Sure, that’s a good argument. For most of us who don’t need to worry about state level actors and supply chain interdiction it is more likely that the previous owner didn’t take precautions with the device and it has picked up some persistent firmware level malware from e.g. bad USB?
Looks like a question for a separate thread.
I think that showing the year of hardware release would be much more helpful for all (especially inexperienced) users, as suggested in this table. The specific CPU model can always be seen in the specific laptop threads.
year of hardware release
What is useful about it? How is this MORE useful than listing the CPUs?
I’m curious to see if it will ever grow beyond the X230 and T430 without changing the criteria.
1 Like
W530 AFAIK meets criteria, (and AFAIK you can get Heads onto W530 ‘relatively’ easily - see: https://github.com/osresearch/heads/issues/616). I’ve not abandoned the thread, I’ve just been busy & since I created it I’ve also gone down some rabbit holes of firmware - and learnt alot about the existing models (see the thread for some cool X230 hacks).
For upto Intel ME 11.x (that’s intel-core gen 7/8), there are more coreboot options (and will open-up to a 64GB RAM laptop for the list). It’s currently in discussion to change the requirements. so anybody is welcome to add to the discussion - all feedback is welcome.
EDIT:
W530 added to list @Sven
W530
Unfortunately we only have a single HCL report from 2014 for the W530 and it’s for R2rc1.
If anyone is actually using a W530 with Qubes OS R4.x it would be greatly appreciated if they could send in fresh HCL reports.
It would be quite sweet as it allows for 32 GB on the quad-core CPUs.
2 Likes
Let us imagine that a non-technical user looks at the list of recommended laptops. The list says gibberish things like i7-3840QM, i7-10710U, i5-7200U etc. (Ok, maybe the user can guess that i7 is better than i5, but I’m not sure.) The corresponding links say even more unclear stuff. Only maybe the number of cores and CPU frequency are somewhat understandable. But aren’t all relevant things are just strictly better for newer CPUs?
The list says gibberish things like i7-3840QM, i7-10710U, i5-7200U
With the exception of the Librem laptops, I believe all the other models come in multiple variants with different CPU. Some of those variants won’t work with Qubes OS. So in order for the list to be useful, we need to call out the model+CPU as a basic identification of which computer is verified by the community.
But aren’t /all/ relevant things are just strictly better for newer CPUs?
It appears to me that your perspective of the list is, that the typical user will look at it and quickly try to identify the fastest/newest/“best” option and then attempt to purchase it. This would be reasonable, if all Qubes OS users would live in places and situations that allow them to get their hands on pretty much any of the computers listed.
I believe that perspective might be better served by this thread, while at least my understanding of the “community-recommended list” is meant to be helpful to a global audience of non-technical Qubes OS users.
The most important information is the list itself: these computers will install Qubes OS without issue. In a next step the user then checks the availability of each of these computers in their region and within their budget. For the vast majority of people on this planet including journalists, activists and people living in oppressive regimes that will narrow it to very few options. Neither the Librem nor a recently released high-end ThinkPad is likely to be one of them.
Thank you for this reminder.
As to whether “/all/ relevant things are just better for newer CPUS”,
this depends on what better means to you, and what you count as
relevant. Obviously.
If price is relevant, no.
In many situations, if anonymity is relevant, no.
1 Like
Lenovo ThinkPad T470s with core i7, is working great too
Is getting one of the certified hardware laptops (eg Nitropad) with Qubes pre-installed ok?
I’ve heard a few people say it’s better to install a clean version of the OS yourself for maximum safety?
Is getting one of the certified hardware laptops (eg Nitropad) with Qubes pre-installed ok?
The Qubes OS Project certifies only that a particular hardware configuration is supported by Qubes OS and is available to purchase with Qubes OS preinstalled. We take no responsibility for any vendor’s manufacturing, shipping, payment, or other practices; nor can we control whether physical hardware is modified (whether maliciously or otherwise) en route to the user.
I’ve heard a few people say it’s better to install a clean version of the OS yourself for maximum safety?
You can do that. You can even build your own heads version and flash it (with hardware clips if you want to be really sure). At that point however you could just as well buy a used X230 or T430 and perform all the work yourself.
The certified laptops are meant for people who are not able to do this themselves (time, skills etc.).
As I don’t find them in the list, I found the notebooks from Schenker/XMG very suitable!
SCHENKER Laptops & Desktops - individual like you and XMG | The fastest gaming laptops & desktop PCs.
One can at least tweak some components as they have some kind of modular concept. Moreover, are their notebooks manufactured in Germany and their service is great too!
In my experience they work very well with Qubes OS!
First of all does it perfectly support its hardware requirements so that if you follow the standard installation procedure everything usually works out-of-the-box even “suspend” and every single 4.1 release candidate ran through without any issue at all. 
BIOS settings for Intel ME are also great as they allow to easily import xen and grub efi’s - if one want to trust Intel ME to secure your boot chain of cause… 
@Sven Somehow I was convinced that sleep must work reliably in order to say that a computer “just works”. Do you disagree? You also wrote yourself earlier:
I don’t see it mentioned in the table for p51.
In my opinion, working sleep must be among the criteria to include in this list, especially given that Qubes OS does not have hibernation. If the machine doesn’t wake up from sleep, the standard system menu misleadingly suggests to users to loose all their data unless it’s saved beforehand.
We should go through the list and mark/mention when sleep doesn’t work for any particular machine. I am not sure I’ll get to it before the weekend, so if you want to take a stab at it…
If the user is aware that sleep doesn’t work, it won’t hinder the use of Qubes OS in any way. I’ve been using both a DELL and the Lenovo P51 without sleep for years. Sleep is a minor convenience that comes with a pretty big impact on security (in the wrong direction). So I would not support any notion to consider it “critical” or part of the “just works” criteria.
The T430 has reliable sleep/wake.
It strongly depends on your threat model. The main goal of Qubes AFAIK is to protect you from online and USB threats, and it does it very well. If you also care about physical access of you machine, you open a huge can of worms, which is likely unimportant for most users. I am not sure Qubes protects from it as strongly. Having suspend doesn’t prevent you from switching off your machine whenever you feel a threat. Most people work from home now btw.
Suspend saves a lot of time for me every single day: I do not need to open a ton of documents, windows and browsers anew and put them at the right places on the screens and virtual desktops. I wish Qubes had hibernate instead, but it seems like a big work (and not good for SSDs).
I’ll try to add as much as I can, although I disagree that such machines should be in the list.