I'm looking for a new PC/Laptop to run Qubes OS with mature/good hardware security instead of worrying about things like Intel ME. The PC/Laptop should at least have:

  • New CPU (intel 10th generation or above)
  • TME support (vPro CPUs)
  • Proper BootGuard setup (not Librem or Thinkpad)
  • Intel TXT and TPM (2.0)

Nice to have:

  • Mature open source firmware. (I'm not interested in using open source firmware just for the sake of it.)
    Things like System76 that don't support Secure Boot aren't appropriate either.
  • Secure Core Certification. (In case I decide to use Windows later on.)

In case you have any suggestion that is out of scope of what I've said, I'm happy to hear that.
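The four hardware requirements above (Boot Guard actually enforcing, TME active, TPM 2.0 present) can be checked on a candidate machine from Linux rather than taken from a spec sheet. The script below is an added example, not part of this thread; it reads two MSRs through the `msr` kernel module and decodes them. The bit layouts are taken from my reading of coreboot's intelblocks/msr.h (BOOT_GUARD_SACM_INFO, 0x13A) and Linux's arch/x86/kernel/cpu/intel.c (IA32_TME_ACTIVATE, 0x982); treat them, and the "bit 32 = Boot Guard capable" reading in particular, as assumptions to confirm against Intel documentation before relying on them. The sample values in the test are constructed, not captured from real hardware.

```python
"""Decode BOOT_GUARD_SACM_INFO (0x13A) and IA32_TME_ACTIVATE (0x982).

Added example, not from the thread. Needs root and `modprobe msr`.
Bit positions are assumptions based on coreboot's intelblocks/msr.h and
Linux's intel.c; verify them against Intel's documentation.
"""
import struct
import sys

MSR_BOOT_GUARD_SACM_INFO = 0x13A
MSR_IA32_TME_ACTIVATE = 0x982

# TPM type field, bits 1-2 of BOOT_GUARD_SACM_INFO (coreboot V_TPM_PRESENT_*)
_TPM_TYPE = {0: "none", 1: "dTPM 1.2", 2: "dTPM 2.0", 3: "PTT (fTPM)"}


def read_msr(index: int, cpu: int = 0) -> int:
    """Read a 64-bit MSR; the msr driver uses the file offset as the MSR index."""
    with open(f"/dev/cpu/{cpu}/msr", "rb", buffering=0) as f:
        f.seek(index)
        return struct.unpack("<Q", f.read(8))[0]


def decode_boot_guard(value: int) -> dict:
    """Return the Boot Guard state reported by the ACM in BOOT_GUARD_SACM_INFO."""
    verified = bool(value & (1 << 6))   # Verified Boot profile active
    measured = bool(value & (1 << 5))   # Measured Boot profile active
    revoked = bool(value & (1 << 7))    # ACM/key revoked
    return {
        "nem_enabled": bool(value & (1 << 0)),      # cache-as-RAM set up by ACM
        "tpm_type": _TPM_TYPE[(value >> 1) & 0x3],
        "tpm_success": bool(value & (1 << 3)),      # ACM could talk to the TPM
        "force_anchor": bool(value & (1 << 4)),     # FACB: anchor cover boot forced
        "measured_boot": measured,
        "verified_boot": verified,
        "revoked": revoked,
        "capable": bool(value & (1 << 32)),         # assumption: bit 32 = Boot Guard capable
        # The property the OP asks for: verified boot enforced, nothing revoked.
        "enforcing": verified and not revoked,
    }


def decode_tme(value: int) -> dict:
    """Return the Total Memory Encryption state in IA32_TME_ACTIVATE."""
    return {
        "locked": bool(value & 0x1),        # BIOS locked the MSR
        "enabled": bool(value & 0x2),       # TME encryption engine on
        "policy": (value >> 4) & 0xF,       # 0 = AES-XTS-128 in Linux's decoder
        "keyid_bits": (value >> 32) & 0xF,  # MKTME key-ID bits; 0 on plain TME
    }


def summarize(boot_guard: int, tme: int) -> dict:
    """One-line verdict for the two requirements that the MSRs can answer."""
    bg = decode_boot_guard(boot_guard)
    tm = decode_tme(tme)
    return {
        "boot_guard_verified_boot": bg["enforcing"],
        "tpm": bg["tpm_type"],
        "tme_active": tm["enabled"] and tm["locked"],
    }


if __name__ == "__main__":
    try:
        bg_raw = read_msr(MSR_BOOT_GUARD_SACM_INFO)
        tme_raw = read_msr(MSR_IA32_TME_ACTIVATE)
    except OSError as err:
        sys.exit(f"cannot read MSRs ({err}); run as root after `modprobe msr`")
    print(f"BOOT_GUARD_SACM_INFO = {bg_raw:#018x}", decode_boot_guard(bg_raw))
    print(f"IA32_TME_ACTIVATE    = {tme_raw:#018x}", decode_tme(tme_raw))
    print("summary:", summarize(bg_raw, tme_raw))
```

A machine where Boot Guard is not fused will typically show `verified_boot` and `measured_boot` clear even though a TPM is present; that is the difference between "has a TPM 2.0" and "proper Boot Guard setup". Reading 0x982 on a CPU without TME raises an I/O error from the msr driver, which the script reports rather than interpreting as "disabled".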

    https://docs.dasharo.com/variants/overview/
    This list comes to mind.
    Example review of such a laptop:
    https://dataswamp.org/~solene/2024-01-03-laptop-review-novacustom-nv41.html

    If it can run Heads/Coreboot and you use some Nitro/Yubikey to ensure a real secure boot, you are
    safe from most real-world attacks; the rest is just unrealistic unless you are really targeted at an international
    level, at which point you should do many more things than just having a secure laptop.

      JackMurphy A modern Dell Latitude/Precision or a Lenovo Thinkpad. Obviously no support for open source firmware and compatibility with Qubes OS is a gamble. If you are willing to forgo the vPro CPU requirement and the Secure Core Certification in favour of guaranteed Qubes OS support and open source firmware then a NovaCustom NV41. Note that Intel BootGuard is still not supported but it has been confirmed that it will be implemented in the next firmware update in the near future.

        JackMurphy Curious to know the source for Thinkpads not having proper BootGuard setup.

          I have already shut down the TPM; VeraCrypt doesn't trust the TPM at all. Hardware like a YubiKey is also difficult to guarantee as backdoor-free.

          23Sha-ger
          I'd love to have a discussion about "many more things" in another discussion/place, and obviously we're not talking about SDR or TSCM. The focus of this discussion is to set the bar high enough that people from the high end of the chain (those being targeted by the most capable threat actors) can refer to it and learn from it.

          I completely agree that the high-end people should do other things as well.

          duck1
          I'm sorry that I wasn't specific enough. I was referring to Thinkpad X2xx that some people usually suggest.

            JackMurphy ah alright. A modern Thinkpad meets your requirements then. Something to consider however regarding Thinkpads:

            "Lenovo ThinkPad
            In my opinion, the security of vPro Enterprise ThinkPad laptops is generally acceptable for the product class. However, there is a big gotcha with their firmware: the “prevent BIOS downgrade” toggle does not actually work. This toggle only nicely asks Windows not to downgrade the firmware, but if a tool like fwupd tries to downgrade it, the firmware will allow the downgrade.

            The implication of this is that if you have the UEFI update capsule enabled, a compromised OS can downgrade your firmware to a version vulnerable to something like LogoFAIL, and the malware can then gain persistence in the firmware. The problem can theoretically be solved if Lenovo blows Boot Guard fuses to prevent downgrade, but in reality they do it even less often than Dell.

            For this reason, I recommend buying Dell Latitude/Precision over Lenovo products. If you have to use a Lenovo laptop anyway, consider disabling the UEFI capsule, and use a different, trusted computer to create a USB stick for firmware updates."

            This is something I pulled from a preview article by PrivSec that has still not been posted on their main website (therefore is subject to change) but has important information nonetheless.

            The article: https://deploy-preview-244--privsec-dev.netlify.app/posts/knowledge/laptop-hardware-security/

              duck1
              Thanks!
              My (other) problem with Lenovo laptops is the not-hard-to-exploit/not-hard-to-find vulnerabilities that have been in their products before, like the SMM arbitrary read/write that was found by folks at ESET.
              Honestly, I don't know how much effort they put into fuzzing, source code audit, etc.

              https://www.welivesecurity.com/2022/04/19/when-secure-isnt-secure-uefi-vulnerabilities-lenovo-consumer-laptops

                JackMurphy In that case I'd honestly go for NovaCustom for the peace of mind as their firmware is open source. Obviously does not mean it is secure but it is more transparent.

                  duck1
                  Yeah, it seems that the choice should be Dell or NovaCustom products.

                  Honestly I'm interested to hear from GrapheneOS developers as well.

                  In my personal opinion the best options with your current requirements would be

                  1. The Framework 13 with i7-1370P: it includes Boot Guard and memory encryption, has TPM 2.0 and hits an HSI-4 rating from LVFS. The only downside is that the firmware is fully proprietary.

                  2. If some openness of the firmware is an absolute must for you, then my second recommendation would be the V54 from NovaCustom. Once the Boot Guard support update is released it will be a corebooted laptop with an HSI-3 rating; the downside here is that it lacks memory encryption. One other thing to note about this laptop is the Openness score from Dasharo: when you view the benefits of coreboot by the percentage of open source code versus binary blobs, the benefit of having an open source BIOS shrinks, as only around 30% of the BIOS is actually open source code.

                  Side note, Dell is also a great option as discussed earlier in this thread.

                    Answering9893
                    I'll definitely look into the Framework one you mentioned. Off the top of my head, that didn't have Boot Guard when I looked at it.

                    Do you have a more secure recommendation that I'm missing? given that you said "your current requirements", I thought there are (more) things that I'm missing.

                      xxx Okay? I'm not sure what Linux (or its distributions) has to do with anything seeing as OP wants to run Qubes OS on a new desktop or laptop that has mature/good hardware security, is looking for recommendations based on their (OP) requirements and prefers not to use a ThinkPad (at least that's the impression I got based on their post).