Questions
John Smiley
Are there laptops that haven't hit the market yet that would be worth waiting for (i.e. better than any in the list from above)?
Assume you want Anti-Evil-Maid and therefore need a TPM chip. Does that change which laptops are at the top of the list and why? Is it worth giving up the TPM chip if you aren't all that concerned about Evil Maid? Pretty much every laptop has them these days, so a follow up question to this one would be how the TPM is implemented (discrete, integrated, firmware, software)? Should the BIOS be set to use 1.2 or 2.0 for Qubes?
More on the BIOS - should UEFI be turned off? Thunderbolt? Secure boot should be disabled, I know. What about power management? Anything else (ex: if the laptop is Intel, ME should be disabled, correct)?
Do the keyboard and mouse/trackpad on a laptop use the USB interface? If so, what is the best way to address that (buy an external PS/2 keyboard and mouse)? If not, are the "safe" in the sense that only dom0 has control of them and no other qubes can snoop as would be the case for USB?
Are there things that can be done with a home router/firewall (such as a dedicated pfSense box) that improve security when using Qubes/Whonix and if so, what would they be?
Lot's of other questions, but this is is probably more than enough for one thread.
Hugo Costa
https://www.qubes-os.org/doc/certified-hardware/ and the HCL is the place to look. But right now, there is no new laptop that checks all the boxes. The one privacy advocates usually turn to as a "step in the right direction" is obviously Purism's lineup, which I advise you to check out.
Regarding network security, Qubes already has a firewall template, but there are alternatives. There are some open source alternatives regarding routers, both regarding software and the hardware it runs on. I'd like to point you towards this website https://infosec-handbook.eu/as-hns/, they have written a bunch on home network security. I'd argue it's a bit useless, assuming you use any type of VPN service.
