Will the t430 machine work perfectly with Qubes

ioio4dio · May 11, 2022, 12:24am

Good morning, I hope you are doing well perhaps you might know more about me Hardware compatibility list (HCL) | Qubes OS I came across a machine called thinkpad x1 carbon gen 8

Looking to see if the function’s work I saw that it says TPM is unknown but all other features are YES
does this mean the TPM with proper BIOS support (required for [Anti Evil Maid] actually is not working meaning if lets say I got the machine that would mean only 6/7 features would work only? Is this laptop one that can disable the ME for no backdoor? maybe you know about this more then I do. or should I just get the laptop that we talked about previously t430with the upgrade CPU would it work smoothly if I want to do work a lot. Would this mean the machine ThinkPad X1 Carbon Gen 8 Is not Neutralized/Disabled Intel ME. This laptop actually the gen 5 was recommended by the qubes team from [Joanna Rutkowska

Suspicious_Actions · May 11, 2022, 5:32am

This means nobody has tested it.

AEM is for TPM 1 (or was it 1.3?) but not 2.0 which is the recent version so it is likely to not work.

On almost all Laptops you can disable it in the UEFI. But nobody can tell if this disables the backdoor. If i would plant one in it, i would make sure this does not of course.

This really depends on your budget and need. Doing much work can mean pretty much anything from video encode to web browsing.

My personal opinion is, that i will not buy a X1 Carbon ever as they solder in the RAM, so you cannot update or are at least very restricted with updating.

ioio4dio · May 11, 2022, 6:18am

Would you say AEM/TPM is a must i heard it works perfectly for the t430 I should not get the x1 but the machine t430 is suitable for security from what I read thanks for helping!

Suspicious_Actions · May 11, 2022, 6:18am

I have not deployed AEM as i only have TPM 2.0 machines, so i think i am not the right one to ask. sorry

enmus · May 11, 2022, 6:13pm

I’m not sure if this is true. This value is automatically generated when running

qubes-hcl-report -s

Here’s the piece of code for the script

if [[ $PCRS ]]
  then
    # try tu run tcsd and: grep the logs, try get version info.
    TPM="Device present"
  else
    TPM="Device not found"
    TPM_s="unknown"
fi

Szewcu · May 11, 2022, 6:37pm

Disabling ME is not such simple task. If You are interested in it here is the tool for that and some info about how to use it. GitHub - corna/me_cleaner: Tool for partial deblobbing of Intel ME/TXE firmware images but If You not have any experience with flashing custom BIOS and any knowledge about ME, BIOS etc. I will not recommend that since You can easily brick your machine. If for Your threat model disabling ME is a must, think about buying some Insurgo Laptop.

Szewcu · May 11, 2022, 6:52pm

If in BIOS column you have: heads, coreboot or pureboot there is big chance that this machine have ME disabled. But if this is note some special machine from Purism or Insurgo it probably means that the owner flash the BIOS himself, which as I wrote before can be not so simple task. But for ThinkPads it should be easier then for other machines. Check on this sites for compatibility with different open BIOSes:
https://coreboot.org/status/board-status.html