ErnestThornhill
Yeah. The problem with them is discussed in https://forum.qubes-os.org/t/qubes-os-should-not-certify-insecure-and-ancient-hardware/27857
Secure Hardware for Qubes
- Edited
https://docs.dasharo.com/variants/overview/
This list comes to mind.
example review of such laptop:
https://dataswamp.org/~solene/2024-01-03-laptop-review-novacustom-nv41.html
If it can run Heads/Coreboot and you use some Nitro/Yubikey to ensure a real secure boot, you are
safe from most real-world attacks, the rest is just unrealistic unless you are really targeted at international
level, at which point you should do many more things than just having a secure laptop.
JackMurphy A modern Dell Latitude/Precision or a Lenovo Thinkpad. Obviously no support for open source firmware and compatibility with Qubes OS is a gamble. If you are willing to forgo the vPro CPU requirement and the Secure Core Certification in favour of guaranteed Qubes OS support and open source firmware then a NovaCustom NV41. Note that Intel BootGuard is still not supported but it has been confirmed that it will be implemented in the next firmware update in the near future.
duck1 or a Lenovo Thinkpad.
OP said no ThinkPad.
- Edited
JackMurphy Curious to know the source for Thinkpads not having proper BootGuard setup.
I have already shut down TPM, Veracrypt doesn't trust TPM at all. Hardware like Yubikey is also difficult to guarantee without backdoors.
23Sha-ger
I'd love to have a discussion about "many more things" in another discussion/place and obviously we're not talking about SDR or TSCM. The focus of this discussion is to set the bar high enough, so people from the high-end of chain (being targeted by most capable threat actors) can refer and learn from.
I'm completely the high-end people should do other things as well.
duck1
I'm sorry that I wasn't specific enough. I was referring to Thinkpad X2xx that some people usually suggest.
- Edited
JackMurphy ah alright. A modern Thinkpad meets your requirements then. Something to consider however regarding Thinkpads:
"Lenovo ThinkPad
In my opinion, vPro Enterprise Thinkpad laptops security are generally acceptable for the product class. However, there is a big gotcha with their firmware: the “prevent BIOS downgrade” toggle does not actually work. This toggle only nicely asks Windows to not downgrade the firmware, but if a tool like fwupd tries to downgrade it, the firmware will allow the downgrade.
The implication of this is that if you have the UEFI update capsule enabled, a compromised OS can downgrade your firmware to a version vulnerable with something like LogoFail, and the malware can then gain persistent in the firmware. The problem can theoratically be solved if Lenovo blows Boot Guard fuses to prevent downgrade, but in reality they do it even less often than Dell.
For this reason, I recommend buying Dell Latitude/Precision over Lenovo products. If you have to use a Lenovo laptop anyways, consider disabling the UEFI capsule, and use a different, trusted computer to create a USB stick for firmware updates."
This is something I pulled from a preview article by PrivSec that has still not been posted on their main website (therefore is subject to change) but has important information nonetheless.
The article: https://deploy-preview-244--privsec-dev.netlify.app/posts/knowledge/laptop-hardware-security/
duck1
Thanks for the tip about NovaCustom's future support of Intel BootGuard. I didn't know that.
As for Dell, just in case anyone is interested, here is 2023 presentation about what they're doing:
https://www.delltechnologies.com/asset/en-us/products/security/industry-market/achieving-pervasive-security-above-and-below-the-os-whitepaper.pdf
- Edited
duck1
Thanks!
My (other) problem with Lenovo laptops is not-hard-to-exploit/not-hard-to-find vulnerabilities that have been in their products before, like SMM arbitrary read/write that was found by folks at ESET.
Honestly, I don't know how much effort they put into fuzzing, source code audit, etc.
JackMurphy In that case I'd honestly go for NovaCustom for the peace of mind as their firmware is open source. Obviously does not mean it is secure but it is more transparent.
duck1
Yeah, it seems that the choice should be Dell or NovaCustom products.
Honestly I'm interested to hear from GrapheneOS developers as well.
- Edited
In my personal opinion the best options with your current requirements would be
The FrameWork model 13 with i7-1370P, it includes bootguard, memory encryption, has TPM 2.0 and hits an HSI-4 rating from LVFS. The only downside is the firmware is fully proprietary.
If some openness to the firmware is an absolute must for you then my second recommendation would the the V54 from novacustom, once the bootguard support update is released it will be a corebooted laptop that will have an HSI-3 rating, the downside here is that it lacks memory encryption. One other thing to note about this laptop is the Openness score from dasharo, when you view the benefits of coreboot by percentage of open source code to binary blobs the benefit of having an open source bios shrinks, as only around 30% of the bios is actually open source code.
Side note, Dell is also a great option as discussed earlier in this thread.
ErnestThornhill OP said no ThinkPad.
Thinkpads are your best bet for Linux.
Answering9893
I'll definitely look into the Framework one you mentioned. off top of my head, that didn't have BootGuard when I looked at it.
Do you have a more secure recommendation that I'm missing? given that you said "your current requirements", I thought there are (more) things that I'm missing.
xxx Okay? I'm not sure what Linux (or its distributions) has to do with anything seeing as OP wants to run Qubes OS on a new desktop or laptop that has mature/good hardware security, is looking for recommendations based on their (OP) requirements and prefers not to use a ThinkPad (at least that's the impression I got based on their post).
Qubes is Linux.
Answering9893 V54 from novacustom
Important to note that the V54 series has still not received Qubes OS certification while the NV41 laptop has.