Short list of laptops/desktops that work well with Qubes OS

I believe that the x250 will only support 16GB with an i7 processor.

I have one x250 i5-5300 with one slot with 16G.

I don’t want to reopen the pros/cons of Purism. But, there’s a degree
of special pleading here.
The Librem14 is at the bottom of the list because Purism start with a P
and the list is sorted by manufacturer.
The difference between “possible” and “optional” is that those machines
are primarily bought on the second hand market, so buyers should know that
it is possible to install coreboot. The Librem is primarily available from
Purism and you can specify whether to have Heads installed when you buy.
I see no value in stating that the Purism is “vendor tested” - since we
know that Purism will change models but keep the same name, I’m
reluctant to endorse them at all. But so it goes.

Where a supplier is actively supporting Qubes, we should take every
opportunity to promote their products. This is the case for Insurgo and
Nitro. They should be included here. It has nothing to do with “levels
of support”.

As to the other points, I think that “Heads” should be replaced by
“Coreboot”. I agree that it should be included.
I agree that “USB” is confusing between controllers/slots and that some
explanation is needed.
I don’t agree that users will not click on what you call “secret” text.

Let’s not forget this is supposed to be a simple list, and let’s not
burden Sven unduly.

1 Like

Good news - maybe it’s the i5-5200U that cant take 16GB.
Can I ask, do you see the full 20GB with that CPU?

Wonderful! Thank you @unman.

I’m using 20 GB. As unman said, it has a free DIMM slot.

But now that I think about it, requiring the user to obtain and install RAM might disqualify it from a “just works” list.

1 Like

Hi @fsflover thank you for your feedback and thank you to @unman for answering a lot of it already.

USB controllers

The problem is that “USB controllers” is pretty long for a column that will contain single digit numbers. Not sure how to solve that. Maybe “USB ctrls” … what are the chances people get that?

I hope someone here has a good idea how to solve this. @adw?

Heads

no = not possible
possible = if you have the skills and tools
optional = you can order it that way
yes = it always comes that way

sorting order

Alphabetical by OEM and to allow grouping of their machines when they have multiple possible CPU configurations. It makes the list easier to navigate and take in.

powerful CPU is critical for Qubes OS

I run Qubes OS on a 10 year old machine with one of the “slower” CPU (i7-3840QM) and it’s smoother and better then when I ran on the P51 (i7-7820HQ). Why? My guess is that the Linux graphics driver for the HD 4000 (i7-3840QM) works MUCH better than the one for HD 630 (i7-7820HQ).

The overall compatibility of the machine is WAY more important than the CPU in my opinion. I’d give up a “faster” machine with one USB controller every day of the week against an older with 3 or in my case 4 USB controllers. I guess it depends what you do with your machine.

So prioritizing by CPU speed does not accurately reflect the benefits one can get out of a specific machine.

certified / developer tested

  1. they fit the criteria, so they go on the list
  2. why exclude the best choices?
  3. show some love for Insurgo and Nitrokey (community members)

mobile

Checked that, if you tilt landscape it’s excellent.

Librem 14

This list is for people who need something that just works and the more I learn about what happened the less comfortable I feel to include the Librem 14 v1 in this list.

What happens when they do a v2?

Do we drop the v1 (there won’t be many used machines out there)?

How easy will it be for a new user to overlook the “v1”/“v2” thing, buy a Librem 14 and be screwed (assuming the v2 has some issues with Qubes OS)?

…that’s the exact thing that happened in the past.

Heads vs. Coreboot/ME neuter

This one I need help with. There are several things we could list:

  • Coreboot
  • Heads
  • Attestation with HW key (Nitro/Librem/Yubikey)
  • ME disabled/neutered
  • anti-interdiction

Heads means it supports Coreboot and also neutered ME (both are part of the build process). In addition Heads offers attestation with HW keys. All that together is what gives the teeth to anti-interdiction.

That’s why I choose Heads: it implies all the other things.

What is the argument to replace “Heads” with “Coreboot” @unman?

possibility to buy non-preowned

The more time I spend working the HCL / reports, the community-list and also the experiences I collected after @Plexus gave me a much needed push (thanks again man!) make me realize that older machines are just the better choice. Maybe with Linux in general, but for sure with Qubes OS. Maybe there are some machines from Purism, System76 or other specialized OEMs that fit the bill when they are new, but in general: older is better and way more affordable.

So giving any weight to machines just because you can buy them “off-the-shelf” is actually a disservice (in addition to the “showing your privilege part” @unman mentioned)… I really mean that. You spend more money to have more trouble, when you could spend way less and have smooth sailing.

In the criteria we just concentrate on networking, audio and graphics but all the other stuff is also way more likely to work smoothly in an older machine.

high-speed solid-state drives

Which machines do not support that?

links to the community reports.

