A brief note on finding a supported laptop

[Steven Collins]

Greetings,

I previously submitted a positive HCL report for my Dell Latitude laptop (https://groups.google.com/forum/?fromgroups=#!msg/qubes-devel/SI1yTGpZN9A/Dm3Qwm_8CjQJ). I had meant to say a few words about how I chose that laptop in the first place. Luckily I just happened upon the following in my Drafts folder. Here it is, in hopes it might be a bit of help to someone (mostly written several months ago, so some things could be out of date):

I [somewhat] recently purchased a laptop [the aforementioned Dell], and one of my explicit goals was to find one capable of doing Xen VGA Passthrough (which I realize is not something that Qubes specifically does, but the hardware requirements for that and for some features of Qubes are similar). As I'm sure many of you know, this is easier said than done, so I thought I would share a bit of my experience.

As, again, I assume most of you know, for VT-d (or IOMMU) to work one needs support from the CPU, the chipset, the motherboard, AND the BIOS. It's extremely hard to find out in advance all 4 of these pieces of information about a particular laptop. I totally gave up on finding an AMD-based laptop satisfying this; I just couldn't find ANY relevant information about their mobile CPUs and chipsets.  So then I spent quite a bit of time on http://ark.intel.com, which was frustrating; that site could certainly be much better indexed and cross-referenced. Still, there is a wealth of information there. Another valuable resource was http://laptops-specs.blogspot.com/ . Of course there is no guarantee that the information on that site is 100% accurate, but really, is there ever? :) I also when possible consulted the online manuals of laptops that were potential candidates. This was a big win for the Dell I eventually got; the system manual, which includes detailed and intelligible documentation of the BIOS options (a rare thing indeed) was available to download and reasonably convincing that it really had VT-d support and it really did work, as long as you made sure to get a CPU that supports it (Dell generally offers a choice of CPUs in their machines).

- Steven

[7v5w7go9ub0o]

On 10/23/12 12:43, Steven Collins wrote:
> Greetings,

Steven, Thank you for posting this!

I suspect many of us now are in the same boat that you were in then -
clearly you had to invest a lot of time, do a lot of research, and
were technically able to "interpret" the fine print (and/or you were
very lucky :-) )

This technical ability is not trivial, and one wonders if some of the
well-intended community posters to the HCL list are, as you might express
it, technically able to award a "100 percent".

(FWIW, All of this is frightening enough that I'm wondering if it might be
desirable to approach the task "backwards" - by upgrading an older (or
newer?) laptop with a contemporary CPU, chipset, motherboard, and BIOS
that is sure (most likely) to work.)

[Pedro Martins]

> (FWIW, All of this is frightening enough that I'm wondering if it might be
> desirable to approach the task "backwards" - by upgrading an older (or
> newer?) laptop with a contemporary CPU, chipset, motherboard, and BIOS
> that is sure (most likely) to work.)

I ended up reaching the same conclusion - I upgraded an old ~2007 ACER
Aspire 5920G (Core2Duo T7500 based, NVIDIA GeForce 8600M GT) laptop to
4GB RAM and a brand new 240GB SSD. This is barely ok for running Qubes
as it only supports VT-x (and no HT); I get no VT-d benefits :(. The
performance is acceptable though.

I first tried Qubes on a newer ASUS Eee PC 1215P (Atom N570 based,
Ubuntu certified!) but unfortunately the 2GB RAM limit makes using it
with Qubes a test on ones resolve - you can work with 3 + 1 VMs but
if you need to start a 5th VM, be prepared to take it slow... it does
really help to have more RAM.

Before upgrading the old laptop, I considered buying a new one; spent
a few weeks looking around for VT-x/d and TXT support, also up to 16GB
RAM support, but it seems that nowadays you can only buy appliances
disguised as computers - even though the cpu supports all that is
required to have the full Qubes experience, you get no luck with the
BIOS and/or motherboard chipset. I did only find a few which mentioned
explicitly VT-x / Virtualization support (VT-d isn't mentioned at
all), but considering the price for a new laptop (~800-900€) with the
cost of upgrading the old system (~240€), I went with the upgrade - at
least I knew what to expect.

--
Pedro

[Juergen Schinker]

Check this out


Hi Juergen.

