In my personal opinion the best options with your current requirements would be

  1. The FrameWork model 13 with i7-1370P, it includes bootguard, memory encryption, has TPM 2.0 and hits an HSI-4 rating from LVFS. The only downside is the firmware is fully proprietary.

  2. If some openness to the firmware is an absolute must for you then my second recommendation would the the V54 from novacustom, once the bootguard support update is released it will be a corebooted laptop that will have an HSI-3 rating, the downside here is that it lacks memory encryption. One other thing to note about this laptop is the Openness score from dasharo, when you view the benefits of coreboot by percentage of open source code to binary blobs the benefit of having an open source bios shrinks, as only around 30% of the bios is actually open source code.

Side note, Dell is also a great option as discussed earlier in this thread.

    Answering9893
    I'll definitely look into the Framework one you mentioned. off top of my head, that didn't have BootGuard when I looked at it.

    Do you have a more secure recommendation that I'm missing? given that you said "your current requirements", I thought there are (more) things that I'm missing.

        xxx Okay? I'm not sure what Linux (or its distributions) has to do with anything seeing as OP wants to run Qubes OS on a new desktop or laptop that has mature/good hardware security, is looking for recommendations based on their (OP) requirements and prefers not to use a ThinkPad (at least that's the impression I got based on their post).

            Answering9893 V54 from novacustom

            Important to note that the V54 series has still not received Qubes OS certification while the NV41 laptop has.

              ErnestThornhill prefers not to use a ThinkPad

              OP has later clarified that he meant ancient ThinkPads that are routinely recommended in the privacy community like the ThinkPad X230. A modern ThinkPad meets most of OPs requirements just fine and is a properly secured laptop. This is unlike those ancient ThinkPads which lack CPU microcode and firmware updates and are therefore still (and always will be) vulnerable to already discovered CVEs in the firmware.

                xxx Although Qubes is technically a Xen-based distribution. Qubes is also a meta operating system which is composed of many other OSs in the form of templates (most of the templates are Linux-based). Despite this, a laptop that can properly run Fedora on bare metal is not guaranteed to properly run Qubes OS.

                • xxx replied to this.

                    JackMurphy I'll definitely look into the Framework one you mentioned. off top of my head, that didn't have BootGuard when I looked at it.

                    Framework has a proper BootGuard setup and this is one of the reasons why the laptop can meet high HSI security levels like level 3 and level 4. You seem unfamiliar with the HSI specification so I will link it for you here. If you read you will find the lowest level is HSI:0 and the highest currently is HSI:4. All the laptops that have been recommended to you reach HSI:3 or will reach it in the near future (like NovaCustom's NV41). The only requirement for HSI:4 is TME and so having a vPro CPU is a must to reach HSI:4.

                    As of any other requirements that you may have not listed or forgetting about, I'd say consistent firmware updates. NovaCustom provides firmware updates for 5 years from your purchase, Dell provides up to 6 years I believe and Thinkpad consistently provides updates too but I do not know for how long. Probably a bit less than Dell. Framework is the only one that has had issues regarding shipping consistent firmware updates for its devices. Although they are improving slowly, it is not a good look for them from a security perspective and so, I would probably avoid Framework for now.

                        xxx Although I would rather not engage in this discussion because it provides no technical benefit and is off topic to the original question. I would like to point you to this question in the official FAQ on the Qubes website. You'll find that my previous reply to you makes the most sense and is most in line with the official Qubes OS documentation.

                        • xxx replied to this.

                            DeletedUser88

                            To sum it up qubes is not a standart Linuxdistribution. ;-) Nevermint: it dosn't help the OP (and us both).

                            Thinkpads get 5 Years of Hard- and Softwaresupport (or longer). Linux/Linuxfirmwaresupport is excellent nowadays.

                                xxx Linux/Linuxfirmwaresupport is excellent nowadays

                                Do you know if this is the case for Dell as well?

                                • xxx replied to this.

                                    DeletedUser88
                                    I've heard of HSI specification but honestly didn't dig into it. Thanks for bringing it to my attention.

                                      JackMurphy Hello! You seem to not know that TPM 2.0 is currently not supported on Qubes. The current Windows support is not very good as well, but QWT (Qubes Windows Tools) seems to be going into beta soon. They have been unsupported for the recent 2 years due to a security issue with the Xen Windows drivers.

                                      Qubes still has much better security, than a lot of the modern OSs (I am a proud Qubes user!) but it is a young system missing a lot of things due to the heavy workload on developers.

                                          stupidcreature
                                          While I don't know if here is the appropriate place for having a discussion about this, but I would like to know you, @DeletedUser88 and @Answering9893's opinions on Qubes OS vs Windows (WDAC + WDAG + VMs).

                                          Also, taking into consideration the ease of use for normal (non-technical) but under targeted attack people like journalists.

                                              2 months later

                                              If you want to have reasonably secure hardware for Qubes, wait until Qubes is available for the V54 series from NovaCustoms. This would give you at least reasonably secure boot (heads without boot guard is a security theater as Tommy likes to call it https://deploy-preview-244--privsec-dev.netlify.app/posts/knowledge/laptop-hardware-security/#heads).

                                              The problem with modern Dell Latitudes or Thinkpads is that you will no longer have boot security (QubesOS does not support UFEI Secure Boot and Heads is not available for modern Latitudes/Thinkpads).
                                              You could try to solve this with Trenchboot, but iirc Tommy gave up on it at some point.

                                              JackMurphy opinions on Qubes OS vs Windows (WDAC + WDAG + VMs)

                                              Under the right conditions (e.g. 7th generation Surface Business laptops and a well configured Windows 11 Enterprise) HyperV VM spamming would be more “secure” than Qubes (e.g. you could use the hard and firmware security features of the MS Surface devices, have better boot security with Windows Trusted Boot, have secure guest VMs if you use Windows 11 VMs, ...).
                                              This is not just my opinion, wj25czxj47bu6q from Privsec once posted this in a similar way in the Privsec Matrix Room.

                                              If anything I have written is wrong, please feel free to correct me