Let's build a low-energy / medium-cost Desktop

[bored lord]

Hey Guys,

i've been using Qubes OS on my T430 for almost 2 Years now and i am really really happy withit.

As the T430 is getting older and my current gaminggear isnt't compatible with Qubes at all. i started am looking for a Desktop-Solution. It should provide the following:

- cost-effective (means no server-like Motherboards)
- a minimum of 32GB-Ram
- a decent sized CPU
- a smooth user experience ( fast Boot, Smooth usage regarding office and webapplications )

it should range between 800-1000€. Sadly i am nowhere close of beeing a PC-Tech-Expert. Do you guys have any suitable hardware recommandations?

[donoban]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

You can start looking at:
https://www.qubes-os.org/hcl/#hardware-desktops

I think that is easy to find a desktop configuration which runs Qubes
properly. It gets harder if you want to run coreboot/libreboot and
avoid private firmwares/blobs, ME, vPro, etc... Also TMP for running AEM
.

What do you consider decent sized CPU? For office and web applications
there are plenty options, probably some recent i5 or even i3 is more
than enough. For fast boot and specially for Qubes 4 a fast SSD hard
disk is probably more important.

I don't know too much about AMD and their ME equivalent. But since
Meltdown and sepectre bugs, all obscure ME security problems, and
assuming single thread performance is not critical, maybe I would look
for AMD instead Intel.

I hope some more knowledge users about ME/firmwares/blobs help you if
you are pretty worried about it.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEznLCgPSfWTT+LPrmFBMQ2OPtCKUFAls9JLoACgkQFBMQ2OPt
CKVPgg/7Bt1qMW7cKxiBEXudkWg2oBXqr/bRSr2r1CkzLyp12Uu4H0jtaWPYDBnn
UUVdXEWYSaQ3vLNWEc7GfecOSQNleLdq6C1RecXxlSAsjEtAxbGWCHOcllklKa1F
nemLaplFkMrGuMaslaYk0B/cMH9SJzXj8cOr2C/P+iBkWptaiwLcIvvo1hwD/DSV
xgv2f1rpUcDVcSulAly5rlWt+wNoTm6f3VDTcwGLrbZfT6ju0W8jK0rVcCgFYuf/
B6zNH3BjiApwMSGrRRfVfIwf4JdnvliTvscsexbq6LtyewLHjLBFCAtFNrzG/6Qp
Rh+L/s5RqFw+8QYQtjkkdAC83mVc/IhE4QjFc+aRFQsBgpwsFwbdJwcVmElzXz8L
AjeFKn05vSZvIk4t3TG4axdK4ZADCX9YPyp09BR2dxwuJ9cDuf/qpyMVQEjC2G9E
yFG8fZ+SJ9QxAWZWMKT+PCub5xwcjK+Gd3rX90fhUbViuuLpLoCdcCwRnB8HWgvK
vtYUP+heS4phs3mEikoV49M6oRJ3RcHUhiXSu2C6QBwwKUw3WuA1XGMvqYU18BtR
KJw3DrVGziJk+GrR5cdLSGZ9/qJ0Juw4otlty4uZE2H2FdLQLQNQY6fDuiXWIEDN
7HKsw02AzO5iZf3ljTDAQni7uB5xGb0ONqzCfZWMkBh8sk4bxwo=
=2oAy
-----END PGP SIGNATURE-----

[Tai...@gmx.com]

On 07/04/2018 03:49 PM, donoban wrote:
> I think that is easy to find a desktop configuration which runs Qubes
> properly. It gets harder if you want to run coreboot/libreboot and
> avoid private firmwares/blobs, ME, vPro, etc... Also TMP for running AEM

No it isn't hard - it is very easy.

I have made many posts about this but here is a little info again.

Get a KCMA-D8 or KGPE-D16 - they are widely available and I have many
many posts about them - the D16 can have more PCI-e devices and it comes
with ASMB4/5 module for OpenBMC and can have more CPU cores/more ram but
it uses more power per CPU package (as the D16 is dual MCMdie per
package) - your choice - they both support coreboot-libre or libreboot
which is 100% libre/blob free and owner controlled including OpenBMC.