All of our laptops support VT-x, but only the Gazelle supports VT-d. You would need to order the i7-3740QM or i7-3840QM processor to get VT-d support; the default (i7-3630QM) only supports VT-x.

- Ian Santopietro ( System76 Sales )

[Steven Collins]

For the record, I have purchased and used a laptop from System76 (not
for Qubes, specifically) and was pretty pleased with it. I would
recommend them - it's hard enough finding a laptop maker that even
officially SUPPORTS any open source operating system, let alone one
that exclusively sells machines with one pre-installed.

> --
>
>

[7v5w7go9ub0o]

> (~800-900€) with the cost of upgrading the old system (~240€), I

> went with the upgrade - at least I knew what to expect.
>

Thank You for this very useful post, Pedro!!

Some (newbie) questions, please:

1. ISTM you have a very respectable rig. I suspect you also considered
upgrading the CPU/MB as well - is that a project for the future; perhaps
after some price drops? If so, would the Aspire form factor, connectors
and power supply be compatible (plug and go) with contemporary MBs? (I
have a Sony VGN-tx650p from about the same era as yours.)

2. Are you using software encryption? If so, how much of a drag would
you guess that adds? I'm wondering if paying more for something with
hardware encryption (e.g. *small* Samsung 840 pro) would speed things up
significantly and facilitate a smaller CPU/memory? (IIUC, the BIOS would
have be able to hand off a passphrase to the HD, which may lead to UEFI
considerations for the MB)

3. IIUC, Marek is working on a lighter windows manager - any thoughts on
the performance implications of that on a smallish Qubes machine?

Again, Thanks for your post.

[7v5w7go9ub0o]

Thanks for posting this, Juergen!

Presuming one starts with one of the two processors, I'm guessing that
the next step "working backwards" is finding a MB that can use it to its
full advantage and meet Qubes and individual preferences! E.G. for me:
VT-x; EFI or BIOS works well with VT-d, TPM, and provides keys to
encrypted devices; BIOS/TPM validates hardware; on-board backup BIOS;
keyboard/touchpad not implemented as USB devices; works in my
laptop.......and more things that I - also - don't understand.) So:

1. Do you/your contact have any thoughts on a good laptop MB to contain
either of those CPUS and meet Qubes/other needs?

( 2. Heh.... In consideration of Steven Collins' post of a few minutes
ago, and if he is a good friend of yours, would System76 have any
interest in eventually offering a Qubes/Ubuntu laptop for personal, or
perhaps professional users? Just idle curiosity.)

3. Offhand, I don't see much difference in the two boards:

<http://ark.intel.com/products/70846/Intel-Core-i7-3840QM-Processor-8M-Cache-up-to-3_80-GHz>

<http://ark.intel.com/products/70847/Intel-Core-i7-3740QM-Processor-6M-Cache-up-to-3_70-GHz>

[Juergen Schinker]

Thanks for posting this, Juergen!

Presuming one starts with one of the two processors, I'm guessing that
the next step "working backwards" is finding a MB that can use it to its
full advantage and meet Qubes and individual preferences! E.G. for me:
VT-x; EFI or BIOS works well with VT-d, TPM, and provides keys to
encrypted devices; BIOS/TPM validates hardware; on-board backup BIOS;
keyboard/touchpad not implemented as USB devices; works in my
laptop.......and more things that I - also - don't understand.) So:

1. Do you/your contact have any thoughts on a good laptop MB to contain
either of those CPUS and meet Qubes/other needs?

Why don't you ask them yourself?

( 2. Heh.... In consideration of Steven Collins' post of a few minutes
ago, and if he is a good friend of yours, would System76 have any
interest in eventually offering a Qubes/Ubuntu laptop for personal, or
perhaps professional users? Just idle curiosity.)

I don't know Steven and have no affiliation with system76.com.
Why don't you ask them yourself?

3. Offhand, I don't see much difference in the two boards:

<http://ark.intel.com/products/70846/Intel-Core-i7-3840QM-Processor-8M-Cache-up-to-3_80-GHz>

<http://ark.intel.com/products/70847/Intel-Core-i7-3740QM-Processor-6M-Cache-up-to-3_70-GHz>

there is not much except the frequency

Maybe they create a Special Edition the so called Qubes Edition...

