Best laptop for Qubes?

There are some lists maintained for different purposes.

The machines in the "Certified hardware | Qubes OS" list are officially supported & tested, and can be purchased with Qubes OS pre-installed.

The "Hardware compatibility list (HCL) | Qubes OS" contains a larger number of machines with compatibility details based on community-submitted results. Not all of these are 100% compatible, but you can see which parts are incompatible and maybe you’re OK with the compromise.

The forum also has a community-maintained list of recommendations (Community-recommended computers), which are not officially supported but have been found to work with minimal difficulty by experience.

Personally, I use a Librem 14 by Purism; I’ve run into no significant difficulties and appreciate the design of PureBoot. It’s not a certified machine but it can be purchased with QubesOS pre-installed. I’d be wary of some of the other products though. For example, the Librem Mini claims to support PureBoot but it does not have a TPM, so it is not clear to me how this protects from the threats that PureBoot is designed to protect against (I assume a physical attacker could read the software and replace it with a malicious version that knows the secret because the secret is not protected by a TPM, but I have not looked at this in great detail).

3 Likes

After a lot of research I landed on using a T480S (the T480 would also be a good pick). Many of the certified laptops were much older than I wanted to use, and the T480/T480S allowed for RAM expansions. If you plan to run a LOT of qubes, the T480 can max at 64GB; I currently have my T480S maxed at 48GB (16GB soldered, added 32GB chip). For the most part it has worked out of the box perfectly well: all hardware functions as intended, suspend works, etc.

One thing I did do:

  1. Had a weird graphical glitch at default scaling; switched scaling to 1.1X, which is basically no change at all, and it fixed the issue.

Other than that, any other change has been quality of life/customization for myself. Regarding the hardware, it just WORKS. I’ve been very impressed with the T480 series as well; the keyboard, while not the glory days of old ThinkPads, is still better than 90% of laptops I’ve ever typed on. It’s light and thin even by 2023 standards, and it’s quiet.

If you do decide on a T480:

  1. Make sure you update all firmware before installing Qubes, especially the Thunderbolt firmware, which is known to cause issues on this gen of ThinkPads.
  2. Make sure you have the BIOS set correctly before install: enable virtualization, disable secure boot, disable hyperthreading (Qubes doesn’t use hyperthreading and I’ve found it wakes up faster from suspend without it enabled; also there’s no major reason to bother with the i7 version if you can get an i5-8350 cheaper).
  3. I can confirm everything works great on the latest kernel (non-testing), so jump straight to that.

IMO this model is a great middle ground between the older “certified” units and brand new units with possible compatibility issues, without going too OLD in design and specs. I’ve spoken with a couple of guys who had tried the T14 G2 (AMD) with good results as well. If I ever upgrade it will likely be to a T14.

3 Likes

I’m using a @novacustom NV41 where the camera and microphone modules have been removed.
I am fully satisfied.
The laptop review by @solene corresponds well to the reality of this product.

2 Likes

Same here.

In the end, the two deciding factors (for me) are Qubes certification and official Coreboot support. I intend to use Qubes as designed, and this laptop was my best option.

Oh, and leading edge technology too. Should hopefully get many years of productive use.

3 Likes

Maybe someone should suggest, while the cost of getting any hardware you might choose is not a problem for you.

If you have never used Qubes, you might decide that you do not like it very much.

It is more like a geeky background person’s version of an operating system tool kit. Not a polished OS with easy-to-install apps.

Any third-party program that you add increases your security risk. It increases your “attack surface,” at least for that qube.

In hardware that you acquire, there is a frustration with how long it takes for a qube to spin up. Trying to maintain a high-security computer can be frustrating.

I am devoted to using Qubes, but I frequently wish I had a recent experience of four years of University classes with three courses each semester on Linux, Networking.

I want to use Qubes, and I have spent far too many hours tinkering with it. Learning how Qubes wants me to obey its needs, requirements, quirks.

Then the internet itself, is not a friendly resort. More like discovering one has been kidnapped and dumped off in the bad part of town, where most you meet want to make me their victim.

It depends on your threat model. I personally use the Librem 14 v1, and the experience is still sublime; the link below is my HCL report a few weeks ago after installing Qubes R.4.2.0.

