What would ideal hardware for Qubes look like?

I wanted to ask about the ideal Qubes CPU, but figured this would be a good place to talk about ideal hardware specifications as well. This is related to the VM start time survey, but isn’t on-topic, so I pre-empted the mods and split the thread before I even made the post.

What I want to know is: If cost isn’t an issue, what would the ideal CPU for Qubes OS look like, in terms of technology available today or in the near future? What attributes of the CPU would, for example, lower VM start-up time, or make it more suitable for Xen workloads, all while being secure? Is there a planned or released CPU that’s closest to this ideal?

In general, what makes a computer well-suited for quickly handling VM workloads? Ultimately, I hope to have a computer that can open a Firefox dispVM at comparable times to a middling modern computer running bare-metal Windows.

Also note that people have different usages for Qubes–some want maximum security while others want to have high efficiency (speed, workflow, QoL) while retaining the core security benefits of the OS. There are also some who have more specialized uses for the OS (as a networking hub, or a research machine, or an aquarium, for example), but they are fragmented and vastly outnumbered by these two ideals.

While they don’t seem to be mututally exclusive ideals in terms of hardware, it would make sense to clearly separate the two main ideals, so people won’t end up having proxy arguments over which ideal is better. I think we should name those who want high speeds and smooth workflows, ‘hares’, and those who strive for maximum security, ‘tortoises’. I picked the animals from the fable named after them, but I’m not making assertions about which is better.

tl;dr–When posting, it’d be helpful to say if your ideals are represented by ‘tortoise’ or ‘hare’.

There are other tricks to achieve this besides raw compute performance. For example, an idea that the devs floated many years ago was to always have a disposable already started and ready to go. When the user asks for one, immediately serve that one up, then go through the slower process of starting another one to keep in reserve for the next time the user asks for one. One obvious downside of this is that the disposable in reserve is always using up some memory. Nonetheless, it’s a potential way to trade memory for (perceived, effective) performance.

I want to have super secure system that can run full screen Netflix smoothly. Maybe in few years we see such CPUs?

You can be a tortoise and still have Netflix run smoothly, IMO. It just takes longer to start up, I think. Did you have some other obstacles in mind?

Like some sort of dispVM buffer? I like it. Maybe there are some security implications from having a dispVM sit idling while you go about your digital life, but as an option it symbolizes the tortoise vs hare divide.

Yes, like not being smooth once running .

My i5-9400T doesn’t seem to have enough processing power.

Qubes is still being very resource hungry system, so I think in many respects we just need to wait for Moore’s law take care of it.

Oh I see your issue now. My i7-1065G7 can definitely handle Netflix streaming, despite my longer network chain, but I use minimal VMs exclusively and Mirage firewalls, so the overhead isn’t that heavy. In other words, what you need is out there, inexpensive (this laptop cost less than USD $1,000) and already last gen.

Related Issue. Another related issue.

I don’t know about ‘super secure’, but my machine boots with
Heads/Coreboot and uses a Nitrokey for attestation. I watch very smooth
fullscreen HD Netflix through three proxy qubes:

sys-net <-> sys-clearnet <-> sys-njalla <-> sys-vpn <-> streaming

• ThinkPad T430
• i7-3840QM
• 16 GB RAM
• 2 TB SSD
• Intel Wireless 7260
• 1080p display

You can do that for less than $1,000 yourself. Sorry if this is
annoying, but I love that machine.

my machine boots with Heads/Coreboot

did you flash the coreboot firmware yourself ?
if not mistaken, T430 doesn’t come with the coreboot BIOS.

sys-net ↔ sys-clearnet ↔ sys-njalla ↔ sys-vpn ↔ streaming

wow, 3 proxy qubes, if we use disposable whonix + tor for streaming,
can it serve the same purpose ?

I don’t understand. Just checked from various CPU benchmarks that my 6-core i5-9400T should be actually more powerful. Still I’m not happy with fullscreen HD. I can see little glitches on fast movements. I’ve tried 2 and 4 cores, no change. If I plug in my old laptop running Linux on bare iron, it is totally smooth. I’m the kinda guy who doesn’t tolerate glitches at all, it ruins my Netflix experience

Well, I always thought Qubes is a special tool, it’s not my multimedia machine, so I have the old laptop for that purpose. Still it’s so strange, it’s year 2021. I feel like playing mp3’s in the 90’s 486 machine. It barely works. But it didn’t take too many years that audio became non-issue. I think this will happen very soon also for video. The resource requirements doesn’t increase, but machines get more powerful every year.

