Will the t430 machine work perfectly with Qubes

Good morning, I hope you are doing well perhaps you might know more about me Hardware compatibility list (HCL) | Qubes OS I came across a machine called thinkpad x1 carbon gen 8

Looking to see if the function’s work I saw that it says TPM is unknown but all other features are YES
does this mean the TPM with proper BIOS support (required for [Anti Evil Maid] actually is not working meaning if lets say I got the machine that would mean only 6/7 features would work only? Is this laptop one that can disable the ME for no backdoor? maybe you know about this more then I do. or should I just get the laptop that we talked about previously t430with the upgrade CPU would it work smoothly if I want to do work a lot. Would this mean the machine ThinkPad X1 Carbon Gen 8 Is not Neutralized/Disabled Intel ME. This laptop actually the gen 5 was recommended by the qubes team from [Joanna Rutkowska

This means nobody has tested it.

AEM is for TPM 1 (or was it 1.3?) but not 2.0 which is the recent version so it is likely to not work.

On almost all Laptops you can disable it in the UEFI. But nobody can tell if this disables the backdoor. If i would plant one in it, i would make sure this does not of course.

This really depends on your budget and need. Doing much work can mean pretty much anything from video encode to web browsing.

My personal opinion is, that i will not buy a X1 Carbon ever as they solder in the RAM, so you cannot update or are at least very restricted with updating.

Would you say AEM/TPM is a must i heard it works perfectly for the t430 I should not get the x1 but the machine t430 is suitable for security from what I read thanks for helping!

I have not deployed AEM as i only have TPM 2.0 machines, so i think i am not the right one to ask. sorry :confused:

I’m not sure if this is true. This value is automatically generated when running

qubes-hcl-report -s

Here’s the piece of code for the script

if [[ $PCRS ]]
    # try tu run tcsd and: grep the logs, try get version info.
    TPM="Device present"
    TPM="Device not found"
1 Like

Disabling ME is not such simple task. If You are interested in it here is the tool for that and some info about how to use it. GitHub - corna/me_cleaner: Tool for partial deblobbing of Intel ME/TXE firmware images but If You not have any experience with flashing custom BIOS and any knowledge about ME, BIOS etc. I will not recommend that since You can easily brick your machine. If for Your threat model disabling ME is a must, think about buying some Insurgo Laptop.

If in BIOS column you have: heads, coreboot or pureboot there is big chance that this machine have ME disabled. But if this is note some special machine from Purism or Insurgo it probably means that the owner flash the BIOS himself, which as I wrote before can be not so simple task. But for ThinkPads it should be easier then for other machines. Check on this sites for compatibility with different open BIOSes:

1 Like