When things slow down a bit I plan this:

  • unify threads that deal with one machine (in the HCL reports category only)
  • link those threads from the respective entry in the community list
  • link to all the HCL entries from those threads

I hope this will lead to community members stepping up to become quasi-maintainers of “their” machine (e.g. you for the Purism Librem 14 v1, me and others for the T430 etc.) and then build out those machine specific threads to a treasure trove for that specific machine. I predict the X220 will dominate them all :wink:

3 Likes

Some general options off the top of my head:

  1. An explanatory tooltip that explains the header more verbosely.
  2. Not using a table format and therefore not having to worry about column widths.
  3. Not attempting to include so much information in the table and thereby eliminating this column altogether.
  4. Relegating such details to someplace outside of the table and therefore not having to worry about presenting this data in the table.
  5. Displaying the table in some manner and place that allows for greater total width and therefore not being forced to be so economical with space.
1 Like
  1. As I suggested above, add a link to explanation what is a USB controller and why it’s important to have many. In such case, maybe “USB” or “USB cont.” is good enough.

No, it doesn’t. We said that 16GB need to be possible. It clearly is as you demonstrate.

thanks @Sven

I see 3 Laptop that disable and neutralize Me and Qubes compatible:

  • privacy beast x230
  • nitrokey
  • purism

Actually, there are 2 more, that disable and neutralize Me, if not mistaken, also Qubes compatible:

  • system 76
  • star laptop
1 Like

I will check if there are sufficient reports and let you know. Currently I am a few days behind processing new HCLs. Will catch up next week.

1 Like

Ok, I went all in and transitioned to the “one thread per machine” model all linked from the master list. Each “page” now contains the details of the respective machine and the HCL reports that have been submitted in the forum have been merged in too.

Next steps:

  • link to (qubes-users) HCL report from these threads
  • add more machines to the list (there are several candidates tagged that I have to evaluate)

@fsflover, @adw, @unman: if you have a moment, please review what was done and provide feedback in case I messed something up … or if you have ideas how to further improve.

@adw wrote:

Qubes subreddit … I’d let you know

Thank you for the pointer!

I don’t think I will be actively monitoring this … the L420 has no HCL reports and the X1 Carbon Gen 5 is already on both the developer testing and the community-recommended list.

Restored the T450s to the list. Many thanks @unman & @adw!

A post was split to a new topic: Nouveau.modeset=0 option in R4.1 installer?

Thank you @newbie!

  • system 76
  • star laptop

… in both cases we are close. We just need the second HCL using the same CPU for any of the already reported configurations to be able to add it to the list. Will definitely have a special eye on any submission in this context.

Honestly, this is the worst design of all three in my humble opinion. The list just contains unknown names/numbers for a non-sophisticated user, forcing them to click tens of times and read every link. The table was much, much better. It could help to decide at least to a good approximation.

The Qubes team is so much biased against Purism, this is not even funny. I am greatly disappointed. This discussion is not about this company at all, it’s about a fair representation of the community choice. It should not have anything to do with the opinion of the Qubes team. Which is why, to me, it’s important to separate the certified list and community-recommended list (and maybe dev-tested list).

Purism names their products by their screen size, and IMHO has good reasons for that. And they always keep the compatibility with Qubes.

I don’t see any problem here. We can easily drop 14v1, and replace with 14v2, when we have the HCL reports. Also, since the list of ordered by the vendor now, we also can put two lines with a comment for v1 saying that it’s discontinued.

Every machine from Purism has been working with Qubes flawlessly. They specifically mentioned their intentional support of Qubes OS. Except maybe temporary problems with the support of newer hardware by Xen. Also, I said above, we can drop the old version from the list, it’s fair enough with the lack of the reports.

This is not what happened at all. Qubes never stopped working. Only certification process was misunderstood, which has nothing to do with the current topic.

My suggestion:
yes → by default
Others are good indeed, especially with explanatory links.

Every new machine becomes old and probably well-supported at some point. We expect that users want to buy a machine that lasts, don’t we? But I see your point.

Very much depends on the threat model and how much time users are willing to spend to achieve a higher compartmentalization/security. My guess is that for most users, performance is more important, but I see your point.

I never suggested to exclude them and decrease their visibility. I do love them. Quite the opposite: I suggested to put (link) them on top of all others. Was it really that unclear? But never mind.

I suggest to list these words in the comments/additional column, whenever the corresponding thing is supported, with links if possible. For Librem 14 it would be like this: Coreboot, Heads, HW key, ME disabled, anti-interdiction.

But sometimes I guess Heads is not supported, but other things are.

@fsflover:

“vendor tested”

It’s a claim not verified by the community or the project.

community choice. It should not have anything to do with the opinion of the Qubes team.

The team is part of the community.

Except maybe temporary problems with the support of newer hardware by Xen. […] Qubes never stopped working.

It’s a “just works” list.

Purism names their products by their screen size

Once a computer is listed NOTHING should change. This is an obvious issue.

We have listed the Purism Librem 14v1 without any caveat and equal to all the other machines. I think it is more than reasonable to leave it at that and move on.

Heads
yes → by default
Others are good indeed, especially with explanatory links.

I just changed to format (again) and moved the machine details on dedicated pages. I’ll see about working in more improvements on those machine specific pages over the next few days.

I suggest to list these words in the comments/additional column

dito