Which laptop PC should I get?

NoahRaketic

fuyuka If I had “imposed” and defined such a balance, would I have said that devices requiring significant GPU power must, at the very least, use secure boot? I have never insisted that people “must” use Apple devices simply because they represent a balance between security and performance.

You are pretending to dictate what other users should/shouldn't consider using.

fuyuka the only device that struck a proper balance between security and overall code execution was the macOS-based computer. If you need enough computing power to justify using a Chromebook, it’s better to install GrapheneOS on a Pixel device that supports DP Alt mode and use an external mobile monitor.

fuyuka

NoahRaketic

You are pretending to dictate what other users should/shouldn't consider using.

I see… Well, I won't you with this anymore.

handsome3068

Apple Silicon Macs have very attractive hardware, but I think the Linux device drivers are still immature. While there's a good chance they'll become a major option in the future, it's still too early right now.
On the other hand, Chromebook hardware isn't bad either. However, to comfortably use an OS other than ChromeOS, you need to modify the firmware. On the latest models, modifying the firmware requires building your own debug cable. That's a high hurdle.

By the way, Qubes OS is a GNU/Linux distribution with strict hardware requirements. Whether or not you actually end up using Qubes, I think buying hardware that can run it is a good choice just in case you ever want to.

JollyRancher

A NovaCustom with Coreboot+Heads running QubesOS is about the best you can get from a security and privacy perspective (both hardware & software) with something that can just be purchased at will by the general public.

ryrona

JollyRancher A NovaCustom with Coreboot+Heads running QubesOS is about the best you can get from a security and privacy perspective (both hardware & software) with something that can just be purchased at will by the general public.

I tend to agree.

However, it looks like the Dasharo developers have just introduced their third super serious security vulnerability in the firmware in only two years. And found it before release but decided to release firmware update anyway. I am trying to get in touch with them for clarification, and will attempt to contact NovaCustom soon too. Although NovaCustom already seems rather upset about Dasharo from the previous two incidents.

I guess doing a full security audit of Dasharo coreboot+edk2 as released for NovaCustom laptops will be my next project. I suspect there will be more things there to find. Maybe I will take a look at heads too, I don't know.

But regardless of the security practices and competence of the Dasharo developers, the Dasharo team and NovaCustom by extension are still heroes for releasing a fully open source BIOS firmware, and even EC firmware. Unlike all other BIOS vendors who don't even care about security or privacy in the first place. With open source BIOS firmware, we can seriously audit and get the issues fixed, and even fork the project if necessary.

ryrona

ryrona However, it looks like the Dasharo developers have just introduced their third super serious security vulnerability in the firmware in only two years. And found it before release but decided to release firmware update anyway. I am trying to get in touch with them for clarification, and will attempt to contact NovaCustom soon too. Although NovaCustom already seems rather upset about Dasharo from the previous two incidents.

Okay, this turns out to be far far worse than I thought. Dasharo developers have not only confirmed that there is no effective signature verification when installing firmware updates, they have also said they do not consider it an important issue, "since we [Dasharo] considered gaining root privileges a full compromise".

https://github.com/Dasharo/dasharo-issues/issues/1075

I guess at this point doing a security audit is pointless. They don't offer any effective security against malware at all, and do simply not intend to. At this point, I think they are fairing far worse than proprietary BIOS/UEFI vendors, as proprietary vendors at least tries to get Microsoft certification for their Secure Boot implementation, despite being a very low bar to meet, which requires prevention of attacks by a fully compromised operating system, including an attacker with root privileges.

I have raised the issue with NovaCustom too.

https://novacustom.com/forum/d/960-concerning-the-lack-of-signature-verification-for-capsule-updates

I'll have to await their response. I intend to raise the issue with the QubesOS community too, since they likely cares the most.

But at this point, it looks like forking Dasharo and patching up all security vulnerabilities is the only way, since Dasharo does not care.

Johnnyloans

ryrona

Wow, this is insane

When installing firmware updates, they would download the executable code that performs the upgrade process over unverified HTTP (not HTTPS), and execute it without doing any signature verification, within the highly privileges

I can finally blow the dust off of my decades old squid

ryrona

ryrona I have raised the issue with NovaCustom too.

The vulnerability is now mentioned in “Known issues” on the release download page, below many non-security related issues. But no other action has been taken or communicated. It looks like NovaCustom may not intend to withdraw the vulnerable release or inform its customer about the vulnerability on their blog. A bit disappointing they didn’t take this opportunity to show they take security seriously, and instead leave users uninformed and unprotected.

de0u

ryrona Thanks for keeping us updated.

Winston

ryrona yeah thanks. A promising fork would be great

MrLinux

Last year I moved away from Mac and got me a system76 darter pro w/pop_os it came with 16GB of Ram, 1th ssd.

eduardomelon

MrLinux Why did you switch and how is it going so far?

GrapheneOS

@ryrona Novacustom's laptops do not make things more secure than mainstream devices. It's the opposite compared to a lot of options. Replacing a tiny portion of the overall closed source firmware/hardware with open source components doesn't make a big difference and it comes at the cost of extreme negligence in regards to security. Macbooks remain the serious security option for a laptop.

Novacustom launched an insecure phone with iodéOS because they couldn't meet our requirements with SHIFTphone and then spread a bunch of misinformation about GrapheneOS to justify doing it.

Novacustom should be avoided. No one who supports GrapheneOS should buy any of their products as it funds people who spread misinformation about GrapheneOS to sell phony privacy/security products.

ryrona

GrapheneOS As far as I know, NovaCustom quickly removed the misleading claims about GrapheneOS when it was pointed out, so I would not put them in the same box as those intentionally spreading misinformation about GrapheneOS.

But I agree their absense of reaction or action to this critical security vulnerability does cast a lot of doubt on whether they actually care about security or privacy at all.

I guess it is not possible to run QubesOS on MacBooks? Do you know about any Intel/AMD laptop or desktop computers that actually has good security, including frequent updates, serious approach to security, and supports HAP disabling IntelME? If not, NovaCustom may still be what is the least bad, however unfortunate the whole laptop/desktop scene looks with regard to boot firmware security. At least as long as running an older unaffected firmware release.

MrLinux

eduardomelon "My MacBook needed expensive repairs and I was fed up with how locked-down and service-oriented Apple has become. Switched to Linux for more control, better repairability, and no forced ecosystem. Haven't looked back."

« Previous Page