Best Laptop for Qubes 4+ and Heads


jonbrown...@gmail.com

Aug 10, 2018, 10:00:43 AM
to qubes-users
Heyo,

I am looking for the best laptop for Qubes 4.0+ to take advantage of all the features along with Heads. I know Heads only officially supports Lenovo Thinkpad 230 but is that the best choice to future proof myself and take advantage of all security benefits?

How is the 230 on the binary blob front and other firmware? Is there any other technology besides Heads that could enhance Qubes or provide better/additional protection?

Here is more info on Heads http://osresearch.net/

Any help is greatly appreciated.

Franz

Aug 10, 2018, 1:18:38 PM
to jonbrown...@gmail.com, qubes-users
I own a couple of x230. Yes they support coreboot and Qubes runs pretty well. Also intel ME can be blocked. The problems may be that max RAM is 16MB and CPU has only two cores. The first one is harder to accept for me because I want to keep open more VMs than my RAM allows. But if you can accept these limitations then x230 is pretty good. There are also new motherboards on sale here: https://www.ebay.com/itm/LENOVO-THINKPAD-X230-TABLET-SYSTEM-BOARD-04X3744-I7-3520-WITH-CPU-FAN/322898398982?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2057872.m2749.l2649
--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscribe@googlegroups.com.
To post to this group, send email to qubes...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/98cebf55-53a2-4e24-9e35-575e9d023106%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Franz

Aug 10, 2018, 8:25:55 PM
to Jonathan Brown, qubes-users


On Fri, Aug 10, 2018 at 5:23 PM, Jonathan Brown <jonbrown...@gmail.com> wrote:
> How bad does the RAM issue affect your VM number you want to run vs what you can run? Can it handle all the required VMs needed by default along with both Whonix templates and split GPG?

Yes, apart from the system VMs, I usually run 6 VMs. When the machine is freshly started I can easily reach 9 VMs. But after a couple of days working it doesn't let me start new VMs.

> How does it actually run performance wise?

Smooth and fast.

But I never tried gaming or specially intensive tasks.

Please do not top post and do not drop the qubes-users group.



Chris Laprise

Aug 11, 2018, 12:36:48 AM
to Franz, Jonathan Brown, qubes-users
On 08/10/2018 08:25 PM, Franz wrote:
>
>
> On Fri, Aug 10, 2018 at 5:23 PM, Jonathan Brown
> <jonbrown...@gmail.com <mailto:jonbrown...@gmail.com>> wrote:
>
> How bad does the RAM issue affect your VM number you want to run vs
> what you can run? Can it handle all the required VMs needed by
> default along with both Whonix templates and split GPG?
>
>
> yes, a part from the system VMs, I usually run 6 VMs. When the machine
> is fresh started I can easily reach 9 VMs.  But after a couple of days
> working it doesn't let me start new VMs.
>
> How does it actually run performance wise?
>
>
> Smooth and fast.
>
> But I never tried gaming or specially intensive tasks.

The Ivy Bridge CPUs are pretty fast: the last generation before Intel
cut max wattage in half with Haswell.

BTW there are little tricks to improving RAM usage, as my regular system
has 8GB. Net and proxy VMs can usually be set to max 350MB RAM, and I
find dom0+KDE works smoothly with max RAM at 1500MB. Most personal and
work VMs do fine with max RAM at 1500 - 2000MB.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
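A simplified model of the memory balancing behind this advice, added here as an illustration and not code from Qubes OS or from Chris's post. It assumes dom0 is pinned at its maximum and that the balancer can shrink a running qube only down to what it has actually grown to, which is why capping maxmem on sys-net/sys-firewall leaves room for more app qubes; the qube names, sizes and the 16GB/1500MB figures are constructed.

```python
from dataclasses import dataclass

@dataclass
class Qube:
    name: str
    memory: int    # initial allocation in MB (the qvm-prefs "memory" value)
    maxmem: int    # ceiling in MB the balancer may grow it to ("maxmem")
    used: int = 0  # MB the guest has actually grown to; cannot be reclaimed below it

def floor_mb(q: Qube) -> int:
    """Smallest allocation the balancer can shrink this qube back to."""
    return max(q.memory, min(q.used, q.maxmem))

def can_start(total_mb: int, dom0_max_mb: int, running: list, new: Qube) -> bool:
    """A new qube starts only if its initial 'memory' fits once every running
    qube has been shrunk to its floor. dom0 is assumed pinned at dom0_max_mb
    (as with Xen's dom0_mem=max: boot option); this is a simplification of
    what Qubes' balancer actually does."""
    committed = dom0_max_mb + sum(floor_mb(q) for q in running)
    return committed + new.memory <= total_mb

def max_startable(total_mb: int, dom0_max_mb: int, running: list, template: Qube) -> int:
    """Worst case after days of use: each started copy of `template` has
    grown to its maxmem before the next one is launched."""
    started = list(running)
    count = 0
    while can_start(total_mb, dom0_max_mb, started, template):
        grown = Qube(f"{template.name}{count}", template.memory, template.maxmem,
                     used=template.maxmem)
        started.append(grown)
        count += 1
    return count

def compare(total_mb: int = 16384, dom0_max_mb: int = 1500) -> tuple:
    """Constructed scenario: two sys VMs already grown, app qube 400/2000 MB.
    Returns (startable with default sys VM maxmem, startable with 350MB cap)."""
    default_sys = [Qube("sys-net", 400, 4000, used=4000),
                   Qube("sys-firewall", 400, 4000, used=4000)]
    trimmed_sys = [Qube("sys-net", 300, 350, used=350),
                   Qube("sys-firewall", 300, 350, used=350)]
    app = Qube("work", 400, 2000)
    return (max_startable(total_mb, dom0_max_mb, default_sys, app),
            max_startable(total_mb, dom0_max_mb, trimmed_sys, app))

if __name__ == "__main__":
    before, after = compare()
    print(f"app qubes startable: {before} with default sys VMs, {after} with 350MB sys VMs")
```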

Franz

Aug 17, 2018, 1:08:34 PM
to Chris Laprise, Jonathan Brown, qubes-users
On Sat, Aug 11, 2018 at 1:36 AM, Chris Laprise <tas...@posteo.net> wrote:
> On 08/10/2018 08:25 PM, Franz wrote:
>> On Fri, Aug 10, 2018 at 5:23 PM, Jonathan Brown <jonbrown...@gmail.com <mailto:jonbrownmasterit@gmail.com>> wrote:
>>> How bad does the RAM issue affect your VM number you want to run vs
>>> what you can run? Can it handle all the required VMs needed by
>>> default along with both Whonix templates and split GPG?
>>
>> yes, a part from the system VMs, I usually run 6 VMs. When the machine is fresh started I can easily reach 9 VMs. But after a couple of days working it doesn't let me start new VMs.
>>
>>> How does it actually run performance wise?
>>
>> Smooth and fast.
>>
>> But I never tried gaming or specially intensive tasks.
>
> The ivy bridge CPUs are pretty fast.. the last generation before Intel cut max wattage in half with haswell.
>
> BTW there are little tricks to improving RAM usage, as my regular system has 8GB. Net and proxy VMs can usually be set to max 350MB RAM, and I find dom0+KDE works smoothly with max RAM at 1500MB. Most personal and work VMs do fine with max RAM at 1500 - 2000MB.

I tried reducing RAM allocated to various VMs and dom0 and it much improved: I am able to get 27 concurrently open VMs.

stallm...@gmail.com

Aug 20, 2018, 1:21:07 PM
to qubes-users

I use an x220 tablet and it is a great laptop for Qubes OS 4

1. Heads support (no problems, easy install, works on my machine, many great features, kexec etc.)
https://github.com/osresearch/heads/tree/master/blobs/x220

Alternative :
https://git.lsd.cat/g/thinkpad-coreboot-qubes

ME disabled (works!)

2. Tomu support ($30) (works fine!)
https://www.crowdsupply.com/sutajio-kosagi/tomu

porting gnuk to tomu (open-source analog of a YubiKey, needed to use Heads)

https://github.com/osresearch/heads-wiki/blob/master/GPG.md

Dev: https://github.com/aze00/gnuk/tree/efm32
PR: https://github.com/im-tomu/tomu-samples/pull/35
Issue: https://github.com/im-tomu/tomu-samples/issues/4

Alternative - Nitrokey
https://shop.nitrokey.com/shop/product/nitrokey-start-6 (based on gnuk)

3. https://inversepath.com/usbarmory nice compatibility (works without any issues)

4. for good work you need a bundle: i7 2nd gen, 16GB RAM and a good SSD disk (I completely lack 256 gigabytes)

main templates :
archlinux
artful
bionic
centos-7
debian-9
dev (buster)
fedora-28
kali-rolling
void-template
whonix-ws-14
whonix-gw-14

works fine and is easy to build from https://github.com/QubesOS/qubes-builder

+ 8-10 services (vpn,tor,wireguard etc)
+ 3-4 disp vm's (internet browsing)
+ 8+10 domains

Total disk usage : 20.4%
lvm : 36.2% 77.4GB/213.8GB

So, 256GB is enough.

5. You can use it like tablet ;)

https://github.com/martin-ueding/thinkpad-scripts

rotate/touchscreen works great and works in every VM.

6. TPM ownership/reset (works!)

7. 10 open vms

temp 52
fan 3496 rpm

8. +3G modem or Raspberry Pi features

Cheers!

stallm...@gmail.com

Aug 20, 2018, 1:56:01 PM
to qubes-users
Also, you can build your own Linux and integrate it into the BIOS chip. It is amazing. ;)

https://www.coreboot.org/Payloads

Payloads

Linux-Kernel

The Linux kernel can be used as a payload, and, if it fits into the flash ROM chip, even a distribution can be a payload. But it’s more common to let Linux load another Linux kernel using kexec. Several projects exist to build such a Linux kernel and an initramfs image.

LinuxBoot
Heads
Petitboot – A kexec-based bootloader, How-to
Petitboot for coreboot
u-root

You could download this floppy from the KolibriOS website and add it to your coreboot.rom with this command:
./build/cbfstool build/coreboot.rom add -f ./build/kolibri.img -n floppyimg/kolibri.lzma -t raw -c lzma
Then it will be available for selection at the SeaBIOS boot menu when you want to launch it and have fun ;)

Tai...@gmx.com

Aug 23, 2018, 4:07:29 PM
to qubes...@googlegroups.com
On 08/20/2018 01:21 PM, stallm...@gmail.com wrote:
>
> ME disabled (works!)

It is a nice laptop and I recommend it sometimes BUT:

As someone with your screen-name I would hope you know that it is
impossible to disable ME.

In your case the BUP module still runs along with any mask roms - more
than enough to add a backdoor to your machine.

Of course in terms of laptops it is still better than newer Intel stuff
like the Skylake puri-craptops where the BUP AND the kernel run on their
"disabled" ME - they changed the definition of disabled just like they
did with the definition of "open firmware" :[

The best and most free laptop is the Lenovo G505S of which there is a
thriving little coreboot-qubes4 community thanks to me telling many
people to get it :D

G505S:
* pre-PSP AMD quad core CPU (the A10 model - the others suck)
* coreboot with open CPU/RAM init (unlike the blobbed puri-craptop hw
init via the Intel FSP binary blob)
* IOMMU that works with Qubes 4.0 (must apply latest microcode updates
or Qubes won't work)
Blob status: video+EC but people are apparently working on freeing them
and the IOMMU protects you from any DMA issues.

In terms of other laptops the X230t (with better *20 series non chiclet
keyboard) I recommend if someone wants a tablet and the W520 if someone
wants a mobile workstation with 32GB RAM - both are of course a much
better choice than a puri-craptop as they have open source hardware init
via coreboot and the ME can be nerfed.
Nice! glad that still works

Did you install coreboot?

>
> 6. TPM ownership/reset (work!)
>
> 7. 10 open vms
>
> temp 52
> fan 3496 rpm
>
> 8. +3G modem or raspberry pi features

The RPI is not an open source firmware device FYI and I recommend
instead purchasing a beagleboard or novena.

Franz

Aug 24, 2018, 10:08:07 AM
to Tai...@gmx.com, qubes-users
On Thu, Aug 23, 2018 at 5:08 PM, Tai...@gmx.com <Tai...@gmx.com> wrote:
> On 08/20/2018 01:21 PM, stallm...@gmail.com wrote:
>>
>> ME disabled (works!)
>
> It is a nice laptop and I recommend it sometimes BUT:
>
> As someone with your screen-name I would hope you know that it is
> impossible to disable ME.
>
> In your case the BUP module still runs along with any mask roms - more
> than enough to add a backdoor to your machine.
>
> Of course in terms of laptops it is still better than newer intel stuff
> like the skylake puri-craptops where the bup AND the kernel run on their
> "disabled" ME - they changed the definition of disabled just like they
> did with the definition of "open firmware" :[
>
> The best and most free laptop is the lenovo G505S of which there is a
> thriving little coreboot-qubes4 community thanks to me telling many
> people to get it :D
>
> G505S:
> * pre-PSP AMD quad core cpu (the A10 model - the others suck)
> * coreboot with open cpu/ram init (unlike the blobbed puri-craptop hw
> init via the intel fsp binary blob)
> * IOMMU that works with qubes 4.0 (Must apply latest microcode updates
> or qubes wont work)
> Blob status: video+EC but people are apparently working on freeing them
> and the IOMMU protects you from any DMA issues.

Thanks! Is there somewhere a tutorial to do all that?

stallm...@gmail.com

Aug 30, 2018, 4:01:19 PM
to qubes-users
> Did you install coreboot?
Yes.
bios: CBET4000 4.8-1344-g982c7555ad

> Nice! glad that still works

Ericsson F5521gw - 3G/GPS/HSPA work out of the box in a dedicated USB VM, but only clearnet/VPN/wireguard. For Whonix and Tor you need to read this:
https://www.whonix.org/wiki/Security_Guide#Anonymous_Mobile_Modems.

So, you can sit in the forest next to the telecommunications tower))

> The RPI is not an open source firmware device FYI and I recommend
> instead purchasing a beagleboard or novena.

> G505S:
> * pre-PSP AMD quad core cpu (the A10 model - the others suck)
> * coreboot with open cpu/ram init (unlike the blobbed puri-craptop hw
> init via the intel fsp binary blob)
> * IOMMU that works with qubes 4.0 (Must apply latest microcode updates
> or qubes wont work)
> Blob status: video+EC but people are apparently working on freeing them
> and the IOMMU protects you from any DMA issues.

Thanks for info :)

I first wanted to try a W520 (i7 quadcore, coreboot/32GB RAM and Quadro 1000m/2000m)
but
http://www.cs.utexas.edu/~hyu/publication/pdf/wddd17.pdf
https://wiki.xen.org/wiki/Xen_VGA_Passthrough_Tested_Adapters

These cards are not listed and the Intel news is sad :(
So, idea - GPU passthrough to HVM?! Unsuccessful.

I have 16GB ram - Xentop says 15GB are used

11 domains: 2 running, 9 blocked, 0 paused.

Mem 16696288k total, 15389884k used, 1306404k free.

which is quite enough, but an HVM may eat more RAM.


but now I think it might be better to buy G505S for comparison :)

Thanks :)


Tai...@gmx.com

Sep 5, 2018, 3:05:01 PM
to qubes...@googlegroups.com
> So, idea - gpu passthrouth to hvm ?! unsuccessful

You can't pass a primary GPU.
>
> I have 16GB ram - Xentop says 15GB are used
>
> 11 domains: 2 running, 9 blocked, 0 paused.
>
> Mem 16696288k total, 15389884k used, 1306404k free.
>
> which is quite enough, but hvm maybe eat more ram.

RAM is dynamically allocated as part of ram sharing - if you launch
another VM it will take a little bit away from the ones currently active.