Why is all the recommended hardware so outdated?

I know this is very much a beginner, possibly dumb, question, and I apologize in advance.

Both of the recommended laptops by the Qubes OS team run off of the Thinkpad x230 platform - which was released back in 2012. Why is such an outdated platform still the center of focus for this distribution? Why not pick a modern, top of the line laptop, and build in Intel ME neutering along with all the other security and privacy features? Why not optimize modern hardware to its fullest extent, instead of focusing on old hardware?

I’m genuinely curious, and not asking in bad faith. It seems a bit perplexing to me, but I know that there must be a good reason for it.

1 Like

Hi monigat,

What do you mean by outdated?

Of course there is more powerful and more modern hardware suitable for Qubes OS, but for a recommendation, a Thinkpad x230 is, I would say, perfect. You can get them on eBay for a good price and it supports coreboot. Some people can’t afford a laptop from Purism or System76 due to the high price.

The X230 is still updated by the coreboot project and Intel ME is neutralized.

1 Like

I have Qubes on a Lenovo L380, which is only a couple of years old. Intel i7 8th Gen, 512Gb SSD, and I’m maxed out at 32Gb RAM. Absolutely no complaints, and installed and runs perfectly. OK, so Coreboot is not available for the L380, but I can live with that.

> I know this is very much a beginner, possibly dumb, question, and I
> apologize in advance.
>
> Both of the recommended laptops by the Qubes OS team run off of the
> Thinkpad x230 platform - which was released back in 2012. Why is such
> an outdated platform still the center of focus for this distribution?
> Why not pick a modern, top of the line laptop, and build in Intel ME
> neutering along with all the other security and privacy features? Why
> not optimize modern hardware to its fullest extent, instead of
> focusing on old hardware?
>
> I’m genuinely curious, and not asking in bad faith. It seems a bit
> perplexing to me, but I know that there must be a good reason for it.

The main reason is probably that Qubes OS 4.0.3 is built on Xen 4.8,
which is old (current version is 4.14). Besides that, Xen is mainly built
for servers/desktops, not so much for laptops.

On top of that is the fact that there is no boot menu in UEFI, hence no
easy way to experiment with boot parameters. There is a way but it’s
complicated.

The Qubes OS documentation should state the real requirements. The best
or better said safest way is to go for a 2-3 year old laptop with at
least 4 cores and 16GB RAM (I would recommend 32GB), integrated
graphics, no USB keyboard/mouse.

Maybe Qubes OS 4.1 will run on new laptops (especially those with AMD
Ryzen CPUs with integrated graphics). But in 2-3 years the current
problem will be back.

1 Like

That makes sense, I kind of forgot Xen was mainly focused towards server hardware. I’m guessing the integrated graphics is necessary because of the abysmal support for graphics drivers, especially open source ones?

I think there’s a slight misunderstanding here. We generally avoid recommending any hardware. However, we do have a hardware certification program, and we do test hardware. On top of that, users contribute their own HCL reports.

So, when you ask, “Why is all the recommended hardware so outdated?” it sounds like you might be thinking that we only want you to use X230s, which is not true at all. We want you to use whichever hardware is best for your situation, whether it’s new or old. The fact that two certified laptops happen to be based on the X230 right now is because those vendors sought certification, and their laptops passed all the certification requirements. In other words, vendors are typically the ones who submit certification requests. The Qubes OS Project generally does not initiate things by trying to get vendors to certify particular models.

Many people are happily using Qubes on newer hardware. Now, as with many Linux distros, hardware that’s at least a few years old often has better compatibility, but sometimes even that isn’t necessary.

TL;DR: I think you might be reading too much into the certified laptops.

Now, let me try to provide brief, direct answers to your specific questions:

> Why is such an outdated platform still the center of focus for this distribution?

It’s not. Those just happen to be the ones that were submitted for (and passed) certification.

> Why not pick a modern, top of the line laptop, and build in Intel ME neutering along with all the other security and privacy features?

That would be awesome. We hope someone does that and submits it for certification!

> Why not optimize modern hardware to its fullest extent, instead of focusing on old hardware?

This is a complex topic. Some people have very specific reasons for wanting an Intel CPU from before a certain “feature” was introduced, for example. Some are more price sensitive. Some are less performance sensitive. It’s conceivable that optimizing modern hardware to its full extent turns out to require the participation of a multi-billion dollar vendor who has no interest in meeting our rigorous certification criteria, since mass market consumers don’t know and don’t care about the security rationale behind those requirements. (But hopefully not.)

4 Likes

Anti evil maid only works with Intel ME enabled, with only legacy mode.
Supporting Secure boot would significantly increase the security of QubesOS, rather than just disabling Intel ME and/or using open source firmware, which doesn’t serve a specific threat model.