Buy fancy new hardware and use 4.1 or buy older hardware and use 4.0?

Hi everyone,

I’m new and I’ve been testing QubesOS 4.0 for some weeks on my old PC now (e.g. 8G RAM, not upgradable). I really love it a lot!
It’s really amazing what the team has built and I’m positively surprised how well it works as a daily driver (even on such low-scale hardware).

Now, I’m considering investing in a better desktop PC (especially with more RAM).

Even though I would generally prefer AMD, I read that Intel would be the safer choice.

I see 4 options:

1) Invest in a long-term PC that will be quite good for several years and use it with 4.1 alpha
From what I read in the forum, many people are already using 4.1 and seem quite happy with it.
But is it really stable enough as a daily driver? I think I read somewhere that Dom0 updates within the alpha can break things if you are not careful.

I was considering something like this as a setup:

  • CPU: Core i7-10700K
  • Mainboard: Gigabyte Z490M
  • RAM: Corsair Vengeance LPX 2x 16 GB DDR4-3600

This hardware seems to be similar to this setup here: https://groups.google.com/g/qubes-users/c/R1ZjyNYZ1Kg/m/oJ5PqQS3AAAJ

2) Invest in a long-term PC that will be quite good for several years and use it with 4.0 and unstable kernel 5.11
In the link above, it says that kernel 5.8+ is needed. It seems that I can get kernel 5.11 in Qubes 4.0 through “kernel-latest-qubes”.
Would that be stable enough as a daily driver?

3) Wait until 4.1 is officially released and then buy a new PC
Looking at the past release timelines, it seems to me that this might be very far away (probably more than 6 months?) and probably not worth waiting.

4) Rather invest in older, well-supported hardware now and stick with 4.0 as a safer option
Here I would try to go through the Hardware Compatibility list and look for something older and hopefully more stable.
For example, something like this:

What would you do in my case?

Thanks a lot in advance!

Even though I would generally prefer AMD, I read that Intel would be the safer choice.

I guess you’re talking about what you see in the HCL, but do see this post before judging: "AMD appears to lack sufficient testing...and may harbor latent bugs" - Trail of Bits SecureDrop Workstation Review - #18 by tasket

In terms of latest vulnerabilities, AMD has been clearly superior to Intel, and due to requiring fewer mitigations, performance is also better.

Regarding 4.0 and kernel 5.11, if you’re comfortable with building your own ISO, you can change the kernel version to the minimum you need, although as you noticed, many people have good experience with Qubes 4.1 (myself included).

If going for the newest hardware (which will probably be the best bet), my only recommendation is to carefully choose the motherboard, especially the IOMMU groups (which on some are terrible). I doubt you will have compatibility issues with any modern processor as long as it meets Qubes requirements. Also, since hyperthreading is disabled on Qubes, having a high core count is desirable (on which AMD offers the best pricing).

Thanks for your reply!

Yes, that was also my impression after my research on this topic.

With “Intel would be the safer option”, I wanted to refer to “safe” in terms of better compatibility with Qubes.

Any recommendations on a good motherboard? (I felt a bit lost on the AMD entries in the HCL)
Also: If I remember correctly, the better AMD processors don’t have onboard graphics, so I would risk incompatibility with the additionally required graphics card.

What would you do in my case?

I am not you, so I don’t know your needs. Let me paint it in extremes:

a) You are a Linux/Security/Tech enthusiast and enjoy troubleshooting
and figuring things out. This machine is your private PC and you do not
need it for work. If something doesn’t work or is unstable it will annoy
you but nothing bad will happen.

---> knock yourself out with the new HW and R4.1

b) You have a job and you use that computer to earn money. While you are
technical enough to use Qubes OS in its current state, you often find
yourself asking for help with Linux questions. Your PC not working would
be a major cause of stress.

---> get something from the HCL and stick with R4.0

c) You are really not technical but you need the security of Qubes OS,
your life or the lives of others depend on your handling of sensitive
information.

---> Get a PrivacyBeast or a NitroPad, stick with R4.0

(Or if you have a trusted nerd in your circle, get a ThinkPad x230 or
t430, upgrade it and install Heads and Qubes OS)

If going the AMD route, any x570 should do it. The exact model depends on whether you also want the latest features like WiFi 6, USB 3.2 & a 2.5G ethernet port. Preference should also be given to a board that has at least 1 PS/2 port (to connect the keyboard and completely blacklist USB controllers from boot).

