Update "Certified hardware"

- Add requirement that certified devices must be available for purchase with Qubes OS preinstalled. See: https://forum.qubes-os.org/t/5795/ - Improve wording - Add link to HCL in intro - Wrap text
2024-12-17 19:54:39 -05:00 · 2021-09-06 14:07:20 -07:00 · 2021-09-06 14:07:20 -07:00 · 0257a3f44a
commit 0257a3f44a
parent 9437476c77
1 changed files with 126 additions and 47 deletions
--- a/user/hardware/certified-hardware.md
+++ b/user/hardware/certified-hardware.md
@ -10,96 +10,175 @@ ref: 144
 title: Certified hardware
 ---
-The Qubes OS Project aims to partner with a select few computer vendors to ensure that Qubes users have reliable hardware purchasing options.
+The Qubes OS Project aims to partner with a select few computer vendors to
-We aim for these vendors to be as diverse as possible in terms of geography, cost, and availability.
+ensure that Qubes users have reliable hardware purchasing options. We aim for
 these vendors to be as diverse as possible in terms of geography, cost, and
 availability.
 <div class="alert alert-danger" role="alert">
  <i class="fa fa-exclamation-triangle"></i>
-  <b>Warning:</b> The Qubes OS Project certifies only that a particular hardware <em>configuration</em> is <em>supported</em> by Qubes OS.
+  <b>Warning:</b> The Qubes OS Project certifies only that a particular
-  We take no responsibility for any vendor's manufacturing, shipping, payment, or other practices; nor can we control whether physical hardware is modified (whether maliciously or otherwise) <i>en route</i> to the user.
+  hardware <em>configuration</em> is <em>supported</em> by Qubes OS and is
  available to purchase with Qubes OS preinstalled. We take no responsibility
  for any vendor's manufacturing, shipping, payment, or other practices; nor
  can we control whether physical hardware is modified (whether maliciously or
  otherwise) <i>en route</i> to the user.
 </div>
-You may also be interested in the [community-recommended hardware](https://forum.qubes-os.org/t/5560) list.
+You may also be interested in the [community-recommended
 hardware](https://forum.qubes-os.org/t/5560) list and the [hardware
 compatibility list (HCL)](/hcl/).
 ## Qubes-certified Laptops
-Qubes-certified laptops are certified for a [major version](/doc/version-scheme/) and regularly tested by the Qubes developers to ensure compatibility with all of Qubes' features within that major version.
+Qubes-certified laptops are certified for a [major
-The developers test all new updates within that major version to ensure that no regressions are introduced.
+release](/doc/version-scheme/) and regularly tested by the Qubes developers to
 ensure compatibility with all of Qubes' features within that major release. The
 developers test all new updates within that major release to ensure that no
 regressions are introduced.
 ### Insurgo PrivacyBeast X230
 [![insurgo-privacybeast-x230.png](/attachment/site/insurgo-privacybeast-x230.png)](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/)
-The [Insurgo PrivacyBeast X230](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/) meets and exceeds our hardware certification requirements for Qubes 4.
+The [Insurgo PrivacyBeast
-Read our [announcement](/news/2019/07/18/insurgo-privacybeast-qubes-certification/) of the certification for further details!
+X230](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/)
 meets and exceeds our hardware certification requirements for Qubes 4. Read our
 [announcement](/news/2019/07/18/insurgo-privacybeast-qubes-certification/) of
 the certification for further details!
 ### NitroPad X230
 [![nitropad-x230.jpg](/attachment/site/nitropad-x230.jpg)](https://shop.nitrokey.com/shop/product/nitropad-x230-67)
-The [NitroPad X230](https://shop.nitrokey.com/shop/product/nitropad-x230-67) satisfies all hardware certification requirements for Qubes 4, offering users extensive hardware security options.
+The [NitroPad X230](https://shop.nitrokey.com/shop/product/nitropad-x230-67)
-Read our [announcement](/news/2020/03/04/nitropad-x230-qubes-certification/) of the certification for further details!
