Librem 15, NitroPad X230, more?

Hi,

I’m searching for hardware for Qubes OS which has some hardening like Nitro or Librem.

The problem with Librem is that they are not offering the German keyboard layout. It’s not good for all-day use. The great thing is that you get the hardware switches!

The problem with NitroPad is that the hardware is rather slow.

So is there any other solution (better with hardware switches) with fast and hardened open source hard-/software for the German market?

The problem with any idea of such “hardened laptops” is that they all talk about open source solutions for booting and checking the boot process and also talk about blocking the Intel ME engine and so on… but the problem is that there are more engines and more firmware that cannot be controlled. So what’s the point of such “security”?

best regards
qun

I think I have seen German keyboards on Librem. Having a 15 inch sale at the end of the year, and about to release a new 14 inch.

Directly ask what Librem might do for you.

Had terrible experiences with the OS and the Key. Check return policy and ask for clear signed emails. This is a personal experience and maybe there are tens of millions of “satisfied” customers. You can check this forum about the Key for a message that Qubes is not supported. Search Nitrokey or Librem Key here first! I can sell you an intercepted Librem Key for just shipping.

Already contacted Librem, but they don’t sell German layouts anymore.

@noti2p: thanks, I’ll do it.

I find the X230 is a stalwart little workhorse. I combine it with Heads firmware, Yubikey, ME neutering and the highest spec processor with good RAM. It’s not going to be a gamer’s workhorse, but it does very well for what it’s supposed to. And I’m pretty sure the DE keyboards wouldn’t be hard to find.

The highest CPU is i7-3520M and 16GB RAM, isn’t it?
Sure… for all-day work it’s enough… hmm…

@qun yes, that’s the highest processor, though I’ve owned a few and I really find very little in terms of horsepower between i5-3360M and i7-3520M. Max RAM is 16GB DDR3/1600.

As a reasonably secure little machine (when used with Heads/Yubikey/Qubes OS) I find they can easily be used for browsing tasks, terminals etc. and perform well from SSDs. I have always found them very capable and I am a fan of the hardware Wi-Fi kill switch. Though I do personally remove the entire Bluetooth module when I am in with a SOIC clip on the EEPROM chips.

I use an X230 i7, 2.9 GHz and 16GB. It runs three qubes if you don’t do a lot in them, but it runs two comfortably. It really hasn’t missed a beat since I’ve had it, now going on six months.

Alternatively I have two Dells, i5 16GB E-6430 and E-6530, that both run Qubes as well as the Lenovo. Although these laptops are older I’m very happy with them.

Purism are very firm that their laptops are Qubes friendly and will run Qubes. I think that they will even ship it with Qubes. I may be wrong on that but I think that they do. My one caveat with Purism is that there are a few issues with their laptops that you can dig out via their forums. Poor, and I mean poor, Wi-Fi, crappy hinges that have attracted multiple complaints, and inconsistent service and poor access to parts. Purism are trying to do a good thing but have some issues.

You might also want to consider System76 who do Qubes friendly laptops.


Today another screw-up from Nitrokey that does not work with GnuPG!

I can’t help you if you choose to believe…

I did not have enough time to spend on the System76 Java BIOS. Overall it appears to be nothing special. Pop!_OS is Ubuntu.
You probably heard it before! Build your own or at least supervise…

I think the X230 will not be enough.

What is this System76 thing about? Never heard of that.
Does it have a Java BIOS? I see some of them with coreboot.

But what I am also asking is: where is the real advantage of coreboot, Heads, Yubikey and cutting the Intel ME, if you have more Intel engines in modern CPUs which are closed source?

Not enough for what?
You’re looking for a jack-of-all-trades device; that’s more wishful thinking than reality. At least to my knowledge.

When talking about the latest, fastest and fanciest gadgets available there usually are trade-offs to be made with regard to security.

Who are they and what engines are you talking about?

There are plenty of explanations out there explaining what each item of your listing is doing. There is no magic involved.

You should ask yourself what matters most to you and where to make compromises. You’d probably need to read more about these topics in order to make an informed decision.


“I use an x-230 i7, 2.9 GHz and 16gb. It runs three qubes if you don’t
do a lot in them, but it runs two comfortably.”

I’m sitting on an x220 i5, 16GB RAM. Currently running 15 qubes
comfortably on KDE. One of them is a caching proxy, and I’m updating
templates as I write, with another building Qubes in the background.

I’ve spent some time trimming memory, which imo works better than the
Qubes memory management out of the box. Also, I tend not to use YouTube
etc, although I do have a disposable vlc player running.

There’s been extensive discussion in the past about the merits/demerits
of Purism - as a marketing exercise it’s been fantastically successful.
System76 are (still, I think) rebadged Clevo machines which you can find
much cheaper. You’ll find regular claims from System76 about the amount
of work they put in to them, but the Clevo I had was almost
indistinguishable from the equivalent System76 machine.
All of these are fine, but for solid working machines at bargain prices
I don’t think you can beat Lenovo.

When I say three qubes, that is three open at once. I’m sure you don’t mean 15 qubes open at once! I haven’t counted the number of qubes I have but it’s probably around the number you run.
I agree that the Lenovos, although older, are a solid choice.

You can easily run 16 VMs at once on X230-generation laptops. They support up to 16GB of RAM, so 16 VMs using an average of 1GB per VM is not unreasonable.

They’re really trustworthy machines, with open source firmware available (coreboot with very few blobs, fewer than the coreboot in Purism/System76 laptops). Though one major drawback is that Intel no longer releases microcode updates for this generation. So they could be permanently vulnerable to a future Intel Spectre issue that can only be fixed by microcode.

I do mean that - 17 right now, but a number are service qubes with no
open windows and minimal allocated memory.
I use shutdown-idle extensively, and many DisposableVMs, so I don’t
need to worry about shutting qubes down: they just get out of the way
when I’m finished with them.
Also, I force qube windows to KDE Activities, to help with separation between
domains, and minimise risk of accidental cross bleeding. Can’t recommend
this enough, for 3 or 30 qubes.

Sure, I do not understand much about such special things about hardware/firmware and should read more about it.

Here is a comment I read about Purism (it’s directly translated with DeepL):
"The main point of criticism on my part is the reference to privacy being respected. In my opinion, this is simply not given (even if this is only partly Purism’s fault). The devices use modern Intel processors, all of which not only have a (non-effectively paralyzable) management engine (Intel ME) on board, which in principle allows unnoticed, privileged access from the outside, is closed source mystery binary, and due to the fact that it was signed by Intel, only Intel owns the private key, and there is no open signing process, cannot be replaced by an open source version either… They also require another set of proprietary firmware (video BIOS, microcode, etc.) where similar problems exist…

The coreboot used by Purism is all well and good - however, this loads the closed source mystery binaries (has to do that too) so that the machine can be used at all… Effective paralysis of ME & Co. belongs today rather in the area of an urban legend. The computer wouldn’t boot if the ME was tamped and if it isn’t, it can’t be trusted - it runs as its own mini operating system on its own core and can’t be controlled from outside - it communicates with network hardware, has DMA, can access mass storage etc… God (and Intel) knows what all happens in there and what is possible with it and who can also possibly log in to it undesirably…"

I think you can understand the points better than I can.

I was talking about how many qubes open. Sorry, cross purposes. I can have three qubes open and use them providing I’m not doing too much that is heavy.

I understand that, but I don’t understand why you face this constraint,
or what problems you really face, or what “heavy” means.
I assume that you mean by “open”, “have a window open” - but I still
don’t understand. As I say I have a less capable machine and have far
more “open qubes” without problems.
Do you have a fast SSD? That really helps.

Some things you could try:
Limit the memory given to dom0 by editing the grub kernel command line,
to include dom0_mem=max:2048M
Limit the memory for sys-net, sys-firewall, and other service qubes to
400M - better, use the Mirage firewall.
In fact, limit the memory for all your qubes, except those which are
doing “heavy” work.
Sometimes you may find that Debian runs better than Fedora with limited
RAM, or vice-versa.

If RAM is an issue, then use the shutdown-idle service, trimmed as short
as you can push it, to get rid of idle qubes.
This will help even if “heavy” means, e.g., serious AI, or 3D manipulation,
or image reconstruction.
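
The trimming steps in the post above (cap dom0 memory via the grub configuration, cap service qubes at 400M, enable shutdown-idle), written out as a dom0 shell script. This is an added example and not any poster's own commands. It assumes Qubes 4.x, where dom0_mem is a Xen option carried in GRUB_CMDLINE_XEN_DEFAULT of /etc/default/grub (the post calls it the kernel command line), legacy BIOS boot (so grub2-mkconfig regenerates /boot/grub2/grub.cfg), and the qvm-prefs / qvm-service tools. The qube names and the DRY_RUN switch are assumptions; with DRY_RUN=1 (the default here) it only prints the dom0 commands and edits a constructed copy of the grub file, never the real one.

```shell
#!/bin/sh
# Added example (not from the thread): script the memory trimming described above.
# Assumptions: Qubes 4.x dom0, /etc/default/grub with GRUB_CMDLINE_XEN_DEFAULT,
# legacy BIOS boot, qvm-prefs and qvm-service available. DRY_RUN=1 prints only.
set -eu
DRY_RUN=${DRY_RUN:-1}

# Run a dom0 command, or just print it when DRY_RUN=1.
run_dom0() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Idempotently set dom0_mem=max:<MB>M in GRUB_CMDLINE_XEN_DEFAULT of the given
# grub defaults file: drop any existing max: token, append the new one, and
# print the resulting line so the caller can verify it.
set_dom0_mem() {
    grub_file=$1
    mem_mb=$2
    tmp="$grub_file.tmp"
    # Make sure the Xen line exists at all before editing it.
    grep -q '^GRUB_CMDLINE_XEN_DEFAULT=' "$grub_file" || \
        printf 'GRUB_CMDLINE_XEN_DEFAULT=""\n' >> "$grub_file"
    sed -E \
        -e "/^GRUB_CMDLINE_XEN_DEFAULT=/s/ ?dom0_mem=max:[^ \"]*//g" \
        -e "/^GRUB_CMDLINE_XEN_DEFAULT=/s/\"[[:space:]]*$/ dom0_mem=max:${mem_mb}M\"/" \
        -e "/^GRUB_CMDLINE_XEN_DEFAULT=/s/=\" /=\"/" \
        "$grub_file" > "$tmp" && mv "$tmp" "$grub_file"
    grep '^GRUB_CMDLINE_XEN_DEFAULT=' "$grub_file"
}

# Cap the memory of each named qube at <MB> and enable shutdown-idle on it,
# so idle service qubes give their RAM back instead of sitting on it.
trim_service_qubes() {
    mem_mb=$1
    shift
    for qube in "$@"; do
        run_dom0 qvm-prefs "$qube" maxmem "$mem_mb"
        run_dom0 qvm-service --enable "$qube" shutdown-idle
    done
}

# Stand-alone demo on a constructed copy of /etc/default/grub (not the real file).
demo_grub=$(mktemp)
printf '%s\n' 'GRUB_CMDLINE_LINUX="rhgb quiet"' \
    'GRUB_CMDLINE_XEN_DEFAULT="console=none dom0_mem=min:1024M dom0_mem=max:4096M"' \
    > "$demo_grub"
set_dom0_mem "$demo_grub" 2048
trim_service_qubes 400 sys-net sys-firewall sys-usb   # placeholder qube names
run_dom0 grub2-mkconfig -o /boot/grub2/grub.cfg      # assumption: legacy BIOS boot
rm -f "$demo_grub"
```

To apply it for real, run it in dom0 against /etc/default/grub with DRY_RUN=0 and reboot; the only line the script touches is GRUB_CMDLINE_XEN_DEFAULT, so the Linux kernel line and any dom0_mem=min: token stay as they were.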

I don’t know how much more clearly I can describe it. I understand the difference between having a VM running vs having a VM open as a qube. I’m saying that if I have two VMs open as qubes (I may have any number of other VMs running in the background but not launched) with my 230 I can run pretty much what I want. So, if for example I’m web surfing on one with heaps of tabs open, listening to some music and maybe editing some photo stuff, then these two will function well. Depending on what I am doing, if I go to launch another VM to give me three VMs open as qubes, it may tell me that there are insufficient resources to open up a third qube. If I cut back on some of my activities in the others it will quite often open the third one. If I then ramp up what I’m doing, things slow down. In reality two qubes is enough open at any one time.

I understand the Fedora/Debian thing and I run a mix of things.

Does that make sense?

I do thank you for your input however. It is appreciated.

I’m sorry, I don’t understand what you mean by “open as qubes” or
“running but not launched”.
Your experience is so far from mine, on this and every other x220 or
x230 I’ve used, that I would be looking at hardware issues, if it were
my x230.