> Hello pals,
>
> for the last release of Qubes, what laptop would you recommend? Is there any cheaper option which
> does have HW compatibility with latest Qubes (ideally with shipping from EU), than this one:
>
> https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop ?
> Thanks for any tips!
>
There are two tested, but not certified, models: Thinkpad X1 Carbon gen 5, and Thinkpad x230. https://www.qubes-os.org/doc/hardware-testing/
In general Thinkpads are usually pretty safe. Personally I would try to avoid AMD systems, as well as consumer models. Look for business class or mid-range hardware where possible, as they tend to have more solid firmware. Look for Intel 4th gen (I think) and newer, as prior generations did not have integrated chipsets. Avoid buying the latest models. Qubes is based on older versions of Fedora and LTS kernels, so look for hardware that has been on the market for at least a little while. Look for models that advertise Linux compatibility or ship with Ubuntu preinstalled, and prefer vendors that tend to have good Linux support, such as Lenovo, Dell, and HP.
Other than that, check the HCL, and google around and see what other users have reported. Also search the mailing list for HCL reports, as it takes a long time for them to show up on the website.
Above all, make sure you can return it for a refund in case it doesn't run Qubes!
Now, all that being said, I recently took a chance on a very cheap consumer-grade Dell Inspiron with AMD, and I have to say I had pretty good luck, all things considered. USB Qube is not supported, and I still haven't gotten suspend/resume to work, but everything else works, and it was a steal for the price.
So even going against all recommendations you can still get lucky, it just depends how much risk you're comfortable with and how much trial-and-error you have time for. However, even following all the best practices won't guarantee success on the first try: case in point there are Thinkpads on the HCL with more problems than my cheap Inspiron.
Good luck!
https://www.mail-archive.com/qubes...@googlegroups.com/msg31520.html
Not scientific evidence or anything, just my personal opinion/experience.
My own longterm Qubes primary has been a used W520 quad core with four 8GB DIMMs for 32GB of RAM. Not bad for 2012 era laptop. [Avoid the dual core versions: they only have two memory slots and can only support 16GB Max.]
B
On Wednesday, December 25, 2019 at 10:09:24 PM UTC-6, brend...@gmail.com wrote:
> My own longterm Qubes primary has been a used W520 quad core with four 8GB DIMMs for 32GB of RAM. Not bad for 2012 era laptop. [Avoid the dual core versions: they only have two memory slots and can only support 16GB Max.]
What BIOS are you using? I have a W520 coming in soon that I plan to use for Qubes. I've been using a G505s for a while but it isn't terribly well built and suspend/resume doesn't work on it.
On 01-Jan-2020, at 2:15 AM, Thierry Laurion <thierry...@gmail.com> wrote:
Thanks for the detailed explanation and thanks for the work you have chosen to do. Thanks even more for upstreaming as much as you already have so that others can benefit too.
I want to add a couple of points that I hope are supportive, but let me start with an analogy.
When I was an impoverished student I used to fix my own car when it went wrong: serious problems too, stripping down the engine at one point. I never enjoyed it, and as soon as I was earning I gave that work to the local mechanic even though I knew how to do it.
If someone wants the most secure laptop available on a turnkey basis then they would buy from you. Maybe they are not expert enough to know all the pitfalls you mention; but even if they do know enough they may make the same choice I made over car maintenance. They have things to do with their time that they prefer to be doing rather than doing IT stuff. AND they can afford to do so.
There are two sorts of people here who will want to do the work for themselves.
There are those of us who enjoy the process and want to actually work through the choices for ourselves as the best way to fully understand our own kit.
And there are also those of us who need to watch every penny, so will do the best we can for ourselves within a budget that makes a 230 affordable at second hand prices but not at refurb prices.
Actually I'm in both those groups when it comes to IT, and my security needs are not so pressing as to need to pay the security premium that your product offers. And I enjoy tinkering with software more than I ever enjoyed lying under a car in the road when it was snowing.
So you have my sincere thanks for the info you do share (both through the open source channels and through posts like this one). And if a friend asks me to install a secure OS for them I will send them to you rather than take on a lifetime commitment to give them free support.
Equally, from where I am at the moment I would actually prefer to buy the second hand laptop and work through the process myself. But please don't ever think that that means I disrespect what you are doing, or that I have any problem with your pricing policies. You've made this your work and you are totally entitled to make a living out of it. At the end of the day I'm a hobbyist.
