Short list of laptops/desktops that work well with Qubes OS

Hello @balko ,

I just saw your comment on one of the laptops we offer.

@Sven thank you for already pointing to some of the points I am mentioning here again. To you, I would like to let you know that the NV41 Series has the ability to disable Intel ME by using the HAP disabling method. It’s a UEFI firmware option.

I do not have the certified NovaCustom NV41 Series laptop, but to my opinion currently it looks a bit shady.

We are not a brand that is as big as Lenovo, unfortunately. This is why less information might be available. Still there are some important things to consider.

Despite the fact that the NV41 Series being the most sold Series of NovaCustom, there are not so many reviews about this device. This is mainly because we had a technical issue with our review system for months, which has been solved now. The NV41 Series has been reviewed at least twice:

NV41 Series 14 inch coreboot laptop - NovaCustom → tab review
Trisquel 11 on NV41PZ: First impressions – Simon Josefsson's blog

The fact that there are so few issue reports of this laptop series is rather a good thing. This isn’t a surprise, as the laptop is Qubes OS certified, meaning that the firmware is being tested with Qubes OS before every new firmware update. Likewise, each new Qubes OS version is tested by Qubes OS main developers on the laptop before a new version of this operating system is released.

You can find more details about the laptop on the Specifications tab of the first link. For example, the laptop supports S3. If you are missing any important info, I would be happy to answer your questions. You can also point me to unanswered questions if you would like.

I’m not sure if our keyboard and touchpad are initialised as PS/2 device. If anyone knows how I can check this, I would be glad to know it. Same for the USB controller and the WiFi card: I would be glad to know what output you need.

We are working on Heads integration. I suggest to join the Dasharo Users Group (DUG) online, or to visit or follow the Qubes OS Summit in Berlin in the weekend of the 7th of October this year.

What I and probably other possible buyers would be interested in:

1. What USB Controllers connected to. The HCL says it has 3 of them, but by itself it does not mean a lot (based on Thinkpad situation). Can you please provide information about what USB devices are shown in Qubes OS (run qvm-usb) and what exactly 3 USB controllers are connected to, including the physical USB ports on the laptop.
   E.g. something like:

• USB Controller 1: two physical USB 3.0 on the left side, one type-C on the right.
• USB Controller 2: keyboard and touchpad.
• USB Controller 3: nothing.

2. About keyboard and touchpad connection as PS/2, PCI or something else non-USB. it is kind of important.
   You can check it by running Qubes OS with sys-usb that manages all USB-controllers. When you shutdown sys-usb what happens with keyboard input or touchpad, how are they affected? Do they still work, do they freezes during shutdown process (it may happen in case it is passed back to dom0). Maybe, @Sven can provide more easy-to-understand explanation of what I am trying to ask.

3. The HCL table is missing information about TPM in your laptop, it will be better to fill it, too.

Thank you for supporting FLOSS and and all.

I just note, that the questions about laptop specs were once again ignored by NovoCustom representative.

Not ignored, just didn’t have the time to gather the needed information until now. Why not just asking what is the status @balko? Or tag me so that I get a notification .

1. Running qvm-usb only returns sys-usb:2-10 8087_0026.

2. I’m not sure what exactly you would need to find it out, but according to the following output of the command cat /proc/bus/input/devices, I believe the keyboard is not USB based.

input-devices.log (4.0 KB)

3. About TPM: the laptop supports TPM 2.0 only, which isn’t supported by the current Qubes OS release, but seems to be introduced for the next version: https://github.com/QubesOS/qubes-core-admin/blob/main/qvm-tools/qubes-hcl-report#L252

@novacustom
Well, I expected you would acknowledge the questions somehow, like “Thank you, I will gather information and reply you later”. I will tag you explicitly in messages addressed to you, if it is more convenient to you.

About your reply, I am afraid you did not completely understand what I was asking about in the first two questions. In case of the first second, of course you should populate all the USB slots to understand which is which (at least it is a simple way to find out). About the second question, I explained what can be done to check if the touchpad and keyboard connection is not USB, I am not sure that cat /proc/bus/input/devices can tell it reliably (note that you did not mentioned where you run it, dom0? sys-usb?)

If you are new to Qubes OS, then maybe somebody from the Team who is responsible for testing certified hardware can answer questions about the situation with USB controllers and USB devices?
Or maybe there is an advanced Qubes OS user of this laptop on forum that can help to do it? Let me know.

@balko
Thank you for your reply and for tagging me, it’s more convenient indeed.

The commands were executed in dom0.

There are 2 x USB 3.2 Gen. 1 port (Type A) ports, 1 x USB 3.2 Gen. 2 port (Type C) with Thunderbolt™ 4 support and charging over USB-C and Display Alt Mode (up to two external displays via USB-C) as well as another 1 x USB 3.2 Gen. 2 port (Type C). The command qvm-usb returned sys-usb:2-10 8087_0026. I’m not sure if this controller is responsible for all USB ports. I don’t know how to find that out. So if you or anyone could assist me with that, I would be glad.

Of course I can populate all the USB slots, but I don’t know what conclusion you can make by doing so - what output is expected, etc.

As you see, my Qubes OS knowledge is limited, indeed. I can follow up instructions, but I don’t use Qubes OS as my daily driver, so I’m not very familiar with its environment and commands.

We outsource the realisation of the firmware and the certification. So any effort will have to be paid for and will come off development time, which is why we are cautious with this. So it would be my preference if someone could give me instructions on what exactly to run where to make certain conclusions.

Thank you for understanding.

According to their current product page the Librem 14 “With an Intel processor you get years of coreboot development and a disabled Intel Management engine.”

So either they are falsely advertising, or they have implemented it since your post?

I think purism’s use of the term “disabled” may be quite different than
minimized and “neutralized”. If I understand correctly the Comet Lake
based Librem 14 you linked to is “disabled” via the soft-disable bit
whereas @fsflover earlier model was “neutralized”; to use purism
terminology.

c0d3z3r0’s open issue #340 ME cleaner still working for newer
platforms in the me_cleaner github appears to give more technical details.

To be totally honest I’m not sure what method purism is using on the
Librem 14 you linked to @ubersecure. Maybe there is minimal
minimization, maybe it’s just that they’re flipping the soft-disable
bit and calling that disabled.

I’d guess purism is playing semantic games, but hope I’m wrong. If you
or someone knows for sure, I hope they’ll chime in. Wish I knew more.
Best regards…

I think this is accurate:

So now I have a newer ME (version 11.0.18.1002) that is disabled thanks to the HAP bit

They invented simple words “disabled” and “neutralized” and stick to them. What’s wrong with that? IMO it makes it easier for the public to understand compared with “HAP bit”.

6 posts were merged into an existing topic: Discussion on Purism

Is there an exhaustive list of devices that are used by CI for Qubes OS development? It’s natural to assume that these devices has continuous compatibility assurance, and are frequently tested against updates that has yet made their way into stable repo, so update-introduced instability is likely to be ruled out, thus may act as a list of recommended devices that should work well with Qubes OS.

The certified machines.

The certified machines.

The certified machines, yeah, they are regularly tested. However I believe that CI workers include but not limited to certified machines. For example, worker 9001 Qubes OS openQA: Worker hal9001:1 can be identified as HP ProBook 445 G7/8730 through its journal, but that machine is not certified.

My purpose here is to extend the list of recommended laptops / dekstops, and openQA workers are a great addition to the list.