Best laptop for Qubes?

What exactly is the reason Qubes doesn’t support new hardware as others do?

2 Likes

Because it’s running Xen and not really Linux, which has poorer hardware support. Then Xen boots and starts Linux in dom0 (the “admin” VM) and delegates a lot of devices to it.

3 Likes

I haven’t had any hardware issues since updating the firmware. Before that, the battery was the only issue I had. I mentioned in another thread that some USB devices had problems, but I’ve confirmed that those were problems with the peripherals and not problems with the laptop. I bought the laptop pretty soon after it was announced - I forget if it was technically a pre-order, if not I got it within a month of release - so unless later iterations shipped worse hardware I don’t think it’s a general issue. It’s unfortunate, but no manufacturing process is perfect and some percentage of items will turn out defective no matter how high the quality standards are.

1 Like

While it does have worse hardware support than most distros, from reading through past posts lately it seems it’s been getting a lot better. If you’re willing to be a couple of gens behind on your device you can still get really good devices, especially in the ThinkPad range. For the most part people can get Qubes working on many devices if they’re able and have the knowledge to tinker. I personally picked the T480S; I visited the HCL list and found a device that was green across the board and was still relatively modern, and I haven’t had any issues. It appears one of the main limiting factors of new devices being “Qubes Certified” is they all have TPM 2.0, which currently doesn’t support coreboot. If you travel with your device a lot or if a physical attack on your device is in your threat model you may be stuck with either 1. older certified laptops or 2. privacy-specific brands who have support for boot protection tools.

2 Likes

TrenchBoot is a framework that allows individuals and projects to build security engines to perform launch integrity actions for their systems. The framework builds upon Boot Integrity Technologies (BITs) that establish one or more Roots of Trust (RoT) from which a degree of confidence that integrity actions were not subverted is derived.

Trench boot --Mentions for T480.

I have not attempted this.

Cheers

maybe I was supposed to be over here.

Oh wait, this was the webpage I recalled.

1 Like

From what I was reading on TrenchBoot, it’s not ready for the limelight and isn’t a complete project? I had asked for confirmation on here if TrenchBoot is a viable solution for Qubes now but I didn’t get a response on that one unfortunately. I’ll have to do some more searching and see if this is a viable solution now.

I’ve read this one also, but I’m kind of hesitant to rely on it. Seems like it’s better than nothing but not on the same level as coreboot etc.

1 Like

This is similar - like a continuation - of this thread. I’ve seen an HCL report regarding a Lenovo P73. This machine offers good performance.
For me an older maxed-out Ivy Bridge is good enough, having the better classic keyboard and a good SSD. As a next step I’d opt for a Purism Librem because of more RAM, but this is just personal choice (having Intel ME disabled is a nice “non”-feature too).

2 Likes

I’ve been doing a lot of research on this lately; I want to build a machine with IME neutered, which means Ivy Bridge. In my research the best laptop would be a W530 with Skulls, but it seems dual monitors aren’t an option, which kinda sucks.

Next to that is the T430. Sven has worked quite a bit on this and has two HCLs posted, but the T430 is capped at 16 GB RAM…

I’m at an impasse personally :frowning:

1 Like

Your first criterion is met; the rest are not necessary to function.

1 Like

I bought a used Librem 14, flashed the EC to the latest version and installed Qubes OS. This is my first time using the Librem 14 and Qubes OS. So far I’m very happy with both.

2 Likes

This is what I thought as well. It has been suggested to stick with the T430 because it is already on the HCL a few times and is functional, but the allure of 32 GB RAM, a faster CPU and a better monitor out of the box have me on the fence. It’s really too bad one can’t neuter IME on anything past Ivy Bridge…

1 Like

Do not forget to update Coreboot/PureBoot, as they have been recently updated within the last week.

4 Likes

Thanks for mentioning this! I hadn’t been keeping up on these updates as well as I should have been. :sweat_smile:

In case it’s useful for anyone else, Purism uses GitLab, which has an Atom button in the top-right corner of the commit history page to watch commits. And it works on subdirectories! So https://source.puri.sm/firmware/releases/-/commits/master/librem_14?format=atom will tell you when there’s an update to the Librem 14 firmware in particular.

3 Likes

That’s true, but you can get newer CPUs without Intel ME from companies like StarLabs, System76 or Tuxedo.

I’m not sure if a W530 with Skulls works with dual monitors but W530 with Coreboot might work that way. I did not test Coreboot on this machine yet though.

2 Likes

Purism, as written about ad nauseam, is not worth the trouble.
Go with established companies such as Lenovo and visit the HCL for a gut-check.

1 Like

Purism laptop is my daily driver. It works flawlessly with Qubes, the performance is great. HCL reports from users confirm this.

1 Like

It’s nice to see projects like Purism, and Nitro and Nova. But personally, getting a 1300 USD laptop through customs and paying 60% (of the product) in taxes, to see if your daily driver works better on another machine.

I would love to see more people investigate hardware that the whole population can get their hands on. Don’t get me wrong, I would love to be in another area, where you can access top-notch hardware focused on privacy, but not everyone can.

OP:
I have a Dell Latitude E5470 with an i5-6440HQ, which supports 32 GB of RAM and works flawlessly with Qubes OS 4.2.1. It’s around 200 bucks refurbished on Amazon (with 8 GB of RAM).

1 Like

Would you be able to submit the HCL?

1 Like

Here you go:

2 Likes

We deliver DDP (Delivery Duty Paid), so all applicable taxes, import duties, broker fees and other charges are already included in the sales price for NovaCustom.com.

Cheers!

2 Likes