Juergen

[7v5w7go9ub0o]

On 11/05/12 13:46, Juergen Schinker wrote:

> I don't know Steven and have no affiliation with system76.com. Why
> don't you ask them yourself?

Because I don't know them. (I thought you might (know them)).

It would be premature to ask this of someone with whom one doesn't have
a working relationship - Qubes/Ubuntu is simply a possibility.

[Marek Marczykowski]

On 05.11.2012 18:46, 7v5w7go9ub0o wrote:
> 3. IIUC, Marek is working on a lighter windows manager - any thoughts on
> the performance implications of that on a smallish Qubes machine?

I think the only difference in performance field is memory consumption - all
XFCE processes consumes together below 100MB (res).

BTW I've just noticed some memory leak in xfwm4 (most likely in my patch for
Qubes window decoration) - after about 80 days uptime it was at 400MB, after
restart (xfwm4 --replace) dropped down to 10MB...

Some minimal documentation:
http://wiki.qubes-os.org/trac/wiki/UserDoc/XFCE

--
Best Regards / Pozdrawiam,
Marek Marczykowski
Invisible Things Lab

[Pedro Martins]

On Mon, Nov 5, 2012 at 5:46 PM, 7v5w7go9ub0o <7v5w7g...@gmail.com> wrote:
> 1. ISTM you have a very respectable rig. I suspect you also considered
> upgrading the CPU/MB as well - is that a project for the future; perhaps
> after some price drops? If so, would the Aspire form factor, connectors
> and power supply be compatible (plug and go) with contemporary MBs? (I
> have a Sony VGN-tx650p from about the same era as yours.)

No, I didn't considered upgrading the motherboard and all that goes
with it: cpu, graphics, wireless, etc. I suspect psu, battery would
also need changing. In the end it's cheaper, and less troublesome, to
buy something new. I stopped building my own (just a couple) and using
desktop computers last century :). Laptops only since then.
Search 'ubuntu certified' if you want to check out hardware supported
on Ubuntu - these should also work (mostly) fine with Qubes (or any
Linux based distro) - my Eee PC does.

> 2. Are you using software encryption? If so, how much of a drag would
> you guess that adds? I'm wondering if paying more for something with
> hardware encryption (e.g. *small* Samsung 840 pro) would speed things up
> significantly and facilitate a smaller CPU/memory? (IIUC, the BIOS would
> have be able to hand off a passphrase to the HD, which may lead to UEFI
> considerations for the MB)

Yes, I'm using software encryption. Hardware encryption is good to
have but you need either:
a) to have software support for it, so you can enable/disable it at
will, e.g. so Qubes can control it; or
b) it being transparent to the software, e.g. by having the SSD
encrypt data by default without Qubes knowledge.
In this later case, from a "speed things up" point of view, since
Qubes also/always encrypts data, it seems wasteful - you end up with
data encrypted unnecessarily one more time: by the SSD by default, by
Qubes if you enable disk encryption, by Qubes for each VM disks.

From the limited experience I had so far with Qubes, on two systems,
it's better to spend your money to add as much memory as the system
can handle; and use an SSD, it really makes a big difference. If the
cpu has hardware support for encryption, the better.

Btw, the only "problem" I detect (which I attribute to the use of
encryption) is some lag when starting up - the progress bar
stops/hangs for a while; if I start pressing shift keys repeatedly the
progress bar restarts again; it is less noticeable if I have bluetooth
and/or wireless on. I suspect this is related to /dev/random, entropy
and not enough noise sources on the system or something like that...

--
Pedro

[Juergen Schinker]

get this for a good random generator

http://www.entropykey.co.uk/

[Pedro Martins]

Yes, these seem quite nice, affordable, and with good reviews by happy users.

I searched for this sort of thing recently, after having noticed some
lag while Qubes is starting/shutting down: progress bar hanging,
restarting again if I press shift keys repeatedly, which I attribute
to not enough entropy/noise sources for /dev/random.

