Picking a machine

Any info with T480 and: Core Boot? Or Trench Boot? Or Heads?

I don’t think Trenchboot currently works with any laptop.

Coreboot/Heads doesn’t work on any ThinkPad after the T430/T440p and X230.

1 Like

Thanks, looking just now. Do you know if it’s easy to repair/clean the T480 housing?

Also, should I get the T480s if I can get it for the same price, as opposed to the T480?

Isopropanol doesn’t damage the ThinkPad rubber coating, it’s normally what people use to clean them.

If the chassis is damaged and needs repair I wouldn’t buy it, it’s most likely not possible to repair the chassis, and it could mean there is damage to the electronics as well.

Both the T480 and T480s work with Qubes OS; the T480s is slightly smaller, but the T480 can be upgraded to 64 GB memory.

1 Like

@FollowTheRabbit If you’re after the “maximum security”, I would suggest a laptop supported by the opensource BIOS firmware like coreboot. Preferably a laptop without the ME/PSP “hardware backdoors”. I.e. the quad-core AMD Lenovo G505S, when fully upgraded (16GB of RAM etc.), may be suitable for your needs: it is supported by this opensource BIOS, doesn’t have ME/PSP at all, and doesn’t suffer from 20+ Intel-only vulnerabilities like Meltdown and Zombieload (for which performance-crippling patches are required, and Hyper-Threading even has to be disabled).

I have a P50 based on a Xeon, one of my favorite laptops.
But I can’t recommend it. I bought this laptop on a well-known marketplace and a year ago it stopped working stably (it shuts itself down randomly). Changing the BIOS/CMOS/SSD/NVMe/memory/power supply didn’t help.

For your tasks, the best possible Qubes laptop is the x330 from xyte.ch.
It’s more portable and has all the benefits: 1080p/2k screen, 4 cores 8 threads, Heads/coreboot and classical IBM keyboard, AX210 Wi-Fi (you can also attach AirPods) and NVMe mod.
(The only disadvantages: a custom eDP cable, and the stock cooler is noisy, but it can be tuned too.)

At least 32Gb RAM (64 recommended), 11th gen, 512Gb SSD, and Intel Xe graphics.

This is an interesting choice from a security perspective, but I have found my G505S to be rather slow (I use it as a file server now).

My daily driver for Qubes 4.1 is a Thinkpad T14 Gen1 Ryzen 4750U, and it seems this model got “lucky” with firmware updates fixing the system timer bugs plus CPU frequency scaling works, too. The only thing I would not rely on working with Qubes at this point is suspend/wake. Oh, and it is pretty fast… :racehorse:

@tasket Did you upgrade your G505S with 16GB of 1600MHz CL9 RAM? It really means a lot here…

If more power than G505S is desired without sacrificing any security - and a desktop isn’t out of the question - you can go with the other coreboot-supported AMD boards like A88XM-E (with A10-6700 or A10-6800K) or even KGPE-D16 with two 16-core Opterons, for a level of security even slightly better than G505S.

Otherwise, if you really need a more-powerful-than-G505S laptop for Qubes, you may pick the fastest coreboot-supported laptop regardless of ME/PSP status - at least it should give you much better firmware security than the sloppily-coded proprietary UEFIs, and you could also do stuff like “me_cleaning” as an extra measure. I haven’t checked for a long time; maybe there are coreboot-supported AMD Ryzen laptops by now (yes, with a PSP, but hopefully still better than Intel).

Moved to Hardware Issues under User Support

Do you use two 16GB 1600MHz CL9 RAM modules in the G505s? Such modules are really not easy to find. Btw I really like that G505s project, awesome work.
There is a System76 AMD laptop called Pangolin. They were talking about coreboot support but it seems it is still not there yet.
Even for System76 Intel machines with coreboot like the Oryx there are reports of Qubes issues. But there are also models where Qubes works.
Does anyone know which is the fastest coreboot-supported laptop? I only know that at the moment the latest ThinkPad with coreboot is the W541, but it still has only 32 GB RAM support.

1 Like

Do you use two 16GB 1600MHz CL9 RAM modules in the G505s? Such modules are really not easy to find

Yes, they are a bit rare, but they can still be found if you know the part numbers. I.e. a couple of good examples of 16GB 1600MHz CL9 kits with the fastest possible 9-9-9-24 timings: Crucial BLS2K8G3N169ES4 and Patriot PV316G160LC9SK. They are also sold as single 8GB sticks with slightly different part numbers. It is easier to find Kingston RAM modules but they are a bit slower (9-9-9-27); there are also G.Skill modules which are 9-9-9-28. So it’s preferable that you hunt for 9-9-9-24. Please let me know if you have any difficulty and I might come up with more part numbers that could help to find them.