Regarding the GPU, a 1060 will work without issues with open source drivers and will give you headroom to go multi-monitor.

It depends on what you need, and if $ is not your problem you can go with anything :laughing:

For myself, an old PC should be enough even with alpha 4.1. Specs:

CPU: Xeon L5640x2
Mainboard: Asus Z8NA-D6
RAM: 8GBx6 1333 MHz
GPU: GTX 580

And I have a Legion 5i 15IMH05 dual-booting Qubes and Windows on different disks, with the bootloader placed on a USB disk.

Hey, that was my HCL report you linked. I initially tested R4.0 on my machine, and it worked just fine except for my network card, as its driver is only included in kernel 5.8+.
R4.1 works great, no major bugs or instabilities yet and I really prefer it over R4.0, lots of awesome improvements. Works fine as a daily driver for me.

Excellent advice!

Although I’ve been running mainly OSX for two decades I’ve installed and used lots of distros on/off on laptops mainly. There is always something that happens with Linux, even distros as smooth as Linux Mint…

Now ditching OSX and migrating to Qubes for anything other than mobile devices (hoping to run those on e.solutions later) I will use at least 2 laptops, and expect to put a lot of energy and time into getting backups, cloning and migrations to work well.

Reminds me of setting up RedHat on an old server in 2000 with VMware & then running Adobe on WIN98, took me a while to get it right but once I had good routines it became a very productive environment where I could simply “reset” C whenever some driver or whatever acted up. Felt great to “tame” the horrible Windows creature!

I’m definitely in the camp of getting older hardware on the HCL list with as much support as possible, Thinkpad X230 was an excellent first choice - cheap, took the 16Gb ram from a broken Mac mini & will be my learner laptop :slight_smile:

Don’t have time to read all the other comments, so don’t mind the overlap, if any:

I’ve been using Qubes on a laptop with i7-1065G7 for well over a year now. Both R4.0 and R4.1 work perfectly fine, especially after the R4.0.4 update that upgraded the initial kernel, so installation using older software that doesn’t support the latest hardware is no longer a pain.

There isn’t a real reason to jump into R4.1, as it’s still in its alpha stage and might be less secure than R4.0, but unlikely to be more so. For example, since R4.1 dom0 uses Fedora 32, which hasn’t reached EOL, it’s constantly receiving updates, so your dom0 (the most sensitive part of the system) is constantly being fed new, possibly troublesome, code. On top of that, the QRexec overhaul means that a lot of existing documentation involving Qubes policies no longer applies.

Furthermore, there are indications that R4.1 is actually slower than R4.0 due to changes in the newer Xen (as demonstrated in my Qubes startup test thread), and this might still be true now.

This makes it hard to justify the time and emotional cost of working with an unpolished, buggy system from a purely functional point of view (maybe you just like shiny new things, testing, and contributing, which is great).

If your current hardware is old and you’re unsatisfied running R4.0 on it, then by all means go for it; if you’re satisfied but just feel RAM-constrained, get more RAM (relatively cheap nowadays). All in all, I wouldn’t go out and get a new PC just for R4.1.

 


Not technically trained; consume advice with salt

Now ditching OSX and migrating to Qubes for anything other than
mobile devices (hoping to run those on e.solutions later)

Made the same switch 4+ years ago and wouldn’t go back. As others in
this forum expressed before, running another OS on bare metal (without
Qubes OS) just feels wrong now. Like driving a car without seat belts
and air bags.

Regarding mobile I did keep using iOS all that time because I thought it
was the most secure option and just took the privacy hit of Apple
knowing my every step. However meanwhile I think we are all disabused of
the notion that iOS would somehow be harder to compromise. There have
been plenty of high profile examples in the news lately.

Maybe a month ago or so, @Plexus made me aware of Graphene OS. It’s a
hardened and de-googled version of Android. It was extremely easy to
install on a relatively inexpensive Pixel 4a. Should have done this
years ago. Especially if you are into privacy you should look into that
solution. One of the things I value is that the phone will use my VPN
and if that doesn’t work just not use any data at all (leak proof).

Oh, I do enjoy driving my motorbike here with no protection whatsoever - guess it’s the other way around for me, but I agree :slight_smile:

I’ve tried getting e.solutions running on some old Android phones, but it’s a LOT to learn - definitely a goal to get onto a better platform for mobile devices too…

Bought a Pinephone with Manjaro, great as an effort and platform for tinkering around, but not everyday use. Could be a very good companion to laptops with Qubes, got not GPS and so on, switches for hardware!