Qubes-Community-Content/docs/hardware/hardware-selection.md


# Hardware Selection Tree

Selecting the appropriate hardware for Qubes R4.0 can be a complex choice. This document aims to simplify that. Work through the questions below, read the supporting information if desired, and reach a conclusion.

You may also want to check the GPU passthrough links if you plan to use GPU passthrough. This is more suitable for desktop computers: laptop users will likely have a hard time finding a hardware combination that fits their needs, since most of the supported graphics adapters are secondary adapters.

Note: Qubes OS does not endorse any of the manufacturers or methods listed.

## Start here

Are you concerned about potential manufacturer hardware backdoors?

- Yes
- No

## Concerned

Are you concerned about blobs being used to initialize hardware?

- Yes
- No
- No, but I want AMD

## Init

Nearly all R4.0-capable systems require at least a CPU microcode blob, and often one for the video BIOS. However, there are still some options when it comes to running the proprietary, unaudited code for hardware initialization. Do you want:

- AMD
- Intel

## AMD

If you don't mind older/used hardware, there are some options if you do not want PSP initialization. All new AMD hardware comes with PSP. In theory there is an option to partially disable it, but no motherboard/BIOS manufacturers have made it available yet. Please update this if you are aware of any manufacturers that have.

Form factor?

- Laptop
- Desktop

### AMD Laptop

DIY corebooted used Lenovo G505s with microcode patch.

### AMD Desktop

DIY or commercially available corebooted (or librebooted?) KCMA-D8/KGPE-D16. Vikings is one vendor that appears to sell these. If used with Opteron Series 2 processors, no microcode blob is required. However, it is still recommended to include current microcode because of known CPU vulnerabilities.

## Intel

Unfortunately, all R4.0 capable Intel hardware requires use of at least the BUP portion of Intel ME. Weaknesses have been found in this proprietary, non-owner-controlled code. There are some ways to restrict Intel ME after the initial BUP.

- Commercial
- DIY

### Intel Commercial

These vendors have systems available that partially disable Intel ME after the initial hardware initialization: Insurgo (Qubes Certified), System76, Purism, Dell. Implementations vary, so research the vendors. Prefer ones that use Heads or Coreboot instead of closed-source, proprietary UEFI firmware. Search the HCL for a compatible system. Search the mailing list for additional reports.

### Intel DIY

Closed-source, proprietary UEFI firmware has its own set of vulnerabilities. Do these concern you?

- Yes
- No

#### Coreboot

Cross-reference Coreboot-capable systems with the HCL. See also the board freedom index. Search the mailing list for additional reports. Flash your system with Coreboot, including ME_Cleaner.

Heads also offers some interesting capabilities beyond Coreboot, but has a smaller list of supported boards.

#### ME_Cleaner

You can partially disable Intel ME while still running vendor UEFI firmware. Search the HCL for a compatible system. Search the mailing list for additional reports. Follow the instructions here.

## Unconcerned

Search the HCL for an R4.0-compatible system. Search the mailing list for additional reports.

## Additional Notes

If selecting a desktop, you may also want to install and use a third-party NIC in an expansion slot instead of the onboard Ethernet. This is often not an option in laptops with manufacturer firmware, because of NIC whitelists, but you can use a USB-based Ethernet or Wi-Fi adapter instead with either a desktop or a laptop. Optionally, disable DHCP on the subnet(s) your Qubes device connects to. This helps avoid overt network communications from onboard management firmware, which typically relies on DHCP to obtain an address.
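As a complement to the DHCP advice above, the following added example (not part of the original page) shows how a defender could spot management firmware quietly asking for an address: it scans dnsmasq-style DHCP server log lines for client-originated DHCPDISCOVER/DHCPREQUEST messages from NICs whose host is configured statically and should therefore never send DHCP. The log lines, the MAC addresses and the host name are constructed sample values.

```python
import re
from dataclasses import dataclass

# Constructed dnsmasq-style DHCP log lines (sample input, not from the original page).
SAMPLE_LOG = """\
Jan  5 10:22:31 gw dnsmasq-dhcp[812]: DHCPDISCOVER(eth1) 00:11:22:33:44:55
Jan  5 10:22:31 gw dnsmasq-dhcp[812]: DHCPOFFER(eth1) 192.168.50.23 00:11:22:33:44:55
Jan  5 10:22:32 gw dnsmasq-dhcp[812]: DHCPREQUEST(eth1) 192.168.50.23 00:11:22:33:44:55
Jan  5 10:22:32 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 192.168.50.23 00:11:22:33:44:55 printer
Jan  5 03:14:07 gw dnsmasq-dhcp[812]: DHCPDISCOVER(eth1) aa:bb:cc:dd:ee:01
Jan  5 03:14:09 gw dnsmasq-dhcp[812]: DHCPDISCOVER(eth1) aa:bb:cc:dd:ee:01
"""

# Onboard-NIC MACs of machines whose sys-net uses a static address, so the NIC
# itself should never originate DHCP (constructed values).
STATIC_HOSTS = {"aa:bb:cc:dd:ee:01": "qubes-desktop"}

# Matches the message type, interface, optional IP and client MAC of a dnsmasq DHCP line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dnsmasq-dhcp\[\d+\]: "
    r"(?P<msg>DHCP[A-Z]+)\((?P<iface>[^)]+)\)\s+"
    r"(?:(?P<ip>\d+\.\d+\.\d+\.\d+)\s+)?(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    mac: str
    host: str
    msg: str


def find_unexpected_dhcp(log_text, static_hosts):
    """Return client-originated DHCP messages from MACs that are expected to be static."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mac = m["mac"].lower()
        # DHCPDISCOVER/DHCPREQUEST are sent by the client; OFFER/ACK are the server's replies.
        if m["msg"] in ("DHCPDISCOVER", "DHCPREQUEST") and mac in static_hosts:
            findings.append(Finding(m["ts"], mac, static_hosts[mac], m["msg"]))
    return findings


if __name__ == "__main__":
    for f in find_unexpected_dhcp(SAMPLE_LOG, STATIC_HOSTS):
        print(f"{f.ts} {f.host} ({f.mac}) sent {f.msg} although it is configured statically")
```

A hit at an hour when the machine was powered off is the strongest signal, since only firmware-level components such as the management engine can be on the wire then.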