DeletedUser88
Yeah, it seems that the choice should be Dell or NovaCustom products.
Secure Hardware for Qubes
Honestly I'm interested to hear from GrapheneOS developers as well.
- Edited
In my personal opinion the best options with your current requirements would be:
The Framework model 13 with i7-1370P. It includes Boot Guard, memory encryption, has TPM 2.0 and hits an HSI-4 rating from LVFS. The only downside is the firmware is fully proprietary.
If some openness to the firmware is an absolute must for you, then my second recommendation would be the V54 from NovaCustom. Once the Boot Guard support update is released it will be a corebooted laptop that will have an HSI-3 rating; the downside here is that it lacks memory encryption. One other thing to note about this laptop is the Openness score from Dasharo: when you view the benefits of coreboot by percentage of open source code to binary blobs, the benefit of having an open source BIOS shrinks, as only around 30% of the BIOS is actually open source code.
Side note, Dell is also a great option as discussed earlier in this thread.
ErnestThornhill OP said no ThinkPad.
ThinkPads are your best bet for Linux.
Answering9893
I'll definitely look into the Framework one you mentioned. Off the top of my head, that didn't have BootGuard when I looked at it.
Do you have a more secure recommendation that I'm missing? Given that you said "your current requirements", I thought there are (more) things that I'm missing.
xxx Okay? I'm not sure what Linux (or its distributions) has to do with anything seeing as OP wants to run Qubes OS on a new desktop or laptop that has mature/good hardware security, is looking for recommendations based on their (OP) requirements and prefers not to use a ThinkPad (at least that's the impression I got based on their post).
Qubes is Linux.
Answering9893 V54 from novacustom
Important to note that the V54 series has still not received Qubes OS certification while the NV41 laptop has.
ErnestThornhill prefers not to use a ThinkPad
OP has later clarified that he meant ancient ThinkPads that are routinely recommended in the privacy community like the ThinkPad X230. A modern ThinkPad meets most of OP's requirements just fine and is a properly secured laptop. This is unlike those ancient ThinkPads which lack CPU microcode and firmware updates and are therefore still (and always will be) vulnerable to already discovered CVEs in the firmware.
- Edited
xxx Although Qubes is technically a Xen-based distribution, Qubes is also a meta operating system which is composed of many other OSs in the form of templates (most of the templates are Linux-based). Despite this, a laptop that can properly run Fedora on bare metal is not guaranteed to properly run Qubes OS.
Take a look here: https://distrowatch.com/table.php?distribution=qubes
JackMurphy I'll definitely look into the Framework one you mentioned. Off the top of my head, that didn't have BootGuard when I looked at it.
Framework has a proper BootGuard setup and this is one of the reasons why the laptop can meet high HSI security levels like level 3 and level 4. You seem unfamiliar with the HSI specification so I will link it for you here. If you read it you will find the lowest level is HSI:0 and the highest currently is HSI:4. All the laptops that have been recommended to you reach HSI:3 or will reach it in the near future (like NovaCustom's NV41). The only requirement for HSI:4 is TME and so having a vPro CPU is a must to reach HSI:4.
As for any other requirements that you may not have listed or are forgetting about, I'd say consistent firmware updates. NovaCustom provides firmware updates for 5 years from your purchase, Dell provides up to 6 years I believe and ThinkPad consistently provides updates too but I do not know for how long. Probably a bit less than Dell. Framework is the only one that has had issues regarding shipping consistent firmware updates for its devices. Although they are improving slowly, it is not a good look for them from a security perspective and so, I would probably avoid Framework for now.
- Edited
xxx Although I would rather not engage in this discussion because it provides no technical benefit and is off topic to the original question, I would like to point you to this question in the official FAQ on the Qubes website. You'll find that my previous reply to you makes the most sense and is most in line with the official Qubes OS documentation.
- Edited
To sum it up, Qubes is not a standard Linux distribution. ;-) Never mind: it doesn't help the OP (and us both).
ThinkPads get 5 years of hardware and software support (or longer). Linux/Linux firmware support is excellent nowadays.
xxx Linux/Linux firmware support is excellent nowadays
Do you know if this is the case for Dell as well?
- Edited
I heard the Dell Linux support is not really good. But I can only say for sure that Lenovo has really good support for the TPs they sell with Linux. They work upstream on the drivers.
Take a look here:
https://forums.lenovo.com/t5/Other-Linux-Discussions/bd-p/Special_Interest_Linux
MarkRHPearson can help with most ThinkPads :-)
DeletedUser88
I've heard of HSI specification but honestly didn't dig into it. Thanks for bringing it to my attention.
JackMurphy Hello! You seem to not know that TPM 2.0 is currently not supported on Qubes. The current Windows support is not very good either, but QWT (Qubes Windows Tools) seems to be going into beta soon. They have been unsupported for the past 2 years due to a security issue with the Xen Windows drivers.
Qubes still has much better security than a lot of the modern OSs (I am a proud Qubes user!) but it is a young system missing a lot of things due to the heavy workload on developers.
- Edited
stupidcreature
While I don't know if this is the appropriate place for having a discussion about this, I would like to know your, @DeletedUser88's and @Answering9893's opinions on Qubes OS vs Windows (WDAC + WDAG + VMs).
Also, taking into consideration the ease of use for normal (non-technical) people who are under targeted attack, like journalists.