OEM vs. ISO in the context of security

Hello guys,

I would like to ask if you know what the difference is between the ISO (downloadable here: Download Qubes OS | Qubes OS) and the OEM (downloadable, for example, here: Index of /files/ci/nitropad/qubes-oem). If I understand correctly, you can’t install the ISO on the corebooted device, but you have to use the OEM? What are the security implications? Is the OEM less secure? (We only have the ability to verify the checksum and not the digital signature as with the ISO, we have to rely on the OEM not having been backdoored, etc.) Is there a plan to update coreboot so that a regular ISO can be installed?

Thank you

The Nitropad OEM is probably a special version from Nitrokey in Berlin (Germany), which they use for their hardware. It is available for users/customers who bought their hardware in the past and need to reinstall QubesOS in any way.
I assume the new 4.1 OEM release will appear there ASAP, when they start to sell their hardware with the new QubesOS version.

If you’re not using a Nitrokey product, I would suggest downloading an ISO file from Qubes-OS.org.


Thank you for your reply. What is the specific difference between ISO and OEM? Why is the OEM not issued directly by Qubes and has to be prepared by a 3rd party? Is Nitrokey trustworthy that their OEM is not backdoored? Do we have any way to verify authenticity (as with ISO’s digital signature)?

An OEM is always a special release by an original firm or a 3rd party. From what I know of Nitrokey, I would trust them for the time being, unless someone tells me something different. I also trust them because I’m running a product from them (Nitro-PC with QubesOS on it) - guess I don’t have a chance to do the opposite :)

But I wouldn’t use their OEM version for any other hardware that isn’t from them (a System76 laptop, for example). Then I would always use the original Qubes-OS ISO or some OEM version from System76, I guess.

I also think there isn’t any specific difference between the original ISO and an OEM except for the removal of some drivers or other software, which is included in the original ISO but not needed in this special OEM for a special product from a firm.


Thank you!