Given the above, this post ought to serve as a quick-hub ‘filter’ for individuals to find the right balance between new/old, moddable/shiny, etc.
Disclaimer
I will refine this as people criticise and give feedback, for now it’s quite high-level: But I hope somebody finds it useful.
Summary
This post is intended to be the ‘go-to’ place on the forum for all questions about Intel-inside laptops for qubes - relating strictly to layers 0,-2, -3 and -4 (explained below).
Extra Disclaimer
To prevent this becoming wikipedia, I will reference relevant links; much reading ahoy.
To keep the list slim, at each layer, (excluding layer -1), will be requirements. As this post is criticised and others give feedback, I will update the requirements accordingly.
Why Intel-only?
If, (you know of any open-source projects that document how to neutralise AMD-PSP, (and know of any heads equivs, etc)): I will revise this. Why would anybody worry about Intel ME as a threat?
We all have different Threat Models - Defense in Depth is always better than none. Why have you only mentioned coreboot & heads?
I am not aware of any ‘stable’ equivs. that satisfy the other requirements. Why 16gb ram min, 32gb preferred?
To tame R4.1 && most use-cases 16gb is required min. 32gb is preferred for long-term support. Why TXE removable preferred?
Because me_cleaner now supports this, and it is DiD at little added cost. Why 4 core-option minimum?
Because some of us like to pin CPU0 to dom0 for security. Why <= 5th gen intel-core?
Because only that year’s TXE has been confirmed removable.
Every additional generation is more complex hardware, not just Intel ME but the mobo, firmware etc, and I do not have a holistic understanding of all the extra complexity - so I deem it an unacceptable risk. How can I pin cores?
Guide coming soon.
Credits (not possible without):
@Sven for the HCL & Community-Recommended List @deeplow for keeping it tidy
All the core-team, mod and admin team.
All those who took the time to read, and everyone who is signed-up to the forum
Everybody on the osfw slack
Work in Progress
There is currently on-going discussion regarding me_cleaner and the security of gen >5. It is highly likely this will be revised ‘soon’.
Intel ME 11.x is the last ME publicly known, (to best of my knowledge), to be ‘cleanable’, rather than simply ‘ask nicely to disable*’(*aka HAP Bit). Hence, for now, this list will not go beyond Intel ME 11.x, so that is intel-core gen 7/8.
I may, (probably), have misinterpreted Intel ME vs TXE meaning. I am awaiting clarification on this.
Until somebody can prove otherwise, <=5th gen mandate is remaining in place. As although first 64gb-ram support for consumer-available laptop CPU is 6th gen - I am not aware of any instance where FSP etc (coreboot requires for >3rd gen, (thanks @airelemental for the tip-off)) and extra-new cr$p/firm-ware is neutralised.
The only exception I am likely to make is to 6th/7th gen - so we can get a 64GB ram laptop with intel ME partially nuked//neutralised onto the list.
If anybody is aware of progress R/E W530 & heads, please let us know.
“Layer Requirements” table is a little confusing, maybe make it hae 3 columns?
I don’t think quad-core or 5th-gen+ should be mandatory… for example, the qubes certified laptops are dual-core 3rd-gen. The T430 already on your list is 3rd-gen. An X230 makes a decent qubes system.
Coreboot laptops that may fit this list, organized based on blobs in firmware:
Coreboot with open source RAM init (may require a blob for video card, not sure)
Lenovo G505S (AMD-based, so no Intel ME, and predates AMD PSP)
Coreboot with open source RAM init, leftover ME (after running MECleaner)
Lenovo T420/T520/W520
Lenovo X230/T430/T530/W530
Coreboot with closed source RAM init, leftover ME (after running MECleaner)
Lenovo T440p/540p
Coreboot with closed source RAM init, ME 12+ (MECleaner not compatible), may have other blobs
Quad-core is covered in FaQ. It is because some of us, (intended post audience), pin CPU0 to dom0 - this would leave only 1 CPU for all VMs in a dual-core system.