Btw I really like that G505s project, awesome work.

Thank you for the kind words :wink:

There is a System76 amd laptop called Pangolin. They were talking about coreboot support but it seems it is still not there yet.

The problem is - even if they release a coreboot for it, it won’t have the same level of freedom as G505S. In addition to A10-5750M CPU not having the AMD PSP “backdoor”, a coreboot for G505S has 100% opensource AGESA library - including such low level things as memory training a DDR3 controller (and this allowed me to add the previously-unavailable XMP / custom RAM timings support with some code injections)

32 GB RAM support

Someone actually put 32GB = 2*16GB SO-DIMMs into G505S and it worked with coreboot. But it was expensive and also he had to sacrifice some performance because there are no 1600MHz CL9 modules of such volume.

There are reports with Qubes issues. But there are also models where Qubes works.

Last time I tried Qubes on G505S, it worked flawlessly - thanks to the quality of coreboot and especially the IOMMU support. The quality of coreboot and the set of available features - may be different for various coreboot hardwares.

A88XM-E - another nice AMD-no-PSP coreboot-supported board which I maintain - should have an equally good Qubes experience. Can’t say the same for AM1I-A, which unfortunately doesn’t have a working IOMMU, which is vitally important for Qubes (AMD started preparing for the introduction of PSP at the time and making room for it; I think IOMMU isn’t even available in the AM1I-A CPU’s hardware). For A88XM-E, you can find 1866MHz CL9 9-9-9-24 - i.e. Crucial BLT8G3D1869DT1TX0 and BLE2CP8G3D1869DE1TX0CEU. There is also a similar F2A85-M board with a slightly older chipset - where you could put 4 RAM sticks instead of 2 - but there could be some confusion with different motherboard versions.

More information about no-PSP coreboot laptop/desktop - as well as a coreboot build instructions etc. - everything is available at DangerousPrototypes pages:

http://dangerousprototypes.com/docs/Lenovo_G505S_hacking

2 Likes

Does anyone know which is the fastest coreboot supported laptop?

Although G505S is the fastest no-ME/no-PSP laptop, some users may consider sacrificing some freedom in exchange for the much higher performance of more modern coreboot-supported laptops.

Check out this page of Novacustom Laptop with Dasharo coreboot firmware: their NV41 laptop is supported by coreboot and Qubes certified - so an excellent Qubes experience is 100% guaranteed :wink: It also has a Dasharo coreboot-based firmware that has been made by my 3mdeb company. Probably not as free as G505S, but definitely much faster.

2 Likes

Thank you for the details and explanation above @mike_banon. What I meant above is having 2x16 GB Ram on the G505s instead of a 16 GB/2x8 GB kit (btw on the website link the issuer certificate has expired, so no https). Officially Lenovo stated that 16 GB is possible but overRAMing i.e. 32 GB work as well (it’s on the site phs-memory too). That’s pretty neat.

NovaCustom is a great suggestion. I just discovered something interesting. Starlabs Starfighter laptops are offered with AMD Ryzen 7 3.20GHz 8-core 7840HS CPUs and coreboot. RAM is soldered, so best to opt for max 64 GB as it cannot be upgraded later. It has nice specifications apart from coreboot: 16" matte screen, 4K, etc.

1 Like

I see only one Lenovo G505S for sale. A bunch sold for parts.

Else G505s sounds really interesting

If one is only going to flash the Anti-Evil Maid and zap the bad part of Intel ME, then there is the T480 (8th generation Intel; it also comes with the slower 7th generation), which can be upgraded to 64 GB, which I have done. (I know Lenovo does not show it can be upgraded to 64 GB, just 32 GB.) Upgrading the screen to IPS requires the correct MOBO to accommodate the correct cable. Don’t trust my opinion on that, just be aware of what you are getting. Also, it seems some different MOBOs were used in, and marketed as, the T480 in different areas. Research to make sure you get one that will match your interests. Someone who has tried said the Intel 8th generation Core i5 worked nearly as well as the i7, but used less battery and cost less to purchase. I would prefer a 15 inch screen.

Or (I read, never held one) the T480s, which can be upgraded to 48 GB, but there are a number of renewed T480s laptops with an IPS screen for not a huge amount.

My personal decisions are very much budget-considered. (Also considering, I am not backing away from using Qubes.) If I had the money, and I did not have a problem getting a shipment of a security device, which I personally do not have, I would purchase a brand new Qubes Certified laptop with coreboot Heads.

If the poster is not already experienced enough in testing Qubes, spending the extra money to purchase a Qubes Certified machine might leave one unhappy with the purchase.

