JackMurphy I'll definitely look into the Framework one you mentioned. Off the top of my head, that didn't have BootGuard when I looked at it.

Framework has a proper BootGuard setup and this is one of the reasons why the laptop can meet high HSI security levels like level 3 and level 4. You seem unfamiliar with the HSI specification so I will link it for you here. If you read it you will find the lowest level is HSI:0 and the highest currently is HSI:4. All the laptops that have been recommended to you reach HSI:3 or will reach it in the near future (like NovaCustom's NV41). The only requirement for HSI:4 is TME and so having a vPro CPU is a must to reach HSI:4.

As for any other requirements that you may have not listed or are forgetting about, I'd say consistent firmware updates. NovaCustom provides firmware updates for 5 years from your purchase, Dell provides up to 6 years I believe, and Thinkpad consistently provides updates too but I do not know for how long. Probably a bit less than Dell. Framework is the only one that has had issues regarding shipping consistent firmware updates for its devices. Although they are improving slowly, it is not a good look for them from a security perspective and so I would probably avoid Framework for now.

    xxx Although I would rather not engage in this discussion because it provides no technical benefit and is off topic to the original question. I would like to point you to this question in the official FAQ on the Qubes website. You'll find that my previous reply to you makes the most sense and is most in line with the official Qubes OS documentation.

      duck1

      To sum it up, Qubes is not a standard Linux distribution. ;-) Never mind: it doesn't help the OP (and us both).

      Thinkpads get 5 years of hardware and software support (or longer). Linux/Linux firmware support is excellent nowadays.

        xxx Linux/Linux firmware support is excellent nowadays

        Do you know if this is the case for Dell as well?

          duck1
          I've heard of the HSI specification but honestly didn't dig into it. Thanks for bringing it to my attention.

          JackMurphy Hello! You seem not to know that TPM 2.0 is currently not supported on Qubes. The current Windows support is not very good as well, but QWT (Qubes Windows Tools) seems to be going into beta soon. They have been unsupported for the last 2 years due to a security issue with the Xen Windows drivers.

          Qubes still has much better security than a lot of the modern OSs (I am a proud Qubes user!), but it is a young system missing a lot of things due to the heavy workload on developers.

            stupidcreature
            While I don't know if this is the appropriate place for having a discussion about this, I would like to know your, @duck1's and @Answering9893's opinions on Qubes OS vs Windows (WDAC + WDAG + VMs).

            Also, taking into consideration the ease of use for normal (non-technical) people who are under targeted attack, like journalists.

              If you want to have reasonably secure hardware for Qubes, wait until Qubes is available for the V54 series from NovaCustoms. This would give you at least reasonably secure boot (Heads without Boot Guard is security theater, as Tommy likes to call it: https://deploy-preview-244--privsec-dev.netlify.app/posts/knowledge/laptop-hardware-security/#heads).

              The problem with modern Dell Latitudes or Thinkpads is that you will no longer have boot security (QubesOS does not support UEFI Secure Boot and Heads is not available for modern Latitudes/Thinkpads).
              You could try to solve this with Trenchboot, but iirc Tommy gave up on it at some point.

              JackMurphy opinions on Qubes OS vs Windows (WDAC + WDAG + VMs)

              Under the right conditions (e.g. 7th generation Surface Business laptops and a well configured Windows 11 Enterprise) Hyper-V VM spamming would be more “secure” than Qubes (e.g. you could use the hardware and firmware security features of the MS Surface devices, have better boot security with Windows Trusted Boot, have secure guest VMs if you use Windows 11 VMs, ...).
              This is not just my opinion, wj25czxj47bu6q from Privsec once posted this in a similar way in the Privsec Matrix Room.

              If anything I have written is wrong, please feel free to correct me.

                skalavagr You could try to solve this with Trenchboot, but iirc Tommy gave up on it at some point.

                Really? I remember him fairly recently asking about Trenchboot compatibility with UEFI. Also there is a draft PR on the Privsec GitHub about hardware security that mentions Trenchboot.

                skalavagr Thanks for posting that article.

                I have a Clevo NV41MZ (11th Gen) with Novacustom Dasharo coreboot on it. It has no TPM which causes issues.

                Nitrokey Heads should work too, Dasharo has Heads only for the 12th Gen NV41 if you pay a bit, which is reasonable.

                So Nitropad NV41 is also an option.

                  When using secureblue, my Thinkpad T495 didn't boot anymore when enabling one of the now "unstable" kargs. No issues at all on any other laptops.

                  privacysecurephone NitroPC / Novacustom NV56 is good for you.

                  As much as I like NovaCustom, they are freedom first, not security first. All their hardware lacks TME and the NovaCustom BIOS does not implement BootGuard yet, even if it is a planned feature likely coming in half a year or so. They are aiming to reach the highest security levels with a purely open source BIOS, but they are still behind well-maintained professional proprietary BIOSes by quite a bit. So I am not certain that is what OP wants.

                    ErnestThornhill skalavagr wait until Qubes is available for the V54 series from NovaCustoms.

                    It already is...

                    https://www.qubes-os.org/doc/certified-hardware/

                    My fault, I meant coreboot+Heads.

                    missing-root So Nitropad NV41 is also an option.

                    The NV41 has no Boot Guard. The V54/V56 will have Boot Guard + Heads support which would make it better regarding boot security.

                    privacysecurephone NitroPC / Novacustom NV56 is good for you.

                    For NitroPC, same as above.

                    ryrona As much as I like NovaCustom, they are freedom first, not security first. All their hardware lacks TME and the NovaCustom BIOS does not implement BootGuard yet, even if it is a planned feature likely coming in half a year or so. They are aiming to reach the highest security levels with a purely open source BIOS, but they are still behind well-maintained professional proprietary BIOSes by quite a bit. So I am not certain that is what OP wants.

                    NovaCustoms is far from perfect, but in my opinion it is the best option for running QubesOS since all other hardware has no boot security or is outdated like the X230. Trenchboot could solve this issue in the future, but for the near future a V54 or V56 will be the best option.

                      skalavagr The NV41 has no Boot Guard. The V54/V56 will have Boot Guard + Heads support which would make it better regarding boot security.

                      The NV41 will have Boot Guard as well. It is unrelated to the hardware, it has everything to do with the Dasharo firmware.