Picking a machine

FollowTheRabbit · March 22, 2023, 10:14pm

Hi all,

I’ve decided that I am moving away from the apple Eco-system. I am currently looking for a laptop to run Qubes on as I am in favor of maximum security after being exploited in the past.

After reviewing the supported devices, I seem to have decided upon:

Lenovo ThinkPad P51 15.6" - i7-6th - 16GBRAM - 256 SSD
Lenovo ThinkPad P50 Core I7 6820HQ 2.70GHz 15" Laptop 16GB/256GB

Currently I have a budge of 300-400 euros.
I am shopping the second hand market.

I intended on using the machine for:
Programming (vscode)
Possibly MS Teams?
YouTube
Tor
XMR Wallet

My question is are these devices suitable? And is there anything else I should be looking for? or should these do the trick.

Thanks for any advice

Disposable · March 22, 2023, 10:31pm

I am not the best person to recommend … but I would start here

good luck

FollowTheRabbit · March 22, 2023, 10:35pm

Thanks!
I don’t mind tinkering to get it to work, but worried I pick something that doesn’t work in certain aspects or worse not at all.

T430 seems to be the favorite in here.

vxc · March 23, 2023, 4:39pm

If you’re set on Qubes or your threat model requires it, I’d recommend a T480 with 32-64GB RAM. Qubes won’t prevent you from getting exploited but may help mitigate being exploited. I’d actually recommend against Qubes if you’re planning to consume video. It might be better to run a “regular” OS and learn good security practices instead.

kate.mason · March 23, 2023, 6:17pm

on 16GB, if the system overloaded, In my experience MS Teams video conference calls cause the whole system lag, audio, choppy and your own voice because choppy too.

I would recommend a 32GB machine, if you can find it.

FollowTheRabbit · March 23, 2023, 7:52pm

Ended up going for the T450 with 32GB RAM.

Thanks for the help y’all.

renehoj · March 23, 2023, 8:39pm

Don’t get the T450, get the T480 with the 8th gen CPU. There is not much difference in price, and you get an 4 core CPU.

catacombs · March 23, 2023, 8:52pm

Any info with T480 and: Core Boot? Or Trench Boot? Or Heads?

renehoj · March 23, 2023, 8:57pm

I don’t think Trenchboot currently works with any laptop.

Coreboot/Heads doesn’t work on any ThinkPad after the T430/T440p and X230.

FollowTheRabbit · March 23, 2023, 10:42pm

Thanks, looking just now. Do you know if its easy to repair/clean the t480 housing?

Also should I get the T480s if I can get it for the same price opposed to the T480?

renehoj · March 24, 2023, 7:51am

Isopropanol doesn’t damage the ThinkPad rubber coating, it’s normally what people use to clean them.

If the chassis is damaged and needs repair I wouldn’t buy it, it’s most likely not possible to repair the chassis, and it could mean there is damage to the electronics as well.

Both the T480 and T480s works with Qubes OS, the T480s is slightly smaller but the T480 can be upgraded to 64 GB memory.

mike_banon · March 28, 2023, 1:50pm

@FollowTheRabbit If you’re after the “maximum security”, I would suggest a laptop supported by the opensource BIOS firmware like coreboot. Preferably a laptop without the ME/PSP “hardware backdoors”. I.e. the quad-core AMD Lenovo G505S , when fully upgraded (16GB of RAM etc.), may be suitable for your needs: it is supported by this opensource BIOS, doesn’t have ME/PSP at all, and doesn’t suffer from 20+ Intel-only vulnerabilities like Meltdown and Zombieload (for which the performance-crippling patches are required and even have to disable the Hyper-Threading)

fuel_can · March 29, 2023, 9:03am

I have P50 based on Xeon, one of my favorite laptops.
But i cant recommend it. I bought this laptop on well known marketplace and year ago it stop working stable (shutdown itself randomly). Change bios/cmos/ssd/nvme/memory/power supply didn’t help.

For your tasks best possible Qubes laptop is x330 from xyte.ch
Its more portable and have all benefits : 1080p/2k screen, 4 core 8 threads, heads/coreboot and classical ibm keyboard, ax210 wifi (you can also attach airpods) and nvme mod.
(one only disadvantage - custom eDP cable and the stock cooler is noisy - but it possible tuned too)

arkenoi · March 29, 2023, 12:55pm

At least 32Gb RAM (64 recommended), 11th gen, 512Gb SSD, and Intel Xe graphics.

tasket · March 31, 2023, 12:30am

This is an interesting choice from a security perspective, but I have found my G505S to be rather slow (I use it as a file server now).