You don't want ME/PSP junk, the new x86 stuff is dead freedomwise - in
terms of new hardware the only stuff with freedom and performance is the
POWER arch such as the TALOS 2 but as xen doesn't run yet on it it is
only for non qubes needs although it is very good for those being less
money than equivilant proprietary x86 stuff.

I would get a 4386 CPU for the D8 which idles at 20W - together all the
stuff required can easily be had for less than 1K euro if you get it
used although I would get a new mobo if you can find it (D8 harder to
find than D16 tho)

>
> I hope some more knowledge users about ME/firmwares/blobs help you if
> you are pretty worried about it.

I am an expert ask me :D

You can play new games max settings in a VM with a 4386 cpu and a
quality graphics card I suggest getting a cheap fanless AMD model for
dom0 and a higher end AMD new gaming model for games in a VM if you want

nvidia hates open source.

[donoban]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 07/05/18 03:16, Tai...@gmx.com wrote:> I would get a 4386 CPU for

the D8 which idles at 20W - together all the
> stuff required can easily be had for less than 1K euro if you get
> it used although I would get a new mobo if you can find it (D8
> harder to find than D16 tho)

Is it this?
https://www.cpubenchmark.net/cpu.php?cpu=AMD+Opteron+4386&id=2264

There is some AMD better alternative with higher single thread
performance? I think that Qubes should scale fine with
multi-core/thread CPUs but maybe this single thread is pretty low.

>> I hope some more knowledge users about ME/firmwares/blobs help
>> you if you are pretty worried about it.

There are some options for mitigate this problems with an Intel
i7-6500U? Will coreboot (not official supported for my laptop) help?

> You can play new games max settings in a VM with a 4386 cpu and a
> quality graphics card I suggest getting a cheap fanless AMD model
> for dom0 and a higher end AMD new gaming model for games in a VM if
> you want

This sounds nice.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEznLCgPSfWTT+LPrmFBMQ2OPtCKUFAls9/ZoACgkQFBMQ2OPt
CKVsRRAAlh9x6VOYTXO46OuB0rsKc84X67soMbN1nudKoz0GVL3E5pC8neDVrm/c
TbJKkvAyhdkI8uw6EQ/V1w3fy/W/lvAycKKeHFPK1uiOwmPws/wX/BpKq4YQhSeY
7OuNWjtL05IFHYDdQcXuNmcizE1hQCUsrx8wMZvfL/oyN+xU8eDedKCE7rr+NurV
LFzLxSsFZHx5S78tla9jkpJIo6aFYgjSkgYyZqk2VwYPf/sGFQ3SM4i2nlqVVmRH
HY6DUx0CtroDzbK3CaXF7MudHhXFioOiMwhsGfjEXgjDVXAkPqh+Pd6w7EUfHU6f
RyzPjtqrTQNyd+dodsZEYnqc2i+ZIkRUmxOh6S6h+B94SPe97l/8bV6zEb4/RTrm
5cUzPyVnAMui/ghldov6kWpHU05cnPu+CpBxa7l4TogqkCul1aSydHXTWXyat+x6
C+jn5KyPoa0Lo9dROA+qGho3LSGTy7IzQyL8hu5D76oGW646o03hRSRJPKg8OaRf
c3wK8jgyvNQ6P8mRIP2gEZnVVRkAeEs97BRqovGOHV1BpmE8DaYXPo/SeWu57fyB
5HPuhAiotEOIRKkpJIx/a6mvb2W5FNCOcPiVDibHopLY8Px7pHhcoleRwkGudoCy
nCZyFE/dzMyKkxLzFsHIoTGma2uhM0NwS9ihYfNvyZw71kkiYbA=
=LkVu
-----END PGP SIGNATURE-----

[Tai...@gmx.com]

On 07/05/2018 07:14 AM, donoban wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 07/05/18 03:16, Tai...@gmx.com wrote:> I would get a 4386 CPU for
> the D8 which idles at 20W - together all the
>> stuff required can easily be had for less than 1K euro if you get
>> it used although I would get a new mobo if you can find it (D8
>> harder to find than D16 tho)
>
> Is it this?
> https://www.cpubenchmark.net/cpu.php?cpu=AMD+Opteron+4386&id=2264

That benchmark is very wrong (btw it says it is inaccurate on that page)
it is much faster than that, the real single thread is around 1300 not 400.