1 Like

Not Yet …

3 Likes

The folks over there in the Framework Forum:

1 Like

That was the first thing I did: searched their forums for both Qubes and coreboot. They have no intention of supporting coreboot (“maybe some day”), and a few people mention getting Qubes installed and running, but no official support.

The parts changeability looks interesting at first, but after thinking about it, how flimsy will those parts get after daily usage? Wouldn’t want the keyboard falling out every time I lift the lid, stuff like that.

1 Like

See also:

4 Likes

I own a Librem 14 and I strongly advise you to not get one. PureBoot is amazing but the hardware is bad. I’ve sent mine in for 2 repairs. My USB-C charging capability is gone, and my barrel charger arcs every time I plug it in unless I unplug the charger and power down my laptop first. Librem says that is normal and not to worry, even though they replaced the main board last time when it died after sparking when plugging in. PureBoot is so cool, but the hardware is just not there. That being said, it runs Qubes no problem, its CPU does the job, and I run 64GB RAM so that isn’t an issue. It’s just the hardware quality that breaks it. Framework 16 is on order for me; I just hope my Librem 14 survives until it gets here lol

3 Likes

I’m writing this from a Librem 14, and I never experienced the hardware problems you’re describing. Can only recommend this amazing, fast machine. Did you try to update the EC firmware?

2 Likes

They did make more than one lol. Everything is up to date, except PureBoot. I had to roll back after the most recent update blacked my laptop screen until after boot.

2 Likes

What exactly is the reason Qubes doesn’t support new hardware as others do?

2 Likes

Because it’s running Xen and not really Linux, which has poorer hardware support. Then Xen boots and starts Linux in dom0 (the “admin” VM) and delegates a lot of devices to it.

3 Likes

I haven’t had any hardware issues since updating the firmware. Before that, the battery was the only issue I had. I mentioned in another thread that some USB devices had problems, but I’ve confirmed that those were problems with the peripherals and not problems with the laptop. I bought the laptop pretty soon after it was announced - I forget if it was technically a pre-order, if not I got it within a month of release - so unless later iterations shipped worse hardware I don’t think it’s a general issue. It’s unfortunate, but no manufacturing process is perfect and some percentage of items will turn out defective no matter how high the quality standards are.

1 Like

While it does have worse hardware support than most distros, from reading through past posts lately it seems it’s been getting a lot better. If you’re willing to be a couple of gens behind on your device, you can still get really good devices, especially in the ThinkPad range. For the most part people can get Qubes working on many devices if you’re able and have the knowledge to tinker. I personally picked the T480S; I visited the HCL list and found a device that was green across the board and was still relatively modern, and I haven’t had any issues. It appears one of the main limiting factors of new devices being “Qubes Certified” is they all have TPM 2.0, which currently doesn’t support coreboot. If you travel with your device a lot or if a physical attack on your device is in your threat model, you may be stuck with either 1. older certified laptops or 2. privacy-specific brands who have support for boot protection tools.

2 Likes

TrenchBoot is a framework that allows individuals and projects to build security engines to perform launch integrity actions for their systems. The framework builds upon Boot Integrity Technologies (BITs) that establish one or more Roots of Trust (RoT) from which a degree of confidence that integrity actions were not subverted is derived.

TrenchBoot -- mentions for T480.

I have not attempted this.

Cheers

Maybe I was supposed to be over here.

Oh wait, this was the webpage I recalled.

1 Like

From what I was reading on TrenchBoot, it’s not ready for the limelight and isn’t a complete project? I had asked for confirmation on here if TrenchBoot is a viable solution for Qubes now but I didn’t get a response on that one unfortunately. I’ll have to do some more searching and see if this is a viable solution now.

I’ve read this one also, but I’m kind of hesitant to rely on it. Seems like it’s better than nothing but not on the same level as coreboot etc.

1 Like

This is similar to (like a continuation of) this thread. I’ve seen an HCL report regarding a Lenovo P73. This machine offers good performance.
For me an older maxed-out Ivy Bridge is good enough, having the better classic keyboard and a good SSD. As a next step I’d opt for a Purism Librem because of more RAM, but this is just personal choice (having Intel ME disabled is a nice “non”-feature too).

2 Likes