A list of inexpensive hardware for experimenting with Qubes for a newcomer. That is, some business people might find it easier to spend a few hundred dollars to acquire a laptop that will run Qubes (perhaps not fast, maybe not all the RAM that would be nice to have) and that laptop not be configured to be the most secure (Heads, for instance - Heads being the term used to verify the computer has not been tampered with by using a special installed BIOS/EFI together with a specialized USB key, like Nitrokey or Librem Key).
If the experimenter understands that this laptop will not be the most secure possible, and is willing to accept slow response time.
And the experimenter, like some business people, can afford a learning investment. Then I feel that - some inexpensive, used, (I am thinking renewed - which is the Amazon speak for having undergone an inspection for functionality, maybe have heat sink reset) laptops.
For the experimenter, rather than rushing off to do all the upgrades, just learn Qubes. Things like, leave the RAM at 8 GB, enough to run Qubes OS.
Recognizing whatever the experimenter decides, to buy a better laptop, or to give up. This laptop could still be a gift to another person, perhaps with a different Operating System than Qubes. The other OS will not need more than 8GB RAM, or a larger SSD.
Experimenter should realize that while doing this experimentation, their efforts using Qubes can be detected by groups who watch the internet.
The experimenters list: As I said, low cost.
I think everyone would put on the list, Lenovo X-230, with at least 8 GB RAM.
After taking Qubes OS off, if you decided to, this would be an easy one to give to a child, as it is small and durable. Install either Windows, or Ubuntu. Or both.
I lack the experience, and expertise to create an “Experimenters List” of low cost hardware, to use in learning Qubes.
Again, this will not be the most secure version of Qubes in use, but could be useful for someone who wants to get up to speed with Qubes.
Any Thinkpad laptop series X or T that is an “Intel Core” something (not Core 2 Duo) should do the trick.
Endless OS should be considered too, it’s really hard to break + auto manage itself with auto updates and possible rollback, the UI looks like a smartphone so people used to smartphones and not computers are feeling confident very fast, and you can load a lot of educative or offline content.
The Endless company behind it makes this OS for computers used in Africa and areas where people don’t have constant internet access, so that’s why you could load a full Wikipedia or class courses on it.
I must say that I am absolutely sure there would be too few people out there “to experiment”.
There are only 2 situations that will make people use the Qubes as I see it:
They have to (one way or another).
They’re strongly willing to.
At some point we all had to learn our first OS. And we forgot how hard it was. But, we had to, right? So, my children started with Qubes. And, for them it was under 1. They don’t know what Qubes or Windows is. I am so happy they will have hard times trying Windows at some point and finding it “hard and meaningless to use” eventually giving up on it. As long as I am able to, I’ll provide them with a Qubes fully setup for their use (just like other OS do, especially Windows and Apple), so that is what will make them stick to Qubes, until they’re grown enough to be explained in detail why they have to use it. Beat other OS with their weapon.
What is truly needed for the OS to become a more useful, implementable, while staying secure OS is that there must be a lot more money donated to develop and test Qubes. (guessing here, I don’t actually know what the developers feel or think.)
Those in the best position to donate: Then the groups which must choose to use Qubes need to be individuals, or companies who need the security features for Qubes. Business People. Bankers. Lawyers (gag). Financial sector. Sales People. People who handle the inventories and livelihoods of business companies. There was a recent news story about our local Regional hospital/clinic chain being hacked. Not just records stolen, but the system of medical information being unusable for patients already in Hospital, waiting in clinics. The cyber Security experts in the hospital need to be using Qubes OS as a desktop, even if Qubes is not implemented throughout the entire hospital system.
While Journalists may say they need a secure OS, a lot of News Organizations are either owned by rich powerful interest groups. And the group of Investigative Journalists who are more likely amateurs, ordinary people who see wrongdoing, and speak about their experiences on Social Media, Blogs. Actually that does not require high security, because they have already taken the risk.
Those who want to be Confidential Informants to the rest of this world, should confine themselves to end to end encryption. Tails being one hope that it is secure. Consider though, if you want to give information to a news organization, it must affect their interest, by making them money. Or it is like reporting to the government that a company is cheating on a contract.
Somewhere. Money must be the driving motive in anyone caring about the report of a Confidential Informant.
If an authoritarian government kills so many of its citizens in six months. That is barely a footnote. Even if the government admits the executions, and then claims it is due process of law, or an accident. (such as: Person was in custody and somehow managed to die. Not the will of the government) Still it is, in today’s world, only a footnote that is less important than what dress was worn by what movie star. Or the big musician getting a divorce.
It is about money. Either Qubes OS gets better, or it is only a toolkit for a bunch of fan boys (girls are especially welcome in the club)… But Qubes does not become easier to use. Developers need money for their efforts. I am sure they have lives, families. Money can make life easier for them, and solve problems which otherwise take up the personal hours of those who keep Qubes current. I am guessing that our current group experts, know of very competent people who could contribute, but, they need to be paid, they need hardware.
I did not use the words, beginner or newbie, to Qubes OS was a good term for someone who was successful in business. I feel sure, most of those experienced in using Qubes a little, already know which computers, in their environment can be acquired at a fairly low dollar cost. I want to see the entry to Qubes as easy as possible.
I suspect many come here just being curious. Some feel they must have the most secure possible setup. (I am sure many would say, how the user uses the OS is as important.) As they say, in the old days of code breaking (when code breaking was easier to do), codes are often broken in practice, not in theory.
Today, “Social Hacks,” and malware make it possible to steal passwords to encryption programs, which mathematicians say are unbreakable. “Operational Security” being as important as the equipment and OS one uses.
My point being, some come here, feeling: I have to get a computer that is as safe as possible, Firmware as much as OS. Leaving them to either want to buy the Qubes Certified Computers, or learn to hardware flash a laptop.
I wanted an easy hardware list for a business person to more easily grasp how to handle Qubes. Someone, unlike me, (I am really financially poor)
After they grasp the basic concept of spinning up a Qube to get a whole new clean, malware free OS, to work with, then they might move on to more expensive hardware. Some place, to keep from having to spend their own hours reading, they might pay a bounty to have a particular third party software installed.
In my small town, I have heard there are medical doctors whose hobby is flying small planes. Just for exhilaration. Paying hundreds of dollars for a morning or afternoon - taking a small plane out. I think there are those in the world, who are far better off financially than I am. Who might choose to experiment with Qubes, but not if the entry fee is a two thousand dollar laptop, as well as a lot of time. A three hundred dollar laptop, tolerating a bit of slowness. Hmm.
If you can suggest a better way to make the use of Qubes easier to start than that group. Please let us hear from you.
I am neither willing to spend a lot of money on the latest hardware nor do I want to upgrade my stuff all the time. That’s why I am using low budget stuff from the second-hand market.
Over the years I have accumulated a handful of laptops and flashing tools for coreboot. I started with libreboot and Parabola, failed to get the first versions of Qubes running on an old Siemens laptop (vt-x and vt-d were all Greek to me back then).
So, if you’re willing to experiment, get some flashing tools and start tinkering. Used tools can be bought for a song. For example, an old Raspberry Pi costs 10 bucks or less.
Regarding laptops the Lenovo G505s with an A10 AMD is best suited for experimenting because after flashing it is almost 100% open source (put in an Atheros Wifi module) - no Intel ME/ AMD PSP.
You can flash it by either taking it apart and flashing the BIOS chip or if you’re lazy & still able to work very concentrated you could also carefully cut a hole into the plastic that is covering the BIOS chip with a hot knife and flash it without needing to take the whole thing apart. I’ve done it both ways and both laptops are still working (years after flashing). Once flashed with coreboot, updating coreboot can be done internally. Only if this fails it has to be flashed externally again. Then the little window mode is much faster. You could apply something in order to close the window again…whatever you want. The advantage of cheap stuff is that it doesn’t hurt so much when breaking it. I still hate it so it never happened for me this way, there were only natural causes of death like thunderstorm accidents.
The laptop usually costs around 100 $/€ but if you’re lucky it can be even cheaper. I bought one for 30€ and it was like new (it was advertised as dead but after flashing it came back from the dead). The other cost me 120€. There are different versions of the A10 with different discrete GPUs, the HD-8570M and the R5-M230. Both have 2GB and both work. With 16GB of RAM this laptop works very well with Qubes. It isn’t the fastest (just search for G505s, I’ve written down some startup times a while ago).
Another Thinkpad that works very well with Qubes is the T420, with or without coreboot. Also cheap, around 100-150.
I also tried out other laptops which don’t fulfill all requirements for Qubes, for example the Lenovo W510. It works with Qubes 4.2 but it lacks interrupt remapping. You can put 32GB of RAM in but you have to try the memory slots one by one. I think it’s best to start with the two below the keyboard because the two on the back are easily accessible. When the laptop is starting with 16GB below the keyboard it should work with the other modules as well. The thing is, if you put in all at once and the BIOS is complaining with a beep signal then you have to start over anyways.
I read a little about interrupt remapping and I think it does mean that without it Qubes lacks some layer of isolation but I don’t know the gravity of it.
I guess, for private use or experimenting it shouldn’t be the biggest problem, should it?
Another thing I noticed is the NVIDIA Quadro and sys-gui-gpu is working out of the box. Well, I don’t know if it’s working as it should because apart from trying out some stuff I didn’t do much. What I mean is, I set up sys-gui-gpu and put my Quadro card + HDMI in sys-gui-gpu, reboot and it boots into sys-gui-gpu. By today’s standards the graphic card is anything but fancy, 1GB, but maybe it could bring some performance improvement. I know it does with other systems. I didn’t test much because I had trouble with how to deal with dom0 tasks in sys-gui-gpu, so I didn’t inquire much further if the graphic card is even recognized/made use of. Well, I tried, installed proprietary drivers but then I got stuck because of some nouveau/nvidia intolerance. I know that one of both has to be blacklisted at boot level in order to not mess things up but in connection with sys-gui-gpu, I failed to make progress until I lacked motivation.
Maybe for experimenting this laptop would also be okay. It shouldn’t cost much more than around 150, of course, you probably won’t find it with lots of RAM. I had several modules for all my laptops so it wasn’t hard to max out at 32 GB.
Thank you for the excellent post and your support! Btw in addition to G505S, there are a couple of desktop coreboot-supported AMD-no-PSP boards like A88XM-E - their freedom/security level is as good as G505S and might be even easier to play with them. My “G505S hacking” coreboot instructions work for A88XM-E almost as-is, and although no-one has submitted a Qubes HCL for it - it should be fine too: both have a working IOMMU thanks to coreboot and their firmware source code is really similar
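The thread mentions VT-x, VT-d/IOMMU and interrupt remapping as the features a cheap laptop may or may not have. The script below is an added example, not part of any post above: it classifies a candidate machine from the CPU flags line of `/proc/cpuinfo` and from boot-log text (`dmesg` on a live Linux stick, or `xl dmesg` in dom0). The sample inputs are constructed, and the log patterns are assumptions based on the wording Linux and Xen commonly print, which varies between versions.

```shell
#!/bin/sh
# Added example: classify a candidate laptop for Qubes experimentation.
# Log patterns below are assumptions; message wording differs by version.

# has_virt "<cpu flags>": succeeds if VT-x (vmx) or AMD-V (svm) is advertised.
has_virt() {
    case " $1 " in
        *" vmx "*|*" svm "*) return 0 ;;
    esac
    return 1
}

# has_iommu "<boot log>": succeeds if VT-d / AMD-Vi was brought up.
has_iommu() {
    printf '%s\n' "$1" |
        grep -Eq 'DMAR: IOMMU enabled|AMD-Vi: Found IOMMU|I/O virtualisation enabled'
}

# has_irq_remap "<boot log>": succeeds only on a positive "enabled" message,
# so "Interrupt Remapping not enabled" is treated as missing.
has_irq_remap() {
    printf '%s\n' "$1" |
        grep -Eq 'DMAR-IR: Enabled IRQ remapping|Interrupt [Rr]emapping enabled'
}

# classify "<cpu flags>" "<boot log>": prints the first missing feature, or "ok".
classify() {
    has_virt "$1"      || { echo "no-virt"; return; }
    has_iommu "$2"     || { echo "no-iommu"; return; }
    has_irq_remap "$2" || { echo "no-interrupt-remapping"; return; }
    echo "ok"
}

# Constructed sample inputs (not taken from any real machine).
SAMPLE_FLAGS="fpu vme de pse tsc msr vmx est tm2 ssse3"
SAMPLE_LOG_OK="(XEN) Intel VT-d Interrupt Remapping enabled.
(XEN) I/O virtualisation enabled"
SAMPLE_LOG_NOIR="(XEN) Intel VT-d Interrupt Remapping not enabled.
(XEN) I/O virtualisation enabled"

echo "full feature set:        $(classify "$SAMPLE_FLAGS" "$SAMPLE_LOG_OK")"
echo "IOMMU, no IRQ remapping: $(classify "$SAMPLE_FLAGS" "$SAMPLE_LOG_NOIR")"
echo "no boot log evidence:    $(classify "$SAMPLE_FLAGS" "")"
```

On a real machine, pass `"$(grep -m1 '^flags' /proc/cpuinfo)"` and `"$(dmesg)"` as the two arguments; a result of `no-interrupt-remapping` corresponds to the situation described for the W510 above.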