but what
> is stopping you from buying a dell business or hpe machine with
> iommu/TPM and using that?

The uncertainty whether it will work with Qubes 4.0 at all as it is very
improbable that it will support coreboot. And many companies require
hardware fulfilling all requirements of the software they are planning
to use so this will kill Qubes for them.

> If you want a new open source firmware machine that supports adv.
> virtualization go hit up IBM, they'll happily sell you a high
> performance OpenPOWER8 system with just that, complete with a nice fat
> enterprise grade extended support maintenance contract.

Can I carry it around with me? I once had a SparcBook... Nice thing, that.

> Coreboot is hobbyist/embedded pretty much,

That's the problem. Requiring it will exclude many from using Qubes. And
a disclaimer "Qubes 4.0 might also work on EFI or even legacy firmware"
is not enough reassurance.

> the reason that only "outdated" designs are supported is because intel
> (and now AMD) actively tries to stop free firmware and people are
> mostly doing this on their spare time - it boils down to an issue of
> funding.

I don't care for the reason. There is no applicable "serious" hardware
fulfilling the requirement so I cannot seriously try to move Qubes into
corporate environments. Which will in the end severely restrict spreading
of Qubes.


Achim

Tai...@gmx.com

Nov 16, 2016, 6:13:40 AM
to Achim Patzner, qubes...@googlegroups.com
If you really do belong to some massive enterprise I am sure your
dell/hpe/whatever rep will be able to give you a yes/no answer on what
laptops support IOMMU.
There is no "uncertainty", if it supports linux plus IOMMU and SLAT or
RVI (any recent cpu) it supports qubes. Ask your rep and get it in writing
then buy one and test it.

Having coreboot with FSP is pointless, you shouldn't bother with that.

pixel fairy

Nov 16, 2016, 11:50:40 AM
to qubes-users, no...@noses.com, Tai...@gmx.com
so far dell is the only company that's said yes to this, but no one I've talked to has actually tried qubes.

raah...@gmail.com

Nov 16, 2016, 1:21:43 PM
to qubes-users, raah...@gmail.com, pixel...@gmail.com, Tai...@gmx.com

this is why you find the picture of it preferably "enabled" in the manual before you buy it.

raah...@gmail.com

Nov 16, 2016, 1:23:09 PM
to qubes-users

someone linked a laptop here the other day looked good for qubes. like yesterday or day before forget what it was. had a picture in the manual of vt-d enabled. seems the same board used in a couple diff brand laptops.

raah...@gmail.com

Nov 16, 2016, 1:25:18 PM
to qubes-users, raah...@gmail.com
You don't always have to buy the newest computer. I wouldn't recommend doing that for a linux system. I built an i5 desktop for qubes I expect it to last for years to come.

I would say an i7 for laptop though, just check what people say about the model on linux forums. or what they have listed if they use it in their profiles.

raah...@gmail.com

Nov 16, 2016, 1:27:16 PM
to qubes-users, raah...@gmail.com
the desktop mobo I bought was because it had txt and vt-d specified as enabled by default in the manual. So I didn't even need the picture lol. but imo that's what to look for.

Tai...@gmx.com

Nov 17, 2016, 8:21:40 PM
to Achim Patzner, qubes...@googlegroups.com
http://shop.amd.com/en-us/business/notebook
You could check out these to see if they have AMD-Vi/IOMMU
I don't know if they have PSP (AMD ME type thing), however.

Andrew David Wong

Nov 19, 2016, 6:58:58 AM
to Achim Patzner, qubes...@googlegroups.com
Please note that these are the requirements for *certification*, not the requirements to *run* Qubes 4.x. You (and I) should still be able to buy standard Lenovo business notebooks and run Qubes 4.x on them just fine. See the minimum requirements for 4.x here:

https://www.qubes-os.org/doc/system-requirements/#qubes-release-4x

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Andrew David Wong

Nov 19, 2016, 8:03:42 AM
to Achim Patzner, qubes...@googlegroups.com
On 2016-11-19 04:48, Achim Patzner wrote:
> On 19.11.2016 at 12:58, Andrew David Wong wrote:
>>> These requirements are probably the worst you can do for corporate
>> users; they prefer "standard hardware"; even I would rather stop using
>> Qubes than not being able to take any off-the-shelf Lenovo systems but
>> having to use underperforming boxes from unknown sources. Keep in mind
>> that the average company doesn't like hardware with broad maintenance
>> contracts and won't buy outdated designs (and that's about every
>> system supported by coreboot) either.
>>
>> Please note that these are the requirements for *certification*, not
>> the requirements to *run* Qubes 4.x.
>
> You might rephrase that part and stress the fact that you are not left
> on your own if problems arise with non-certified hardware (I guess you
> lack the experience of having vendor-related problems being ignored with
> a hint at "your hardware has not been certified by us running our
> software" – just try a round of that with VMware 8-) ). Anything else
> will put off a lot of people...
>
>
> Achim
>
>

Yes, we'll be sure to point this out when we make the official announcement
closer to Qubes 4.x. In the meantime, I've added a clarificatory note here:

https://www.qubes-os.org/hardware-certification/#hardware-certification-requirements

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