>
> There is some AMD better alternative with higher single thread
> performance? I think that Qubes should scale fine with
> multi-core/thread CPUs but maybe this single thread is pretty low

For virt having many slower cores is better than a few fast ones
although like I said that benchmark is wrong.

I have the G34 version (6328) of that CPU and it runs qubes 4.0 quite
well you can even play video games on max settings in a VM on a libre
firmware kgpe-d16 or kcma-d8 with the CPUs I suggest although for a
KGPE-D16 I would suggest getting a 16 core 6386SE which will use the
same idle power for twice as many cores (according to sensors)

The D16 is more power hungry due to the dual MCM arrangement (two CPUs
in one package) it uses twice as much idle power per CPU according to
linux "sensors" but it has higher max cores, max ram and more PCI-e
slots and lanes - decide what you need.

>
>>> I hope some more knowledge users about ME/firmwares/blobs help
>>> you if you are pretty worried about it.
>
> There are some options for mitigate this problems with an Intel
> i7-6500U? Will coreboot (not official supported for my laptop) help?

Coreboot won't work on that board as there is no port; irregardless new
"coreboot" intel hardware has an entirely blobbed hardware init process
and thus is not open source firmware despite what the frauds at a
certain company are telling people.

It is impossible to disable ME you can only nerf it - there is still
more than enough ability for it to do god knows what just silently
creepily ticking away in the background. Of course you can remove less
and less of ME on the newer intel platforms vs the older ones too (ie:
ivybridge can remove more modules vs not as many on skylake)

In short you don't want a system with ME/PSP and for
workstations/servers on x86 these older AMD boards are the last and best
choice.

People must migrate to POWER and the TALOS 2 to have freedom - POWER is
now the only owner controlled performance CPU architecture and luckily
now POWER9 systems such as the TALOS 2/TALOS 2 Lite are more affordable
than equivilant proprietary x86 systems so all that is left is migrating
qubes/xen, games and other popular software - but already almost all
popular linux applications work on it :D

Like I said IBM (ironic - of all companies right?) is making great
strides for computing freedom with the release of firmware source code
and a litany of documentation and assisting with bringing the TALOS 2 to
life.

>
>> You can play new games max settings in a VM with a 4386 cpu and a
>> quality graphics card I suggest getting a cheap fanless AMD model
>> for dom0 and a higher end AMD new gaming model for games in a VM if
>> you want
>
> This sounds nice.

I feel very special using this setup lol xD

If you have to use some windows app or what not its great to run in a VM
with a graphics card attached so you avoid it being able to suck down
your serial numbers/mac addresses.

Both boards have dual onboard USB controllers via board headers/breakout
cables.

In terms of board accessories you would want to buy I suggest getting a
PIKE 2008 SAS controller while it is still cheap (I see some for only
$30 or so used on ebay ATM good deal for LSI 2008 chipset flash-able to
IT mode) and if you get the KCMA-D8 you need a ASMB4 or ASMB5 module to
run OpenBMC (you replace the junk proprietary asus firmware on it with
OpenBMC via flashrom)

The TPM for AEM is not that useful if after you install coreboot you
lock the flash descriptor to prevent internal flashing and place a
physical lock on your case although if you want one remember AFAIK only
specific models are supported (check the mailinglist)

Again I am happy to answer any questions :D and remind you of the
gotchas like needing to run fancontrol/pwmconfig so your fans aren't at
max speed.

[donoban]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 07/06/18 02:26, Tai...@gmx.com wrote:>>> You can play new games

max settings in a VM with a 4386 cpu and a
>>> quality graphics card I suggest getting a cheap fanless AMD
>>> model for dom0 and a higher end AMD new gaming model for games
>>> in a VM if you want
>>

I have one doubt regard this. With this setup can you see this VM on
the same screen (with dom0, other AppVMS, etc...) or does it only work
on an external monitor?