And it's not just free beer: I pay back when I can, not with currency, but in giving advice here when I see other ppl who are struggling with what I already solved, by making bug reports, and I've even edited the Qubes docs on a couple of occasions. For me free as in speech is a two way process: I come to ask questions here, but when I come I always find myself answering questions as well.
So much kudos to you for your choice of making your livelihood, and for facilitating hobbyists and those on low budgets by sharing info as well.
Have a great year Thierry
River~~
On Wed, Dec 25, 2019 at 6:03 PM <brend...@gmail.com> wrote:
Insurgo is providing a service.
If one can do the steps themselves, that’s fine.
If I were advising a somewhat less technical journalist or a potentially targeted human-rights worker or politically targeted activist who just wanted to get stuff done and had the resources, I’d point them to Insurgo.
Brendan
> I use qubes on an AMD system (thinkpad with Ryzen 5 pro 2500u). While I'm happy with it, I've had
> to make some sacrifices. AMD systems are tricky with hardware forwarding, so I cannot (at the
> moment) use a sys-USB. There is an inherent security problem there.
>
> Also, I've had to make my own versions of the (horribly elitistic and class-hatingly named) AEM
> system. I use my machine's TPM2 to verify that my BIOS hasn't been infected, but that was difficult
> as hell to set up. AEM relies on Intel's TPM module, and doesn't work with AMD machines.
>
> So while most of it all works, it's been tricky to set up, and it's not all functional yet.
>
> <3
> /panina
Hi again, processor buddy. I have the Ryzen 5 (non-Pro) 2500U. I've also had a lot of problems with it. The IOMMU grouping is terrible, the kernel has a lot of problems with the firmware and ACPI, it doesn't support USB Qube, and so on. I haven't dared to even try AEM on this machine. But considering the performance for the money, I guess I really can't complain.
I recently got suspend/resume half working. Turns out, some or all of the Fam15h processors including the 2500U change their cpuid feature bits when resuming from suspend, which causes a Xen panic. This means the fans come back on, but the screen doesn't power back on and it can't save any logs, so it's really hard to diagnose. You can patch Xen to disable the feature check.
If you don't mind patching Xen, it's very likely that this will fix it for you (although you may run into other post-resume problems). And it's really not as difficult as it sounds.
This link contains a patch and instructions for building it.
https://www.mail-archive.com/qubes...@googlegroups.com/msg31697.html
Thanks for putting all this information in one place. I was earlier looking to buy Insurgo Privacy Beast, but it was not clear whether it could be shipped to India. I then ordered Librem 13.
Is there any comparison available between these two, based on privacy and security considerations?
Hello Thierry,
Thanks for all that you are doing for the community. Do you see a possibility of a Qubes Certified Laptop with an AMD CPU?
Intel is affected a lot more than AMD by the sidechannel vulnerabilities in the last years. The Privacy Beast has a 3rd gen Intel CPU, Intel stopped providing uCode updates for 1st gen in 2019, so this year is probably the last year they will support 3rd gen. More CPU vulnerabilities will most certainly be discovered in the coming years, so there is a need for an AMD based certified laptop, or at least a newer generation Intel based laptop, even though that may mean we're stuck with PSP or ME.
--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
OTOH, since Coreboot seems stuck in c.2012 with Intel Ivy
Bridge processors, that could make the issue moot bc AMD units requiring
no such deactivation (containing no PSP) are available that are also a
year newer.
Regarding new hardware, which is important, I would rather take my
chances with AMD PSP firmware properly deactivating (when told to) than
with the equivalent Intel ME function.
It would be interesting to
compare errata between the two brands on this point.
>
> So what model would you suggest in the meantime for which firmware can
> be replaced by Open Source Firmware?
Given that c.2012 machines are being discussed, I think it's worth
mentioning the Lenovo G505s as a workable candidate. But I don't hang
out in Coreboot forums as much as I'd like, so I'd just as soon ask you
the same question about what AMD models work? Is this something Insurgo
has looked into?
Complicating the issue is that Coreboot's documentation is 100% geared
to developers; the only guidance for users are links to OEMs. However,
the MrChromebox site lists AMD Stoneyridge c.2017 as Coreboot supported,
which makes models like Lenovo 14E chromebook and HP 15-BW077AX
candidates for testing and porting.
TBH, I'm not exactly sure why, from a consumer standpoint, open firmware
must be a prerequisite when the hardware itself is closed.
Perhaps it's
more important than correctly functioning CPU hardware, but perhaps not.
I think the perceived need that many have for it is rooted in reports
that some Intel ME versions don't deactivate properly, as deactivating
ME gained the Coreboot project a great deal of visibility.