I was left wondering how to properly use this usb key with Qubes:
since AFAIK all VMs use encryption, it (device) would need to be
shared by all of them, which is probably not feasible. One other
option is to assign it to firewallvm (NetVM), setup a random number
server for remaining VMs to use, probably giving dom0 its own so that
it doesn't need to access firewallvm - two keys in this case.

Another option would be to use a software solution on all VMs.

I found this post quite informative concerning all this:
Entropy: random data for DNSSEC
http://jpmens.net/2012/01/24/entropy-random-data-for-dnssec/

--
Pedro

[Marek Marczykowski]

On 07.11.2012 19:03, Pedro Martins wrote:
> On Tue, Nov 6, 2012 at 7:17 AM, Juergen Schinker
> <ba1...@homie.homelinux.net> wrote:
>> get this for a good random generator
>>
>> http://www.entropykey.co.uk/
>
> Yes, these seem quite nice, affordable, and with good reviews by happy users.
>
> I searched for this sort of thing recently, after having noticed some
> lag while Qubes is starting/shutting down: progress bar hanging,
> restarting again if I press shift keys repeatedly, which I attribute
> to not enough entropy/noise sources for /dev/random.
>
> I was left wondering how to properly use this usb key with Qubes:
> since AFAIK all VMs use encryption,

No exactly, currently all disk is encrypted at dom0 level, there is no
additional disk encryption at VM level. But of course any software run in VM
will do all the operations in VM, including cryptographic one.

[7v5w7go9ub0o]

Sorry 'bout the newbie question: on the HD there is an unencrypted boot
partition; an encrypted XEN partition; and an unencrypted Fedora partition!?

(and that we could convert the Fedora partition to, e.g., LUKS or Loop-AES)

[Marek Marczykowski]

On 08.11.2012 00:46, 7v5w7go9ub0o wrote:
> On 11/07/12 13:42, Marek Marczykowski wrote:
>> On 07.11.2012 19:03, Pedro Martins wrote:
>
>
>>>
>>> I was left wondering how to properly use this usb key with Qubes:
>>> since AFAIK all VMs use encryption,
>>
>> No exactly, currently all disk is encrypted at dom0 level, there is
>> no additional disk encryption at VM level. But of course any software
>> run in VM will do all the operations in VM, including cryptographic
>> one.
>
> Sorry 'bout the newbie question: on the HD there is an unencrypted boot
> partition; an encrypted XEN partition; and an unencrypted Fedora partition!?

No, VM data is stored encrypted, on the same partition as rest of Qubes system
(including dom0) - in files: /var/lib/qubes. The only unencrypted Qubes
partition is /boot (which can be protected using Anti-Evil-Maid addon).

[Fidel Perez]

Hello,

Side note: the thinkpad line w520, seems fully supported with the i7-2720QM processor:

 http://ark.intel.com/products/50067/Intel-Core-i7-2720QM-Processor-6M-Cache-up-to-3_30-GHz

It can have up to 32GB RAM (i did the upgrade recently after the ram price lowered) and it fits 2 SSDs and the optical drive or 3 HDDS if you remove the optical drive.

And the best for me: the antiglare screen.

[Marek Marczykowski]

On 28.12.2012 04:24, drag...@dragon788.otherinbox.com wrote:
> I agree that Dell laptops are a good combination. I'm using a Dell XT3
> tablet with Qubes and I was flabbergasted when the touch screen worked
> without any fuss. This is one of the first times using it with Linux that
> it has worked correctly. Both the stylus input and finger input work quite
> well. The only downside is that the ALPS touchpad that Dell insists on
> using isn't correctly recognized so I can't use its multi-touch or
> scrolling capabilities, but I'll be posting that as a bug with some more
> info for troubleshooting soon.

Newer kernel (3.4.x) supports this touchpad correctly.

>
> A good source of Qubes friendly laptops would probably be the Dell Outlet
> or Dell Financial Services. They sell gently used or like new laptops and
> many of the more recently Core series processors that support VT-d and the
> like are quite common. My XT3 was such a find, for under $1600 I got a Core
> i7 processor, 8GB of RAM, a 256GB SSD and bluetooth. Haven't tried
> Bluetooth in Qubes yet but the Intel wifi works great. I need to try out
> the fingerprint reader and see whether that integrates as well.
>
> Ethan S.