Question about Buying a used laptop

What if the BIOS was tampered with— does the Qubes installer have a way to deal with that?

And for sake of argument, if you were the target of a nation-state, couldn’t they make a tampered-with used device appear to be installing Qubes— i.e. how far can the Qubes installer be trusted?

No

1 Like

Yes, that is possible, and that is a risk associated with buying used hardware. Qubes OS cannot do much to help you if the hardware you install it on was already compromised before you even downloaded the Qubes ISO.

However, it is worth noting that modern supply-chain attacks mean that there is no guarantee that purchasing new (i.e., not used) hardware will be safe either. There have been reports of hardware tampering both at factories and en route to the user (see interdiction).

3 Likes

When computer security expert Bruce Schneier was going to receive the Snowden documents, he wanted to make sure he had a computer that would not rat out what he was doing.

He purchased a used computer from a randomly chosen computer store (they used to exist) and removed the WiFi to create an air-gapped computer.

After he read the documents, he deleted all of them, as possession of the documents then might have led to unfortunate circumstances.

Notice there is Qubes Certified Hardware at the bottom of the Qubes OS website, from Insurgo and NitroKey, which define all the ways they secure the computer to get it safely to you, and secure it against firmware intrusion.

However, if a power group, like say a government, is your adversary, you might have a problem which is more than can be fixed by just a really secure laptop. But you can make it difficult for even a power group to spy on you.

1 Like

The safest way to buy a laptop is from a private individual with cash. Random people selling their old laptop are much less likely to have the skills or want to compromise hardware than stores or professional second hand sellers.

1 Like

What about eBay? I think it is the best way to do this, and then manually install Qubes.

If you trust eBay not to work with your attackers, it’s probably fine. And not to compromise things at scale.

Hi, my policy is to read second-hand forums, and while I am traveling by car, I pull over to a parking lot, read the forums, and if the seller is within 20 km of me, I call them and arrange an immediate purchase at their house.
I pay cash and collect the computer.

Also, I prefer 45nm Core2Duo, where the management engine (www.github.com/corna/me_cleaner) can be removed completely for security-critical stuff.

Unfortunately, Qubes needs 32nm Xeon or newer.
At AMD, the 32nm Opteron of revisions A and B (not C) had no PSP (AMD's Management Engine).

So building on these Opterons is an option if you have cheap electricity and a good air conditioner.

On the other hand, running Qubes on an old laptop is not so much fun, as older CAD laptops only provide you with 4 real cores and 32GB max RAM.

So go for a used laptop based on Core2Duo or Core2Quad with 45nm, and kill the Intel ME completely!
Be sure to remove the WWAN radio card before powering up the first time at your place (Intel computer trace, and “anti theft”).
Just pull (and discard) the WWAN card after purchase to be sure.

OpenBSD is nice for old computers…

2 Likes

That’s a good idea. But sadly it is impossible to find specific configurations this way.

Thinking about it, that is as much as we can get to a librebooted PC that is compatible with Qubes (Libreboot – ASUS KGPE-D16 server/workstation board with Opteron 6200 and Nvidia GTX 780 Ti).

1 Like

Yes, KGPE-D16, I know 🙂
6200, mind the revisions!
Also, this would qualify as a rack-mounted laptop 🙂

1 Like

2nd option:
Just head for a junk yard and try to bribe some clerk who works there to give you an old PC for your kids to learn 10 finger typing.

Nobody would insert N$A-hardware at a junk yard, maybe. You just dump the computer somewhere else if you find a fishy solder joint, or you might collect 10 junk computers and install Windows XP on n-1 of them and play Quake on n-1 🙂

The Core2Duo computers were expensive in those days and are sufficient for ssh and other stupid stuff.
I don't need much computing power, as the other end of the ssh connection has it.

1 Like

That’s probably the best way to get something electronic without someone knowing who you are.

Something that is probably better to do with them than installing Windows XP is to make a cluster, but I imagine that it is cheaper to get some Pis.

AFAIK, there are no devices with Libreboot supporting Qubes (attempts: one, two). Moreover, these CPUs are vulnerable to Spectre and Meltdown, which break all Qubes security.

1 Like

Can you give a link to this? Does it apply to opteron 6200 series?

https://meltdownattack.com/

1 Like

Looks like AMD CPUs have not been affected, making it possible to have a fully libre Qubes setup.

In particular, we have verified Spectre on Intel, AMD, and ARM processors.

From here.

Also AMD CPUs are not fully libre: AMD Platform Security Processor - Wikipedia

I was reading the Wikipedia page. 🙁

The exact model I’m talking about is listed on libreboot as recommended.

BTW, should this be split in a second topic?

These 45nm machines are not intended for Qubes!
No IO-MMU.

Only Qubes 3.2 can work with 45nm Xeon processors.

Those machines are operated using openbsd.org.

And they are used bare metal, not virtualized, to do administration stuff, hold keys, etc.

So you can trust them quite well if you remove ME using me_cleaner and a flash programmer.

Dell Optiplex 965

Hi, for a cheap laptop to run Qubes I recommend the Dell m6800:
4 cores, max. 32GB RAM, relaxed 17 inch screen for the vision impaired.
The keyboard is shitty, but it is quite expandable: the DVD tray may be replaced with a 3rd party HDD adaptor, if available.
Internal PCB-SSD (m2?) supported.
Quick-swappable 2.5 inch HDD.

Displayport and some nice other interfaces.
PCIe-slot ? (Would need to grab it from the laptop pile).

Note!
Qubes 4.x runs with processors of amd64 arch with 32nm or smaller.

Opteron comes without PSP on the 2nd revision of the 32nm processor.
The 3rd revision introduced PSP (the management engine of AMD, which is less “documented” than Intel ME (corna/me_cleaner and forks)).
The 1st revision of the 32nm Opteron has many bugs.
Use Asus K9DSE? board and coreboot with Qubes (I need to build it).

Back to the topic, go for <45 nm.

Cheers

luja