duck1
I'm sorry that I wasn't specific enough. I was referring to Thinkpad X2xx that some people usually suggest.
Secure Hardware for Qubes
- Edited
JackMurphy ah alright. A modern Thinkpad meets your requirements then. Something to consider however regarding Thinkpads:
"Lenovo ThinkPad
In my opinion, vPro Enterprise Thinkpad laptops security are generally acceptable for the product class. However, there is a big gotcha with their firmware: the “prevent BIOS downgrade” toggle does not actually work. This toggle only nicely asks Windows to not downgrade the firmware, but if a tool like fwupd tries to downgrade it, the firmware will allow the downgrade.
The implication of this is that if you have the UEFI update capsule enabled, a compromised OS can downgrade your firmware to a version vulnerable with something like LogoFail, and the malware can then gain persistent in the firmware. The problem can theoratically be solved if Lenovo blows Boot Guard fuses to prevent downgrade, but in reality they do it even less often than Dell.
For this reason, I recommend buying Dell Latitude/Precision over Lenovo products. If you have to use a Lenovo laptop anyways, consider disabling the UEFI capsule, and use a different, trusted computer to create a USB stick for firmware updates."
This is something I pulled from a preview article by PrivSec that has still not been posted on their main website (therefore is subject to change) but has important information nonetheless.
The article: https://deploy-preview-244--privsec-dev.netlify.app/posts/knowledge/laptop-hardware-security/
duck1
Thanks for the tip about NovaCustom's future support of Intel BootGuard. I didn't know that.
As for Dell, just in case anyone is interested, here is 2023 presentation about what they're doing:
https://www.delltechnologies.com/asset/en-us/products/security/industry-market/achieving-pervasive-security-above-and-below-the-os-whitepaper.pdf
- Edited
duck1
Thanks!
My (other) problem with Lenovo laptops is not-hard-to-exploit/not-hard-to-find vulnerabilities that have been in their products before, like SMM arbitrary read/write that was found by folks at ESET.
Honestly, I don't know how much effort they put into fuzzing, source code audit, etc.
JackMurphy In that case I'd honestly go for NovaCustom for the peace of mind as their firmware is open source. Obviously does not mean it is secure but it is more transparent.
duck1
Yeah, it seems that the choice should be Dell or NovaCustom products.
Honestly I'm interested to hear from GrapheneOS developers as well.
- Edited
In my personal opinion the best options with your current requirements would be
The FrameWork model 13 with i7-1370P, it includes bootguard, memory encryption, has TPM 2.0 and hits an HSI-4 rating from LVFS. The only downside is the firmware is fully proprietary.
If some openness to the firmware is an absolute must for you then my second recommendation would the the V54 from novacustom, once the bootguard support update is released it will be a corebooted laptop that will have an HSI-3 rating, the downside here is that it lacks memory encryption. One other thing to note about this laptop is the Openness score from dasharo, when you view the benefits of coreboot by percentage of open source code to binary blobs the benefit of having an open source bios shrinks, as only around 30% of the bios is actually open source code.
Side note, Dell is also a great option as discussed earlier in this thread.
ErnestThornhill OP said no ThinkPad.
Thinkpads are your best bet for Linux.
Answering9893
I'll definitely look into the Framework one you mentioned. off top of my head, that didn't have BootGuard when I looked at it.
Do you have a more secure recommendation that I'm missing? given that you said "your current requirements", I thought there are (more) things that I'm missing.
xxx Okay? I'm not sure what Linux (or its distributions) has to do with anything seeing as OP wants to run Qubes OS on a new desktop or laptop that has mature/good hardware security, is looking for recommendations based on their (OP) requirements and prefers not to use a ThinkPad (at least that's the impression I got based on their post).
Qubes is Linux.
Answering9893 V54 from novacustom
Important to note that the V54 series has still not received Qubes OS certification while the NV41 laptop has.
ErnestThornhill prefers not to use a ThinkPad
OP has later clarified that he meant ancient ThinkPads that are routinely recommended in the privacy community like the ThinkPad X230. A modern ThinkPad meets most of OPs requirements just fine and is a properly secured laptop. This is unlike those ancient ThinkPads which lack CPU microcode and firmware updates and are therefore still (and always will be) vulnerable to already discovered CVEs in the firmware.
- Edited
xxx Although Qubes is technically a Xen-based distribution. Qubes is also a meta operating system which is composed of many other OSs in the form of templates (most of the templates are Linux-based). Despite this, a laptop that can properly run Fedora on bare metal is not guaranteed to properly run Qubes OS.
Take alook here: https://distrowatch.com/table.php?distribution=qubes
JackMurphy I'll definitely look into the Framework one you mentioned. off top of my head, that didn't have BootGuard when I looked at it.
Framework has a proper BootGuard setup and this is one of the reasons why the laptop can meet high HSI security levels like level 3 and level 4. You seem unfamiliar with the HSI specification so I will link it for you here. If you read you will find the lowest level is HSI:0 and the highest currently is HSI:4. All the laptops that have been recommended to you reach HSI:3 or will reach it in the near future (like NovaCustom's NV41). The only requirement for HSI:4 is TME and so having a vPro CPU is a must to reach HSI:4.
As of any other requirements that you may have not listed or forgetting about, I'd say consistent firmware updates. NovaCustom provides firmware updates for 5 years from your purchase, Dell provides up to 6 years I believe and Thinkpad consistently provides updates too but I do not know for how long. Probably a bit less than Dell. Framework is the only one that has had issues regarding shipping consistent firmware updates for its devices. Although they are improving slowly, it is not a good look for them from a security perspective and so, I would probably avoid Framework for now.
- Edited
xxx Although I would rather not engage in this discussion because it provides no technical benefit and is off topic to the original question. I would like to point you to this question in the official FAQ on the Qubes website. You'll find that my previous reply to you makes the most sense and is most in line with the official Qubes OS documentation.