1 Like

I do understand that the T480 is great hardware. What I do not get is why would someone use Qubes on a machine having Intel ME inside? I mean it’s not only saying: That’s ok, it’s not my threat model. I’m more curious about how users deal with it on a mental level. Does it require a sort of “don’t care” approach? But in that case, if someone would not care, why would a user opt for using Qubes?
On the other hand, I know, there is the major three letters agency part of the coreboot project… But at least it’s open source.

Edit: You make a good point. I gave consideration to that before spending two fifty on a T-480, plus one fifty on 64 GB RAM.

Intel Management Engine is part of the boot process. It must be there to boot the computer.

There is an explanation of turning off the part of the Intel Management Engine that is much talked about as being negative. Even so, I doubt the powerful groups like the NSA are going to use this technology just for me.

Somewhere on GitHub there is a description of how to flash for “Anti-Evil Maid” on a T-480, which does the other big thing one wants from security. Keep in mind, if I did the flash, I could probably replace the internal wireless chip; Intel Management Engine, the bad part, so I read (I am not an expert), has only a few WiFi cards that it has drivers for.

Lots of other security considerations more likely to occur at me.

And if I had $2500.00 to use on something I do not actually have to have, I would buy a Qubes Certified computer.

Most of my other laptops have something odd happening with the hardware. I also wanted a laptop whose hardware seemed to be completely working. My actual thought is that there are folks, I think business and finance people, who might adopt Qubes if they had a chance to learn it without spending a lot of money. If this group wants to learn, they will not be concerned with flashing coreboot or Anti-Evil Maid (TrenchBoot). Once they have determined they need Qubes, they will get something that is very close to a Qubes Certified Computer. This list I want to create should be easy to access, not require paging through the HCL for a long time, and never cost much money that cannot be recouped by having a laptop that could be used as a gift for some family member. In that vein, the T480s with an IPS screen seems like a better candidate.

Solene offered the simple solution. “Nearly any of the Lenovo X or T series laptops.”

Also, I was partially replying to: Hardware suggestions for Qubes OS Experimenters - #7 by Raphael_Balthazar

oxpoz, I hope you keep posting. You bring up good points.

1 Like

having 2x16 GB Ram on the G505s instead of a 16 GB/2x8 GB kit

The difference is there are no 2x16 GB kits of DDR3 SO-DIMM that are 1600MHz CL9, while there are 2x8GB kits of such speed. Considering that even while intensively working under Qubes I haven’t been using more than 12-13 GB of RAM - never went to slow HDD swap - I can’t justify spending extra for 2x16 GB while also sacrificing some RAM speed. If you can find any “as fast” 2x16 GB kits, please let me know and I will re-consider :stuck_out_tongue:

(btw on the website link the issuer certificate has expired, so no https)

Yes, I know there is no HTTPS on DangerousPrototypes; all the code of our coreboot’s semi-fork for AMD-no-PSP platforms like the G505S laptop is actually hosted on review.coreboot.org as a set of not-merged patches, which are autodownloaded by csb_patcher.sh and applied after SHA256 verification.

Officially Lenovo stated that 16 GB is possible

Maybe it is indeed so with a crappy closed-source UEFI with a lot of shortcomings (broken IOMMU etc.). This person who upgraded his coreboot’ed G505S to 2x16GB, did it after switching to opensource coreboot BIOS :wink:

The great advantages of G505S: no ME/PSP at all to worry about, plus a coreboot BIOS firmware with 100% opensource AGESA library and good-enough Qubes support. Being AMD-based, G505S also isn’t affected by 20+ Intel-only vulnerabilities like Meltdown and Zombieload, for which performance-crippling security patches are required and the Intel HyperThreading feature even has to be disabled.

I see only one Lenovo G505S for sale. A bunch sold for parts.

The availability of G505S to you - depends on your location, and it may be easier to get a dirt cheap “broken” G505S & replace its motherboard: thanks to the socket’ed CPU & RAM, the replacement motherboards are really affordable - around $40-$50 with a free shipping from AliExpress/China. Also some working G505S are erroneously sold as “broken”. Just make sure it has A10-5750M CPU to avoid having to upgrade it

G505S has Compal LA-A091P motherboard at “with-discrete-GPU” version and Compal LA-A092P at “no-dGPU” version (btw to upgrade a “no-dGPU” G505S to “with-dGPU” motherboard, need to also get a different heatsink). More info about G505S parts, as well as a link to motherboard schematic (if you’d like to try a repair) - could be found at this page: Lenovo G505S parts - DP

Qubes-certified laptops all have coreboot support. NovaCustom NV41 series and Star Labs StarBook have 12th or 13th gen Intel processors, which means they are pretty fast.

1 Like