I would like to have it for accelerated video rendering.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEznLCgPSfWTT+LPrmFBMQ2OPtCKUFAltHktMACgkQFBMQ2OPt
CKWHfhAAorfz+qtfyqdnbjSmIUekNk7NPoB0UO9wqmaesUXBICycPA4MYdND+B20
RVN2rpc73QElps9rL7zzj+OpQadEq7V2rNakth+O2GPsx9mf3A8UBcSj0tRtFog9
j98lNNfldEwB3P1iM92m8yEhysRKVadCuNEty4Wz6TM/2YGG1GWPPPPE62N1oUIa
1b/c3BjikY9s4B23OGSP1EBbVSh2Y2UFD03s1uqNqhQNrYyVR/wDg5iclVZ6ndPk
sHAndB2vhke7hcl+g3UClapJQ19joq/qBDq2hfnCYw4ic8/GyE1T/MyTIJofSdQ+
qxQPYK5h8F/U63ih6VUs3Y9XEpPWcQFj1YIeUUdRd/yYc2ogfig7GCzqXdQa4BcA
CxtcS3kgeXTOPRWrK8SKZHHBg0DcXLjooqkjoZDamXbzc58DyZi72TmTZEAQN6vV
yy3cdhQrOva6Rz2IiDY78qAxyfPDB6KVes037Krt6+l+JyOb6Jypc7o6cF2l2/vB
rAc16nKeGM86ekjl/1PyR20IILMcJzkZ8jgvM4vzNklWyj5wCCOgLomjr+nQvBHK
lgeqWRN70HZEyf/Ce77vZHO1GwOxHJmG7wNM1083Uyr/zDsTT8a00tkaUQscE8fe
G33go8/8fugQftF8RvsurGqSgLuLESm02V2fH+xWaqlvvnUEU3w=
=QShk
-----END PGP SIGNATURE-----

[Sphere]

May I ask the names of all the graphics intensive games that you are playing with that setup?

[Tai...@gmx.com]

On 07/13/2018 03:11 AM, Sphere wrote:
> May I ask the names of all the graphics intensive games that you are playing with that setup?

Why you don't believe me?

Far Cry 5 and Battlefield 4 right now @ ultra settings 40-70FPS - I
unfortunately have a bad graphics card bottleneck right now as I don't
have the money to upgrade.

Those 43xx are the same as their desktop FX-83xx series equivalents at
the same clock speed - its identical piledriver silicon just with
different marketing.

The 63xx is arguably better than the FX as it has quad channel RAM and a
dual MCM arrangement for more bandwidth so two CPUs in one package
basically so a 8 6328 core is two 4 core and a 16 core 6386SE is two 8
core - but still the same silicon as the FX series.

[Neelix]

>Thinks he can game in Qubes


Goodluck mate

--
Regards,


Neelix
XMPP: n33...@creep.im
PGP: 289C 2E3B A021 FAE8 9529 A128 1528 9E56 B4BE 1DD3

[Tai...@gmx.com]

On 07/14/2018 12:53 PM, 'Neelix' via qubes-users wrote:
>> Thinks he can game in Qubes

https://wiki.xen.org/wiki/Xen_VGA_Passthrough

> Goodluck mate

Although I currently do my vm gaming on my server which doesn't run
qubes it is very much possible.

Like I have said my usual recommendation is a G505S+KCMA-D8 combo where
one would run qubes on the laptop and play games in a VM on the
workstation - it isn't the best security wise to game (even in a VM) on
your qubes/data hardware but you CAN do it if you are strapped for cash.

[pixel fairy]

> Like I have said my usual recommendation is a G505S+KCMA-D8 combo where
> one would run qubes on the laptop and play games in a VM on the
> workstation - it isn't the best security wise to game (even in a VM) on
> your qubes/data hardware but you CAN do it if you are strapped for cash.

its not much more expensive to get a console or used gamer box. ask around, some people might give you old hardware just to get rid of it. just put it on a separate network and treat it as already compromised. you could set up a pxe boot for windows images with different games, or even other images, like a linux one with gimp and blender for example.

long back when i used a mac as my host and ran everything in vmware (packer and ansible) i had a windows image with snapshots created for different purposes and that worked pretty well. the only draw back was having to do updates for the different purposes. looking back, it would have been better to do a vagrant style approach where you update the base image, then use a setup script for that purpose. again, something you could probably automate on pxe with cobbler or some home grown tool.

if you go the console route, the nintendo switches portable mode looks interesting. havent tried it. will probably get back into gaming when theres light, cheap, portable vr/ar.