Hello, I want to buy a laptop for qubes os. I am stuck between choosing thinkpad t430 or w541. I will coreboot my machine and disable intel me. I will use it for programming, web surfing, watching videos, and running windows 10 vms. Which one should I buy or do you recommend another laptop?
You want the x230. Not all thinkpads are compatible with coreboot (with the help of external programmers you realize) and not all thinkpads that are will be Qubes certified.
You might take a look at HEADS BIOS also since you are starting fresh.
ME compromise is part of your threat model?
It can be CPU consuming, be aware about performance issues, if you decide to buy outdated hardware for these tasks.
Uh, to have a laptop which indicates it has not been tampered with, one could also include laptops from Nitrokey, and puri.sm (Librem).
Librem (sells from California (USA), ships wherever you want) and might be about to start selling a newer 16 inch model. Which might shake loose some used Librem 14s for a lower price. I don’t think they have Qubes Certification. Used different parts.
Not sure when Nitrokey (sales out of Europe, ships wherever) will start selling a later model laptop. https://www.nitrokey.com/
There are instructions for how to take a Lenovo X-230 or X430 and upgrade it to include all the features of the ones sold by NitroKey. It is some real dollar expense in more parts, and a lot of effort. Might be necessary if one lived in a geographic place where one could not import one from a company like Nitro Key. Or maybe was handy with repairing computers.
Insurgo has not offered to sell computers for some time, but he has a complete list of all his chosen improvements. Also he is active in the movement to improve the firmware, and (I think) porting Heads to other devices, and giving advice to others on accomplishing a secure computer. Thanks to him.
There are others around. Once saw a fellow in Hong Kong selling refurbished, upgraded. The company which manufactures the ones sold by NitroKey, sells online.
And there are some who sell computers besides laptops, Qubes certified Minis, plus some really respected manufacturers, but not always with Qubes Certification.
If you want maximum security/compatibility/power I recommend the NovaCustoms laptop which can be found on the “certified hardware” page, with Heads installed (which disables Intel ME as well), and the microphone/webcam removed.
I recommend StarLabs’ Starbook MK VI. Their website is starlabs.systems.
- They use coreboot
- Good build quality, reminds me of Apple
- Qubes compatible
- Intel ME (more accurately known as CSME) is disabled
- Entirely open source with exception of a few binary blobs (this is necessary in modern hardware)
How much? Does suspend work? How many USB Controllers are there and what are they connected to? Do wifi and bluetooth survive suspend/resume cycles?
You can check out pricing on their website. Different configurations. A fully loaded model will run you about ~$1700-1800 USD.
Comes with 3 USB ports
1 USB C port
You can check out their connectivity on their website for more info.
I have no issues using my USB devices with a usb-qube. The built in Keyboard and trackpad use ps/2 (I believe, uncertain) so they automatically work.
Suspend does work but it requires kernel 6.1 (or whatever the latest is).
WiFi survives suspend for the whole system. In some qubes (usually Fedora) WiFi doesn’t survive suspend so the individual qubes need to be restarted. This is only sometimes and based on my observations it only happens when the qube templates get updated but the appqube is left running. If there is no update, or if they are restarted to apply the template update before the suspend, then the fedora qubes WiFi survives suspend.
I don’t know about Bluetooth. I don’t use it. The laptop is compatible with it though.
Looks promising, thank you.
Can you elaborate more on USB ports, I mean are all of them connected to the same PCI device or different ones? Is wifi a PCI device or USB device? What other USB devices connected to which controller? Like bluetooth, webcam, fingerprints and etc.
It can be important, as quite often attaching a USB device to some qube does not work as well as attaching the whole PCI device with the USB controller. In this case it is great to have one USB controller connected to 1-2 USB physical ports and nothing else.
I am not sure about this question. You’ll have to contact support and ask them. I can confirm though that I have had no issues connecting various different USB devices to different qubes.
I can choose which qubes I want to individually connect the camera, microphone, USB ports, keyboards, mice, block devices, etc.
@Ursidae You can find out how many USB controllers you have by generating the HCL report. Sometimes the report shows controllers not connected to any ports (i.e. unusable), so you may need to do additional testing. In preferences of sys-usb, tab Devices, you can find out how many controllers are attached to the qube. You can split them into separate qubes and try to start/shutdown such qubes to see which devices from which actual ports appear/disappear from the system.
All USB devices on the same controller are not isolated from each other, and potentially one of them can compromise all others. The best security practice is to have one sys-usb per USB controller.
True, and another disadvantage of such a case: there is no way to pass some special USB device with the whole PCI USB controller to some qube (e.g. a special qube for this device), even temporarily.
So, having 2+ USB controllers that are actually possible to use is always a preferable option.
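For the controller testing discussed in the last few posts, the shell functions below (an added example, not part of the thread) read Linux sysfs to show which PCI USB controller each USB device hangs off and which controllers carry more than one device. The function names are hypothetical; the sketch assumes it is run in the qube that currently holds the controllers (sys-usb, or dom0 if there is no USB qube), and PCI addresses seen inside a qube can differ from dom0's numbering.

```shell
#!/bin/sh
# Added example: map USB devices to their PCI host controller via sysfs.
# The sysfs root is a parameter so the functions can run on a constructed tree.

# Print "<pci-address> <usb-device> <product>" for every USB device.
usb_by_controller() {
    sysfs="${1:-/sys}"
    for dev in "$sysfs"/bus/usb/devices/*; do
        name=${dev##*/}
        case "$name" in *:*) continue ;; esac     # skip interfaces (1-3:1.0)
        real=$(readlink -f "$dev") || continue
        hub=${real%%/usb[0-9]*}                   # path above the root hub usbN
        pci=${hub##*/}                            # last component = controller
        case "$pci" in ????:??:??.?) ;; *) continue ;; esac  # PCI BDF only
        product=$(cat "$dev/product" 2>/dev/null || echo unknown)
        printf '%s %s %s\n' "$pci" "$name" "$product"
    done | LC_ALL=C sort
}

# Number of distinct PCI USB controllers that expose a root hub.
controller_count() {
    usb_by_controller "$1" | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '
}

# Controllers with two or more attached devices (root hubs excluded):
# these devices share one controller and are not isolated from each other.
shared_controllers() {
    usb_by_controller "$1" |
        awk '$2 !~ /^usb/ { n[$1]++ } END { for (c in n) if (n[c] > 1) print c }' |
        LC_ALL=C sort
}

# Usage on a live system: usb_by_controller; controller_count; shared_controllers
```

Plugging a device into each physical port in turn and re-running `usb_by_controller` shows which ports belong to which controller, including internal devices such as a webcam or Bluetooth adapter.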