Picking a machine

Thank you for the details and explanation above @mike_banon. What I meant above is having 2x16 GB Ram on the G505s instead of a 16 GB/2x8 GB kit (btw on the website link the issuer certificate has expired, so no https). Officially Lenovo stated that 16 GB is possible but overRAMing i.e. 32 GB work as well (it’s on the site phs-memory too). That’s pretty neat.

NovaCustom is a great suggestion. I just discovered something interesting. Starlabs Starfighter laptops are offered with AMD Ryzen 7 3.20GHz 8-core 7840HS CPUs and Coreboot. Ram is soldered, so best to opt for max 64 GB as it cannot be upgraded later. It has nice specifications apart from coreboot. 16" matte screen, 4K, etc.

I see only one Lenovo G505S for sale. A bunch sold for parts.

Else G505s sounds really interesting

If one is only going to flash the Anti-evil Maid, and zap Intel ME bad part. Then there is a T480 (8th generation Intel -also comes with slower 7th generation) , which can upgraded to 64 GB, which I have done. (I know Lenovo does not show it can be upgraded to 64 GB, just 32 GB. Upgrading the screen to IPS must have the correct MOBO with to accommodate the correct cable. Don’t trust my opinion on that, just be aware of what you are getting. Also, seems some different MOBO’s were used in and marketed as T480, in different areas. Research to make sure you get one that will match your interests. Someone who has tried, said the Intel 8th generation Core I5, worked nearly as well as the I7, but used less battery. Cost less to purchase. I would prefer a 15 inch screen.

Or (I read, never held one) the T480s; which can be upgraded to 48 GB, but there are a number of renewed T480s laptops with an IPS screen. for not a huge amount.

My personal decisions are very much budget considered, (Also considering, I am not backing away from using Qubes) If I had the money. And I did not have a problem getting a shipment of a security device, which I personally do not have. I would purchase a brand new Qubes Certified laptop with CoreBoot Heads.

If the poster is not already experienced enough in testing Qubes. Spending the extra money to purchase a Qubes Certified machine might leave one unhappy with purchase.

I do understand that the T480 is great hardware. What I do not get is why would someone use Qubes on a machine having Intel ME inside? I mean it’s not only saying: That’s ok, it’s not my threat model. I’m more curious about how users deal with it on a mental level. Does it require a sort of “don’t care” approach? But in that case, if someone would not care, why would a user opt for using Qubes?
On the other hand, I know, there is the major three letters agency part of the coreboot project… But at least it’s open source.

Edit: You make a good point. I gave consideration to that before spending two fifty on a T-480. plus One fifty on 64 GB RAM.

Intel Management Engine is part of the boot process. It must be there to boot computer.

There is an explanation of turning off the part of the Intel Management Engine that is much talked about. being negative. Even so, I doubt the powerful groups like the NSA are going to use this technology just for me.

There is somewhere on github how to flash for 'Anti-Evil Maid" on a T-480. Which does the other big thing one wants from security. Keep in mind, if I did the flash, I could probably replace the internal wireless chip, Intel Management Engine, the bad part, so I read, I am not an expert, has only a few WiFi cards that it has drivers for.

Lots of other security considerations more likely to occur at me.

and if I had $2500.00 to use one something I do not actually have to have. I would buy a Qubes Certified computer.

Most of my other laptops have something odd happening with the hardware. I also wanted a laptop whose hardware seemed to be completely working. My actual thought is, that there are folks, I think business, finance people who might adopt Qubes, if they had a chance to learn it, without spending a lot of money. If this group wants to learn, they will not be concerned with flashing Core Boot, or Anti-Evil Maid (Trench Boot). Once they have determined they need Qubes. They will get, something that is very close to a Qubes Certified Computer. This list I want to create should be easy to access, not page for through the HCL for a long time, and never cost much money that can not be recooped by having a laptop that could be used as a gift for some family member. In that vein, the T480S with an IPS screen seems like a better candidate.

Solene offered the simple solution. “Nearly any of the Lenovo X or T series laptops.”

Also, I was partially replying to: Hardware suggestions for Qubes OS Experimenters - #7 by Raphael_Balthazar

oxpoz, I hope you keep posting. You bring up good points.

having 2x16 GB Ram on the G505s instead of a 16 GB/2x8 GB kit

The difference is there are no 2x16 GB kits of DDR3 SO-DIMM that are 1600MHz CL9, while there are 2x8GB kits of such speed. Considering that even while intensively working under Qubes I haven’t been using more than 12-13 GB of RAM - never went to slow HDD swap - I can’t justify spending extra for 2x16 GB while also sacrificing some RAM speed. If you can find any “as fast” 2x16 GB kits, please let me know and I will re-consider

(btw on the website link the issuer certificate has expired, so no https)

Yes, I know that no HTTPS on DangerousPrototypes; all the code of our coreboot’s semi-fork for AMD-no-PSP platforms like G505S laptop - is actually hosted on review.coreboot.org as a set of not-merged patches, which are audownloaded by csb_patcher.sh and applied after SHA256 verification

Officially Lenovo stated that 16 GB is possible

Maybe it is indeed so with a crappy closed-source UEFI with a lot of shortcomings (broken IOMMU etc.). This person who upgraded his coreboot’ed G505S to 2x16GB, did it after switching to opensource coreboot BIOS

The great advantages of G505S : no ME/PSP at all to worry about, + a coreboot BIOS firmware with 100% opensource AGESA library and good-enough Qubes support. Being AMD-based, G505S also isn’t affected by 20+ Intel-only vulnerabilities like Meltdown and Zombieload, for which the performance-crippling security patches are required and even have to disable the Intel HyperThreading feature

I see only one Lenovo G505S for sale. A bunch sold for parts.

The availability of G505S to you - depends on your location, and it may be easier to get a dirt cheap “broken” G505S & replace its motherboard: thanks to the socket’ed CPU & RAM, the replacement motherboards are really affordable - around $40-$50 with a free shipping from AliExpress/China. Also some working G505S are erroneously sold as “broken”. Just make sure it has A10-5750M CPU to avoid having to upgrade it

G505S has Compal LA-A091P motherboard at “with-discrete-GPU” version and Compal LA-A092P at “no-dGPU” version (btw to upgrade a “no-dGPU” G505S to “with-dGPU” motherboard, need to also get a different heatsink). More info about G505S parts, as well as a link to motherboard schematic (if you’d like to try a repair) - could be found at this page: Lenovo G505S parts - DP

Qubes-certified laptops all have coreboot support. NovaCustom NV41 series and Star Labs StarBook have 12th or 13th gen Intel processors, which means they are pretty fast.