I have been thinking about buying a new computer as a second computer. I have been thinking about getting a thinkpad. Reason being that many spare parts are available and easy to get at decent cost (even for quite some time after discontinuation), and that they generally are supposed to have good linux support. I have looked at both the certified qubes hardware list and the HCL qubes hardware list. I see that there are no thinkpads listed on the certified qubes hardware. The problem I am worried about with this is that future parts could be difficult to find (keyboard, trackpad, hinges, etc) on computers from nova, nitro, etc… and I am not sure about overall durability. I often need to use the computer outdoors in fairly harsh conditions so ideally want something that is robust. It doesn’t have to be toughbook level of robustness, but at least something that is pretty good and with decent spare part availability.
Now as far as the most modern thinkpads that seem to work with QubesOS from the HCL list these are what I have found.
Lenovo ThinkPad L14 Gen3 (21C5CTO1WW)
Ryzen 7 PRO 5875U
Lenovo ThinkPad T14 Gen 3 (21AJS4KF06)
i5-1245u
Lenovo ThinkPad T14 Gen 5 (21ML0046PB)
Ultra 7 155U Meteor Lake
Problem here is that it seems unsure if any of these work with AEM. As QubesOS cannot use secureboot, I really do need AEM. Also, The T14 Gen 5 (Ultra 7) also seems unsure is SLAT works.
Has anybody here used these particular models? As the T14 Gen5 is the newest out of these it is obviously the one I am most interested in, but both SLAT and AEM seems unsure and I need everything to work.
I don’t know what is SLAT and AEM but i5-1245U have TDP 15W and with more sustantial workload can power throttle.
12th gen P series can thermal throttle in turn.
AMD cpu’s are better with power and thermals in laptops.
No.
It not work with TPM 2.0 as is said explicity in Qubes OS documentation.
And I’m not leaving my laptop in hotel room unattended as it’s always in my home in my room.
What is Qube OS certtificate? That hardware is compatibile with Qube OS and shipped with Qube OS installed.
Can you install Qube OS without AEM? You can. It’s software additions not a core function. So hardware without ability to run AEM can be certified.
And yes, AEM don’t work on computers with dissabled/cleared IME.
Thanks Kitsune.
So basically AEM is useless to me all round.
I have seen heads as an apparent alternative but obviously that won’t work on modern thinkpads either. Seems then like I may have to look further into the Nova/Clevo computers as then at least I think I could run heads?
Also, is there a reason why AEM hasn’t been updated to work on TPM 2.0?
I’m not really sure if that completely stops meltdown/spectre. I think it helps, but I don’t think it is the silver bullet. And I don’t think 8th gen has had microcode updates for a while?
If you’re feeling intrepid enough you can roll your own for TPM 2.0. In fact you can further improve security by gating the unseal operation with an external smart card. I can send you some early userspace scripts along those lines if you’d like to see what’s possible.
