Picking a machine

Thank you for the details and explanation above @mike_banon. What I meant above is having 2x16 GB RAM on the G505s instead of a 16 GB/2x8 GB kit (btw on the website link the issuer certificate has expired, so no https). Officially Lenovo stated that 16 GB is possible, but overRAMing, i.e. 32 GB, works as well (it’s on the site phs-memory too). That’s pretty neat.

NovaCustom is a great suggestion. I just discovered something interesting. Starlabs Starfighter laptops are offered with AMD Ryzen 7 3.20GHz 8-core 7840HS CPUs and coreboot. RAM is soldered, so best to opt for max 64 GB as it cannot be upgraded later. It has nice specifications apart from coreboot: 16" matte screen, 4K, etc.

2 Likes

I see only one Lenovo G505S for sale. A bunch sold for parts.

Else G505s sounds really interesting

If one is only going to flash the Anti-evil Maid, and zap Intel ME bad part, then there is a T480 (8th generation Intel - also comes with slower 7th generation), which can be upgraded to 64 GB, which I have done. (I know Lenovo does not show it can be upgraded to 64 GB, just 32 GB.) Upgrading the screen to IPS must have the correct MOBO to accommodate the correct cable. Don’t trust my opinion on that, just be aware of what you are getting. Also, it seems some different MOBOs were used in and marketed as T480, in different areas. Research to make sure you get one that will match your interests. Someone who has tried said the Intel 8th generation Core I5 worked nearly as well as the I7, but used less battery. Cost less to purchase. I would prefer a 15 inch screen.

Or (I read, never held one) the T480s, which can be upgraded to 48 GB, but there are a number of renewed T480s laptops with an IPS screen, for not a huge amount.

My personal decisions are very much budget considered (also considering, I am not backing away from using Qubes). If I had the money, and I did not have a problem getting a shipment of a security device, which I personally do not have, I would purchase a brand new Qubes Certified laptop with coreboot Heads.

If the poster is not already experienced enough in testing Qubes, spending the extra money to purchase a Qubes Certified machine might leave one unhappy with the purchase.

2 Likes

I do understand that the T480 is great hardware. What I do not get is why would someone use Qubes on a machine having Intel ME inside? I mean it’s not only saying: That’s ok, it’s not my threat model. I’m more curious about how users deal with it on a mental level. Does it require a sort of “don’t care” approach? But in that case, if someone would not care, why would a user opt for using Qubes?
On the other hand, I know, there is the major three letters agency part of the coreboot project… But at least it’s open source.

Edit: You make a good point. I gave consideration to that before spending two fifty on a T-480, plus one fifty on 64 GB RAM.

Intel Management Engine is part of the boot process. It must be there to boot the computer.

There is an explanation of turning off the part of the Intel Management Engine that is much talked about, being negative. Even so, I doubt the powerful groups like the NSA are going to use this technology just for me.

There is somewhere on GitHub how to flash for "Anti-Evil Maid" on a T-480. Which does the other big thing one wants from security. Keep in mind, if I did the flash, I could probably replace the internal wireless chip, Intel Management Engine, the bad part, so I read, I am not an expert, has only a few WiFi cards that it has drivers for.

Lots of other security considerations more likely to occur at me.

And if I had $2500.00 to use on something I do not actually have to have, I would buy a Qubes Certified computer.

Most of my other laptops have something odd happening with the hardware. I also wanted a laptop whose hardware seemed to be completely working. My actual thought is that there are folks, I think business, finance people, who might adopt Qubes, if they had a chance to learn it, without spending a lot of money. If this group wants to learn, they will not be concerned with flashing Core Boot, or Anti-Evil Maid (Trench Boot). Once they have determined they need Qubes, they will get something that is very close to a Qubes Certified Computer. This list I want to create should be easy to access, not page through the HCL for a long time, and never cost much money that can not be recouped by having a laptop that could be used as a gift for some family member. In that vein, the T480S with an IPS screen seems like a better candidate.

Solene offered the simple solution. “Nearly any of the Lenovo X or T series laptops.”

Also, I was partially replying to: Hardware suggestions for Qubes OS Experimenters - #7 by Raphael_Balthazar

oxpoz, I hope you keep posting. You bring up good points.

1 Like

having 2x16 GB Ram on the G505s instead of a 16 GB/2x8 GB kit

The difference is there are no 2x16 GB kits of DDR3 SO-DIMM that are 1600MHz CL9, while there are 2x8GB kits of such speed. Considering that even while intensively working under Qubes I haven’t been using more than 12-13 GB of RAM - never went to slow HDD swap - I can’t justify spending extra for 2x16 GB while also sacrificing some RAM speed. If you can find any “as fast” 2x16 GB kits, please let me know and I will re-consider :stuck_out_tongue:

(btw on the website link the issuer certificate has expired, so no https)

Yes, I know that no HTTPS on DangerousPrototypes; all the code of our coreboot’s semi-fork for AMD-no-PSP platforms like G505S laptop - is actually hosted on review.coreboot.org as a set of not-merged patches, which are autodownloaded by csb_patcher.sh and applied after SHA256 verification.

Officially Lenovo stated that 16 GB is possible

Maybe it is indeed so with a crappy closed-source UEFI with a lot of shortcomings (broken IOMMU etc.). This person who upgraded his coreboot’ed G505S to 2x16GB, did it after switching to opensource coreboot BIOS :wink:

The great advantages of G505S : no ME/PSP at all to worry about, + a coreboot BIOS firmware with 100% opensource AGESA library and good-enough Qubes support. Being AMD-based, G505S also isn’t affected by 20+ Intel-only vulnerabilities like Meltdown and Zombieload, for which the performance-crippling security patches are required and even have to disable the Intel HyperThreading feature

I see only one Lenovo G505S for sale. A bunch sold for parts.

The availability of G505S to you - depends on your location, and it may be easier to get a dirt cheap “broken” G505S & replace its motherboard: thanks to the socket’ed CPU & RAM, the replacement motherboards are really affordable - around $40-$50 with a free shipping from AliExpress/China. Also some working G505S are erroneously sold as “broken”. Just make sure it has A10-5750M CPU to avoid having to upgrade it

G505S has Compal LA-A091P motherboard at “with-discrete-GPU” version and Compal LA-A092P at “no-dGPU” version (btw to upgrade a “no-dGPU” G505S to “with-dGPU” motherboard, need to also get a different heatsink). More info about G505S parts, as well as a link to motherboard schematic (if you’d like to try a repair) - could be found at this page: Lenovo G505S parts - DP

Qubes-certified laptops all have coreboot support. NovaCustom NV41 series and Star Labs StarBook have 12th or 13th gen Intel processors, which means they are pretty fast.

2 Likes
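The "download the patches, then apply them only after SHA256 verification" flow mentioned earlier in the thread, sketched as a fail-closed shell helper. This is an added example, not part of any post here and not the code of csb_patcher.sh; the manifest layout, the file names and the `verify_patches`/`apply_verified` helpers are hypothetical, and the manifest is assumed to reach you over a channel you already trust.

```shell
#!/bin/sh
# Added example (hypothetical names): check every downloaded patch against a
# pinned SHA256 manifest BEFORE applying any of them, so a single bad file
# never leaves the source tree half-patched.
# Manifest format (sha256sum text mode): "<sha256>  <filename>", one per line.

# verify_patches MANIFEST DIR
# Prints verified file names in manifest order. Fails closed on a missing
# file, a hash mismatch, a path-like name, or an empty manifest.
verify_patches() {
    manifest=$1 dir=$2 verified=
    while read -r want name; do
        [ -n "$want" ] || continue                  # skip blank lines
        case $name in
            ''|*/*|.*) echo "bad entry: $name" >&2; return 1 ;;  # plain names only
        esac
        [ -f "$dir/$name" ] || { echo "missing: $name" >&2; return 1; }
        got=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        [ "$got" = "$want" ] || { echo "MISMATCH: $name" >&2; return 1; }
        verified="$verified$name
"
    done < "$manifest"
    [ -n "$verified" ] || { echo "empty manifest" >&2; return 1; }
    printf '%s' "$verified"
}

# apply_verified MANIFEST DIR TREE
# Applies only manifest-listed patches, and only if all of them verified.
apply_verified() {
    list=$(verify_patches "$1" "$2") || { echo "nothing applied" >&2; return 1; }
    printf '%s\n' "$list" | while IFS= read -r p; do
        patch -d "$3" -p1 -N < "$2/$p" || exit 1    # stop at first failed hunk
    done
}

# Constructed demo: two tiny files stand in for downloaded patches.
demo() {
    d=$(mktemp -d) || return 1
    printf 'first constructed patch\n'  > "$d/0001-a.patch"
    printf 'second constructed patch\n' > "$d/0002-b.patch"
    ( cd "$d" && sha256sum 0001-a.patch 0002-b.patch > manifest.sha256 )
    verify_patches "$d/manifest.sha256" "$d" >/dev/null && r1=pass || r1=fail
    printf 'injected line\n' >> "$d/0002-b.patch"   # simulate tampering in transit
    verify_patches "$d/manifest.sha256" "$d" >/dev/null 2>&1 && r2=pass || r2=fail
    rm -rf "$d"
    echo "$r1 $r2"
}
```

The check is only as strong as the manifest: hashes fetched over the same unauthenticated channel as the patches add no integrity.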

@catacombs has posted a set of coreboot questions to my PMs and e-mail; since it may benefit a wider community, I’m going to publicly reply to non-personal ones in a privacy-respecting manner:

Which PI model should I purchase to flash with?

You don’t need a PI: aside from security considerations, USB CH341A programmer is a much simpler & reliable device and it is supported by the flashrom opensource software. Just make sure to get a green PCB version of CH341A (or at least a blue one, which is similar to green but has fewer pins) : popular black CH341A might be giving a 5V instead of 3.3V to the data pins - this is dangerous and a hardware mod is required to fix this.

For more info about G505S flashing, including a photo of doing this with CH341A and a small review of 4 types of SOIC8 test clips (for an easy no-soldering connection to a BIOS chip) - please see this article: Flashing a BIOS chip with Bus Pirate - DP

Battery question

The genuine batteries are not good anymore cause their capacity depletes with the time and I’m not sure that Lenovo makes them anymore; you’ll be better off with any 3rd-party one; if you need more capacity and don’t mind your laptop becoming slightly heavier/bigger, might get a random 8 cells G505S battery from AliExpress (at the same place you can get a 9.5mm optical drive caddy for peanuts, any should be compatible with G505S)

Cooling

There are at least two different fan models that might be found inside of G505S: aside from slightly different power draw (2W vs 2.5W), there is not much performance difference and you could get any that is labeled as “g505s fan”. As for the not-conductive thermal paste, personally I’m using Arctic MX-4 (easier to apply) and Gelid GC-Extreme (slightly better performance) and am happy with both.

Why would I add the added expense of buying a PI computer to use as the programming computer for doing a ROM Flash?

I have several older laptop computers to use for programming the flash, which I will attach the CH341A. These older laptop computers may have unstable power fluctuations while attempting the ROM Flash. I am guessing that the PI computer is a more reliable solution. In my case, buying a new PI, would surely add a lot of extra time to my getting the buckitos together to buy it.

Fan, I have been told, that after enough years, and I can hypothesize that this particular Lenovo AMD A10 is from 2014, that is enough for the electromagnets in the fan to have worn down, and the fan to not actually be turning at the speed it is trying to. I am pretty sure the folks who gave me this warning know what they are talking about. But, if you have any input on this? Anyway, it is going to be difficult to find a new fan. So I may never get one.

All the hardware I had, either had a flaky hardware issue, or seemed fragile when I bought a T-480, which could be upgraded to 64GB of RAM. AND

GitHub - kennethrrosen/qubes-boot-verification: Verified boot hack for T480

Which is a partial substitute for Core Boot/Heads.
Disabling the part of the Intel ME that I do not like (gets surreptitious update of CPU from -supposedly Intel Mother-ship, of course I should know I can trust Intel.) and not some unknown malware from . . . That is also on my todo list.

I do not know the extent of the T-480 whitelist. In the Lenovo X-230 must be modified to allow a non-lenovo manufactured battery, to use another WiFi adapter than the one it came with. I think I recall the keyboard must also register as a Lenovo to work. White list goes away with X-230 Flash.

I did not ask those questions while considering the Lenovo G505s, because I am already committed to flashing it. Anyway, the G505s does not have the Intel ME.

On another Forum: Tommy Tran suggested that the verification through HEADS was "Security Theater" and suggested that some of the latest produced hardware, that vPro could be used to be more secure. While ignoring the Intel ME (which no one has shown has ever been used - in the wild), we spend a lot of time on an issue that has never occurred. Tommy Tran also suggested that some upgrades in security will happen with some newer hardware in upcoming Dells. Not to provoke a discussion about future hardware, just to be thorough on this subject I mention it.

There is another hardware project, which I think would be interesting for some in the Qubes community to have available to purchase. Being able to change the Wireless Adapter, upgrade to a later model, can be difficult. While I am not sure a USB connected Wireless adapter will give the same speed, as the same Wireless Adapter would if it was inside the computer. It would be useful to have a USB connected Wireless Adapter that would just work.

My first choice being one where the exact module (firmware for wireless adapter) was already in kernel. I have discovered no one selling USB connected Wireless adapters is much honest about the difficulty in getting their product to work in Linux.

I would like to be able to easily change the Wireless Adapter (for a USB connection) to one I choose. I want a box which has Antennas on one side, and I can open the box to change the Wireless adapter inside. Yes, there are half height, full height wireless adapters, different cable connector sizes, from antennas to the Wireless Adapter. I could upgrade the Wireless Adapter to a late model Wireless Adapter. Useful for older hardware. Wireless Adapter choice I might trust. Well, I guess most of the ones I could purchase come on a slow boat from China.

Technically this is not a difficult build, a three D printer for the outside of the box. What I don’t see easily available is the USB connector to the slot where the Wireless Adapter plugs in. Antenna cables which tolerate being used more than once. Then some knowledge, a chart that shows size of Antenna Cable Connector plugs, and what is available on which Wireless Adapters. Size of Adapters, half height, full height. Bluetooth also?

Then we can have discussions about which Wireless Adapters that are good for a Qubes audience, for a high security Wireless connection. More trusted connections. More stable connection. Better speed connection.

For me, I am trying to create a more secure laptop, while waiting until I can buy laptops with RISC/x. Oh, that works with Linux.

1 Like

UEFITool NE alpha 68 (Jun 2 2024).

Be nice if a tool like this could be substituted for Doing hardware Flashes.

Or if Intel could just issue a Firmware to disable what we consider the unfortunate part of Intel ME. since Intel still packages Intel ME that – some of us want to disable. I think that speaks to the intent of Intel to be trusted. The concept that Intel can keep the Intel ME usability to themselves is NOBUS, “Nobody But US.” Oh wait, all of you knew that. Sorry. Speaking too much again.

1 Like

Hi, as subject is broad maybe on topic

If desktop isn’t out of a question @mike_banon what you think of Asus KCMA-D8 ?
@Litter_Box refer in asus-kcma-d8 HCL to “Used” Samsung 128GB (8x16GB) DDR3 PC3-10600R ECC Reg RDIMM and 4200 and 4300 series Opterons. Might FollowTheRabbit’s below desires possible with kcma-d8 and budget? Curious anyone’s thoughts.

@Confused not know if in

or something that doesn’t work in certain aspects or worse not at all.

Because name is FollowTheRabbit (:rabbit2:) and say don’t mind tinkering. I mention D8. If anyone reading heads down nonlaptop pre-PSP rabbit hole likely will encounter D8 and D16 in hardware security wunderland. Sad in present, I not know if breadcrumbs -these machines- head home (mike_banon, 3mdeb, Insurgo and others may know more - good / bad) or to a witches house of problems with Qubes today.

@FollowTheRabbit if money were no problem, you hate tinkering, or need laptop I support and agree with

if understand and trust Intel vPro - What it can do, what it *can't* do, and what it means for your future hardware choices
and like

Sorry if I confuse. Best picking a machine. Best to all.

I don’t think the KCMA-D8 and KGPE-D16 are fully supported anymore, they are no longer compatible with the latest speculative execution mitigation.

1 Like

Was gonna post that link re: D8 and KGPE-D16. The problem is there is nothing that compares to them in terms of open firmware at this time. My D16 is now booting VMs fine with the fix described in that link, but as explained there, it is by disabling a security feature.

Meanwhile, I have undiagnosed new issue with sound not working, and longer-term problem of sys-usb crashing on print jobs that has become unreasonable in its frequency.

So I’m watching threads like this, thinking about buying a replacement for my D-16.

@Confused , @renehoj , @scallyob , @Litter_Box , @catacombs , @oxpoz , @fsflover , @pirron , @Insurgo and @Raphael_Balthazar :

If to choose between KCMA-D8 and KGPE-D16 - KGPE-D16 appears to have a better quality of a coreboot source code; also, my 3mdeb company has done the additional efforts of supporting this board after it has been removed from coreboot - please see Dasharo coreboot firmware distribution for KGPE-D16 , it should provide a better user experience than a regular coreboot 4.11

An unobvious problem with both of these boards, is that - despite their undeniably high performance among the no-Intel-ME/no-AMD-PSP boards - their AMD platform architecture is older and the original AGESA firmware code was of a worse quality than i.e. for fam15h/fam16h. You see the evidence of this by the existence of RAM Hardware Compatibility List for these server boards (while you can throw any RAM into fam15h/fam16h coreboot AMD-no-PSP) and that they have been dropped from coreboot much earlier.

So, for a server-level features (performance, RAM volume, peripherals, etc.) - KGPE-D16 with Dasharo firmware seems preferable, but if you need a regular no-Intel-ME+no-AMD-PSP computer with a more refined firmware quality - I really recommend these 3 boards that I am maintaining:

  • Lenovo G505S laptop with A10-5750M (preferably a discrete GPU version because of two heatpipes - has either HD-8570M or R5-M230 dGPU, R5-M230 is slightly better)
  • ASUS A88XM-E desktop with A10-6700/A10-6800K and also RX590 GPU (the latest GPU without PSP, i.e. 11289-07-20G SKU)
  • ASUS AM1I-A micro-desktop with Athlon 5370/5350 (has more connectivity - i.e. LPT port - but unlike G505S/A88XM-E, this AM1I-A has no working IOMMU, so not for Qubes but good for other tasks)

All the corebooting information about these boards above - could be found on DangerousPrototypes website - Lenovo G505S hacking - DP (a primary page which despite its name actually suits all 3 boards, since their coreboot is so similar and there is just a small difference in building/flashing).

These G505S/A88XM-E/AM1I-A boards have a similar level of freedom: no AMD PSP, have a few remaining binary blobs but - with the exception of an optional XHCI USB 3.0 blob (without it all USB ports are 2.0) - these few blobs have been researched relatively well during the reverse engineering attempts (i.e. such projects as OpenAtom for the opensource replacement of GPU’s AtomBIOS blob) and no backdoors found.

So: for a Qubes desktop, I’d recommend A88XM-E with A10-6700/A10-6800K (A10-6700 is a few % slower but is 1.5x times cooler) that is maxed out with RX590 and 16GB by 2 of fast 1866MHz CL9 RAM (such as BLT8G3D1869DT1TX0) 8GB sticks. Please note that, despite a socket of A88XM-E is FM2+, you can only put A10-6*** there for coreboot usage; A10-7*** won’t work because AMD started blobbing AGESA around this time, preparing for the introduction of PSP crap, meanwhile there is a 100% opensource AGESA for A10-6*** and full coreboot compatibility.

Unfortunately, RAM with higher density - 16 GB sticks - are rare/expensive and also slower, so - if you really need more than 16GB of RAM (16GB is enough for Qubes last time I tested), it makes more sense to go for F2A85-M desktop: although its onboard chipset is slightly older than A88XM-E, it has 4 RAM slots; but there are too many hardware versions of F2A85-M (LE, Pro, etc.) which brings some confusion, so for me it was easier to just buy A88XM-E which has just two versions: a regular one (coreboot-supported), and USB 3.1 (not supported). As for F2A85-M, I don’t maintain it, but its source code is quite similar to A88XM-E and therefore I expect it to work too.

For those not afraid of some coreboot porting experience, I would recommend getting A88XM-A - or, even better, A88XM-PLUS - and try to port A88XM-E coreboot source code there: they have 4 RAM slots and more connectivity.

These AMD-no-PSP boards - if maxed out - are more than enough even for the modern tasks. And, although personally I am using Artix Linux at the moment (Arch without SystemD), I know that both G505S and A88XM-E could run Qubes fine - thanks to a working IOMMU. The only more powerful no-ME/no-PSP option - is a Raptor Computing Systems - Talos II Secure Workstation and perhaps would be the upcoming GNU/Linux Open Hardware PowerPC notebook (haven’t checked it vs A10-5750M of G505S), although there is no Qubes version for anything else than x86_64

If you have any extra questions about any of these boards, feel free to ask them below and I will try my best to help you. Also, to learn more about the opensource firmware/hardware in general, I’d suggest going to our vPub online parties like this (no mic/webcam required, text chat is also available) . I really suggest subscribing to our tiny-volume event notification newsletter (no spam, just ~4 e-mails per year) because my manual invitation may not reach you in time

2 Likes

I meant this – to be a PM. not on forum, sorry

@catacombs , a clarification reply to your message above (sorry I can see your post edit history and could not resist :stuck_out_tongue_winking_eye: ) :

  1. “WiFi whitelist” is an anti-feature of a proprietary closed source UEFI BIOS, therefore it has nothing to do with Intel ME
  2. a coreboot project by itself - does not do anything with Intel ME; that is a goal of a separate project, called me_cleaner, which tries to minimize the size of a closed source Intel ME blob as much as possible - in hopes to deactivate its spying functionality, but without a 100% guarantee
  3. Although AMD also got a “backdoor” equivalent - called AMD PSP - it arrived much later than Intel ME, therefore the latest-AMD-without-PSP is much more powerful than the latest-Intel-without-ME
  4. There are NO computer manufacturers that sell the modern PCs with Intel ME disabled - because a simple toggle of some obscure bit is not enough to ensure the security and that Intel ME is indeed fully disabled; it is not impossible to fully disable on anything newer than Core 2 Duo - the first generation of this “backdoor”. Any contrary claim by the laptop manufacturer to “disable the ME” - like your Dell example - is a scam aimed at non-tech-savvy governmental employees in attempt to land a big contract: they don’t even use me_cleaner during their “disablement”
  5. Any belief in the “security through obscurity” - and also in “trust the big guy (i.e. government), but be afraid of small guys (i.e. hackers)” - is dangerous for your security, because it’s more probable that a “big guy” will be hacking you using the secret backdoors shared by the manufacturer, and plenty of “vulnerabilities” are just the holes/backdoors the general public wasn’t supposed to know about
1 Like