It depends on the person, but for me, they are headed in the right direction and in general alignment with my values.
Specifically to Tommy Tran.
Which company hardware, approach do you favor?
I realize some on the forum have issues with some personalities, or have had problems with some companies (like Purism, long delay in shipping) and such. But if we could put it aside.
Some talk about hypothetical RISC-V, similar (so I read) to PPC, or ARM processors? I don't think either is ported to Qubes.
I read of some folks who like the very old G505S with the A10 processor, but I do not know what OS works with that, and I don't see a functional one sold.
Then there is the computer built by the Penguin.
https://www.thinkpenguin.com/gnu-linux/penguin-t4-gnulinux-laptop
Also, I guess it only comes up in my life because I know a fellow who has a 3D printer; you know, builds things out of plastic by design. Build my own computer. Which, I guess, is only robbing a pre-built computer and putting it in a new case. I am of the hunch that building a MOBO is not something one can do in a home basement. Then one is limited to a well-known standard list of parts, with a close tie to a specific battery, and such. Just, for me, I see some laptops that need a better designed case. Better setup with antenna. Better cooling. But it is also about control of what I am using. Where I seem to be deceiving myself. It is not going to be more secure.
Purism's stated values are wonderful. I'm still using a Librem 13 as my mini-me Qubes OS laptop (it's a mini-me of my desktop system; I even run the same salt setup on it with variations that are necessitated by differing hardware).
The way they have treated many of their customers, however, is abominable, and until I see signs of a culture change in their company, they're hypocrites.
This.
My main concern is whether the hardware fits the requirements of my use case, while my experience with Purism does not carry much weight. Even so, my interactions with them and the community have been pleasant since 2019.
off-topic (copy into new discussion if needed)
Which company hardware, approach do you favor?
For laptops: Apple (with the assumption that you will stick to macOS on their devices), Dell, and to a lesser extent, Lenovo. For Dell and Lenovo, you will want their business laptops (Latitude, Precision, Thinkpad) with vPro Enterprise.
Things I look for:
- Having an actual root of trust. Dell and Lenovo have Boot Guard set up. Apple has an equivalent too, but I don't have the details off the top of my head right now.
- Regular system firmware updates: Dell's schedule for system firmware updates is once a month (though they sometimes do skip 1-2 months). Lenovo's schedule is once every other month for 2023 and later models. Apple... they do release updates, but I don't know of any set schedule.
- Not having some ancient piece of hardware like a Wifi card with little to no firmware updates. (Purism is especially guilty of this with the stupid Wifi 4 Atheros card on their Librem 14.)
- Long term support. You will want to get updates for 5-7 years. If a device will only get updates for the first year or two after its release, like with some other vendors... it is basically worthless.
- LVFS support - Both Dell and Lenovo support LVFS for their modern business laptops.
- Memory encryption - which is why having vPro Enterprise is important. Apple devices do not have memory encryption, unfortunately.
- Some way to not store the disk encryption key in RAM. Apple devices have the Secure Enclave which handles this nicely. Intel vPro Enterprise devices have Intel Key Locker, but I am not aware of anything with support for it outside of ChromeOS atm. It's still nice to have though, in case OSes start supporting it in the future.
- Custom UEFI secure boot key enrollment. This is especially important for anything that is not Apple - you will want to enroll your custom secure boot key if you are running Linux. In the case of Apple + macOS, you don't need to worry about this, since they already have verified boot out of the box.
- Secured-core certification - this is especially important if you run Windows. You will want the computer to meet all of the baseline hardware security for Windows, and to boot normally without the Microsoft 3rd party CA.
- Prevention of UEFI firmware downgrade via the UEFI capsule. Lenovo fails at this, and you can just downgrade their firmware using fwupdmgr. This is why I prefer Dell over Lenovo.
- Some form of actual downgrade protection (against the likes of a programmer). This can be done by blowing BootGuard fuses, but Dell doesn't do it frequently, and Lenovo does it even less frequently. Not sure what Apple does for their stuff. Unfortunately, I haven't found any OEM doing it better than Dell either.
- Meeting HSI 4 for Linux
I just avoid the likes of Purism, System76, StarLabs, etc. Most of them fail at even the basics like having BootGuard, let alone the other stuff.
Anything advertising that they have the "ME disabled", I avoid (since so many security features rely on CSME).
Heads laptops (including the Purism Librem) have this circular logic which makes their security theatre, so I just avoid them: How exactly is HEADS/Pureboot secure? - All around Qubes - Qubes OS Forum (qubes-os.org).
There is more nonsense with these if you want me to list it...
Their values are based on the FSF nonsense rather than actual security or privacy.
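The "custom UEFI secure boot key enrollment" point in the list above is only as good as the contents of PK/KEK/db after you have enrolled your own key. The following is an added example, not code from the forum post or from any vendor: it builds an EFI_SIGNATURE_LIST for one X.509 certificate (the same layout efitools' cert-to-efi-sig-list produces) and parses the raw db/KEK/PK variables from efivarfs so you can confirm that only the certificates you expect are present. The sample DER bytes and owner GUID are constructed placeholders, not real certificates; producing the signed .auth update that actually enrolls the key (sign-efi-sig-list, sbkeysync, sbctl) is assumed to happen elsewhere.

```python
"""Build and inspect EFI_SIGNATURE_LIST blobs (the on-disk format of PK/KEK/db).

Added example, not part of the original forum post. Reads efivarfs on a real
UEFI Linux box (enrolled_certs) or the constructed sample (sample_efivar).
"""
from __future__ import annotations

import hashlib
import struct
import uuid
from pathlib import Path

# Signature type meaning "one DER-encoded X.509 certificate per entry" (UEFI spec).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Vendor GUIDs of the Secure Boot variables as they appear in efivarfs file names.
_VAR_GUID = {
    "PK": "8be4df61-93ca-11d2-aa0d-00e098032b8c",   # EFI_GLOBAL_VARIABLE
    "KEK": "8be4df61-93ca-11d2-aa0d-00e098032b8c",
    "db": "d719b2cb-3d3a-4596-a3bc-dad00e67656f",   # EFI_IMAGE_SECURITY_DATABASE
    "dbx": "d719b2cb-3d3a-4596-a3bc-dad00e67656f",
}
# Fixed part after the type GUID: SignatureListSize, SignatureHeaderSize, SignatureSize
_HDR = struct.Struct("<III")

# Constructed placeholders for offline use; NOT real certificates.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_DER2 = bytes([0x30, 0x05, 0x02, 0x03, 0x01, 0x02, 0x03])


def build_esl(der_cert: bytes, owner: uuid.UUID) -> bytes:
    """One EFI_SIGNATURE_LIST holding a single X.509 cert tagged with an owner GUID."""
    sig_size = 16 + len(der_cert)            # EFI_SIGNATURE_DATA = owner GUID + cert
    list_size = 16 + _HDR.size + sig_size    # type GUID + header + one signature
    return (EFI_CERT_X509_GUID.bytes_le + _HDR.pack(list_size, 0, sig_size)
            + owner.bytes_le + der_cert)


def parse_esl(blob: bytes) -> list[dict]:
    """Walk concatenated EFI_SIGNATURE_LISTs; one dict per signature entry."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 16 + _HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off + 16)
        end = off + list_size
        pos = off + 16 + _HDR.size + hdr_size    # skip the optional SignatureHeader
        if list_size < 16 + _HDR.size or end > len(blob) or pos > end:
            raise ValueError("bad SignatureListSize/SignatureHeaderSize")
        if sig_size < 16 or (end - pos) % sig_size:
            raise ValueError("SignatureSize does not divide the list body")
        while pos < end:
            data = blob[pos + 16:pos + sig_size]
            entries.append({
                "type": sig_type,
                "owner": uuid.UUID(bytes_le=blob[pos:pos + 16]),
                "data": data,
                "sha256": hashlib.sha256(data).hexdigest(),  # cert fingerprint
            })
            pos += sig_size
        off = end
    return entries


def parse_efivar(raw: bytes) -> list[dict]:
    """efivarfs files start with 4 bytes of variable attributes; the ESLs follow."""
    if len(raw) < 4:
        raise ValueError("efivar file too short")
    return parse_esl(raw[4:])


def enrolled_certs(var: str = "db") -> list[dict]:
    """Read PK/KEK/db/dbx from a running UEFI Linux system."""
    path = Path("/sys/firmware/efi/efivars") / f"{var}-{_VAR_GUID[var]}"
    return parse_efivar(path.read_bytes())


def sample_efivar() -> bytes:
    """Constructed efivarfs-style blob: attributes + two single-cert lists."""
    return (b"\x07\x00\x00\x00"
            + build_esl(SAMPLE_DER, SAMPLE_OWNER)
            + build_esl(SAMPLE_DER2, SAMPLE_OWNER))


if __name__ == "__main__":
    # Compare the fingerprints with: openssl x509 -in db.crt -noout -fingerprint -sha256
    for e in enrolled_certs("db"):
        print(e["type"], e["owner"], e["sha256"])
```

If db still lists certificates you did not enroll (for example the Microsoft UEFI CA next to your own), the "custom key" setup is not actually exclusive; the point of enrolling your own PK is that nothing else can be added without your signature.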
Thank you for this detailed and informative post.
-
"Not having some ancient piece of hardware" - Do you manually verify every piece of hardware in a laptop that you're interested in? If so, what resources do you use?
-
Memory encryption - Pardon my naivete, but why is it important beyond the context of cold boot attacks; and if it's that important, why would Apple choose to forgo it? Especially since it should be easy to implement given their other security features.
-
I've been using Dell for the last few years, but I've personally experienced a rash of hardware defects and now I'm considering alternatives. What are your thoughts on HP?
I'm somewhat glad the mods haven't shut down this thread yet, but it's snowballing into something that belongs in the restricted category (and this post doesn't help).
- Memory encryption - Pardon my naivete, but why is it important beyond the context of cold boot attacks;
Spectre and its cousins.
It would be great to have per-VM memory (and disk) encryption.
// Somewhat off-topic of the off-topic
FSF's values are not focused on privacy and security, but they do have incidental benefits by making code more auditable, making it possible for people to do in-house builds instead of trusting a separate build server (particularly important so long as most software is not reproducible), and insisting that the user gets to control the root of trust. This is why I have some amount of brand loyalty to Purism, even though I generally avoid brand loyalty: they developed the firmware required for the Librem Key (reskinned NitroKey) to authenticate the laptop in a way that the user can manage and set up boot drive authentication specifically so that the user controls which PGP keys are trusted. There is nothing that prevents this technology from being used in a traditional way - a distributor can ship laptops configured to trust the distributor's keys and tell customers not to replace them - but the technology would still let me choose whether or not to trust that distributor and change that decision at any arbitrary point in the future. Free software is not synonymous with security/privacy but they are related and as far as I can tell Purism does a better job of adhering to both than most companies (which is not to say that they are the only ones, I just see a lot of people hating on them while being entirely uncritical of others).
Which WiFi card should I be on the look for?
This is a point I have been looking for a way to ask on the Qubes forum. I have several old PCs whose performance could surely be easier on me with a more recent, faster WiFi card.
I guess nearly all of these come on a slow boat from China (I am in US) Which allows some of the major geo-political players a chance to tamper with WiFi card. Ha Ha Ha
I donāt see how this is relevant. UEFI Secure Boot can have vulnerabilities that lead to bypasses, but they are not botched conceptually. As long as you have Intel BootGuard/AMD Platform Secure Boot and your vendor ships regular firmware updates with fixes, you should be okay, at least in theory.
- "Not having some ancient piece of hardware" - Do you manually verify every piece of hardware in a laptop that you're interested in? If so, what resources do you use?
I just check for components via the vendor's website, CPU model on ark.intel.com, firmware updates on their own website and LVFS: Device List (fwupd.org), and so on. I don't manually verify everything because it is not always possible, but I have never had Dell or Lenovo give me a Wifi 4 Atheros card because of "freedom" on a modern laptop either.
Pardon my naivete, but why is it important beyond the context of cold boot attacks
Stuff like per VM memory encryption is really nice.
if it's that important, why would Apple choose to forgo it?
Or maybe it's just that they haven't implemented it. Even in Intel land, it is new technology - you need an Intel vPro Enterprise CPU, 12th gen and above. In AMD land, it has existed for longer, but you need to buy Ryzen Pro or Epyc CPUs for SEV.
At least, with Apple, the disk encryption key doesn't stay in RAM.
What are your thoughts on HP?
I took a quick cursory look at HP on LVFS - they do not seem to support nearly as many models as Dell and Lenovo, and they don't seem to release firmware updates as often either. I just lost all interest in HP from that point on.
Which WiFi card should I be on the look for?
I dunno, just whatever is reasonably new from a reputable vendor like Intel. They do give you firmware/driver updates.
I guess nearly all of these come on a slow boat from China (I am in US) Which allows some of the major geo-political players a chance to tamper with WiFi card. Ha Ha Ha
You are supposed to have an IOMMU to prevent the Wifi card from DMAing you. Enable Preboot DMA protection and kernel DMA protection support. Just double check that it is in its own IOMMU group and not in the same group with other sensitive stuff.
If you are using Qubes, be sure to add it to the Xen stub driver so that it is never initialized in dom0.
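The two checks in the answer above (own IOMMU group; bound to the stub driver, never initialised in dom0) can be read straight from sysfs, which is what lspci -k and the IOMMU group listings do. The following is an added example, not code from the forum post or from the Qubes project: it resolves the device's iommu_group and driver links under /sys, and reports a device as safe for passthrough only when it is alone in its group and bound to pciback (the name Xen's stub driver shows in "Kernel driver in use" in dom0). The sysfs tree it tests against is constructed in a temp directory so the script runs offline; on a real machine set SYSFS=/sys and pass the card's BDF.

```python
"""Check that a PCI device (e.g. the Wi-Fi card) is isolated and stubbed out.

Added example, not part of the original forum post. Assumptions: standard Linux
sysfs layout (/sys/bus/pci/devices/<bdf>/{iommu_group,driver} symlinks and
/sys/kernel/iommu_groups/<n>/devices/), and "pciback" as the stub driver name.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


def iommu_group(sysfs: Path, bdf: str) -> str | None:
    """Group number the device sits in, or None if it has none (IOMMU off/absent)."""
    link = sysfs / "bus" / "pci" / "devices" / bdf / "iommu_group"
    return link.resolve().name if link.exists() else None


def group_members(sysfs: Path, group: str) -> list[str]:
    """All BDFs sharing an IOMMU group; these cannot be isolated from each other."""
    d = sysfs / "kernel" / "iommu_groups" / group / "devices"
    return sorted(p.name for p in d.iterdir()) if d.is_dir() else []


def driver_of(sysfs: Path, bdf: str) -> str | None:
    """Kernel driver currently bound to the device, or None if unbound."""
    link = sysfs / "bus" / "pci" / "devices" / bdf / "driver"
    return link.resolve().name if link.exists() else None


def check_passthrough(sysfs: Path, bdf: str, stub: str = "pciback") -> tuple[bool, str]:
    """(ok, reason): ok only if alone in its IOMMU group and bound to the stub."""
    group = iommu_group(sysfs, bdf)
    if group is None:
        return False, f"{bdf}: no IOMMU group (IOMMU off/unsupported, or no such device)"
    others = [d for d in group_members(sysfs, group) if d != bdf]
    if others:
        return False, f"{bdf}: shares IOMMU group {group} with {', '.join(others)}"
    drv = driver_of(sysfs, bdf)
    if drv != stub:
        return False, f"{bdf}: alone in group {group} but bound to {drv}, not {stub}"
    return True, f"{bdf}: alone in group {group}, bound to {stub}"


def make_sample_sysfs() -> Path:
    """Constructed sysfs tree (not a real machine): 02:00.0 isolated under pciback
    (good); 03:00.0 and 03:00.1 share group 3 under iwlwifi (bad); 04:00.0 has no
    IOMMU group at all (bad)."""
    root = Path(tempfile.mkdtemp(prefix="fake-sysfs-"))
    layout = {  # bdf -> (iommu group or None, driver or None)
        "0000:02:00.0": ("12", "pciback"),
        "0000:03:00.0": ("3", "iwlwifi"),
        "0000:03:00.1": ("3", "iwlwifi"),
        "0000:04:00.0": (None, None),
    }
    for bdf, (group, drv) in layout.items():
        dev = root / "bus" / "pci" / "devices" / bdf
        dev.mkdir(parents=True)
        if group:
            gdir = root / "kernel" / "iommu_groups" / group / "devices"
            gdir.mkdir(parents=True, exist_ok=True)
            os.symlink(gdir.parent, dev / "iommu_group")   # device -> its group
            os.symlink(dev, gdir / bdf)                     # group -> its device
        if drv:
            ddir = root / "bus" / "pci" / "drivers" / drv
            ddir.mkdir(parents=True, exist_ok=True)
            os.symlink(ddir, dev / "driver")
    return root


if __name__ == "__main__":
    import sys
    sysfs = Path(os.environ.get("SYSFS", "/sys"))
    for bdf in sys.argv[1:] or ["0000:02:00.0"]:
        print(check_passthrough(sysfs, bdf)[1])
```

A device that shares a group with, say, the SATA controller or a USB host controller fails the check even though passthrough would "work": Xen can only isolate at group granularity, so the whole group would have to go to sys-net together.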
What is the exact model of the Wifi card that Purism uses?
Yeah, you are getting misled big time.
They do have incidental benefits by making code more auditable, making it possible for people to do in-house builds instead of trusting a separate build server
This only means something if the following are true:
- The firmware design and implementation are actually secure to begin with
- People actually read the code, check the code changes every update, and apply them in a timely manner.
Let's see how it works out in reality...
Insisting that the user gets to control the root of trust
This is the problem. Where is the root of trust with Pureboot/Heads? It doesn't exist. Refer to this link: https://forum.qubes-os.org/t/how-exactly-is-heads-pureboot-secure/23092
Nothing is stopping an attacker from flashing malicious firmware that will just lie about the measurements to the TPM. In a normal laptop, Boot Guard will prevent malicious firmware from being flashed, but this means that you need to trust the laptop vendor and they control the root of trust.
If you really want the user to control the root of trust, you will need to somehow provide them with a way to enroll their key into the PCH with an eFuse... That way, they can have BootGuard with their own key. This is not what Purism is doing though. Oh, and BootGuard is proprietary Intel technology, so I doubt their FSF ideology even allows for it.
they developed the firmware required for the Librem Key (reskinned NitroKey) to authenticate the laptop in a way that the user can manage and set up boot drive authentication specifically so that the user controls which PGP keys are trusted.
This does not work even conceptually because of the reason I mentioned above. But even if we were to ignore that - an attacker with access to both the key and the laptop will be able to fool you anyway. They will just replace the GPG key on the key and sign their malicious firmware with that key. You need to fall back to TOTP or something and not actually use the PGP key.
a distributor can ship laptops configured to trust the distributorās keys and tell customers not to replace them - but the technology would still let me choose whether or not to trust that distributor and change that decision at any arbitrary point in the future
No, because the keys are not supposed to be replaceable - that would defeat the whole security model. After a key is enrolled, an eFuse should be blown, and it should be impossible to change the key from that point on.
Free software is not synonymous with security/privacy but they are related and as far as I can tell Purism does a better job of adhering to both than most companies
They do a much worse job than Dell and Lenovo with proprietary firmware.
This is not to mention the stupid RYF certification mandates that they do not ship any proprietary firmware updates in their OS, and they even go out of their way to select stupid things like ancient Wifi cards with no firmware updates.
Atheros AR9462
This is literally freedumb tier stuff.
This is almost the same stuff Nova Custom puts a giant warning on when you try to order a "blob free" card that is definitely not blob free:
Of course it is