The Qubes certified hardware laptops all come with Qubes pre-installed.
The NitroKey laptops can come with a different OS installed, but the Insurgo cannot; it only comes with Qubes pre-installed.
People seem to suggest Insurgo over NitroKey, and even on Qubes’ certified hardware page, it says the Insurgo “meets and exceeds” the requirements, while the NitroKey laptops “satisfy” the requirements.
With the common goal in cryptography and FOSS software being to not unnecessarily trust without verifying, is it a concern that Qubes comes pre-installed and you aren’t verifying it and downloading it yourself?
is it a concern that Qubes comes pre-installed and you aren’t verifying it and downloading it yourself?
It is a convenience targeted at users that are uncomfortable doing an install themselves. As with everything, there are levels. You could mod the ThinkPad yourself, build and flash Heads and then install Qubes OS. There will be a step by step guide published soon (working on it with @Plexus). I have all the parts here and will photograph every step.
If that’s too much work, you can buy a certified laptop and just download / reinstall Qubes OS yourself. While doing that you’ll also replace all the secrets stored in the TPM.
Or if you are not comfortable doing that and just want a Qubes OS install that works and get started doing whatever your actual work is … you can get a certified laptop and run through the reowning wizard to exchange the secrets (passwords, keys) with your own.
Each step / level away from complexity towards convenience is a little less ideal from a trust/security perspective. That’s a very normal thing when it comes to security.
If someone is unable to install Qubes, they are likely going to have more problems maintaining it and making practical use of it. Sure, options are good, but most Qubes users would likely opt to do it themselves. It’s not just the improved security but the benefit of getting everything set up the way they want. It also seems like a tech support nightmare to market preinstalled Qubes and Linux distros on custom built machines to new users. At least if the customer installs it, they can’t argue that someone else screwed something up. Have you read some of the posts on the Purism forum? I’m not sure the old Apple slogan “It just works.” will ever apply. Linux is more of an “I just made it work” type of experience.
If you trust the vendor with their hardware, why wouldn’t you also trust them to install software for you? I can only think about possible interdiction on the way to you. Some vendors offer anti-interdiction services to avoid this.
Thanks for the info, that makes a lot of sense. I’m excited to see the guide you will be publishing soon, thanks for doing that!
Could you explain more about the middle option: buying a certified laptop with Qubes pre-installed and then downloading and reinstalling Qubes?
Sorry for the stupid question, but what are the consequences of doing that after running through the reowning wizard? The passwords/keys will no longer be stored in the TPM? Does that mean the anti-evil maid will no longer work, or what are the consequences exactly?
Re-owning and reinstalling are different. Re-owning is when you set your own disk encryption password and user info into an OS that has already been installed. As @fsflover mentioned, if you trust the company enough to make your laptop, you should be able to trust them enough to install the OS - but you should never trust someone to hold the keys and passphrases to your system.
Once you “re-own” and personalize your system, you can tinker with it, see what it “should” look like and when you inevitably screw something up and decide that you want to start clean, just reinstall Qubes.
Whether re-owning or reinstalling, if you are using a Nitrokey/Librem Key or using other anti-tampering measures, you will need to re-sign and configure a few things to establish a new baseline to compare for unauthorized changes.
@Plexus was working privately on an instruction and allowed me to see / cooperate. I then started telling people about it and created an expectation.
Meanwhile there were changes in @Plexus’ life and he seems to not have the bandwidth currently to work on this. And since it is his work I can’t just take his stuff and share it widely. Also I don’t have the bandwidth currently to make a new walkthrough on my own that wouldn’t just be a thinly veiled copy of @Plexus’ original.