Apologies, table says less than or equal to 5th gen. This is covered in FaQ, and is currently being discussed, (as mentioned in Work in Progress).
Thank you for the laptop recommendations, I will check the other requirements soon - I am currently talking with some dev.s on slack regarding me_cleaner.
This looks very, very, interesting. Can you reference the coreboot support/board link/report?
I have updated title to reflect, thanks very much for this contribution
UPDATE: This is why G505S is not being added to the list.
IMHO I think few enough people do this that dual-core should not be disqualifying. There are already very few eligible systems out there, no need to put additional constraints. I would just note which systems are dual-core vs quad-core and let people decide.
I will consider this. But given that the T430 & X230*, (*which I am just double-checking meets requirements), can both be upgraded to quad-core - I cannot actually think of a relevant device that is limited to dual core? The ‘system’ in the table is defined as a ‘model’. I.e: you can have dual core, but this list is intended for those who want to keep a system to 4.1 stable (whenever that may be) and beyond; (and are highly likely to pin cpu0 to dom0) - hence I am keeping it for now (unless I am missing something else??).
6th/7th-gen Core platform devices (Skylake/Kabylake), as well as Kabylake Refresh (KBL-R) 8th-gen devices use ME 11.x, but not 8th-gen Coffeelake-U/Whiskeylake-U/Cannonlake platform devices – those are ME 12.x
EDIT:
Whilst searching Intel Ark for some 64GB ram <= gen 5 equiv. processors with laptop-level TDP, I came across some ‘spooky’ ‘communications commercial temp’ processors (and chrome died:(
For example:
Here is the ARK-dork:
I would really like to know what products use(d) these CPUs, and where I can buy one
im new to qube os. Does the computer lenovo x230 have to be production model from year 2012 and earlier, rYar 2012? I more or less have to buy it used? Do I have to do ME cleaner on the motherboardchip like shown in this movie, with a Raspberry pie or similar?
DIY: Disabling Intel ME ‘Backdoor’ on your Computer
the answer is yes. Or you can pay someone to do it. Or buy it from some company that does it for you.
Be aware that these machines do not have microcode updates anymore, and intel platform seems to be melting with a neverending stream of bugs that can not be addreessed in software. Meaning, these machines are not as secure anymore.
Ok, but I can swap the cpu for this cpu [i7-3615QE] and I have to do the ME cleaner and then install coreboot or libreboot?
What about the router, If i install pfsense on a device with Intel ME or amd PSP wouldnt this be a problem? If i want a home server too I would essentially need three thinkbad x220 laptops from 2012 and earlier with ME cleaner and coreboot. One for computer, one for router and one for server?
Would it be possible to use AMD Ryzen 5000 series CPU with integrated graphics on cube OS for better graphics in gaming or would you have to pass throug theis gpu to the virtual machine like any other gpus in the motherboard PCI?
If i install libreboot on thinkpad x200 core duo, would I be able to play games on it with an external gpu or would the cpu be bottleneck? Im thinking 1080p 120 fps, games like dota 2 or pubg (pubg is not linux, but just an example).
Would not that mean that it’s clean from start even with default firmware and bios? And then already more secure and privacy respecting then most laptops out there?
Or do people need coreboot to remove PSP? Is it a fact that its hardware is clean even? How do you know this?
You make it sound like there couldn’t be a backdoor in the bios firmware, which probably is a lot more likely than someone placing a backdoor in the PSP.
So yes, even without PSP there could be something to remove in the firmware.
I just wanted to point out that there is neither ME nor PSP when talking about the G505s, nothing more, nothing less.
Edit: @renehoj
Maybe there’s been a misunderstanding from my side. In order to use this laptop with Qubes you have to run Coreboot. So when defending this laptop as a nice alternative to more expensive laptops I always talk about it under the assumption that it has been flashed with Coreboot.
