Would the minimized requirement not also disqualify the Librem?
I know they can disable ME using HAP, but can they actually clean ME on the Librem?
3 Likes
@renehoj sounds like they do both: minimize and disable ā¦
While finishing our first coreboot port, we have successfully neutralized (zeroed-out) a very significant portion of the Intel ME, thanks to the great work of the āme_cleanerā project. By doing so, we remove the Intel MEās kernel, network stack, and about 90-92% of the Intel ME binary in total (this figure varies across ME versions).
I assumed the Librem 14 would be the 10th gen CPU, their documentation is about using me_cleaner on 6th gen skylake.
I donāt think it works anymore, you can only use HAP on the new CPUs.
2 Likes
See the page dedicated to Librem 14:
No, itās not minimized. Earlier laptop models (including mine) were neutralized as explained in your ilnks, but not the new one.
2 Likes
As far as I know, here are laptops that still get microcode updates (6th gen and later [11]) + have coreboot:
| Laptop | CPU cores | ME | EC | Qubes suspend |
|---|---|---|---|---|
| NovaCustom NS51, NS70 | 4 x Intel 11th | ? | ? | ? |
| Purism Librem 13v4, 15v4 | 2 x Intel 7th | minimizable [12] | ? | yes - see HCL |
| Purism Librem 14 | 6 x Intel 10th | factory-disabled | FOSS [5] | yes [9] |
| Starlabs Mk VI | 4+8 x Intel 12th | ? | ? | ? |
| Starlabs Mk V | 4 x Intel 11th | factory-disabled | proprietary [7] | yes [8] |
| System76 darp8 | 4+8 x Intel 12th | ? | FOSS | no? - 12th-gen |
| System76 galp5, lemp10 | 4 x Intel 11th | user-disabled [2] | FOSS [A] | no [10] |
| System76 oryp7, lemp9 | 4-8 x Intel 10th | ? | FOSS [A] | yes? - S3 |
| System76 galp3, galp3b | 4 x Intel 8th | factory-minimized? [4] | proprietary? [A][B] | yes? - S3 |
Note: Intel 11th-gen onwards dropped support for S3 sleep, replacing it with s0ix, which is not currently working in qubes.[1] Though certain Intel 11th-gen CPUs have working S3.[3]
[1]https://github.com/QubesOS/qubes-issues/issues/6411
[2]WIP: disable ME on galp5 and lemp10 Ā· system76/firmware-open@f8c3962 Ā· GitHub
[3]https://www.reddit.com/r/System76/comments/o19ew4/starlabs_better_than_system76_tuxedo_and_starlabs/
[4]while upstream coreboot has option to run MECleaner on these boards, Bootguard may prevent modification. Is vendor-signed firmware, ME-minimized?
[5]Librem-EC on Purism Devices ā Purism
[6]Previous Models - System76 Technical Documentation
[7]Star Labs (@starlabsltd): "We appreciate the supportive feedback and we certainly are Ryker! We are looking to make this available over the next couple of months. The best suggestion we can make is to sign up to our newsletter as this will be the first place any details relating to this will be released š"|nitter
[8]HCL - Star Labs MK V
[9]Hardware compatibility list (HCL) | Qubes OS
[10]https://github.com/system76/firmware-open/issues/151
[11]https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/main/releasenote.md#microcode-20220510
[12]Coreboot Firmware on Purism Librem Devices ā Purism
[A]System76 open boot firmware / EC list: System76 Open Firmware Models - System76 Support
[B]System76 ec boards: ec/src/board/system76 at 60dfb62f90e039c9aa73eb15d71a56b4d00a02d5 Ā· system76/ec Ā· GitHub
4 Likes
Is there any reason why this model couldnāt become at least a candidate for a recommended laptop that works well with Qubes (check under āSystem Managementā)?
Is there any reason why this model couldnāt become at least a candidate for a recommended laptop that works well with Qubes (check under āSystem Managementā)?
Itās all documented:
So letās look:
- there is not a single HCL report for this machine
- it runs Alder Lake (12th gen) ā¦ there are only 4 HCL reports for this generation, 2 of which show issues
So the only way this machine would be a candidate is if at least two community members buy it and submit HCL reports confirming that āQubes OS installs without any workaroundsā and āGraphics, networking, audio & suspend work without troubleshootingā ā¦ which frankly is extremely unlikely (especially the suspend part). Alder Lake is just too new.