+satisfies all hardware certification requirements for Qubes 4, offering users
 extensive hardware security options. Read our
 [announcement](/news/2020/03/04/nitropad-x230-qubes-certification/) of the
 certification for further details!
 ### NitroPad T430
 [![nitropad-t-430.jpg](/attachment/site/nitropad-t430.jpg)](https://shop.nitrokey.com/shop/product/nitropad-t430-119)
-The [NitroPad T430](https://shop.nitrokey.com/shop/product/nitropad-t430-119) satisfies all hardware certification requirements for Qubes 4, offering users extensive hardware security options.
+The [NitroPad T430](https://shop.nitrokey.com/shop/product/nitropad-t430-119)
-Read our [announcement](/news/2021/06/01/nitropad-t430-qubes-certification/) of the certification for further details!
+satisfies all hardware certification requirements for Qubes 4, offering users
 extensive hardware security options. Read our
 [announcement](/news/2021/06/01/nitropad-t430-qubes-certification/) of the
 certification for further details!
 ## Become Hardware Certified
-If you are a hardware vendor, you can have your hardware certified as compatible with Qubes OS.
+If you are a hardware vendor, you can have your hardware certified as
-The benefits of hardware certification include:
+compatible with Qubes OS. The benefits of hardware certification include:
-* Your customers can purchase with confidence, knowing that they can take full advantage of Qubes OS on your hardware for a specific major version.
+- Your customers can purchase with confidence, knowing that they can take full
-* We will continue testing your hardware to ensure compatibility with the supported major version.
+  advantage of Qubes OS on your hardware for a specific major version.
-  In the course of this testing, we will also test your hardware against upcoming versions, which can help with future planning.
+- We will continue testing your hardware to ensure compatibility with the
-* Your hardware will continue to be compatible with Qubes OS as it further develops within that major version, and we will work with you toward preserving compatibility and certification in future releases.
+  supported major version. In the course of this testing, we will also test
-* You can support the development of Qubes OS.
+  your hardware against upcoming versions, which can help with future planning.
 - Your hardware will continue to be compatible with Qubes OS as it further
  develops within that major version, and we will work with you toward
  preserving compatibility and certification in future releases.
 - You can support the development of Qubes OS.
 ## Hardware Certification Requirements
-(Please note that these are the requirements for hardware *certification*, *not* the requirements for *running* Qubes.
+(Please note that these are the requirements for hardware *certification*,
-For the latter, please see the [system requirements](/doc/system-requirements/).)
+*not* the requirements for *running* Qubes OS. For the latter, please see the
 [system requirements](/doc/system-requirements/).)
-One of the most important security improvements introduced with the release of Qubes 4.0 was to replace paravirtualization (PV) technology with **hardware-enforced memory virtualization**, which recent processors have made possible thanks to so-called Second Level Address Translation ([SLAT](https://en.wikipedia.org/wiki/Second_Level_Address_Translation)), also known as [EPT](https://ark.intel.com/Search/FeatureFilter?productType=processors&ExtendedPageTables=true&MarketSegment=Mobile) in Intel parlance.
+A basic requirement is that all Qubes-certified devices must be be available
-SLAT (EPT) is an extension to Intel VT-x virtualization, which originally was capable of only CPU virtualization but not memory virtualization and hence required a complex Shadow Page Tables approach.
+for purchase with Qubes OS preinstalled. Customers may be offered the option to
-We hope that embracing SLAT-based memory virtualization will allow us to prevent disastrous security bugs, such as the infamous [XSA-148](https://xenbits.xen.org/xsa/advisory-148.html), which --- unlike many other major Xen bugs --- regrettably did [affect](https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-022-2015.txt) Qubes OS.
+select from a list of various operating systems (or no operating system at all)
-Consequently, we require SLAT support of all certified hardware beginning with Qubes OS 4.0.
+to be preinstalled, but Qubes OS must be on that list in order to maintain
 Qubes hardware certification.
