Qubes hardware landscape

Is it me or choosing DESKTOP hardware for qubes is increasingly dificult?

-older hardware has PS/2 interface, but no microcode updates
-newer harware has microcode update, but no PS/2

On the LAPTOP side, it seems a lot of harware is affected by the latest QSB (that is, lacks microcode updates). What do you guys think of the security status of thinkpads xx30 (that can have coreboot, but not microcode updates).

It seems that if qubes enforces open firmware restriction, there is almost no options available.

Just want to know what the community thinks of these trends.


1 Like

Have a look at the Community-recommended computers. Some of them should get the microcode updates AFAIK.

It’s difficult to find a desktop motherboard that is relatively modern, “has stuff in it that you can take advantage of with Qubes OS” (PCI slots, PS/2, lots of RAM slots, etc), and doesn’t have a bloated proprietary BIOS that does a lot more than a BIOS actually needs to do, making it very difficult to actually trust fully….


Having an internal keyboard hardwired to a USB bus isn’t necessarily a bad thing, as long as you can trust it. And it is possible to have compromised PS/2 peripherals, but thankfully not as common any more….


I mean, any CPU that’s vulnerable to SPECTRE and Meltdown won’t be able to run Qubes OS anyway. That’s partly why you don’t see a lot of Apple hardware running Qubes OS (well, 4.1, at least).


I guess it all depends on the CPU, and whether the manufacturer can be bothered to continue support for it…

1 Like

What do you mean by this? Wasn’t practically all CPUs vulnerable to these two?

It seems to affect every intem and most AMD. I think these are families of harware bud they try to patch with microcode updates. But, intel only releses them for the most recent models.
As an example, thinkpads x230, x250 do not have microcode updates to patch thr latest qsb.

1 Like

Not true. Go to your dom0, type lscpu, i am sure you have a list of bugs, with some mitigatios. But, if the processor has more than a couple of years, intel will not relese fixes. in that case you will be flooded by the neverending flood of hardware bugs. The architecture is completely rotten


Is there any chance you know of any CPUs that are vulnerable and can run Qubes OS (even badly)?

I’d like to do some testing on them.

You can get USB → PS/2 adapters FYI. From what I’ve read it’s not a sure thing that your peripherals will work with them, but that trialing some to see what works and what doesn’t can land you on a workable solution in this area.

lscpu lists a couple of vulnerabilities, including Spectre and Meltdown, along side with “Mitigations.” Are the “hardware bugs” you mention, these “Vulnerability” reports of lscpu output?

Here is the list of all the intel CVEs from 2022, the same site has a tab for 2018-2021 if you want to see the older CVEs. They no longer include data for 5th gen and older CPUs.

1 Like

Screw the PS/2. This requirement is ridiculous nowadays.

I don’t think so. However, several USB controllers can be equally good (or even better).


Yes. they keep adding them. And I suspect it is a fraction of the real problemsd, because if you stop receiveing microcode updates, the vulnerabilities will not appear under lscpu output, but are there.
Read QSB-081, and check sudo cpu-microcode-info in dom0. I suspect most hardware is vulnerable tos this last problem… and they keep coming

1 Like

I think you mean it is almost impossible to achieve. Agreed.
Nevertheless it would desirable, if achieveble.
If you have several usb controllers you can reserve une for USB and keyboard, but i still think it is not ideal.

This is precisely what I mean. I think this is starting to affect the majority of qubesOS users.

this only solves the proble if you have PS/2 sockets and want to use USB keyboard. But if you do not have PS/2 interface at tme motherboard level, your only option is use USB controller for mouse AND keyboard.

I have a hub I used on my old system.

When I wanted to read a DVD last night, I plugged one of those portable DVD readers into the hub, then the hub into my current box.

Any VM I tried to assign that DVD reader into last night would instantly shut down.

Skipping the hub, and plugging the DVD reader directly into my system, it worked.

I’m still very new to this and haven’t started investigating a USB Qube (I need USB for keyboard/mouse and have one controller) but ideally I’d like to be able to have ANY USB block device automatically assigned to one particular qube (and then make it disposable), likewise printer, etc. I don’t even know yet if that’s possible.

1 Like

I think it could be somewhat scriptable on the dom0 side, and it would be really nice to have a usable UI for non-geeks. “Permanent attach” does more harm than good because USB devices ids are non-static. I have a script to do proper attachments on the Qubes start but that’s all :frowning:

And, again, I really hate the discrimination against users that have no PS/2 input devices :slight_smile:

I also feel your pain!

Which discrimination? It’s just not recommended. Actually it would probably be more reasonable to recommend many USB controllers and/or PS/2 instead.

1 Like