Thinkpad T430: Current Best Qubes Laptop?

I’ve been trying to put together what I believe to be the best laptop for the average person interested in security and QubesOS. The laptop would need the following:

• Ivybridge Generation CPU as a maximum
  This is so that Intel ME can be neutered/reduced with me_cleaner (I believe HAP bit is not enough - so no purism, and no modern gen CPUs)
• Supports heads!
  I see this as an absolute must since there is no real AEM/secure boot on qubes, leaving your device significantly more vulnerable to those with the possibility of physical access.
• Reasonable specs
  This is a lot more subjective, but some of the devices recommended here are just simply too slow for modern websites and applications. You will have trouble even running 1080p video. It would be a nightmare to get any sort of work done.

After going through these requirements, the following devices stand out to me:

• Thinkpad T430
• Thinkpad W530
• Thinkpad X230

I’ve purchased all three of these, and out of these devices, I’ve stopped using two.
X230 with an i7-3520M (16GB Ram Max) - I made sure to get one with the best possible CPU since it is not replacable, however the CPU is subjectively too slow for daily usage within QubesOS. Even websites struggle to load. I do not recommend this.
W530 with an i7-3840QM (32GB Ram Max) - The performance on this device was a lot more usable and I can actually recommend this, it worked great. However, it came with one big problem, each model of the W530 comes with an Nvidia Quadro card which is wired to the display output port. This means that heads and coreboot have lots of trouble using this. Through extensive testing/flashing of both heads and coreboot I found this to be a huge nightmare and was very finicky. If you do go this route, you will probably not be able to use an external monitor. However, it works.

This leaves me with the final device I can recommend - the T430. It is very similar to the W530 and also has a non-soldered swappable CPU, leading me to use a i7-3940XM which grants great performance. Even though it is limited to 16GB of ram instead of the W530’s 32GB, I have found its a lot more reliable. This is due to one fact alone; the laptop can come in a model without a dedicated GPU, leaving the Intel GPU for display out and allowing usage of an external monitor, and also being less of a large brick with a useless extra GPU inside.

These are my findings as I’ve researched and dealt with this subject a little more than I probably should have. If anybody has anything to critique or add that I have overlooked I would love for it to be brought to my attention.

I’ve installed i7-3940XM into my W530, overclocked to 4.1 Ghz via a coreboot patch - likewise finding performance acceptable. It was zippier on Qubes 4.0, but have to stay up to date with progress.

I’m still a fan of the x230 - it’s cheap, portable and very usable
for basic Qubes use.
I dont know what web sites you had trouble with, but most users I
support who are using x230 dont report such troubles in daily use. Heck,
I have users with x220 running 4.2 with no problems.
I’d still leave this on the table for the average person, if I knew who
that was. You need to be very clear about what requirements are, and in
what priority, before making any recommendation.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

• If you care about security, you shouldn’t be using IvyBridge. It’s EOL.
• CMSE provides security features (and a lot of them on modern laptops), don’t disable it if you care about security.
• Heads cannot actually protect you against physical tampering if an attacker has enough time to flash their firmware with a programmer: How exactly is HEADS/Pureboot secure? - All around Qubes - Qubes OS Forum (qubes-os.org)

Honestly, you are better off buying a vPRO Enterprise Dell Latitude/Precision 12th gen and above and wait for TrenchBoot to finish up their UEFI support.

Explain this “average person” interested in Qubes OS in more detail.

Interesting.

Brings up some questions:

If the X230, or other ivy bridge are EOL, and to no longer receive Intel micro-code security updates;
How many of those known possible breaches are possible with Qubes, unless someone can get their hands on the laptop itself for an extended period of time?

I am sorta asking, is the EOL such a threat, if I can keep my laptop physically secured.

And if it was taken from me at an airport - taken into the back room for several hours or several days. How am I sure it really was not tampered with, and my only option is to replace it.

Current best Laptop, What is the downside of a Lenovo T480: (choose the best screen you can get)
can have 64 GB RAM. ($$ - downside) I read the Lenovo T480 might have several different versions with different internal components. I have to ask which ones to avoid, which ones to seek?

