Thoughts on whether the ThinkPad P15 Gen 2 is likely to work?
Re: Tiger Lake U Series Core i5/i7 see qubes-issues #6411
There are 2 positive R4.0 reports with i5-11500 (ASRock B560 Pro4) and i7-1165G7 (XPS 13 9310). Both mention igfx troubleshoot is required.
There are 3 positive R4.1 reports with i5-1135G7 (Lenovo ThinkPad E14, ThinkPad X13 Yoga Gen2) and i7-1165G7 (System76 Lemur Pro).
In the existing P15 report I see two USB controllers, but that doesn’t mean the Gen 2 has them too. The website only lists two ports (not controllers). I bring that up because you mentioned it as a reason that the Librem 14 doesn’t work for you.
Personally I would stay away from Tiger Lake for now. As I mentioned many times before, when using Qubes OS you will do much better going with a 2-3 year old PC. There is plenty of power there, but you will have to go for something preowned or refurbished. The P51 was a bag of trouble when I got it new (company PC) and then over 2+ years it reached the point where it made it on the “just works” list. Don’t know how many other ways I can shout it from the rooftop: “shiny new” and “Qubes OS dom0” don’t go together very well and probably never will.
Good advice!
What do you think to the 10th gen on clearance/refurb:
e.g. the P17 Gen 1 i7-10750H (20SQS28100) ,
X1 Extreme Gen 3 i7-10750H (20TKCTO1WW-R9109SC9)
the model I buy ends up working I’ll need many more units.
I see. In that case I would recommend you to download the HCL repo which contains all the reports in YML format and filter type=laptop, qubes=R4.0*, usb>1, works=yes (I don’t know how to do this with existing tools and would personally simply write a quick and dirty parser that does that. That would likely take less time than researching existing tools. YMMV)
That should give you a manageable list of computers to screen through whether they are still available to be purchased in bulk.
I suspect that whatever remains will be a quite short list. Each report has the name or alias of the reporter. You could then use the forum or mailing list to try and get in contact with folks owning these remaining machines in case you have any open question.
Please, if you end up doing the above work … share the result in the forum – it would be extremely helpful!
For this reason, I’ve been considering purchasing a brand new laptop and immediately tossing it in the closet for the next 2-3 years to let it age (like a fine wine?) before it becomes my next Qubes machine. Is that perverse?
I’ll add, to be helpful, that Lenovo does not accept non-US issued cards for payment when the order is to be shipped to continental US. This rules out new and refurbished Thinkpads. I would assume security conscious users don’t want unnecessary 3rd parties (previous users, computer stores, resellers) in their “supply chain”.
I would assume security conscious users don’t want unnecessary 3rd parties (previous users, computer stores, resellers) in their “supply chain”.
There is an argument to be made that it would be a lot harder to target you buying from a random seller on eBay then intercepting a shipment from a big OEM or reseller.
What you have said is untrue.
I assume you mean “Lenovo does not accept non-US issued cards for
payment, if the order is shipping to continental US”.
I do not know if this is true.
Lenovo uses authorised resellers in various zones.
There’s a repeated argument that a previous user/random computer store
purchase is likely to avoid any targeted attack, and therefore may be more secure
Yes, thanks @unman, I had meant to write that Lenovo US is not accepting non-US issued cards.
This part is probably off topic but it seems that as of today I can’t order a laptop from Lenovo with a US issued card going to an address in the continental US either.
It is unfortunate that we depend on either obscure niche suppliers (System76 seem perpetually out of stock on the Lemur Pro; many have raised issues about the the Purism laptops) or a single major corporate for the bulk of Qubes compatible systems.
If I have a small biz with 9 employees in Europe and North America how do I onboard the company to Qubes efficiently?
Sure, that’s a good argument. For most of us who don’t need to worry about state level actors and supply chain interdiction it is more likely that the previous owner didn’t take precautions with the device and it has picked up some persistent firmware level malware from e.g. bad USB?
I think that showing the year of hardware release would be much more helpful for all (especially inexperienced) users, as suggested in this table. The specific CPU model can always be seen in the specific laptop threads.
For upto Intel ME 11.x (that’s intel-core gen 7/8), there are more coreboot options (and will open-up to a 64GB RAM laptop for the list). It’s currently in discussion to change the requirements. so anybody is welcome to add to the discussion - all feedback is welcome.
Let us imagine that a non-technical user looks at the list of recommended laptops. The list says gibberish things like i7-3840QM, i7-10710U, i5-7200U etc. (Ok, maybe the user can guess that i7 is better than i5, but I’m not sure.) The corresponding links say even more unclear stuff. Only maybe the number of cores and CPU frequency are somewhat understandable. But aren’t all relevant things are just strictly better for newer CPUs?
The list says gibberish things like i7-3840QM, i7-10710U, i5-7200U
With the exception of the Librem laptops, I believe all the other models come in multiple variants with different CPU. Some of those variants won’t work with Qubes OS. So in order for the list to be useful, we need to call out the model+CPU as a basic identification of which computer is verified by the community.
But aren’t /all/ relevant things are just strictly better for newer CPUs?
It appears to me that your perspective of the list is, that the typical user will look at it and quickly try to identify the fastest/newest/“best” option and then attempt to purchase it. This would be reasonable, if all Qubes OS users would live in places and situations that allow them to get their hands on pretty much any of the computers listed.
I believe that perspective might be better served by this thread, while at least my understanding of the “community-recommended list” is meant to be helpful to a global audience of non-technical Qubes OS users.
The most important information is the list itself: these computers will install Qubes OS without issue. In a next step the user then checks the availability of each of these computers in their region and within their budget. For the vast majority of people on this planet including journalists, activists and people living in oppressive regimes that will narrow it to very few options. Neither the Librem nor a recently released high-end ThinkPad is likely to be one of them.