-Another important requirement is that Qubes-certified hardware should run only **open-source boot firmware** (aka "the BIOS"), such as [coreboot](https://www.coreboot.org/).
+One of the most important security improvements introduced with the release of
-The only exception is the use of (properly authenticated) CPU-vendor-provided blobs for silicon and memory initialization (see [Intel FSP](https://firmware.intel.com/learn/fsp/about-intel-fsp)) as well as other internal operations (see [Intel ME](https://www.apress.com/9781430265719)).
+Qubes 4.0 was to replace paravirtualization (PV) technology with
-However, we specifically require all code used for and dealing with the System Management Mode (SMM) to be open-source.
+**hardware-enforced memory virtualization**, which recent processors have made
 possible thanks to so-called Second Level Address Translation
 ([SLAT](https://en.wikipedia.org/wiki/Second_Level_Address_Translation)), also
 known as
 [EPT](https://ark.intel.com/Search/FeatureFilter?productType=processors&ExtendedPageTables=true&MarketSegment=Mobile)
 in Intel parlance. SLAT (EPT) is an extension to Intel VT-x virtualization,
 which originally was capable of only CPU virtualization but not memory
 virtualization and hence required a complex Shadow Page Tables approach. We
 hope that embracing SLAT-based memory virtualization will allow us to prevent
 disastrous security bugs, such as the infamous
 [XSA-148](https://xenbits.xen.org/xsa/advisory-148.html), which --- unlike many
 other major Xen bugs --- regrettably did
 [affect](https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-022-2015.txt)
 Qubes OS. Consequently, we require SLAT support of all certified hardware
 beginning with Qubes OS 4.0.
-While we [recognize](https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf) the potential problems that proprietary CPU-vendor code can cause, we are also pragmatic enough to realize that we need to take smaller steps first, before we can implement even stronger countermeasures such as a [stateless laptop](https://blog.invisiblethings.org/papers/2015/state_harmful.pdf).
+Another important requirement is that Qubes-certified hardware should run only
-A switch to open source boot firmware is one such important step.
+**open-source boot firmware** (aka "the BIOS"), such as
-To be compatible with Qubes OS, the BIOS must properly expose all the VT-x, VT-d, and SLAT functionality that the underlying hardware offers (and which we require).
+[coreboot](https://www.coreboot.org/). The only exception is the use of
 (properly authenticated) CPU-vendor-provided blobs for silicon and memory
 initialization (see [Intel
 FSP](https://firmware.intel.com/learn/fsp/about-intel-fsp)) as well as other
 internal operations (see [Intel ME](https://www.apress.com/9781430265719)).
 However, we specifically require all code used for and dealing with the System
 Management Mode (SMM) to be open-source.
 While we
 [recognize](https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf) the
 potential problems that proprietary CPU-vendor code can cause, we are also
 pragmatic enough to realize that we need to take smaller steps first, before we
 can implement even stronger countermeasures such as a [stateless
 laptop](https://blog.invisiblethings.org/papers/2015/state_harmful.pdf). A
 switch to open source boot firmware is one such important step. To be
 compatible with Qubes OS, the BIOS must properly expose all the VT-x, VT-d, and
 SLAT functionality that the underlying hardware offers (and which we require).
 Among other things, this implies **proper DMAR ACPI table** construction.
-Finally, we require that Qubes-certified hardware does not have any built-in _USB-connected_ microphones (e.g. as part of a USB-connected built-in camera) that cannot be easily physically disabled by the user, e.g. via a convenient mechanical switch.
+Finally, we require that Qubes-certified hardware does not have any built-in
-Thankfully, the majority of laptops on the market that we have seen already satisfy this condition out-of-the-box, because their built-in microphones are typically connected to the internal audio device, which itself is a type of PCIe device.