And I don’t think this has much to do with the amount of proxy qubes, it’s about raw CPU processing power. Qubes security X11-magic takes its toll.

@newbie asked:

did you flash the coreboot firmware yourself?

Yes, following a guide that is still being worked on by @Plexus.

The first time requires to disassemble the T430 down to the motherboard,
locate the flash chips and physically connect to them with clamps while
using another computer to flash them.

This sounds a lot more scary than it is. I hope soon this guide will be
published with photos and step-by-step instructions.

After that (once you have a Heads version running), you can reflash
using Heads itself.

sys-net ↔ sys-clearnet ↔ sys-njalla ↔ sys-vpn ↔ streaming
wow, 3 proxy qubes,

lol … at least not [seven]
(Good Luck, I'm Behind 7 Proxies | Know Your Meme)

The idea here is this:

• sys-clearnet is where qubes connect for direct interet access, it’s
  what in most installs is simply called “sys-firewall”. Normally none of
  my qubes use sys-clearnet but every now an then I have to temporarily
  allow a disposable qube to go through clearnet for a specific task.

• sys-njalla is one of my VPN providers and that qube uses the Qubes OS
  firewall to make sure sys-njalla can only connect to the respective VPN
  servers and nothing else.

• sys-vpn is a second firewall qube that all my online qubes connect to.
  The main reason they don’t connect to e.g. sys-njalla is that this
  indirection allows me to change VPN providers simply be changing the
  netvm property of sys-vpn.

… sometimes the VPN is not fast enough for HD Netflix. That’s one
scenario where I might temporarily connect directly to sys-clearnet.

if we use disposable whonix + tor for streaming, can it serve the
same purpose ?

Streaming Netflix over Tor? Good luck!

I have watched some YouTube over Tor before, that was OK but depends on
the circuit you get. It’s not 100% technically correct, but you can
think of Tor as a kind of special purpose VPN with extra features.

Maybe your other hardware isn’t up to spec? Are you using an SSD or HDD, and does it run via SATA? Do you have enough RAM?

I have enough memory (32GB) and the disk is SATA SSD.

Just tried to analyze the full screen output. It’s not like choppy for real, but something is not right. It’s like 95% smooth. I don’t know how to explain it. Was just thinking that maybe the GPU does some sort of smoothing on normal OS running on iron. The appvm is not even running crazy, the chrome process is using like 50% of one core. But still I don’t like the video, there’s something wrong with it. If I look at it very far, I don’t probably see much difference, but when I see even a smallest glitch or weirdness, that’s it for me. Can’t stand it

GPU

I’m not great at troubleshooting, but a discrete GPU might be the cause of your display issues. Things that might help:

• The Nvidia Troubleshooting page

• Updating your dom0 kernel

• Editing /boot/efi/EFI/qubes/xen.cfg so the kernel variable includes or excludes i915.alpha_support=1 and/or iommu=no-igfx might help if its an iGPU, I think. (Edit: Path only works for R4.0. I have no idea where xen.cfg is on R4.1)

• Could be a mismatch between your refresh rate and your screen’s capabilities, so check to see if the two are compatible

@turkja I understand your frustration. My suspicion is that it is
somewhat related to the graphics chip and the driver implementation.

With a i7-7820HQ (HD 630 graphics) I had actually more “glitches” in
fast movements than now with i7-3840QM (HD 4000 graphics). By all means
the first should outperform the second but in this particular case, the
second performs better.

To top that off, all the respective service qubes and the streaming qube
run with 1 vcpu.

I do have a glitch every now and then in fast moving scenes or ones with
a lot of movement all over the frame. But you kind of have to look for
them. I am generally dazzled by the detail of a full HD frame on a 14"
monitor … very happy with it.

Very good catch!

This is something I’ll look into one day. Never have done that on Qubes, always just used what is available via normal updates.

For one thing, it wouldn’t have Intel ME or AMD PSP!

So one could probably choose one of those devices: Intel Management Engine - Wikipedia

Honest question: Is there an x86 vendor that’s not Intel or AMD, but has virtualization and passable performance?