Here in 2025, I am now designing the build for a new high security focused system, and so I’m seeking recommendations for owner-controlled secure motherboards (whether it be consumer, workstation, or server models) that work with Qubes OS.
I have been out of the market for the last ~4 years, so I’m not fully up to date on knowing the present state of owner-controlled systems available, and am therefore seeking to receive thoughtful education, tips, recommendations, etc.
Here’s what I’m aware of being available from from the past:
- Pre-ME Intel Systems
- Pre-PSP AMD Systems (Fam15, KGPE-D16, etc)
- ME-Neutered Intel Systems (me_cleaner through Intel 11th gen)
- ME-Desabled Intel Systems (creepy NSA HAP bit reliance)
- Raptor Talos II (however, not Qubes compatible)
Are there any other options known, more recent or otherwise? Or has the state of owner-controlled secure systems just gotten worse and more closed off?
Desired criteria:
- Required to support open source firmware (coreboot, etc).
- Required to support working HVM & IOMMU for secure sys-net & sys-usb qubes.
- Ideally no ME/PSP present, but fully neutered may be ok.
I would just go with the KGPE-D16, but sadly found out that the somewhat recent speculative execution vulnerability microcode patches have rendered the Qubes HVM compatibility non-working for secure sys-net & sys-usb qubes, allowing only the insecure Qubes PV mode for PCI device passthrough (see forum post #31575 & GitHub issue #9150).
I see that 3MDEB has come along with Dasharo, but since dropping the KGPE-D16, seems to be focused on systems that lack true owner-control, by seemingly offering an open “wrapper” style firmware around the motherboard blobs with having to trust the effectiveness of setting a HAP bit to request the Intel Management Engine be and stay disabled?
Is the following state of owner-controlled Qubes systems sadly true or am I missing something?
Currently Understood State of Owner-Controlled Qubes Security (please correct me if I am wrong):
-
Old Pre-ME Intel Systems still would seem to securely work with Qubes.
-
Old Pre-PSP AMD Systems do not seem to work with secure Qubes HVM passthrough anymore (not sure if all Fam15 are non-working or just some like KGPE-D16 are non-working?).
-
Old ME-Neutered (me_cleaner through 11th gen) Intel Systems still would seem to securely work with Qubes, but not as ideal as having no ME/PSP present at all.
-
Recent ME-Disabled (creepy NSA HAP bit) Intel Systems securely work with Qubes but not fully trustworthy/owner-controlled, as the ME/PSP code is still not neutered and HAP bit may not be fully effective.
-
Raptor Talos II is best owner-controlled hardware, but sadly still not compatible with Qubes.
Got any insights or recommendations on selecting an owner-controlled secure motherboard for Qubes OS in 2025?
P.S. WISH for Owner-Control community...
I wish there was an owner-controlled secure computing focused community that worked on providing open source firmware along with secure OS compatibility, since the main open source firmware hubs (coreboot, Libreboot, Dasharo, Raptor, etc) don’t seem to hold both owner-controlled hardware and OS security as prime first principles of their offerings (although they are second best and what’s available for now it seems). Wish some money and talents would come together to provide owner-controlled hardware & secure Qubes OS compatibility (as Linux is not reasonably secure), like we had thought we had just a few years ago with the KGPE-D16 before the speculative execution vulnerabilities were identified.