My daily driver for Qubes 4.1 is a Thinkpad T14 Gen1 Ryzen 4750U, and it seems this model got “lucky” with firmware updates fixing the system timer bugs plus CPU frequency scaling works, too. The only thing I would not rely on working with Qubes at this point is suspend/wake. Oh, and it is pretty fast…

mike_banon · March 31, 2023, 10:41am

@tasket Did you upgrade your G505S with 16GB of 1600MHz CL9 RAM ? It really means a lot here…

If more power than G505S is desired without sacrificing any security - and a desktop isn’t out of a question - you can go with the other coreboot-supported AMD boards like A88XM-E (with A10-6700 or A10-6800K) or even KGPE-D16 with two of 16-core Opterons, for a level of security even slightly better than G505S

Otherwise, if you really need a more-powerful-than-G505S laptop for Qubes, may pick the fastest coreboot-supported laptop regardless of ME/PSP status - at least it should give you the much better firmware security than the sloppily-coded proprietary UEFIs, and you could also do the stuff like “me_cleaning” as an extra measure. Haven’t checked for a long time, maybe there are coreboot-supported AMD Ryzen laptops by now (yes, with a PSP, but hopefully still better than Intel)

Sven · April 2, 2023, 9:25pm

Moved to Hardware Issues under User Support

oxpoz · January 23, 2024, 8:57am

Do you use two 16GB 1600MHz CL9 RAM modules in the G505s? Such modules are really not easy to find. Btw I really like that G505s project, awesome work.
There is a System76 amd laptop called Pangolin. They were talking about coreboot support but it seems it is still not there yet.
Even for System76 Intel machines with coreboot like the Oryx there are reports with Qubes issues. But there are also models where Qubes works.
Does anyone know which is the fastest coreboot supported laptop? I only know that at the moment the latest Thinkpad is the w541 with coreboot but it still has only 32 GB ram support.

mike_banon · January 23, 2024, 10:01am

Do you use two 16GB 1600MHz CL9 RAM modules in the G505s? Such modules are really not easy to find

Yes they are a bit rare, but still could be found if you know the part numbers. I.e. a couple of good examples of 16GB 1600MHz CL9 kits with fastest possible 9-9-9-24 timings: Crucial BLS2K8G3N169ES4 and Patriot PV316G160LC9SK . They are also sold as single 8GB sticks with slightly different part numbers. It is easier to find Kingston RAM modules but they are a bit slower (9-9-9-27), there are also G.Skill which are 9-9-9-28. So its preferable that you hunt for 9-9-9-24, please let me know if you have any difficulty and I might come up with more part numbers that could help to find them

Btw I really like that G505s project, awesome work.

Thank you for the kind words

There is a System76 amd laptop called Pangolin. They were talking about coreboot support but it seems it is still not there yet.

The problem is - even if they release a coreboot for it, it won’t have the same level of freedom as G505S. In addition to A10-5750M CPU not having the AMD PSP “backdoor”, a coreboot for G505S has 100% opensource AGESA library - including such low level things as memory training a DDR3 controller (and this allowed me to add the previously-unavailable XMP / custom RAM timings support with some code injections)

32 GB RAM support

Someone actually put 32GB = 2*16GB SO-DIMMs into G505S and it worked with coreboot. But it was expensive and also he had to sacrifice some performance because there are no 1600MHz CL9 modules of such volume.

There are reports with Qubes issues. But there are also models where Qubes works.

Last time I tried Qubes on G505S, it worked flawlessly - thanks to the quality of coreboot and especially the IOMMU support. The quality of coreboot and the set of available features - may be different for various coreboot hardwares.

A88XM-E - another nice AMD-no-PSP coreboot-supported board which I maintain - should have equally good Qubes experience. Can’t say the same for AM1I-A which unfortunately doesn’t have a working IOMMU which is vitally important for Qubes (AMD started preparing for the introduction of PSP at the time and making the room for it, I think IOMMU isn’t even available at AM1I-A CPU’s hardware). For A88XM-E, you can find 1866MHz CL9 9-9-9-24 - i.e. Crucial BLT8G3D1869DT1TX0 and BLE2CP8G3D1869DE1TX0CEU . There is also a similar F2A85-M board with slightly older chipset - where you could put 4 RAM sticks instead of 2 - but there could be some confusion with different motherboard versions.

More information about no-PSP coreboot laptop/desktop - as well as a coreboot build instructions etc. - everything is available at DangerousPrototypes pages:

http://dangerousprototypes.com/docs/Lenovo_G505S_hacking

mike_banon · January 23, 2024, 10:04am

Does anyone know which is the fastest coreboot supported laptop?

Although G505S is the fastest no-ME/no-PSP laptop, some users may consider to sacrifice some freedom in exchange for much higher performance of more modern coreboot-supported laptops.

Check out this page of Novacustom Laptop with Dasharo coreboot firmware : their NV41 laptop is supported by coreboot and Qubes certified - so an excellent Qubes experience is 100% guaranteed It also has a Dasharo coreboot-based firmware that has been made by my 3mdeb company. Probably not as free as G505S, but definitely much faster