+_USB-connected_ microphones (e.g. as part of a USB-connected built-in camera)
-This is important, because such PCIe audio devices are --- by default --- assigned to Qubes' (trusted) dom0 and exposed through our carefully designed protocol only to select app qubes when the user explicitly chooses to do so.
+that cannot be easily physically disabled by the user, e.g. via a convenient
-The rest of the time, they should be outside the reach of malware.
+mechanical switch. Thankfully, the majority of laptops on the market that we
 have seen already satisfy this condition out-of-the-box, because their built-in
 microphones are typically connected to the internal audio device, which itself
 is a type of PCIe device. This is important, because such PCIe audio devices
 are --- by default --- assigned to Qubes' (trusted) dom0 and exposed through
 our carefully designed protocol only to select app qubes when the user
 explicitly chooses to do so. The rest of the time, they should be outside the
 reach of malware.
-While we also recommend a physical kill switch on the built-in camera (or, if possible, not to have a built-in camera), we also recognize this isn't a critical requirement, because users who are concerned about it can easily cover it a piece of tape (something that, regrettably, is far less effective on a microphone).
+While we also recommend a physical kill switch on the built-in camera (or, if
 possible, not to have a built-in camera), we also recognize this isn't a
 critical requirement, because users who are concerned about it can easily cover
 it a piece of tape (something that, regrettably, is far less effective on a
 microphone).
-Similarly, we don't consider physical kill switches on Wi-Fi and Bluetooth devices to be mandatory.
+Similarly, we don't consider physical kill switches on Wi-Fi and Bluetooth
-Users who plan on using Qubes in an air-gap scenario would do best if they manually remove all such devices persistently (as well as the builtin [speakers](https://github.com/romanz/amodem/)!), rather than rely on easy-to-flip-by-mistake switches, while others should benefit from the Qubes default sandboxing of all networking devices in dedicated VMs.
+devices to be mandatory. Users who plan on using Qubes in an air-gap scenario
 would do best if they manually remove all such devices persistently (as well as
 the builtin [speakers](https://github.com/romanz/amodem/)!), rather than rely
 on easy-to-flip-by-mistake switches, while others should benefit from the Qubes
 default sandboxing of all networking devices in dedicated VMs.
-We hope these hardware requirements will encourage the development of more secure and trustworthy devices.
+We hope these hardware requirements will encourage the development of more
 secure and trustworthy devices.
 ## Hardware Certification Process
 To have hardware certified, the vendor must:
-1. Send the Qubes team two (2) units for testing (non-returnable) for each configuration the vendor wishes to be offering.
+1. Send the Qubes team two (2) units for testing (non-returnable) for each
-2. Offer to customers the very same configuration (same motherboard, same screen, same BIOS version, same Wi-Fi module, etc.) for at least one year.
+   configuration the vendor wishes to be offering.
-3. Pay the Qubes team a flat monthly rate, to be agreed upon between the hardware vendor and the Qubes team.
+2. Offer to customers the very same configuration (same motherboard, same
   screen, same BIOS version, same Wi-Fi module, etc.) for at least one year.
 3. Pay the Qubes team a flat monthly rate, to be agreed upon between the
   hardware vendor and the Qubes team.
-It is the vendor's responsibility to ensure the hardware they wish to have certified can run Qubes OS, at the very least the latest stable version.
+It is the vendor's responsibility to ensure the hardware they wish to have
-This could be done by consulting the [Hardware Compatibility List](/hcl/) or trying to install it themselves before shipping any units to us.
+certified can run Qubes OS, at the very least the latest stable version. This
-While we are willing to troubleshoot simple issues, we will need to charge a consulting fee for more in-depth work.
+could be done by consulting the [Hardware Compatibility List](/hcl/) or trying
 to install it themselves before shipping any units to us. While we are willing
 to troubleshoot simple issues, we will need to charge a consulting fee for more
 in-depth work.
-If you are interested in having your hardware certified, please [contact us](mailto:business@qubes-os.org).
+If you are interested in having your hardware certified, please [contact
 us](mailto:business@qubes-os.org).