Short list of laptops/desktops that work well with Qubes OS

Alright, in short:

  • sys-net’s only job is to interface with the networking hardware and provide that connection to other qubes; even if you’d use Android, the part of it that would do the sys-net job would be the Linux part. So all the stuff that makes Android would simply be unused, eating up disk space and increasing the attack surface. Not much sense in that.

  • SELinux deals with protecting the Linux kernel. Side channel attacks do not need to exploit the Linux kernel to work. Not much sense in that, IN THIS CONTEXT either.

I don’t want to discourage anyone from posting, but in some situations it makes sense to actually understand what the words one uses mean. Otherwise this is more like a metaphysical conversation where everybody projects their own hopes and dreams into magical words and is then upset when others disagree. We won’t make any progress that way.

1 Like

Would the minimized requirement not also disqualify the Librem?

I know they can disable ME using HAP, but can they actually clean ME on the Librem?

3 Likes

@renehoj sounds like they do both: minimize and disable …

While finishing our first coreboot port, we have successfully neutralized (zeroed-out) a very significant portion of the Intel ME, thanks to the great work of the “me_cleaner” project. By doing so, we remove the Intel ME’s kernel, network stack, and about 90-92% of the Intel ME binary in total (this figure varies across ME versions).

I assumed the Librem 14 would be the 10th gen CPU; their documentation is about using me_cleaner on 6th gen Skylake.

I don’t think it works anymore, you can only use HAP on the new CPUs.

2 Likes

See the page dedicated to Librem 14:

No, it’s not minimized. Earlier laptop models (including mine) were neutralized as explained in your links, but not the new one.

2 Likes

As far as I know, here are laptops that still get microcode updates (6th gen and later [11]) + have coreboot:

| Laptop | CPU cores | ME | EC | Qubes suspend |
|---|---|---|---|---|
| NovaCustom NS51, NS70 | 4 x Intel 11th | ? | ? | ? |
| Purism Librem 13v4, 15v4 | 2 x Intel 7th | minimizable [12] | ? | yes - see HCL |
| Purism Librem 14 | 6 x Intel 10th | factory-disabled | FOSS [5] | yes [9] |
| Starlabs Mk VI | 4+8 x Intel 12th | ? | ? | ? |
| Starlabs Mk V | 4 x Intel 11th | factory-disabled | proprietary [7] | yes [8] |
| System76 darp8 | 4+8 x Intel 12th | ? | FOSS | no? - 12th-gen |
| System76 galp5, lemp10 | 4 x Intel 11th | user-disabled [2] | FOSS [A] | no [10] |
| System76 oryp7, lemp9 | 4-8 x Intel 10th | ? | FOSS [A] | yes? - S3 |
| System76 galp3, galp3b | 4 x Intel 8th | factory-minimized? [4] | proprietary? [A][B] | yes? - S3 |

Note: Intel 11th-gen onwards dropped support for S3 sleep, replacing it with s0ix, which is not currently working in Qubes. [1] Certain Intel 11th-gen CPUs do have working S3, though. [3]

[1] https://github.com/QubesOS/qubes-issues/issues/6411
[2] WIP: disable ME on galp5 and lemp10 · system76/firmware-open@f8c3962 · GitHub
[3] https://www.reddit.com/r/System76/comments/o19ew4/starlabs_better_than_system76_tuxedo_and_starlabs/
[4] While upstream coreboot has an option to run MECleaner on these boards, Bootguard may prevent modification. Is vendor-signed firmware ME-minimized?
[5] Librem-EC on Purism Devices – Purism
[6] Previous Models - System76 Technical Documentation
[7] Star Labs (@starlabsltd): "We appreciate the supportive feedback and we certainly are Ryker! We are looking to make this available over the next couple of months. The best suggestion we can make is to sign up to our newsletter as this will be the first place any details relating to this will be released 🙂" | nitter
[8] HCL - Star Labs MK V
[9] Hardware compatibility list (HCL) | Qubes OS
[10] https://github.com/system76/firmware-open/issues/151
[11] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/main/releasenote.md#microcode-20220510
[12] Coreboot Firmware on Purism Librem Devices – Purism
[A] System76 open boot firmware / EC list: System76 Open Firmware Models - System76 Support
[B] System76 ec boards: ec/src/board/system76 at 60dfb62f90e039c9aa73eb15d71a56b4d00a02d5 · system76/ec · GitHub

6 Likes

Is there any reason why this model couldn’t become at least a candidate for a recommended laptop that works well with Qubes (check under “System Management”)?

https://www.dell.com/en-us/work/shop/dell-laptops-and-notebooks/latitude-5530-laptop/spd/latitude-15-5530-laptop

@enmus:

Is there any reason why this model couldn’t become at least a candidate for a recommended laptop that works well with Qubes (check under “System Management”)?

It’s all documented:

So let’s look:

  1. there is not a single HCL report for this machine
  2. it runs Alder Lake (12th gen) … there are only 4 HCL reports for this generation, 2 of which show issues

So the only way this machine would be a candidate is if at least two community members buy it and submit HCL reports confirming that “Qubes OS installs without any workarounds” and “Graphics, networking, audio & suspend work without troubleshooting” … which frankly is extremely unlikely (especially the suspend part). Alder Lake is just too new.

3 Likes

Thanks for elaborating. I wasn’t specific enough. I meant something more like - potentially promising

Soo, I asked this question several times and got no answer: what is the recommended hardware if I want to get the most smooth experience on a 5k2k monitor?

I do not care much about firmware blobs or disabling Intel ME, I just want a desktop that would not be a disappointment.

I already asked for some more precise recommendations or just personal experiences in multiple places but all answers I got were vague at best.

Would intel native video be the best or are there better video cards? Are there issues with latest generations? No idea.

At least I hoped someone would say “it is my config and it works truly great!” but there was not a single answer like that even.

My current desktop is nuc10i7 and it is definitely not a performance monster. I have a strong feeling that if I upgrade my “4x1.5k” ultrawide to true 5k2k, it would suck, if it would handle this resolution at all which I am still unsure and no one confirms so far.

I’d like to have this one, without asking anyone anything.

How I see it, it’s mostly about CPU when it comes to Qubes. And i7-12800HX looks like a beast for a fair price.

1 Like

I’d disagree. Yes, the CPU must support VT-d/IOMMU, but also:

  • is mouse/touchpad on PS/2 or USB? …keyboard?
  • how many USB controllers?
  • integrated or discrete graphics?
  • what WiFi chip?
  • what Ethernet chip?
  • can the memory be upgraded?
  • how well is that motherboard supported on Linux in general?

… your CPU could be perfect and you might still not be able to install/use Qubes OS. I know you didn’t ask but then again others might see your post as a recommendation of sorts.
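Several items on the checklist above (USB controller count, graphics, Wi-Fi and Ethernet chips) can be read from `lspci -nn` on any running Linux system, such as a live USB. The following is an added example, not part of the original post: the function names and the sample device lines are constructed, and the class codes are the standard PCI ones (0c03 USB, 0300 VGA, 0280 other network, 0200 Ethernet).

```shell
#!/bin/sh
# Added example: answer part of the hardware checklist from `lspci -nn` output.
# SAMPLE is constructed for illustration; it is not from a real machine.
SAMPLE='00:02.0 VGA compatible controller [0300]: Example iGPU [1234:0001]
00:14.0 USB controller [0c03]: Example xHCI Host Controller [1234:0002]
00:14.3 Network controller [0280]: Example Wi-Fi Adapter [1234:0003]
00:1f.6 Ethernet controller [0200]: Example Gigabit NIC [1234:0004]
2d:00.0 USB controller [0c03]: Example Add-in xHCI Controller [1234:0005]'

# list_class CLASS: read `lspci -nn` text on stdin and print the lines whose
# PCI class code (the first "[hhhh]:" on the line) equals CLASS.
list_class() {
    awk -v cls="$1" '
        match($0, /\[[0-9a-f][0-9a-f][0-9a-f][0-9a-f]\]:/) &&
        substr($0, RSTART + 1, 4) == cls { print }'
}

# count_class CLASS: number of devices of that class on stdin.
count_class() {
    list_class "$1" | wc -l | tr -d ' '
}

# pci_summary: one line per checklist item, with device counts.
pci_summary() {
    input=$(cat)
    for item in "0c03 USB-controllers" "0300 VGA-graphics" \
                "0280 Wi-Fi/other-network" "0200 Ethernet"; do
        set -- $item
        printf '%s: %s\n' "$2" "$(printf '%s\n' "$input" | count_class "$1")"
    done
}

# On a running Linux system: lspci -nn | pci_summary
printf '%s\n' "$SAMPLE" | pci_summary
```

Whether the keyboard and touchpad sit on PS/2 or USB is not visible in this output and has to be checked separately.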

It’s (almost) all there on that HP link, customizable. It’s not about VT-d/IOMMU, almost every modern CPU supports it today, it’s about

I just tried to answer the question.

2 Likes

I see, sorry for missing the context @enmus.

1 Like

Oh, I see now where it came from. I didn’t reply directly to @arkenoi’s post, nor did I quote him. Good you posted to make it clear for all, actually!

4 posts were merged into an existing topic: Lenovo ThinkPad T480

If that phrase is meant to be heard with a southern USA accent, I don’t find it offensive. Calling people MAC users, well, that’s another matter…

Is there any way to determine how many USB controllers a ThinkPad has before buying it? I looked at PSREF but can’t find it specified.

I will very soon have two low/middle-range ThinkPads with an Intel 12th-gen CPU (i5-1235U) and integrated Intel video:

  • Lenovo ThinkPad E15 Gen 4
  • Lenovo ThinkPad L15 Gen 3

According to my knowledge and HCL reports, I have high expectations of making everything work properly on Qubes OS R4.1.1, maybe except for video artifacts on the LVM password screen (irrelevant). Another downside I unfortunately expect is only one USB controller (like in the Librem), but it’s not yet known.

If I am able to make everything work, I hope one or both of these will be added to the recommended list, because these Intel 12th-gen CPUs with 10 cores are ~5-7 times FASTER than almost every current option on the list of recommended and certified laptops. Almost all of the currently recommended devices are so outdated that they cannot reliably play ordinary 1080p video from YouTube (VP9 codec), and that’s unacceptable for many people. I hope these new laptops will be able to play YouTube 1080p@60fps even at 2x speed with no issues.

I am asking the community to help me with the testing of these two devices. I have a list of what I would check (like qvm-pci -vv, YouTube playback, etc.), but you may share yours if it’s important for you.

Another important thing: I have never installed Qubes OS on a USB drive. I’m not sure that the buggy Qubes OS installer, which I had many problems with before, is not going to mess with the EFI and other partitions of the existing OS on the SSD. Any information on that? I’m planning to return one of these two devices and would prefer to return it in the original state without ever booting into Windows.

I hope this work will help me and the community to have 1-2 good options in case they need a modern CPU for their Qubes OS.

2 Likes

Hi there,

We are working together with the Qubes OS team to realise full compatibility and certification for our Alder Lake devices! We will have to change our Dasharo coreboot firmware to S3 suspend mode which our team is developing as we speak. Hopefully, no major problems will appear and we are hoping for a quick release (within like 8 - 9 weeks from now). Moreover, the Dasharo open-source community found a way to HAP disable Intel ME on our devices 🙂. We just have to make sure that the system is stable when using this method of cutting down ME.

Also, we use open source EC firmware.

Stay tuned, I’d say. 😄

8 Likes