3 Likes
Thanks for elaborating. I wasnāt specific enough. I meant something more like - potentially promising
Soo, I asked this question several times and got no answer: what is the recommended hardware if I want to get the most smooth experience on a 5k2k monitor?
I do not care much about firmware blobs or disabling Intel ME, I just want a desktop that would not be a disappointment.
I already asked for some more precise recommendations or just personal experiences in multiple places but all answers I got were vague at best.
Would intel native video be the best or are there better video cards? Are there issues with latest generations? No idea.
At least i hoped someone would say āit is my config and it works truly great!ā but there was not a single answer like that even.
My current desktop is nuc10i7 and it is definitely not a performance monster. I have a strong feeling that if I upgrade my ā4x1.5kā ultrawide to true 5k2k, it would suck, if it would handle this resolution at all which I am still unsure and no one confirms so far.
Iād like to have this one, without asking anyone anything.
How I see it, itās mostly about CPU when it comes to Qubes. And i7-12800HX looks like a beast for a fair price.
1 Like
Iād disagree. Yes the CPU must support Vt-d/IOMMU, but also:
- is mouse/touchpad on PS/2 or USB? ā¦keyboard?
- how many USB controllers?
- integrated or discrete graphics?
- what WiFi chip?
- what Ethernet chip?
- can the memory be upgraded?
- how well is that motherboard supported on Linux in general?
ā¦ your CPU could be perfect and you might still not be able to install/use Qubes OS. I know you didnāt ask but then again others might see your post as a recommendation of sorts.
Itās (almost) all there on that hp link, customizable. Itās not about Vt-d/IOMMU, almost every modern CPU supports it today, itās about
I just tried to answer the question.
2 Likes
Oh, I see now where it came from. I didnāt reply directly to @arkenoiās post, nor I quoted him. Good you posted to make it clear for all, actually!
If that phrase is meant to be heard with a southern USA accent, I donāt find it offensive. Calling people MAC users, well, thatās another matterā¦
Is any way to determine how many usb controllers a Thinkpad has before buying it ? I looked at PSREF canāt find it specified
I very soon will be having two low/middle-range Thinkpads with Intel 12gen CPU (i5-1235U) and integrated Intel video:
- Lenovo ThinkPad E15 Gen 4
- Lenovo ThinkPad L15 Gen 3
According to my knowledge and HCL reports I have high expectations of making everything work properly on Qubes OS R4.1.1. Maybe except video artifacts on LVM password screen (irrelevant). Another downside I unfortunately expect - only one USB controller (like in Librem), but itās not yet known.
If I am able to make everything work, I hope one of these or both will be added to recommended list. Because these Intel 12Gen-CPU with 10 cores is ~5-7 times FASTER than almost every current option from the list of recommended and certified laptops. Almost all of currently recommended devices are so outdated that are not allowing to play usual 1080p reliably from a youtube (vp9 codec), and itās unacceptable for many people. I hope these new laptops will provide ability to play Youtube 1080p@60fps even at 2x speed with no issues.
I am asking the community to help me with this testing of these to devices. I have a list what I would check (like qvm-pci -vv, youtube playback and etc) but you may share yours if itās important for you.
Another important thing - I have never installed Qubes OS on a USB drive. Iām not sure that buggy Qubes OS installer, that I had many problems before, is not going to mess with EFI and other partitions of existing OS on SSD. Any information on that? Because Iām planning to return one of these two devices and would prefer to return it in the original state without ever booting to Windows.
I hope this work will help me and community to have 1-2 of good options in case they need modern CPU for their Qubes OS.
2 Likes
Hi there,
We are working together with the Qubes OS team to realise full compatibility and certification for our Alder Lake devices! We will have to change our Dasharo coreboot firmware to S3 suspend mode which our team is developing as we speak. Hopefully, no major problems will appear and we are hoping for a quick release (within like 8 - 9 weeks from now). Moreover, the Dasharo open-source community found a way to HAP disable Intel ME on our devices 
. We just have to make sure that the system is stable when using this method of cutting down ME.
Also, we use open source EC firmware.
Stay tuned, Iād say. 
8 Likes
JFYI, NUC11 works flawlessly. Unlike NUC10 before, no tweaks required.
3 Likes