Qubes hardware landscape

Hi.
Is it me, or is choosing DESKTOP hardware for Qubes increasingly difficult?

- older hardware has a PS/2 interface, but no microcode updates
- newer hardware has microcode updates, but no PS/2

On the LAPTOP side, it seems a lot of hardware is affected by the latest QSB (that is, lacks microcode updates). What do you guys think of the security status of ThinkPads xx30 (that can have coreboot, but not microcode updates)?

It seems that if Qubes enforces the open firmware restriction, there are almost no options available.

Just want to know what the community thinks of these trends.

Regards

1 Like

Have a look at the Community-recommended computers. Some of them should get the microcode updates AFAIK.

It’s difficult to find a desktop motherboard that is relatively modern, “has stuff in it that you can take advantage of with Qubes OS” (PCI slots, PS/2, lots of RAM slots, etc), and doesn’t have a bloated proprietary BIOS that does a lot more than a BIOS actually needs to do, making it very difficult to actually trust fully….

——-

Having an internal keyboard hardwired to a USB bus isn’t necessarily a bad thing, as long as you can trust it. And it is possible to have compromised PS/2 peripherals, but thankfully not as common any more….

——

I mean, any CPU that’s vulnerable to SPECTRE and Meltdown won’t be able to run Qubes OS anyway. That’s partly why you don’t see a lot of Apple hardware running Qubes OS (well, 4.1, at least).

——

I guess it all depends on the CPU, and whether the manufacturer can be bothered to continue support for it…

1 Like

What do you mean by this? Weren’t practically all CPUs vulnerable to these two?

It seems to affect every Intel and most AMD. I think these are families of hardware bugs they try to patch with microcode updates. But Intel only releases them for the most recent models.
As an example, ThinkPads x230 and x250 do not have microcode updates to patch the latest QSB.

1 Like

Not true. Go to your dom0, type lscpu, and I am sure you have a list of bugs, with some mitigations. But if the processor is more than a couple of years old, Intel will not release fixes. In that case you will be flooded by the never-ending flood of hardware bugs. The architecture is completely rotten.

3 Likes

Is there any chance you know of any CPUs that are vulnerable and can run Qubes OS (even badly)?

I’d like to do some testing on them.

You can get USB → PS/2 adapters FYI. From what I’ve read it’s not a sure thing that your peripherals will work with them, but that trialing some to see what works and what doesn’t can land you on a workable solution in this area.

lscpu lists a couple of vulnerabilities, including Spectre and Meltdown, alongside “Mitigations.” Are the “hardware bugs” you mention these “Vulnerability” reports of the lscpu output?

Here is the list of all the Intel CVEs from 2022; the same site has a tab for 2018-2021 if you want to see the older CVEs. They no longer include data for 5th gen and older CPUs.

1 Like

Screw the PS/2. This requirement is ridiculous nowadays.

I don’t think so. However, several USB controllers can be equally good (or even better).

2 Likes

Yes. They keep adding them. And I suspect it is a fraction of the real problems, because if you stop receiving microcode updates, the vulnerabilities will not appear under lscpu output, but are there.
Read QSB-081, and check sudo cpu-microcode-info in dom0. I suspect most hardware is vulnerable to this last problem… and they keep coming.

1 Like
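The check mentioned in the posts above (reading the vulnerability lines of lscpu in dom0), as an added example that is not part of the thread: a shell filter that sorts those lines by status and flags the ones where the kernel itself reports that a microcode update is missing. It assumes the `Vulnerability <name>: <status>` line format; the function names are this example's own and the sample output is constructed.

```shell
#!/bin/sh
# Added example: classify the "Vulnerability" lines of lscpu by status.
# Assumption: lines look like "Vulnerability <name>: <status>".

# Constructed sample output (not taken from a real machine).
sample_lscpu() {
cat <<'EOF'
Architecture:                    x86_64
Model name:                      Example CPU (constructed)
Vulnerability L1tf:              Mitigation; PTE Inversion
Vulnerability Mds:               Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
Vulnerability Meltdown:          Mitigation; PTI
Vulnerability Mmio stale data:   Vulnerable
Vulnerability Spectre v2:        Mitigation; Retpolines, STIBP disabled, RSB filling
Vulnerability Srbds:             Not affected
EOF
}

# Reads lscpu text on stdin, prints "<class><TAB><name><TAB><status>".
classify_vulns() {
  awk '
    /^Vulnerability / {
      line = $0
      sub(/^Vulnerability /, "", line)
      i = index(line, ":")
      name = substr(line, 1, i - 1)
      status = substr(line, i + 1)
      sub(/^[ \t]+/, "", status)
      if (status ~ /^Not affected/)      class = "OK"
      else if (status ~ /no microcode/)  class = "NEEDS_MICROCODE"
      else if (status ~ /^Vulnerable/)   class = "VULNERABLE"
      else if (status ~ /^Mitigation/)   class = "MITIGATED"
      else                               class = "UNKNOWN"
      printf "%s\t%s\t%s\n", class, name, status
    }'
}

# Counts entries of one class, e.g.: lscpu | count_class NEEDS_MICROCODE
count_class() {
  classify_vulns | awk -F "\t" -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

# Demo on the constructed sample; on a real system run: lscpu | classify_vulns
sample_lscpu | classify_vulns
```

The list only covers issues the running kernel knows how to report, so an empty `NEEDS_MICROCODE` class says nothing about bugs disclosed after the last kernel or microcode update.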

I think you mean it is almost impossible to achieve. Agreed.
Nevertheless it would be desirable, if achievable.
If you have several USB controllers you can reserve one for USB and keyboard, but I still think it is not ideal.

This is precisely what I mean. I think this is starting to affect the majority of Qubes OS users.

This only solves the problem if you have PS/2 sockets and want to use a USB keyboard. But if you do not have a PS/2 interface at the motherboard level, your only option is to use a USB controller for mouse AND keyboard.

I have a hub I used on my old system.

When I wanted to read a DVD last night, I plugged one of those portable DVD readers into the hub, then the hub into my current box.

Any VM I tried to assign that DVD reader into last night would instantly shut down.

Skipping the hub, and plugging the DVD reader directly into my system, it worked.

I’m still very new to this and haven’t started investigating a USB Qube (I need USB for keyboard/mouse and have one controller) but ideally I’d like to be able to have ANY USB block device automatically assigned to one particular qube (and then make it disposable), likewise printer, etc. I don’t even know yet if that’s possible.

1 Like

I think it could be somewhat scriptable on the dom0 side, and it would be really nice to have a usable UI for non-geeks. “Permanent attach” does more harm than good because USB device IDs are non-static. I have a script to do proper attachments on the Qubes start but that’s all :frowning:

And, again, I really hate the discrimination against users that have no PS/2 input devices :slight_smile:

:slight_smile:
I also feel your pain!

Which discrimination? It’s just not recommended. Actually it would probably be more reasonable to recommend many USB controllers and/or PS/2 instead.

1 Like