Demand for Services? Secured hardware & software support

@Sven Recently commented:

The exiting part here is that @plexus has already demonstrated that it’s doable. Maybe he will start a business selling these. Maybe existing vendors like Nitrokey and Insurgo will replicate his work. We are close.

People who would consider buying such a machine could post in this thread and thereby show how much interest there is.

I am wondering then, is there demand for any of the following:
Secured Thinkpads with Heads and hardware upgrades
Hardened qubes:

Custom, Minimal kernerls

Minimal, hardened linux kernels
mirage-like VPN unikernerls
UI/UX improvements

Hardened Xen

CpuPools (offline cpupool, online cpupools, dom0 cpupool)
Memory balancing disabled
etc

These are services I could provide, if there is interest.

3 Likes

When I was putting my Thinkpad x220 together (16 GB ram, 512 GB disk space, coreboot’ed, etc.) I definitely felt the desire for having a thinkpad with these things pre-built/pre-installed.

I also would like the option of being able to pay with Monero (XMR) for such a service.

I personally have no interest, but I do hope this takes off. What UI/UX improvents are you planning with custom kernels?
And would you like to share some more details on how to harden Xen?

This sounds great but only if it’s doable on latest gen high spec thinkpads. Is already a host of low end compatible Qubes OS laptops. The 2022 purism librem 14 that I received earlier this year replacing my 2017 Thinkpad p51 benchmarks marginally slower than the laptop it’s replacing that is 5 years old, Hardly an upgrade.

Is space for high spec QubesOS laptops and willing to pay top dollar for it.

Performance:
From 2018 to now there has been a significant improvement in laptop processors (TDP 15W-45W).
However from 2012/13 to 2018 the passmark combined score was only double at the same TDP, or the equivalent power from 45W TDP to 15W TDP, see: Intel Core i7-3840QM @ 2.80GHz vs Intel Core i7-8750H @ 2.20GHz vs Intel Core i7-8650U @ 1.90GHz [cpubenchmark.net] by PassMark Software.

The main performance gripes are:
limited to SATA6/USB3 speeds for the storage-drive (it’s fine but modern NVME PCIE speeds would be nice).
X230 and T430 limited to 16GB RAM (it’s fine but 32GB would be nice).

Compatability:
Modern CPUs no longer use S3 sleep, and AFAIK Xen still hasn’t migrated to whatever intel calls their modern suspend (I’ve forgotten the name).
Heads is compatible on a limited number of laptops. If you know somebody familiar enough with coreboot who could port Heads to a modern laptop, let me know (but I doubt it will be cheap).
Coreboot is also only compatible with a limited number of laptops, porting to new boards is not a trivial amount of work.

Battery Life:
Given old thinkpads use 18650 cells, you can recell them and get a 100wh+ battery, meaning the battery life of an old thinkpad with 35/45W cpu can be comparable to a modern laptop with 12-28W cpu.

Security & Bloatware:
Even if you could port Heads to an existing laptop, why would you?
Modern Intel CPUs cannot have the Management Engine removed (at-least that is documented anywhere publicly), at the very best it is: ask nicely to disable.
See, https://twitter.com/markel__ for prime examples of how each new generation of Intel CPU is just more vulnerabilities and bloat.
And for AMD’s PSP, well: who knows?
These are the core concerns AFTER you’ve:
factored for all the new chips/computers on your motherboard with their own firmware
the need for newer linux kernels with more bloat, simply for compatability
etc

I would like a modern, reasonably secure laptop. And it is possible. However it would have a radically different design from anything currently on the market. (If you know anybody experienced with supply chain, let me know).

I can still install QubesOS with hardened Xen and minimal kernels on modern laptops which are compatible. (Though with the disclaimer that models in the past couple of years may not suspend/hibernate properly due to the aformentioned Intel migration from S3).
I can also flash pre-built coreboot images onto compatible devices (but I’m not willing to port coreboot it’s not an area I’m familiar with and either-way I know that the time required is not worth the money people are prepared to pay).

So, you can get Qubes installed on latest spec laptop but with exception hibernate/suspend will not work (and no coreboot) but everything else is all good ?

I be interested in that! Did I understand correctly ?

I’d pay for a well constructed guide to such improvements.

2 Likes

Might be worth reaching out to companies like Insurgo, Librem or Minifree. If the product you think you can architect is better than alternatives it would be worth entertaining the idea of piggy-backing off of someone else’s supply chain.

I don’t know who’s in charge of any of the above but they’ve been putting a considerable amount of effort into this space to indicate to me that they are motivated by more than business and you aren’t going to be unwelcome to competition.

Fwiw I’ve been mulling over obtaining a 16-core desktop ryzen equipped eurocom (or other clevo variant w/ 5950X) laptop or maybe even just going for a desktop threadripper w/ 32 or 64 cores just to start experimenting with security partitioning of cores or core groups.

The eurocom is somewhat affordable at around $3k spec’s well but the two-dimm → 64GB RAM limit (maybe more if 64GB DDR4 SO-DIMMs come out) is currently a bit limiting tho.

Not really a fan of the big/little option on the intel side, feels like asking for performance issues under xen.

B

If the laptop will run linux then in most cases it will run Qubes.
I’ve installed qubes on laptops others had troubles with; (really it’s just about finding the right tweaks in the ISO config). The main issues are that UEFI / modern ‘BIOS’ is an oxymoron of a specification. The comparison between vendors & models is considerable. When it comes to direct install linux it’s not so bad, but when your base is Xen you do run into issues on cutting-edge hardware due to the nature of dependencies (which aren’t considered necessary or are labeled ‘legacy’ on consumer hardware, and ‘who cares?’ because ‘most use KVM’ which is linux as your base anyway).

Yep.