T 480 can have vPRO. Which some say is good, and I really am not technically knowledgeable enough to dispute that. Just the thought, more firmware, seems to open more doors to being exploited. Which is why in a previous post I gave a link to recent Intel CPU -Flaws, potential exploits that Intel admits are there for more recent Intel Processors.

Tommy, How corruptible is the Trench Boot for the T480? How could this be exploited?

And Tommy, while you criticize Heads, it was the security feature for its time. My question being, how could one still find an extra step(s) to make part of the Heads process secure? Such as to boot a program from a USB key, that would create the numbers used, that would be encrypted by a PGP key. I can guess that program booted from USB could be a process a corruptible process?

Tommy, thank you for replying and bringing your experience/knowledge set to the discussion. I am a bit envious of how much you know.

Actually, I am depending on you to suggest a better option, if you were trying to add a feature to Heads.

Anyway, one of the things that one gets from Heads ROM flash on T430, gets rid of whitelist, and allows one to install a better, faster WiFi adapter. Install some other hardware.

OP:
To make the T430 even more desirable.

I should search for a T480 Modding guide? Does the T480 have a white list? If I pulled out the internal wireless adapter, would it still boot?

Another reason the T430 is valuable, is $ cost. And if one were in a country, desiring a fairly secure laptop, a T430 is hopefully available. Partially modding it up is possible. So it would seem to me as an X-230. Anyone who has a human rights problem, is likely not very well off financially. Usually not able to receive a computer from another country.

Sorry about so many edits. This post has changed a lot since I first posted.

If the X230, or other ivy bridge are EOL, and to no longer receive Intel micro-code security updates;
How many of those known possible breaches are possible with Qubes, unless someone can get their hands on the laptop itself for an extended period of time?

Lots. Xen Project Spectre / Meltdown FAQ (Jan 22 Update) - Xen Project

For stuff like Spectre and Meltdown, you need microcode updates to mitigate. These can lead to VM break outs as documented.

I am sorta asking, is the EOL such a threat, if I can keep my laptop physically secured.

It is. It’s also quite problematic Qubes certify these impossible-to-keep-secure laptops.

Current best Laptop, What is the downside of a Lenovo T480: (choose the best screen you can get)
can have 64 GB RAM. ($$ - downside) I read the Lenovo T480 might have several different versions with different internal components. I have to ask which ones to avoid, which ones to seek?

It ain’t the best laptop and it is near EOL.

T 480 can have vPRO. Which some say is good, and I really am not technically knowledgeable enough to dispute that. Just the thought, more firmware, seems to open more doors to being exploited. Which is why in a previous post I gave a link to recent Intel CPU -Flaws, potential exploits that Intel admits are there for more recent Intel Processors.

Not how it works.

Tommy, How corruptible is the Trench Boot for the T480? How could this be exploited?

I don’t know how to good TrenchBoot actually is once it is completed, but…

Trenchboot currently only supports legacy boot. UEFI support is further down the roadmap.

I got a Thinkpad T14 Gen 1 Intel (the last generation of Lenovo laptops with legacy boot) to try it out. WIth the latest build (pre-release phase 4) available by Trenchboot - it doesn’t work, there is this bug: Trenchboot AEM crashes on Lenovo Thinkpad T14 Gen 1 (Intel) · Issue #25 · TrenchBoot/trenchboot-issues (github.com). You need to wait for them to fix it.

The phase 3 stuff have their limitation listed here: Thoughts dereferenced from the scratchpad noise. | TrenchBoot Anti Evil Maid - Phase 3 (3mdeb.com)

Those builds are also quite old by right now so you shouldn’t be using them. You don’t want outdated Xen, do you?

My question being, how could one still find an extra step(s) to make part of the Heads process secure?

They need to get BootGuard working, otherwise it’s all theatre.

Tommy, thank you for replying and bringing your experience/knowledge set to the discussion. I am a bit envious of how much you know.

I know very little. I am not a firmware developer. The stuff I said are just general knowledge .

This was a sticking point for me. Downgrading Xen severly impacted my T480’s performance.

On a x230 i5, I quite concur. I also get frustrated with slow qube launches, running out of room for qubes and strange little glitches that seem to come and go with a reboot.