S
skalavagr

  • Joined Oct 26, 2024
  • In GrapheneOS for the new Pixel Laptop?
  • In Question about /e/OS and LineageOS
  • In Secure Hardware for Qubes

    ErnestThornhill skalavagr wait until Qubes is available for the V54 series from NovaCustoms.

    It already is...

    https://www.qubes-os.org/doc/certified-hardware/

    My fault, I meant coreboot+Heads.

    missing-root So Nitropad NV41 is also an option.

    The NV41 has no Boot Guard. The V54/V56 will have Boot Guard + Heads support which would make it better regarding boot security.

    DeletedUser42 NitroPC / Novacustom NV56 is good for you.

    for NitroPC same as above

    ryrona As much as I like NovaCustom, they are freedom first, not security first. All their hardware lack TME and NovaCustom BIOS does not implement BootGuard yet, even if it is a planned feature likely coming in half a year or so. They are aiming to reach the highest security levels, but with a purely open source BIOS, but they are still behind well-maintained professional proprietary BIOSes by quite a bit. So I am not certain that is what OP wants.

    NovaCustoms is far from perfect but in my opinion it is the best option for running QubesOS since all other Hardware has no boot security or is outdated like the X230. Trenchboot could solve this issue in future but for the near future a V54 or V56 will be the best option.

            • In Secure Hardware for Qubes

              If you want to have reasonably secure hardware for Qubes, wait until Qubes is available for the V54 series from NovaCustoms. This would give you at least reasonably secure boot (heads without boot guard is a security theater as Tommy likes to call it https://deploy-preview-244--privsec-dev.netlify.app/posts/knowledge/laptop-hardware-security/#heads).

              The problem with modern Dell Latitudes or Thinkpads is that you will no longer have boot security (QubesOS does not support UFEI Secure Boot and Heads is not available for modern Latitudes/Thinkpads).
              You could try to solve this with Trenchboot, but iirc Tommy gave up on it at some point.

              JackMurphy opinions on Qubes OS vs Windows (WDAC + WDAG + VMs)

              Under the right conditions (e.g. 7th generation Surface Business laptops and a well configured Windows 11 Enterprise) HyperV VM spamming would be more “secure” than Qubes (e.g. you could use the hard and firmware security features of the MS Surface devices, have better boot security with Windows Trusted Boot, have secure guest VMs if you use Windows 11 VMs, ...).
              This is not just my opinion, wj25czxj47bu6q from Privsec once posted this in a similar way in the Privsec Matrix Room.

              If anything I have written is wrong, please feel free to correct me