Convert to RST

This is done using tools at
https://github.com/maiska/qubes-translation-utilz, commit
4c8e2a7f559fd37e29b51769ed1ab1c6cf92e00d.
Marek Marczykowski-Górecki 2025-07-04 14:23:09 +02:00
parent e3db139fe3
commit 7e464d0f40
No known key found for this signature in database
GPG key ID: F32894BE9684938A
428 changed files with 32833 additions and 29703 deletions

@ -1,83 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/
redirect_from:
- /doc/hardware/
- /doc/certified-laptops/
- /hardware-certification/
ref: 144
title: Certified hardware
---
The Qubes OS Project aims to partner with a select few computer vendors to ensure that Qubes users have reliable hardware purchasing options. We aim for these vendors to be as diverse as possible in terms of geography, cost, and availability.
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> The Qubes OS Project certifies only that a particular hardware <em>configuration</em> is <em>supported</em> by Qubes OS and is available to purchase with Qubes OS preinstalled. We take no responsibility for any vendor's manufacturing, shipping, payment, or other practices; nor can we control whether physical hardware is modified (whether maliciously or otherwise) <i>en route</i> to the user.
</div>
You may also be interested in the [community-recommended hardware](https://forum.qubes-os.org/t/5560) list and the [hardware compatibility list (HCL)](/hcl/).
## Qubes-certified computers
Qubes-certified computers are certified for a [major release](/doc/version-scheme/) and regularly tested by the Qubes developers to ensure compatibility with all of Qubes' features within that major release. The developers test all new updates within that major release to ensure that no regressions are introduced.
The current Qubes-certified models are listed below in reverse chronological order of certification.
| Brand | Model | Certification details |
| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- |
| [NovaCustom](https://novacustom.com/) | [V54 Series](https://novacustom.com/product/v54-series/) | [Certification details](/doc/certified-hardware/novacustom-v54-series/) |
| [Nitrokey](https://www.nitrokey.com/) | [NitroPad V56](https://shop.nitrokey.com/shop/nitropad-v56-684) | [Certification details](/doc/certified-hardware/nitropad-v56/) |
| [NovaCustom](https://novacustom.com/) | [V56 Series](https://novacustom.com/product/v56-series/) | [Certification details](/doc/certified-hardware/novacustom-v56-series/) |
| [Nitrokey](https://www.nitrokey.com/) | [NitroPC Pro 2](https://shop.nitrokey.com/shop/nitropc-pro-2-523) | [Certification details](/doc/certified-hardware/nitropc-pro-2/) |
| [Star Labs](https://starlabs.systems/) | [StarBook](https://starlabs.systems/pages/starbook) | [Certification details](/doc/certified-hardware/starlabs-starbook/) |
| [Nitrokey](https://www.nitrokey.com/) | [NitroPC Pro](https://web.archive.org/web/20231027112856/https://shop.nitrokey.com/shop/product/nitropc-pro-523) | [Certification details](/doc/certified-hardware/nitropc-pro/) |
| [NovaCustom](https://novacustom.com/) | [NV41 Series](https://novacustom.com/product/nv41-series/) | [Certification details](/doc/certified-hardware/novacustom-nv41-series/) |
| [3mdeb](https://3mdeb.com/) | [Dasharo FidelisGuard Z690](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/) | [Certification details](/doc/certified-hardware/dasharo-fidelisguard-z690/) |
| [Nitrokey](https://www.nitrokey.com/) | [NitroPad T430](https://shop.nitrokey.com/shop/product/nitropad-t430-119) | [Certification details](/doc/certified-hardware/nitropad-t430/) |
| [Nitrokey](https://www.nitrokey.com/) | <a id="nitropad-x230"></a>[NitroPad X230](https://shop.nitrokey.com/shop/product/nitropad-x230-67) | [Certification details](/doc/certified-hardware/nitropad-x230/) |
| [Insurgo](https://insurgo.ca/) | [PrivacyBeast X230](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/) | [Certification details](/doc/certified-hardware/insurgo-privacybeast-x230/) |
## Become hardware certified
If you are a hardware vendor, you can have your hardware certified as compatible with Qubes OS. The benefits of hardware certification include:
- Your customers can purchase with confidence, knowing that they can take full advantage of Qubes OS on your hardware for a specific major version.
- We will continue testing your hardware to ensure compatibility with the supported major version. In the course of this testing, we will also test your hardware against upcoming versions, which can help with future planning.
- Your hardware will continue to be compatible with Qubes OS as it further develops within that major version, and we will work with you toward preserving compatibility and certification in future releases.
- You can support the development of Qubes OS.
## Hardware certification requirements
**Note:** This section describes the requirements for hardware *certification*, *not* the requirements for *running* Qubes OS. For the latter, please see the [system requirements](/doc/system-requirements/). A brief list of the requirements described in this section is available [here](/doc/system-requirements/#qubes-certified-hardware).
A basic requirement is that all Qubes-certified devices must be available for purchase with Qubes OS preinstalled. Customers may be offered the option to select from a list of various operating systems (or no operating system at all) to be preinstalled, but Qubes OS must be on that list in order to maintain Qubes hardware certification.
One of the most important security improvements introduced with the release of Qubes 4.0 was to replace paravirtualization (PV) technology with **hardware-enforced memory virtualization**, which recent processors have made possible thanks to so-called Second Level Address Translation ([SLAT](https://en.wikipedia.org/wiki/Second_Level_Address_Translation)), also known as [EPT](https://ark.intel.com/Search/FeatureFilter?productType=processors&ExtendedPageTables=true&MarketSegment=Mobile) in Intel parlance. SLAT (EPT) is an extension to Intel VT-x virtualization, which originally was capable of only CPU virtualization but not memory virtualization and hence required a complex Shadow Page Tables approach. We hope that embracing SLAT-based memory virtualization will allow us to prevent disastrous security bugs, such as the infamous [XSA-148](https://xenbits.xen.org/xsa/advisory-148.html), which --- unlike many other major Xen bugs --- regrettably did [affect](https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-022-2015.txt) Qubes OS. Consequently, we require SLAT support of all certified hardware beginning with Qubes OS 4.0.
Another important requirement is that Qubes-certified hardware should run only **open-source boot firmware** (aka "the BIOS"), such as [coreboot](https://www.coreboot.org/). The only exception is the use of (properly authenticated) CPU-vendor-provided blobs for silicon and memory initialization (see [Intel FSP](https://firmware.intel.com/learn/fsp/about-intel-fsp)) as well as other internal operations (see [Intel ME](https://www.apress.com/9781430265719)). However, we specifically require all code used for and dealing with the System Management Mode (SMM) to be open-source.
While we [recognize](https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf) the potential problems that proprietary CPU-vendor code can cause, we are also pragmatic enough to realize that we need to take smaller steps first, before we can implement even stronger countermeasures such as a [stateless laptop](https://blog.invisiblethings.org/papers/2015/state_harmful.pdf). A switch to open source boot firmware is one such important step. To be compatible with Qubes OS, the BIOS must properly expose all the VT-x, VT-d, and SLAT functionality that the underlying hardware offers (and which we require). Among other things, this implies **proper DMAR ACPI table** construction.
Most laptops use PS/2 connections internally for their input devices (i.e., keyboard and touchpad). On most desktops, however, USB-connected keyboards and mice have become standard. This presents a dilemma when the computer has only one USB controller. If that single USB controller is dedicated solely to the input devices, then no untrusted USB devices can be used. Conversely, if the sole USB controller is completely untrusted, then there is no way for the user to physically control the system in a secure way. In practice, Qubes users on such hardware systems are generally forced to use a single USB controller for both trusted and untrusted purposes --- [an unfortunate security trade-off](/doc/device-handling-security/#security-warning-on-usb-input-devices). For this reason, we require that every Qubes-certified non-laptop device **either** (1) supports non-USB input devices (e.g., via PS/2) **or** (2) has a separate USB controller that is only for input devices.
Finally, we require that Qubes-certified hardware does not have any built-in _USB-connected_ microphones (e.g. as part of a USB-connected built-in camera) that cannot be easily physically disabled by the user, e.g. via a convenient mechanical switch. Thankfully, the majority of laptops on the market that we have seen already satisfy this condition out-of-the-box, because their built-in microphones are typically connected to the internal audio device, which itself is a type of PCIe device. This is important, because such PCIe audio devices are --- by default --- assigned to Qubes' (trusted) dom0 and exposed through our carefully designed protocol only to select app qubes when the user explicitly chooses to do so. The rest of the time, they should be outside the reach of malware.
While we also recommend a physical kill switch on the built-in camera (or, if possible, not to have a built-in camera), we also recognize this isn't a critical requirement, because users who are concerned about it can easily cover it a piece of tape (something that, regrettably, is far less effective on a microphone).
Similarly, we don't consider physical kill switches on Wi-Fi and Bluetooth devices to be mandatory. Users who plan on using Qubes in an air-gap scenario would do best if they manually remove all such devices persistently (as well as the builtin [speakers](https://github.com/romanz/amodem/)!), rather than rely on easy-to-flip-by-mistake switches, while others should benefit from the Qubes default sandboxing of all networking devices in dedicated VMs.
We hope these hardware requirements will encourage the development of more secure and trustworthy devices.
## Hardware certification process
To have hardware certified, the vendor must:
1. Send the Qubes team two (2) units for testing (non-returnable) for each configuration the vendor wishes to be offering.
2. Offer to customers the very same configuration (same motherboard, same screen, same BIOS version, same Wi-Fi module, etc.) for at least one year.
3. Pay the Qubes team a flat monthly rate, to be agreed upon between the hardware vendor and the Qubes team.
It is the vendor's responsibility to ensure the hardware they wish to have certified can run Qubes OS, at the very least the latest stable version. This could be done by consulting the [Hardware Compatibility List](/hcl/) or trying to install it themselves before shipping any units to us. While we are willing to troubleshoot simple issues, we will need to charge a consulting fee for more in-depth work.
If you are interested in having your hardware certified, please [contact us](mailto:business@qubes-os.org).
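Review bot: The front matter removed at the top of this file carried `redirect_from` entries for `/doc/hardware/`, `/doc/certified-laptops/` and `/hardware-certification/`, plus the `/doc/certified-hardware/` permalink, and the RST file that replaces it has no equivalent. Please confirm these legacy URLs are still redirected by the new documentation build, or add the mapping as part of the conversion, so that existing inbound links to the certification page keep resolving.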

@ -0,0 +1,122 @@
==================
Certified hardware
==================
The Qubes OS Project aims to partner with a select few computer vendors to ensure that Qubes users have reliable hardware purchasing options. We aim for these vendors to be as diverse as possible in terms of geography, cost, and availability.
.. DANGER::
**Warning:** The Qubes OS Project certifies only that a particular hardware *configuration* is *supported* by Qubes OS and is available to purchase with Qubes OS preinstalled. We take no responsibility for any vendors manufacturing, shipping, payment, or other practices; nor can we control whether physical hardware is modified (whether maliciously or otherwise) *en route* to the user.
You may also be interested in the `community-recommended hardware <https://forum.qubes-os.org/t/5560>`__ list and the `hardware compatibility list (HCL) <https://www.qubes-os.org/hcl/>`__.
Qubes-certified computers
-------------------------
Qubes-certified computers are certified for a :doc:`major release </developer/releases/version-scheme>` and regularly tested by the Qubes developers to ensure compatibility with all of Qubes features within that major release. The developers test all new updates within that major release to ensure that no regressions are introduced.
The current Qubes-certified models are listed below in reverse chronological order of certification.
.. list-table::
:widths: 43 43 43
:align: center
:header-rows: 1
* - Brand
- Model
- Certification details
* - `NovaCustom <https://novacustom.com/>`__
- `V54 Series <https://novacustom.com/product/v54-series/>`__
- :doc:`Certification details </user/hardware/certified-hardware/novacustom-v54-series/>`
* - `Nitrokey <https://www.nitrokey.com/>`__
- `NitroPad V56 <https://shop.nitrokey.com/shop/nitropad-v56-684>`__
- :doc:`Certification details </user/hardware/certified-hardware/nitropad-v56/>`
* - `NovaCustom <https://novacustom.com/>`__
- `V56 Series <https://novacustom.com/product/v56-series/>`__
- :doc:`Certification details </user/hardware/certified-hardware/novacustom-v54-series/>`
* - `Nitrokey <https://www.nitrokey.com/>`__
- `NitroPC Pro 2 <https://shop.nitrokey.com/shop/nitropc-pro-2-523>`__
- :doc:`Certification details </user/hardware/certified-hardware/nitropc-pro-2/>`
* - `Star Labs <https://starlabs.systems/>`__
- `StarBook <https://starlabs.systems/pages/starbook>`__
- :doc:`Certification details </user/hardware/certified-hardware/starlabs-starbook/>`
* - `Nitrokey <https://www.nitrokey.com/>`__
- `NitroPC Pro <https://web.archive.org/web/20231027112856/https://shop.nitrokey.com/shop/product/nitropc-pro-523>`__
- :doc:`Certification details </user/hardware/certified-hardware/nitropc-pro/>`
* - `NovaCustom <https://novacustom.com/>`__
- `NV41 Series <https://novacustom.com/product/nv41-series/>`__
- :doc:`Certification details </user/hardware/certified-hardware/novacustom-nv41-series/>`
* - `3mdeb <https://3mdeb.com/>`__
- `Dasharo FidelisGuard Z690 <https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/>`__
- :doc:`Certification details </user/hardware/certified-hardware/dasharo-fidelisguard-z690/>`
* - `Nitrokey <https://www.nitrokey.com/>`__
- `NitroPad T430 <https://shop.nitrokey.com/shop/nitropad-t430-119>`__
- :doc:`Certification details </user/hardware/certified-hardware/nitropad-t430/>`
* - `Nitrokey <https://www.nitrokey.com/>`__
- `NitroPad X230 <https://shop.nitrokey.com/shop/product/nitropad-t430-119>`__
- :doc:`Certification details </user/hardware/certified-hardware/nitropad-x230/>`
* - `Insurgo <https://insurgo.ca/>`__
- `PrivacyBeast X230 <https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/>`__
- :doc:`Certification details </user/hardware/certified-hardware/insurgo-privacybeast-x230/>`
Become hardware certified
-------------------------
If you are a hardware vendor, you can have your hardware certified as compatible with Qubes OS. The benefits of hardware certification include:
- Your customers can purchase with confidence, knowing that they can take full advantage of Qubes OS on your hardware for a specific major version.
- We will continue testing your hardware to ensure compatibility with the supported major version. In the course of this testing, we will also test your hardware against upcoming versions, which can help with future planning.
- Your hardware will continue to be compatible with Qubes OS as it further develops within that major version, and we will work with you toward preserving compatibility and certification in future releases.
- You can support the development of Qubes OS.
Hardware certification requirements
-----------------------------------
**Note:** This section describes the requirements for hardware *certification*, *not* the requirements for *running* Qubes OS. For the latter, please see the :doc:`system requirements </user/hardware/system-requirements>`. A brief list of the requirements described in this section is available :ref:`here <user/hardware/system-requirements:qubes-certified hardware>`.
A basic requirement is that all Qubes-certified devices must be available for purchase with Qubes OS preinstalled. Customers may be offered the option to select from a list of various operating systems (or no operating system at all) to be preinstalled, but Qubes OS must be on that list in order to maintain Qubes hardware certification.
One of the most important security improvements introduced with the release of Qubes 4.0 was to replace paravirtualization (PV) technology with **hardware-enforced memory virtualization**, which recent processors have made possible thanks to so-called Second Level Address Translation (`SLAT <https://en.wikipedia.org/wiki/Second_Level_Address_Translation>`__), also known as `EPT <https://ark.intel.com/Search/FeatureFilter?productType=processors&ExtendedPageTables=true&MarketSegment=Mobile>`__ in Intel parlance. SLAT (EPT) is an extension to Intel VT-x virtualization, which originally was capable of only CPU virtualization but not memory virtualization and hence required a complex Shadow Page Tables approach. We hope that embracing SLAT-based memory virtualization will allow us to prevent disastrous security bugs, such as the infamous `XSA-148 <https://xenbits.xen.org/xsa/advisory-148.html>`__, which — unlike many other major Xen bugs — regrettably did `affect <https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-022-2015.txt>`__ Qubes OS. Consequently, we require SLAT support of all certified hardware beginning with Qubes OS 4.0.
Another important requirement is that Qubes-certified hardware should run only **open-source boot firmware** (aka “the BIOS”), such as `coreboot <https://www.coreboot.org/>`__. The only exception is the use of (properly authenticated) CPU-vendor-provided blobs for silicon and memory initialization (see `Intel FSP <https://firmware.intel.com/learn/fsp/about-intel-fsp>`__) as well as other internal operations (see `Intel ME <https://www.apress.com/9781430265719>`__). However, we specifically require all code used for and dealing with the System Management Mode (SMM) to be open-source.
While we `recognize <https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf>`__ the potential problems that proprietary CPU-vendor code can cause, we are also pragmatic enough to realize that we need to take smaller steps first, before we can implement even stronger countermeasures such as a `stateless laptop <https://blog.invisiblethings.org/papers/2015/state_harmful.pdf>`__. A switch to open source boot firmware is one such important step. To be compatible with Qubes OS, the BIOS must properly expose all the VT-x, VT-d, and SLAT functionality that the underlying hardware offers (and which we require). Among other things, this implies **proper DMAR ACPI table** construction.
Most laptops use PS/2 connections internally for their input devices (i.e., keyboard and touchpad). On most desktops, however, USB-connected keyboards and mice have become standard. This presents a dilemma when the computer has only one USB controller. If that single USB controller is dedicated solely to the input devices, then no untrusted USB devices can be used. Conversely, if the sole USB controller is completely untrusted, then there is no way for the user to physically control the system in a secure way. In practice, Qubes users on such hardware systems are generally forced to use a single USB controller for both trusted and untrusted purposes — :ref:`an unfortunate security trade-off <user/security-in-qubes/device-handling-security:security warning on usb input devices>`. For this reason, we require that every Qubes-certified non-laptop device **either** (1) supports non-USB input devices (e.g., via PS/2) **or** (2) has a separate USB controller that is only for input devices.
Finally, we require that Qubes-certified hardware does not have any built-in *USB-connected* microphones (e.g. as part of a USB-connected built-in camera) that cannot be easily physically disabled by the user, e.g. via a convenient mechanical switch. Thankfully, the majority of laptops on the market that we have seen already satisfy this condition out-of-the-box, because their built-in microphones are typically connected to the internal audio device, which itself is a type of PCIe device. This is important, because such PCIe audio devices are — by default — assigned to Qubes (trusted) dom0 and exposed through our carefully designed protocol only to select app qubes when the user explicitly chooses to do so. The rest of the time, they should be outside the reach of malware.
While we also recommend a physical kill switch on the built-in camera (or, if possible, not to have a built-in camera), we also recognize this isnt a critical requirement, because users who are concerned about it can easily cover it a piece of tape (something that, regrettably, is far less effective on a microphone).
Similarly, we dont consider physical kill switches on Wi-Fi and Bluetooth devices to be mandatory. Users who plan on using Qubes in an air-gap scenario would do best if they manually remove all such devices persistently (as well as the builtin `speakers <https://github.com/romanz/amodem/>`__!), rather than rely on easy-to-flip-by-mistake switches, while others should benefit from the Qubes default sandboxing of all networking devices in dedicated VMs.
We hope these hardware requirements will encourage the development of more secure and trustworthy devices.
Hardware certification process
------------------------------
To have hardware certified, the vendor must:
1. Send the Qubes team two (2) units for testing (non-returnable) for each configuration the vendor wishes to be offering.
2. Offer to customers the very same configuration (same motherboard, same screen, same BIOS version, same Wi-Fi module, etc.) for at least one year.
3. Pay the Qubes team a flat monthly rate, to be agreed upon between the hardware vendor and the Qubes team.
It is the vendors responsibility to ensure the hardware they wish to have certified can run Qubes OS, at the very least the latest stable version. This could be done by consulting the `Hardware Compatibility List <https://www.qubes-os.org/hcl/>`__ or trying to install it themselves before shipping any units to us. While we are willing to troubleshoot simple issues, we will need to charge a consulting fee for more in-depth work.
If you are interested in having your hardware certified, please `contact us <mailto:business@qubes-os.org>`__.
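Review bot: Two rows of the converted list-table no longer match the Markdown source. The V56 Series row links its certification details to `/user/hardware/certified-hardware/novacustom-v54-series/` where the original pointed at the v56 page, and the NitroPad X230 row now uses `https://shop.nitrokey.com/shop/product/nitropad-t430-119` where the original had `https://shop.nitrokey.com/shop/product/nitropad-x230-67`. Both targets should be restored, since this table is what buyers follow to reach a specific certified model. The `<a id="nitropad-x230"></a>` anchor from the old X230 row is also dropped; add an explicit RST label if anything still links to it. Minor: `.. DANGER::` followed by a bold "Warning:" prefix puts two different severity words on the same admonition, so consider keeping only one of them.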

@ -1,39 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/dasharo-fidelisguard-z690/
title: Dasharo FidelisGuard Z690
image: /attachment/posts/dasharo-fidelisguard-z690_2.jpg
ref: 350
---
The [Dasharo FidelisGuard Z690](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
[![Photo of MSI PRO Z690-A DDR4 motherboard](/attachment/posts/dasharo-fidelisguard-z690_1.jpg)](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)
The [Dasharo FidelisGuard Z690](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/) is a full desktop PC build that brings the [Dasharo](https://dasharo.com/) open-source firmware distribution to the MSI PRO Z690-A DDR4 motherboard with Qubes OS preinstalled. The full configuration includes:
| Part | Model Name |
|------------- | -------------------------------------------------------------- |
| CPU | Intel Core i5-12600K, 3.7GHz |
| Cooling | Noctua CPU NH-U12S Redux |
| RAM | Kingston Fury Beast, DDR4, 4x8GB (32 GB Total), 3600 MHz, CL17 |
| Power Supply | Seasonic Focus PX 750W 80 Plus Platinum |
| Storage | SSD Intel 670p 512 GB M.2 2280 PCI-E x4 Gen3 NVMe |
| Enclosure | SilentiumPC Armis AR1 |
[![Photo of Dasharo FidelisGuard Z690 with open case](/attachment/posts/dasharo-fidelisguard-z690_2.jpg)](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)
This computer comes with a "Dasharo Supporters Entrance Subscription," which includes the following:
- Full access to [Dasharo Tools Suite (DTS)](https://docs.dasharo.com/dasharo-tools-suite/overview/)
- The latest Dasharo releases issued by the Dasharo Team
- Special Dasharo updates for supporters
- Dasharo Premier Support through an invite-only Matrix channel
- Influence on the Dasharo feature roadmap
[![Photo of Dasharo FidelisGuard Z690 with open case](/attachment/posts/dasharo-fidelisguard-z690_3.jpg)](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)
For further details, please see the [Dasharo FidelisGuard Z690](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/) product page.
[![Photo of the outside of the Dasharo FidelisGuard Z690](/attachment/posts/dasharo-fidelisguard-z690_4.jpg)](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)

@ -0,0 +1,66 @@
=========================
Dasharo FidelisGuard Z690
=========================
The `Dasharo FidelisGuard Z690 <https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/>`__ is :doc:`officially certified </user/hardware/certified-hardware/certified-hardware>` for Qubes OS Release 4.
|Photo of MSI PRO Z690-A DDR4 motherboard|
The `Dasharo FidelisGuard Z690 <https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/>`__ is a full desktop PC build that brings the `Dasharo <https://dasharo.com/>`__ open-source firmware distribution to the MSI PRO Z690-A DDR4 motherboard with Qubes OS preinstalled. The full configuration includes:
.. list-table::
:widths: 14 14
:align: center
:header-rows: 1
* - Part
- Model Name
* - CPU
- Intel Core i5-12600K, 3.7GHz
* - Cooling
- Noctua CPU NH-U12S Redux
* - RAM
- Kingston Fury Beast, DDR4, 4x8GB (32 GB Total), 3600 MHz, CL17
* - Power Supply
- Seasonic Focus PX 750W 80 Plus Platinum
* - Storage
- SSD Intel 670p 512 GB M.2 2280 PCI-E x4 Gen3 NVMe
* - Enclosure
- SilentiumPC Armis AR1
|Photo of Dasharo FidelisGuard Z690 with open case|
This computer comes with a “Dasharo Supporters Entrance Subscription,” which includes the following:
- Full access to `Dasharo Tools Suite (DTS) <https://docs.dasharo.com/dasharo-tools-suite/overview/>`__
- The latest Dasharo releases issued by the Dasharo Team
- Special Dasharo updates for supporters
- Dasharo Premier Support through an invite-only Matrix channel
- Influence on the Dasharo feature roadmap
|image1|
For further details, please see the `Dasharo FidelisGuard Z690 <https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/>`__ product page.
|Photo of the outside of the Dasharo FidelisGuard Z690|
.. |Photo of MSI PRO Z690-A DDR4 motherboard| image:: /attachment/posts/dasharo-fidelisguard-z690_1.jpg
:target: https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/
.. |Photo of Dasharo FidelisGuard Z690 with open case| image:: /attachment/posts/dasharo-fidelisguard-z690_2.jpg
:target: https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/
.. |image1| image:: /attachment/posts/dasharo-fidelisguard-z690_3.jpg
:target: https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/
.. |Photo of the outside of the Dasharo FidelisGuard Z690| image:: /attachment/posts/dasharo-fidelisguard-z690_4.jpg
:target: https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/
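Review bot: The third image lost its descriptive alt text in the conversion: it is referenced as `|image1|` and defined as `.. |image1| image:: /attachment/posts/dasharo-fidelisguard-z690_3.jpg`, while the Markdown source gave it the alt text "Photo of Dasharo FidelisGuard Z690 with open case". The generated name appears to come from the second and third images sharing the same alt text in the original. Since an image substitution without an `:alt:` option falls back to the substitution name, give this one a distinct descriptive name or add an explicit `:alt:` so screen readers do not announce "image1".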

@ -1,27 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/insurgo-privacybeast-x230/
title: Insurgo PrivacyBeast X230
image: /attachment/site/insurgo-privacybeast-x230.png
ref: 351
---
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> The CPU in this computer no longer receives microcode updates from Intel. Without microcode updates, Qubes OS cannot ensure that this computer is secure against CPU vulnerabilities. While this computer remains certified for Qubes OS Release 4, we recommend that prospective buyers consider a newer Qubes-certified computer instead.
</div>
The [Insurgo PrivacyBeast X230](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
[![Photo of the Insurgo PrivacyBeast X230](/attachment/site/insurgo-privacybeast-x230.png)](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/)
The [Insurgo PrivacyBeast X230](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/) is a custom refurbished [ThinkPad X230](https://www.thinkwiki.org/wiki/Category:X230) that includes the following features:
- [coreboot](https://www.coreboot.org/) initialization for the x230 is binary-blob-free, including native graphic initialization. Built with the [Heads](https://github.com/osresearch/heads/) payload, it delivers an [Anti Evil Maid (AEM)](/doc/anti-evil-maid/)-like solution built into the firmware. (Even though our [requirements](/doc/certified-hardware/#hardware-certification-requirements) provide an exception for CPU-vendor-provided blobs for silicon and memory initialization, Insurgo exceeds our requirements by insisting that these be absent from its machines.)
- [Intel ME](https://libreboot.org/faq.html#intelme) is neutered through the AltMeDisable bit, while all modules other than ROMP and BUP, which are required to initialize main CPU, have been [deleted](https://github.com/linuxboot/heads-wiki/blob/master/Installing-and-Configuring/Flashing-Guides/Clean-the-ME-firmware.md#how-to-disabledeactive-most-of-it).
- A re-ownership process that allows it to ship pre-installed with Qubes OS, including full-disk encryption already in place, but where the final disk encryption key is regenerated only when the machine is first powered on by the user, so that the OEM doesn't know it.
- [Heads](https://github.com/osresearch/heads/) provisioned pre-delivery to protect against malicious [interdiction](https://en.wikipedia.org/wiki/Interdiction).

View file

@ -0,0 +1,27 @@
=========================
Insurgo PrivacyBeast X230
=========================
.. DANGER::
**Warning:** The CPU in this computer no longer receives microcode updates from Intel. Without microcode updates, Qubes OS cannot ensure that this computer is secure against CPU vulnerabilities. While this computer remains certified for Qubes OS Release 4, we recommend that prospective buyers consider a newer Qubes-certified computer instead.
The `Insurgo PrivacyBeast X230 <https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/>`__ is :doc:`officially certified </user/hardware/certified-hardware/certified-hardware>` for Qubes OS Release 4.
|Photo of the Insurgo PrivacyBeast X230|
The `Insurgo PrivacyBeast X230 <https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/>`__ is a custom refurbished `ThinkPad X230 <https://www.thinkwiki.org/wiki/Category:X230>`__ that includes the following features:
- `coreboot <https://www.coreboot.org/>`__ initialization for the x230 is binary-blob-free, including native graphic initialization. Built with the `Heads <https://github.com/osresearch/heads/>`__ payload, it delivers an :doc:`Anti Evil Maid (AEM) </user/security-in-qubes/anti-evil-maid>`-like solution built into the firmware. (Even though our :ref:`requirements <user/hardware/certified-hardware/certified-hardware:hardware certification requirements>` provide an exception for CPU-vendor-provided blobs for silicon and memory initialization, Insurgo exceeds our requirements by insisting that these be absent from its machines.)
- `Intel ME <https://libreboot.org/faq.html#intelme>`__ is neutered through the AltMeDisable bit, while all modules other than ROMP and BUP, which are required to initialize main CPU, have been `deleted <https://github.com/linuxboot/heads-wiki/blob/master/Installing-and-Configuring/Flashing-Guides/Clean-the-ME-firmware.md#how-to-disabledeactive-most-of-it>`__.
- A re-ownership process that allows it to ship pre-installed with Qubes OS, including full-disk encryption already in place, but where the final disk encryption key is regenerated only when the machine is first powered on by the user, so that the OEM doesnt know it.
- `Heads <https://github.com/osresearch/heads/>`__ provisioned pre-delivery to protect against malicious `interdiction <https://en.wikipedia.org/wiki/Interdiction>`__.
.. |Photo of the Insurgo PrivacyBeast X230| image:: /attachment/site/insurgo-privacybeast-x230.png
:target: https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/
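
Review bot: The re-ownership bullet now ends with "so that the OEM doesnt know it", where the removed Markdown page had "doesn't"; the apostrophe was lost in conversion and should be restored. It is worth checking the converter's handling of apostrophes in general before merging, since this is prose that was correct in the source.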

View file

@ -1,31 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/nitropad-t430/
title: NitroPad T430
image: /attachment/site/nitropad-t430.jpg
ref: 352
---
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> The CPU in this computer no longer receives microcode updates from Intel. Without microcode updates, Qubes OS cannot ensure that this computer is secure against CPU vulnerabilities. While this computer remains certified for Qubes OS Release 4, we recommend that prospective buyers consider a newer Qubes-certified computer instead.
</div>
<div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Note:</b> Please be advised that the i7-3632QM option is <b>not</b> compatible with Qubes OS, as it does not support VT-d. The option specifically tested by the Qubes team is the i5-3320M.
</div>
The [NitroPad T430](https://shop.nitrokey.com/shop/product/nitropad-t430-119) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
[![Photo of the NitroPad T430](/attachment/site/nitropad-t430.jpg)](https://shop.nitrokey.com/shop/product/nitropad-t430-119)
Key features of the [NitroPad T430](https://shop.nitrokey.com/shop/product/nitropad-t430-119) include:
- Tamper detection through measured boot with [coreboot](https://www.coreboot.org/), [Heads](https://github.com/osresearch/heads/), and Nitrokey USB hardware, including support for [Anti Evil Maid (AEM)](/doc/anti-evil-maid/)
- Deactivated [Intel Management Engine](https://libreboot.org/faq.html#intelme)
- User-replaceable cryptographic keys
- Included Nitrokey USB key
- Professional ThinkPad hardware based on the [ThinkPad T430](https://www.thinkwiki.org/wiki/Category:T430)
- Security-conscious shipping to mitigate against third-party [interdiction](https://en.wikipedia.org/wiki/Interdiction)

View file

@ -0,0 +1,35 @@
=============
NitroPad T430
=============
.. DANGER::
**Warning:** The CPU in this computer no longer receives microcode updates from Intel. Without microcode updates, Qubes OS cannot ensure that this computer is secure against CPU vulnerabilities. While this computer remains certified for Qubes OS Release 4, we recommend that prospective buyers consider a newer Qubes-certified computer instead.
.. warning::
**Note:** Please be advised that the i7-3632QM option is not compatible with Qubes OS, as it does not support VT-d. The option specifically tested by the Qubes team is the i5-3320M.
The `NitroPad T430 <https://shop.nitrokey.com/shop/product/nitropad-t430-119>`__ is :doc:`officially certified </user/hardware/certified-hardware/certified-hardware>` for Qubes OS Release 4.
|Photo of the NitroPad T430|
Key features of the `NitroPad T430 <https://shop.nitrokey.com/shop/product/nitropad-t430-119>`__ include:
- Tamper detection through measured boot with `coreboot <https://www.coreboot.org/>`__, `Heads <https://github.com/osresearch/heads/>`__, and Nitrokey USB hardware, including support for :doc:`Anti Evil Maid (AEM) </user/security-in-qubes/anti-evil-maid>`
- Deactivated `Intel Management Engine <https://libreboot.org/faq.html#intelme>`__
- User-replaceable cryptographic keys
- Included Nitrokey USB key
- Professional ThinkPad hardware based on the `ThinkPad T430 <https://www.thinkwiki.org/wiki/Category:T430>`__
- Security-conscious shipping to mitigate against third-party `interdiction <https://en.wikipedia.org/wiki/Interdiction>`__
.. |Photo of the NitroPad T430| image:: /attachment/site/nitropad-t430.jpg
:target: https://shop.nitrokey.com/shop/product/nitropad-t430-119
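
Review bot: The VT-d compatibility note lost its emphasis: the removed Markdown had "the i7-3632QM option is <b>not</b> compatible with Qubes OS", but the RST reads "is not compatible" with no markup, so the one word a buyer must not miss is no longer highlighted. Restore it as `**not**`. The same paragraph sits in a `.. warning::` directive while its text is labelled "**Note:**"; pick one of the two, for example `.. note::` without the inline label.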

View file

@ -1,83 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/nitropad-v56/
title: NitroPad V56
image: /attachment/site/nitropad-v56.png
ref: 353
---
The [NitroPad V56](https://shop.nitrokey.com/shop/nitropad-v56-684) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
[![Photo of the NitroPad V56](/attachment/site/nitropad-v56.png)](https://shop.nitrokey.com/shop/nitropad-v56-684)
## Qubes-certified options
The configuration options required for Qubes certification are detailed below.
### Processor and graphics card
- Certified: Intel Core Ultra 5 Processor 125H, Intel Arc iGPU with AI Boost
- Certified: Intel Core Ultra 7 Processor 155H, Intel Arc iGPU with AI Boost
- The Nvidia GPU options are not currently certified.
### Memory (RAM) DDR5, 5600 MHz
- Certified: All options 16 GB (2x8 GB) and higher
### 1st Hard Disk SSD NVMe PCIe 4.0 x4
- Certified: Any of the available options in this section
### 2nd Hard Disk SSD NVMe PCIe 4.0 x4
- Certified: Any of the available options in this section
### Keyboard
- Certified: Any of the available options in this section
### Wireless interfaces
- Certified: Wi-Fi 6E + Bluetooth 5.3, Intel AX-210/211 (non vPro) WLAN module 2.4 Gbps, 802.11ax
- Certified: Wi-Fi 7 + Bluetooth 5.42, Intel BE200 (non vPro) WLAN module 5.8 Gbps, 802.11be
- Certified: No wireless
### Webcam and microphone
- Certified: Any of the available options in this section
### Type
- Certified: Any of the available options in this section
### Firmware
- Certified: Dasharo TianoCore UEFI without Measured boot, without Nitrokey
- The option "Dasharo HEADS with Measured Boot, requires Nitrokey!" is not yet certified.
### Operating system
- Certified: Qubes OS 4.2.3 or newer (within Release 4).
- Releases older than 4.2.3 are not certified.
- You may choose either to have Nitrokey preinstall Qubes OS for you, or you may choose to install Qubes OS yourself. This choice does not affect certification.
### Nitrokey
- Certified: None -- for TianoCore only!
- The Nitrokey options are currently not applicable to Qubes hardware certification. (See the Firmware section above.)
### Shipment of Nitrokey
- This section does not affect Qubes hardware certification.
### Tamper-evident packaging
- This section does not affect Qubes hardware certification.
## Disclaimers
- In order for Wi-Fi to function properly, `sys-net` must currently be based on a Fedora template. The firmware package in Debian templates is currently too old for the certified Wi-Fi cards.
- Currently requires `kernel-latest`: If you install Qubes OS yourself, you must select the `Install Qubes OS RX using kernel-latest` option on the GRUB menu when booting the installer. This non-default kernel option is currently required for the NitroPad V56 to function properly.
- Due to a [known bug](https://github.com/Dasharo/dasharo-issues/issues/976), the bottom-right USB-C port is currently limited to USB 2.0 speeds.

View file

@ -0,0 +1,149 @@
============
NitroPad V56
============
The `NitroPad V56 <https://shop.nitrokey.com/shop/nitropad-v56-684>`__ is :doc:`officially certified </user/hardware/certified-hardware/certified-hardware>` for Qubes OS Release 4.
|Photo of the NitroPad V56|
Qubes-certified options
-----------------------
The configuration options required for Qubes certification are detailed below.
Processor and graphics card
^^^^^^^^^^^^^^^^^^^^^^^^^^^
- Certified: Intel Core Ultra 5 Processor 125H, Intel Arc iGPU with AI Boost
- Certified: Intel Core Ultra 7 Processor 155H, Intel Arc iGPU with AI Boost
- The Nvidia GPU options are not currently certified.
Memory (RAM) DDR5, 5600 MHz
^^^^^^^^^^^^^^^^^^^^^^^^^^^
- Certified: All options 16 GB (2x8 GB) and higher
1st Hard Disk SSD NVMe PCIe 4.0 x4
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- Certified: Any of the available options in this section
2nd Hard Disk SSD NVMe PCIe 4.0 x4
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- Certified: Any of the available options in this section
Keyboard
^^^^^^^^
- Certified: Any of the available options in this section
Wireless interfaces
^^^^^^^^^^^^^^^^^^^
- Certified: Wi-Fi 6E + Bluetooth 5.3, Intel AX-210/211 (non vPro) WLAN module 2.4 Gbps, 802.11ax
- Certified: Wi-Fi 7 + Bluetooth 5.42, Intel BE200 (non vPro) WLAN module 5.8 Gbps, 802.11be
- Certified: No wireless
Webcam and microphone
^^^^^^^^^^^^^^^^^^^^^
- Certified: Any of the available options in this section
Type
^^^^
- Certified: Any of the available options in this section
Firmware
^^^^^^^^
- Certified: Dasharo TianoCore UEFI without Measured boot, without Nitrokey
- The option “Dasharo HEADS with Measured Boot, requires Nitrokey!” is not yet certified.
Operating system
^^^^^^^^^^^^^^^^
- Certified: Qubes OS 4.2.3 or newer (within Release 4).
- Releases older than 4.2.3 are not certified.
- You may choose either to have Nitrokey preinstall Qubes OS for you, or you may choose to install Qubes OS yourself. This choice does not affect certification.
Nitrokey
^^^^^^^^
- Certified: None for TianoCore only!
- The Nitrokey options are currently not applicable to Qubes hardware certification. (See the Firmware section above.)
Shipment of Nitrokey
^^^^^^^^^^^^^^^^^^^^
- This section does not affect Qubes hardware certification.
Tamper-evident packaging
^^^^^^^^^^^^^^^^^^^^^^^^
- This section does not affect Qubes hardware certification.
Disclaimers
-----------
- In order for Wi-Fi to function properly, ``sys-net`` must currently be based on a Fedora template. The firmware package in Debian templates is currently too old for the certified Wi-Fi cards.
- Currently requires ``kernel-latest``: If you install Qubes OS yourself, you must select the ``Install Qubes OS RX using kernel-latest`` option on the GRUB menu when booting the installer. This non-default kernel option is currently required for the NitroPad V56 to function properly.
- Due to a `known bug <https://github.com/Dasharo/dasharo-issues/issues/976>`__, the bottom-right USB-C port is currently limited to USB 2.0 speeds.
.. |Photo of the NitroPad V56| image:: /attachment/site/nitropad-v56.png
:target: https://shop.nitrokey.com/shop/nitropad-v56-684
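
Review bot: Under the Nitrokey heading, the first bullet now reads "Certified: None for TianoCore only!", where the removed Markdown had "Certified: None -- for TianoCore only!". Without the separator, the value "None" runs into its qualifier and the line can be read as "none for TianoCore", which is a certification statement a buyer could misread. Restore the separator (a literal ` -- ` or a comma) so that the bullet matches the Firmware section's "without Nitrokey" wording.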

View file

@ -1,26 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/nitropad-x230/
title: NitroPad X230
image: /attachment/site/nitropad-x230.jpg
ref: 354
---
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> The CPU in this computer no longer receives microcode updates from Intel. Without microcode updates, Qubes OS cannot ensure that this computer is secure against CPU vulnerabilities. While this computer remains certified for Qubes OS Release 4, we recommend that prospective buyers consider a newer Qubes-certified computer instead.
</div>
The [NitroPad X230](https://shop.nitrokey.com/shop/product/nitropad-x230-67) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
[![Photo of the NitroPad X230](/attachment/site/nitropad-x230.jpg)](https://shop.nitrokey.com/shop/product/nitropad-x230-67)
The [NitroPad X230](https://shop.nitrokey.com/shop/product/nitropad-x230-67) offers users unprecedented control over the security of their hardware. Key features include:
- Tamper detection through measured boot with [coreboot](https://www.coreboot.org/), [Heads](https://github.com/osresearch/heads/), and Nitrokey USB hardware, including support for [Anti Evil Maid (AEM)](/doc/anti-evil-maid/)
- Deactivated [Intel Management Engine](https://libreboot.org/faq.html#intelme)
- User-replaceable cryptographic keys
- Included Nitrokey USB key
- Professional ThinkPad hardware based on the [ThinkPad X230](https://www.thinkwiki.org/wiki/Category:X230)
- Security-conscious shipping to mitigate against third-party [interdiction](https://en.wikipedia.org/wiki/Interdiction)

View file

@ -0,0 +1,31 @@
=============
NitroPad X230
=============
.. DANGER::
**Warning:** The CPU in this computer no longer receives microcode updates from Intel. Without microcode updates, Qubes OS cannot ensure that this computer is secure against CPU vulnerabilities. While this computer remains certified for Qubes OS Release 4, we recommend that prospective buyers consider a newer Qubes-certified computer instead.
The `NitroPad X230 <https://shop.nitrokey.com/shop/product/nitropad-x230-67>`__ is :doc:`officially certified </user/hardware/certified-hardware/certified-hardware>` for Qubes OS Release 4.
|Photo of the NitroPad X230|
The `NitroPad X230 <https://shop.nitrokey.com/shop/product/nitropad-x230-67>`__ offers users unprecedented control over the security of their hardware. Key features include:
- Tamper detection through measured boot with `coreboot <https://www.coreboot.org/>`__, `Heads <https://github.com/osresearch/heads/>`__, and Nitrokey USB hardware, including support for :doc:`Anti Evil Maid (AEM) </user/security-in-qubes/anti-evil-maid>`
- Deactivated `Intel Management Engine <https://libreboot.org/faq.html#intelme>`__
- User-replaceable cryptographic keys
- Included Nitrokey USB key
- Professional ThinkPad hardware based on the `ThinkPad X230 <https://www.thinkwiki.org/wiki/Category:X230>`__
- Security-conscious shipping to mitigate against third-party `interdiction <https://en.wikipedia.org/wiki/Interdiction>`__
.. |Photo of the NitroPad X230| image:: /attachment/site/nitropad-x230.jpg
:target: https://shop.nitrokey.com/shop/product/nitropad-x230-67
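
Review bot: The `.. DANGER::` admonition at the top still opens its body with a bold "**Warning:**" label, so the rendered box will show two different severity words for the microcode notice. Either drop the inline label and let the directive supply the title, or use `.. warning::` to match the text. The other converted pages in this commit that carry the same microcode paragraph have the same pattern and should be changed consistently.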

View file

@ -1,48 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/nitropc-pro-2/
title: NitroPC Pro 2
image: /attachment/posts/nitropc-pro.jpg
ref: 355
---
<div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Note:</b> When configuring your NitroPC Pro 2 on the Nitrokey website, there is an option for a discrete graphics card (e.g., Nvidia GeForce RTX 4070 or 4090) in addition to integrated graphics (e.g., Intel UHD 770, which is always included because it is physically built into the CPU). NitroPC Pro 2 configurations that include discrete graphics cards are <em>not</em> Qubes-certified. The only NitroPC Pro 2 configurations that are Qubes-certified are those that contain <em>only</em> integrated graphics.
</div>
<div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Note:</b> Only the "Dasharo TianoCore UEFI without Measured Boot, without Nitrokey" firmware option is certified. The "HEADS with Measured Boot, requires Nitrokey!" firmware option is <em>not</em> certified.
</div>
The [NitroPC Pro 2](https://shop.nitrokey.com/shop/nitropc-pro-2-523) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
[![Photo of NitroPC Pro 2](/attachment/posts/nitropc-pro.jpg)](https://shop.nitrokey.com/shop/nitropc-pro-2-523)
Here's a summary of the main component options available for this mid-tower desktop PC:
| Component | Options |
|----------------------------- | -------------------------------------------------------- |
| Motherboard | MSI PRO Z790-P DDR5 (Wi-Fi optional) |
| Processor | 14th Generation Intel Core i5-14600K or i9-14900K |
| Memory | 16 GB to 128 GB DDR5 |
| NVMe storage (optional) | Up to two NVMe PCIe 4.0 x4 SSDs, up to 2 TB each |
| SATA storage (optional) | Up to two SATA SSDs, up to 7.68 TB each |
| Wireless (optional) | Wi-Fi 6E, 2400 Mbps, 802.11/a/b/g/n/ac/ax, Bluetooth 5.2 |
| Operating system (optional) | Qubes OS 4.2 or Ubuntu 22.04 LTS |
Of special note for Qubes users, the NitroPC Pro 2 features a combined PS/2 port that supports both a PS/2 keyboard and a PS/2 mouse simultaneously with a Y-cable (not included). This allows for full control of dom0 without the need for USB keyboard or mouse passthrough. Nitrokey also offers a special tamper-evident shipping method for an additional fee. With this option, the case screws will be individually sealed and photographed, and the NitroPC Pro 2 will be packed inside a sealed bag. Photographs of the seals will be sent to you by email, which you can use to determine whether the case was opened during transit.
The NitroPC Pro 2 also comes with a "Dasharo Entry Subscription," which includes the following:
- Accesses to the latest firmware releases
- Exclusive newsletter
- Special updates, including early access to updates enhancing privacy, security, performance, and compatibility
- Early access to new firmware releases for [newly-supported desktop platforms](https://docs.dasharo.com/variants/overview/#desktop) (please see the [roadmap](https://github.com/Dasharo/presentations/blob/main/dasharo_roadmap.md#dasharo-desktop-roadmap))
- Access to the Dasharo Premier Support invite-only live chat channel on the Matrix network, allowing direct access to the Dasharo Team and fellow subscribers with personalized and priority assistance
- Insider's view and influence on the Dasharo feature roadmap for a real impact on Dasharo development
- [Dasharo Tools Suite Entry Subscription](https://docs.dasharo.com/osf-trivia-list/dts/#what-is-dasharo-tools-suite-supporters-entrance) keys
For further product details, please see the official [NitroPC Pro 2](https://shop.nitrokey.com/shop/nitropc-pro-2-523) page.

View file

@ -0,0 +1,67 @@
=============
NitroPC Pro 2
=============
.. warning::
**Note:** When configuring your NitroPC Pro 2 on the Nitrokey website, there is an option for a discrete graphics card (e.g., Nvidia GeForce RTX 4070 or 4090) in addition to integrated graphics (e.g., Intel UHD 770, which is always included because it is physically built into the CPU). NitroPC Pro 2 configurations that include discrete graphics cards are *not* Qubes-certified. The only NitroPC Pro 2 configurations that are Qubes-certified are those that contain *only* integrated graphics.
.. warning::
**Note:** Only the “Dasharo TianoCore UEFI without Measured Boot, without Nitrokey” firmware option is certified. The “HEADS with Measured Boot, requires Nitrokey!” firmware option is *not* certified.
The `NitroPC Pro 2 <https://shop.nitrokey.com/shop/nitropc-pro-2-523>`__ is :doc:`officially certified </user/hardware/certified-hardware/certified-hardware>` for Qubes OS Release 4.
|Photo of NitroPC Pro 2|
Heres a summary of the main component options available for this mid-tower desktop PC:
.. list-table::
:widths: 29 29
:align: center
:header-rows: 1
* - Component
- Options
* - Motherboard
- MSI PRO Z790-P DDR5 (Wi-Fi optional)
* - Processor
- 14th Generation Intel Core i5-14600K or i9-14900K
* - Memory
- 16 GB to 128 GB DDR5
* - NVMe storage (optional)
- Up to two NVMe PCIe 4.0 x4 SSDs, up to 2 TB each
* - SATA storage (optional)
- Up to two SATA SSDs, up to 7.68 TB each
* - Wireless (optional)
- Wi-Fi 6E, 2400 Mbps, 802.11/a/b/g/n/ac/ax, Bluetooth 5.2
* - Operating system (optional)
- Qubes OS 4.2 or Ubuntu 22.04 LTS
Of special note for Qubes users, the NitroPC Pro 2 features a combined PS/2 port that supports both a PS/2 keyboard and a PS/2 mouse simultaneously with a Y-cable (not included). This allows for full control of dom0 without the need for USB keyboard or mouse passthrough. Nitrokey also offers a special tamper-evident shipping method for an additional fee. With this option, the case screws will be individually sealed and photographed, and the NitroPC Pro 2 will be packed inside a sealed bag. Photographs of the seals will be sent to you by email, which you can use to determine whether the case was opened during transit.
The NitroPC Pro 2 also comes with a “Dasharo Entry Subscription,” which includes the following:
- Accesses to the latest firmware releases
- Exclusive newsletter
- Special updates, including early access to updates enhancing privacy, security, performance, and compatibility
- Early access to new firmware releases for `newly-supported desktop platforms <https://docs.dasharo.com/variants/overview/#desktop>`__ (please see the `roadmap <https://github.com/Dasharo/presentations/blob/main/dasharo_roadmap.md#dasharo-desktop-roadmap>`__)
- Access to the Dasharo Premier Support invite-only live chat channel on the Matrix network, allowing direct access to the Dasharo Team and fellow subscribers with personalized and priority assistance
- Insiders view and influence on the Dasharo feature roadmap for a real impact on Dasharo development
- `Dasharo Tools Suite Entry Subscription <https://docs.dasharo.com/osf-trivia-list/dts/#what-is-dasharo-tools-suite-supporters-entrance>`__ keys
For further product details, please see the official `NitroPC Pro 2 <https://shop.nitrokey.com/shop/nitropc-pro-2-523>`__ page.
.. |Photo of NitroPC Pro 2| image:: /attachment/posts/nitropc-pro.jpg
:target: https://shop.nitrokey.com/shop/nitropc-pro-2-523
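
Review bot: Two apostrophes were dropped in this file: the sentence before the table now starts "Heres a summary" and the subscription list has "Insiders view and influence", where the removed Markdown had "Here's" and "Insider's". Please restore both. A smaller layout point on the `list-table`: `:widths: 29 29` gives both columns equal width, while the separator row of the removed Markdown table made the Options column roughly twice as wide as Component; something closer to that ratio will wrap the long Wireless and NVMe rows less.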

View file

@ -1,48 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/nitropc-pro/
title: NitroPC Pro
image: /attachment/posts/nitropc-pro.jpg
ref: 356
---
<div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Note:</b> When configuring your NitroPC Pro 2 on the Nitrokey website, there is an option for a discrete graphics card (e.g., Nvidia GeForce RTX 4070 or 4090) in addition to integrated graphics (e.g., Intel UHD 770, which is always included because it is physically built into the CPU). NitroPC Pro 2 configurations that include discrete graphics cards are <em>not</em> Qubes-certified. The only NitroPC Pro 2 configurations that are Qubes-certified are those that contain <em>only</em> integrated graphics.
</div>
<div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Note:</b> Only the "Dasharo TianoCore UEFI without Measured Boot, without Nitrokey" firmware option is certified. The "HEADS with Measured Boot, requires Nitrokey!" firmware option is <em>not</em> certified.
</div>
The [NitroPC Pro](https://web.archive.org/web/20231027112856/https://shop.nitrokey.com/shop/product/nitropc-pro-523) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
[![Photo of NitroPC Pro](/attachment/posts/nitropc-pro.jpg)](https://shop.nitrokey.com/shop/product/nitropc-pro-523)
Here's a summary of the main component options available for this mid-tower desktop PC:
| Component | Options |
|----------------------------- | -------------------------------------------------------- |
| Motherboard | MSI PRO Z690-A DDR5 (Wi-Fi optional) |
| Processor | 12th Generation Intel Core i5-12600K or i9-12900K |
| Memory | 16 GB to 128 GB DDR5 |
| NVMe storage (optional) | Up to two NVMe PCIe 4.0 x4 SSDs, up to 2 TB each |
| SATA storage (optional) | Up to two SATA SSDs, up to 7.68 TB each |
| Wireless (optional) | Wi-Fi 6E, 2400 Mbps, 802.11/a/b/g/n/ac/ax, Bluetooth 5.2 |
| Operating system (optional) | Qubes OS 4.1 or Ubuntu 22.04 LTS |
Of special note for Qubes users, the NitroPC Pro features a combined PS/2 port that supports both a PS/2 keyboard and a PS/2 mouse simultaneously with a Y-cable (not included). This allows for full control of dom0 without the need for USB keyboard or mouse passthrough. Nitrokey also offers a special tamper-evident shipping method for an additional fee. With this option, the case screws will be individually sealed and photographed, and the NitroPC Pro will be packed inside a sealed bag. Photographs of the seals will be sent to you by email, which you can use to determine whether the case was opened during transit.
The NitroPC Pro also comes with a "Dasharo Entry Subscription," which includes the following:
- Accesses to the latest firmware releases
- Exclusive newsletter
- Special firmware updates, including early access to updates enhancing privacy, security, performance, and compatibility
- Early access to new firmware releases for [newly-supported desktop platforms](https://docs.dasharo.com/variants/overview/#desktop) (please see the [roadmap](https://github.com/Dasharo/presentations/blob/8f360b3e82108d1e85585c1c324a28a08dd276a5/dug2_dasharo_roadmap.md))
- Access to the Dasharo Premier Support invite-only live chat channel on the Matrix network, allowing direct access to the Dasharo Team and fellow subscribers with personalized and priority assistance
- Insider's view and influence on the Dasharo feature roadmap for a real impact on Dasharo development
- [Dasharo Tools Suite Entry Subscription](https://docs.dasharo.com/osf-trivia-list/dts/#what-is-dasharo-tools-suite-supporters-entrance) keys
For further product details, please see the official [NitroPC Pro](https://shop.nitrokey.com/shop/product/nitropc-pro-523) page.

View file

@ -0,0 +1,67 @@
===========
NitroPC Pro
===========
.. warning::
**Note:** When configuring your NitroPC Pro 2 on the Nitrokey website, there is an option for a discrete graphics card (e.g., Nvidia GeForce RTX 4070 or 4090) in addition to integrated graphics (e.g., Intel UHD 770, which is always included because it is physically built into the CPU). NitroPC Pro 2 configurations that include discrete graphics cards are *not* Qubes-certified. The only NitroPC Pro 2 configurations that are Qubes-certified are those that contain *only* integrated graphics.
.. warning::
**Note:** Only the “Dasharo TianoCore UEFI without Measured Boot, without Nitrokey” firmware option is certified. The “HEADS with Measured Boot, requires Nitrokey!” firmware option is *not* certified.
The `NitroPC Pro <https://web.archive.org/web/20231027112856/https://shop.nitrokey.com/shop/product/nitropc-pro-523>`__ is :doc:`officially certified </user/hardware/certified-hardware/certified-hardware>` for Qubes OS Release 4.
|Photo of NitroPC Pro|
Heres a summary of the main component options available for this mid-tower desktop PC:
.. list-table::
:widths: 29 29
:align: center
:header-rows: 1
* - Component
- Options
* - Motherboard
- MSI PRO Z690-A DDR5 (Wi-Fi optional)
* - Processor
- 12th Generation Intel Core i5-12600K or i9-12900K
* - Memory
- 16 GB to 128 GB DDR5
* - NVMe storage (optional)
- Up to two NVMe PCIe 4.0 x4 SSDs, up to 2 TB each
* - SATA storage (optional)
- Up to two SATA SSDs, up to 7.68 TB each
* - Wireless (optional)
- Wi-Fi 6E, 2400 Mbps, 802.11/a/b/g/n/ac/ax, Bluetooth 5.2
* - Operating system (optional)
- Qubes OS 4.1 or Ubuntu 22.04 LTS
Of special note for Qubes users, the NitroPC Pro features a combined PS/2 port that supports both a PS/2 keyboard and a PS/2 mouse simultaneously with a Y-cable (not included). This allows for full control of dom0 without the need for USB keyboard or mouse passthrough. Nitrokey also offers a special tamper-evident shipping method for an additional fee. With this option, the case screws will be individually sealed and photographed, and the NitroPC Pro will be packed inside a sealed bag. Photographs of the seals will be sent to you by email, which you can use to determine whether the case was opened during transit.
The NitroPC Pro also comes with a “Dasharo Entry Subscription,” which includes the following:
- Accesses to the latest firmware releases
- Exclusive newsletter
- Special firmware updates, including early access to updates enhancing privacy, security, performance, and compatibility
- Early access to new firmware releases for `newly-supported desktop platforms <https://docs.dasharo.com/variants/overview/#desktop>`__ (please see the `roadmap <https://github.com/Dasharo/presentations/blob/8f360b3e82108d1e85585c1c324a28a08dd276a5/dug2_dasharo_roadmap.md>`__)
- Access to the Dasharo Premier Support invite-only live chat channel on the Matrix network, allowing direct access to the Dasharo Team and fellow subscribers with personalized and priority assistance
- Insiders view and influence on the Dasharo feature roadmap for a real impact on Dasharo development
- `Dasharo Tools Suite Entry Subscription <https://docs.dasharo.com/osf-trivia-list/dts/#what-is-dasharo-tools-suite-supporters-entrance>`__ keys
For further product details, please see the official `NitroPC Pro <https://shop.nitrokey.com/shop/product/nitropc-pro-523>`__ page.
.. |Photo of NitroPC Pro| image:: /attachment/posts/nitropc-pro.jpg
:target: https://shop.nitrokey.com/shop/product/nitropc-pro-523
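
Review bot: The first `.. warning::` on this NitroPC Pro page talks about "configuring your NitroPC Pro 2" and "NitroPC Pro 2 configurations" throughout, which is carried over unchanged from the removed Markdown and looks like a copy from the Pro 2 page; since it states which configurations are certified, it should name the right product, either here or in a follow-up. The links are also inconsistent: the opening sentence points at a web.archive.org snapshot of the product page, while the image `:target:` and the closing "official NitroPC Pro page" link still use the live shop URL. "Heres a summary" and "Insiders view" have lost their apostrophes here as well.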

View file

@ -1,47 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/novacustom-nv41-series/
title: NovaCustom NV41 Series
image: /attachment/site/novacustom-nv41-series.png
ref: 357
---
The [NovaCustom NV41 Series](https://novacustom.com/product/nv41-series/) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
[![Photo of the NovaCustom NV41 Series](/attachment/site/novacustom-nv41-series.png)](https://novacustom.com/product/nv41-series/)
## Qubes-certified configurations
The following configuration options are certified for Qubes OS Release 4:
Processor:
- Intel Core i5-1240P processor
- Intel Core i7-1260P processor
Memory:
- 2 x 16 GB Kingston DDR4 SODIMM 3200 MHz (32 GB total)
- 1 x 32 GB Kingston DDR4 SODIMM 3200 MHz (32 GB total)
- 2 x 32 GB Kingston DDR4 SODIMM 3200 MHz (64 GB total)
M.2 storage chip:
- Samsung 980 SSD (all capacities)
- Samsung 980 Pro SSD (all capacities)
Wi-Fi and Bluetooth:
- Intel AX-200/201 Wi-Fi module 2976 Mbps, 802.11ax/Wi-Fi 6 + Bluetooth 5.2
- Killer (Intel) Wireless-AX 1675x M.2 Wi-Fi module 802.11ax/Wi-Fi 6E + Bluetooth 5.3
- Blob-free: Qualcomm Atheros QCNFA222 Wi-Fi 802.11a/b/g/n + Bluetooth 4.0
- No Wi-Fi/Bluetooth chip
### Notes on Wi-Fi and Bluetooth options
- When viewed in a Linux environment with `lspci`, the "Killer (Intel) Wireless-AX 1675x M.2 Wi-Fi module 802.11ax/Wi-Fi 6E + Bluetooth 5.3" device displays the model number "AX210." However, according to its [Intel Ark entry](https://ark.intel.com/content/www/us/en/ark/products/211485/intel-killer-wifi-6e-ax1675-xw.html) (in the "Product Brief" file), they are actually the same Wi-Fi module.
- Similarly, when viewed in a Linux environment with `lspci`, the "Blob-free: Qualcomm Atheros QCNFA222 Wi-Fi 802.11a/b/g/n + Bluetooth 4.0" device displays the model number "AR9462," which seems to be just the Wi-Fi chip model number, whereas "QCNFA222" seems to be the model number of the whole device (which include Bluetooth). Meanwhile, the Bluetooth device presents itself as "IMC Networks Device 3487."
- The term "blob-free" is used in different ways. In practice, being "blob-free" generally does *not* mean that the device does not use any closed-source firmware "blobs." Rather, it means that the device comes with firmware *preinstalled* so that it does not have to be loaded from the operating system. In theory, the preinstalled firmware could be open-source, but as far as we know, that is not the case with this particular Atheros Wi-Fi/Bluetooth module. (Qualcomm has published firmware source code in the past, but only for other device models, as far as we are aware.) Meanwhile, the Free Software Foundation (FSF) [considers](https://www.gnu.org/philosophy/free-hardware-designs.en.html#boundary) unmodifiable preinstalled firmware to be part of the hardware, hence they regard such hardware as "blob-free" from a software perspective. While common usage of the term "blob-free" often follows the FSF's interpretation, it is worthwhile for Qubes users who are concerned about closed-source firmware to understand the nuance.

@ -0,0 +1,67 @@
======================
NovaCustom NV41 Series
======================
The `NovaCustom NV41 Series <https://novacustom.com/product/nv41-series/>`__ is :doc:`officially certified </user/hardware/certified-hardware/certified-hardware>` for Qubes OS Release 4.
|Photo of the NovaCustom NV41 Series|
Qubes-certified configurations
------------------------------
The following configuration options are certified for Qubes OS Release 4:
Processor:
- Intel Core i5-1240P processor
- Intel Core i7-1260P processor
Memory:
- 2 x 16 GB Kingston DDR4 SODIMM 3200 MHz (32 GB total)
- 1 x 32 GB Kingston DDR4 SODIMM 3200 MHz (32 GB total)
- 2 x 32 GB Kingston DDR4 SODIMM 3200 MHz (64 GB total)
M.2 storage chip:
- Samsung 980 SSD (all capacities)
- Samsung 980 Pro SSD (all capacities)
Wi-Fi and Bluetooth:
- Intel AX-200/201 Wi-Fi module 2976 Mbps, 802.11ax/Wi-Fi 6 + Bluetooth 5.2
- Killer (Intel) Wireless-AX 1675x M.2 Wi-Fi module 802.11ax/Wi-Fi 6E + Bluetooth 5.3
- Blob-free: Qualcomm Atheros QCNFA222 Wi-Fi 802.11a/b/g/n + Bluetooth 4.0
- No Wi-Fi/Bluetooth chip
Notes on Wi-Fi and Bluetooth options
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- When viewed in a Linux environment with ``lspci``, the “Killer (Intel) Wireless-AX 1675x M.2 Wi-Fi module 802.11ax/Wi-Fi 6E + Bluetooth 5.3” device displays the model number “AX210.” However, according to its `Intel Ark entry <https://ark.intel.com/content/www/us/en/ark/products/211485/intel-killer-wifi-6e-ax1675-xw.html>`__ (in the “Product Brief” file), they are actually the same Wi-Fi module.
- Similarly, when viewed in a Linux environment with ``lspci``, the “Blob-free: Qualcomm Atheros QCNFA222 Wi-Fi 802.11a/b/g/n + Bluetooth 4.0” device displays the model number “AR9462,” which seems to be just the Wi-Fi chip model number, whereas “QCNFA222” seems to be the model number of the whole device (which include Bluetooth). Meanwhile, the Bluetooth device presents itself as “IMC Networks Device 3487.”
- The term “blob-free” is used in different ways. In practice, being “blob-free” generally does *not* mean that the device does not use any closed-source firmware “blobs.” Rather, it means that the device comes with firmware *preinstalled* so that it does not have to be loaded from the operating system. In theory, the preinstalled firmware could be open-source, but as far as we know, that is not the case with this particular Atheros Wi-Fi/Bluetooth module. (Qualcomm has published firmware source code in the past, but only for other device models, as far as we are aware.) Meanwhile, the Free Software Foundation (FSF) `considers <https://www.gnu.org/philosophy/free-hardware-designs.en.html#boundary>`__ unmodifiable preinstalled firmware to be part of the hardware, hence they regard such hardware as “blob-free” from a software perspective. While common usage of the term “blob-free” often follows the FSFs interpretation, it is worthwhile for Qubes users who are concerned about closed-source firmware to understand the nuance.
.. |Photo of the NovaCustom NV41 Series| image:: /attachment/site/novacustom-nv41-series.png
:target: https://novacustom.com/product/nv41-series/
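Review bot: In the last bullet under "Notes on Wi-Fi and Bluetooth options", the converted text reads "the FSFs interpretation", where the removed Markdown had "the FSF's interpretation"; the possessive apostrophe was dropped. The double quotes in the same bullets came through as curly quotes, so the loss looks specific to apostrophes. Please restore it here and search the rest of the converted files for the same pattern before merging.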

@ -1,71 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/novacustom-v54-series/
title: NovaCustom V54 Series
image: /attachment/site/novacustom-v54-series.png
ref: 358
---
The [NovaCustom V54 Series 14.0 inch coreboot laptop](https://novacustom.com/product/v54-series/) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
[![Photo of the NovaCustom V54 Series 14.0 inch coreboot laptop](/attachment/site/novacustom-v54-series.png)](https://novacustom.com/product/v54-series/)
## Qubes-certified options
The configuration options required for Qubes certification are detailed below.
### Screen size
- Certified: 14 inch
**Note:** The 14-inch model (V540TU) and the 16-inch model (V560TU) are two separate products. [The 16-inch model is also certified.](/doc/certified-hardware/novacustom-v56-series/)
### Screen resolution
- Certified: Full HD+ (1920 x 1200)
- Certified: 2.8K (2880 x 1800)
### Processor and graphics
- Certified: Intel Core Ultra 5 Processor 125H, Intel Arc iGPU with AI Boost
- Certified: Intel Core Ultra 7 Processor 155H, Intel Arc iGPU with AI Boost
- The Nvidia discrete GPU options are not currently certified.
### Memory
- Certified: Any configuration with at least 16 GB of memory
### Storage
- Certified: All of the available options in these sections
### Personalization
- This section is merely cosmetic and therefore does not affect certification.
### Firmware options
- Qubes OS does not currently support UEFI secure boot.
- The option to be kept up to date with firmware updates is merely an email notification service and therefore does not affect certification.
- Certified: coreboot+EDK-II
- Certified: coreboot+Heads
- Disabling Intel Management Engine (HAP disabling) does not affect certification.
### Operating system
- Certified: Qubes OS 4.2.4 or newer (within Release 4).
- Releases older than 4.2.4 are not certified.
- You may choose either to have NovaCustom preinstall Qubes OS for you, or you may choose to install Qubes OS yourself. This choice does not affect certification.
### Wi-Fi and Bluetooth
- Certified: Intel AX-210/211 (non vPro) Wi-Fi module 2.4 Gbps, 802.11AX/Wi-Fi6E + Bluetooth 5.3
- Certified: Intel BE200 (non vPro) Wi-Fi module 5.8 Gbps, 802.11BE/Wi-Fi7 + Bluetooth 5.42
- Certified: No Wi-Fi chip -- no Bluetooth and Wi-Fi connection possible (only with USB adapter)
## Disclaimers
- In order for Wi-Fi to function properly, `sys-net` must currently be based on a Fedora template. The firmware package in Debian templates is currently too old for the certified Wi-Fi cards.
- Currently requires `kernel-latest`: If you install Qubes OS yourself, you must select the `Install Qubes OS RX using kernel-latest` option on the GRUB menu when booting the installer. This non-default kernel option is currently required for the NovaCustom V54 Series to function properly.
- Due to a [known bug](https://github.com/Dasharo/dasharo-issues/issues/976), the bottom-right USB-C port is currently limited to USB 2.0 speeds.

@ -0,0 +1,125 @@
=====================
NovaCustom V54 Series
=====================
The `NovaCustom V54 Series 14.0 inch coreboot laptop <https://novacustom.com/product/v54-series/>`__ is :doc:`officially certified </user/hardware/certified-hardware/certified-hardware>` for Qubes OS Release 4.
|Photo of the NovaCustom V54 Series 14.0 inch coreboot laptop|
Qubes-certified options
-----------------------
The configuration options required for Qubes certification are detailed below.
Screen size
^^^^^^^^^^^
- Certified: 14 inch
**Note:** The 14-inch model (V540TU) and the 16-inch model (V560TU) are two separate products. :doc:`The 16-inch model is also certified. </user/hardware/certified-hardware/novacustom-v56-series>`
Screen resolution
^^^^^^^^^^^^^^^^^
- Certified: Full HD+ (1920 x 1200)
- Certified: 2.8K (2880 x 1800)
Processor and graphics
^^^^^^^^^^^^^^^^^^^^^^
- Certified: Intel Core Ultra 5 Processor 125H, Intel Arc iGPU with AI Boost
- Certified: Intel Core Ultra 7 Processor 155H, Intel Arc iGPU with AI Boost
- The Nvidia discrete GPU options are not currently certified.
Memory
^^^^^^
- Certified: Any configuration with at least 16 GB of memory
Storage
^^^^^^^
- Certified: All of the available options in these sections
Personalization
^^^^^^^^^^^^^^^
- This section is merely cosmetic and therefore does not affect certification.
Firmware options
^^^^^^^^^^^^^^^^
- Qubes OS does not currently support UEFI secure boot.
- The option to be kept up to date with firmware updates is merely an email notification service and therefore does not affect certification.
- Certified: coreboot+EDK-II
- Certified: coreboot+Heads
- Disabling Intel Management Engine (HAP disabling) does not affect certification.
Operating system
^^^^^^^^^^^^^^^^
- Certified: Qubes OS 4.2.4 or newer (within Release 4).
- Releases older than 4.2.4 are not certified.
- You may choose either to have NovaCustom preinstall Qubes OS for you, or you may choose to install Qubes OS yourself. This choice does not affect certification.
Wi-Fi and Bluetooth
^^^^^^^^^^^^^^^^^^^
- Certified: Intel AX-210/211 (non vPro) Wi-Fi module 2.4 Gbps, 802.11AX/Wi-Fi6E + Bluetooth 5.3
- Certified: Intel BE200 (non vPro) Wi-Fi module 5.8 Gbps, 802.11BE/Wi-Fi7 + Bluetooth 5.42
- Certified: No Wi-Fi chip no Bluetooth and Wi-Fi connection possible (only with USB adapter)
Disclaimers
-----------
- In order for Wi-Fi to function properly, ``sys-net`` must currently be based on a Fedora template. The firmware package in Debian templates is currently too old for the certified Wi-Fi cards.
- Currently requires ``kernel-latest``: If you install Qubes OS yourself, you must select the ``Install Qubes OS RX using kernel-latest`` option on the GRUB menu when booting the installer. This non-default kernel option is currently required for the NovaCustom V54 Series to function properly.
- Due to a `known bug <https://github.com/Dasharo/dasharo-issues/issues/976>`__, the bottom-right USB-C port is currently limited to USB 2.0 speeds.
.. |Photo of the NovaCustom V54 Series 14.0 inch coreboot laptop| image:: /attachment/site/novacustom-v54-series.png
:target: https://novacustom.com/product/v54-series/
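Review bot: In the "Wi-Fi and Bluetooth" list, the third item now reads "No Wi-Fi chip no Bluetooth and Wi-Fi connection possible (only with USB adapter)"; the "--" separator that the Markdown source had between "chip" and "no Bluetooth" was lost, so the two clauses run together. Please put a separator back (the V56 page uses " - " in the same item) and check whether the converter drops dashes elsewhere.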

@ -1,71 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/novacustom-v56-series/
title: NovaCustom V56 Series
image: /attachment/site/novacustom-v56-series.png
ref: 359
---
The [NovaCustom V56 Series 16.0 inch coreboot laptop](https://novacustom.com/product/v56-series/) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
[![Photo of the NovaCustom V56 Series 16.0 inch coreboot laptop](/attachment/site/novacustom-v56-series.png)](https://novacustom.com/product/v56-series/)
## Qubes-certified options
The configuration options required for Qubes certification are detailed below.
### Screen size
- Certified: 16 inch
**Note:** The 16-inch model (V560TU) and the 14-inch model (V540TU) are two separate products. [The 14-inch model is also certified.](/doc/certified-hardware/novacustom-v54-series/)
### Screen resolution
- Certified: Full HD+ (1920 x 1200)
- Certified: Q-HD+ (2560 x 1600)
### Processor and graphics
- Certified: Intel Core Ultra 5 Processor 125H + Intel Arc iGPU with AI Boost
- Certified: Intel Core Ultra 7 Processor 155H + Intel Arc iGPU with AI Boost
- The Nvidia discrete GPU options are not currently certified.
### Memory
- Certified: Any configuration with at least 16 GB of memory
### Storage
- Certified: Any of the available options in this section
### Personalization
- This section is merely cosmetic and therefore does not affect certification.
### Firmware options
- Qubes OS does not currently support UEFI secure boot.
- Keeping up-to-date with firmware updates is merely an email notification service and therefore does not affect certification.
- Certified: coreboot+EDK-II
- Certified: coreboot+Heads
- Disabling Intel Management Engine (HAP disabling) does not affect certification.
### Operating system
- Certified: Qubes OS 4.2.3 or newer (within Release 4).
- Releases older than 4.2.3 are not certified.
- You may choose either to have NovaCustom preinstall Qubes OS for you, or you may choose to install Qubes OS yourself. This choice does not affect certification.
### Wi-Fi and Bluetooth
- Certified: Intel AX-210/211 (non vPro) Wi-Fi module 2.4 Gbps, 802.11AX/Wi-Fi6E + Bluetooth 5.3
- Certified: Intel BE200 (non vPro) Wi-Fi module 5.8 Gbps, 802.11BE/Wi-Fi7 + Bluetooth 5.42
- Certified: No Wi-Fi chip - no Bluetooth and Wi-Fi connection possible (only with USB adapter)
## Disclaimers
- In order for Wi-Fi to function properly, `sys-net` must currently be based on a Fedora template. The firmware package in Debian templates is currently too old for the certified Wi-Fi cards.
- Currently requires `kernel-latest`: If you install Qubes OS yourself, you must select the `Install Qubes OS RX using kernel-latest` option on the GRUB menu when booting the installer. This non-default kernel option is currently required for the NovaCustom V56 Series to function properly.
- Due to a [known bug](https://github.com/Dasharo/dasharo-issues/issues/976), the bottom-right USB-C port is currently limited to USB 2.0 speeds.

@ -0,0 +1,125 @@
=====================
NovaCustom V56 Series
=====================
The `NovaCustom V56 Series 16.0 inch coreboot laptop <https://novacustom.com/product/v56-series/>`__ is :doc:`officially certified </user/hardware/certified-hardware/certified-hardware>` for Qubes OS Release 4.
|Photo of the NovaCustom V56 Series 16.0 inch coreboot laptop|
Qubes-certified options
-----------------------
The configuration options required for Qubes certification are detailed below.
Screen size
^^^^^^^^^^^
- Certified: 16 inch
**Note:** The 16-inch model (V560TU) and the 14-inch model (V540TU) are two separate products. :doc:`The 14-inch model is also certified. </user/hardware/certified-hardware/novacustom-v54-series>`
Screen resolution
^^^^^^^^^^^^^^^^^
- Certified: Full HD+ (1920 x 1200)
- Certified: Q-HD+ (2560 x 1600)
Processor and graphics
^^^^^^^^^^^^^^^^^^^^^^
- Certified: Intel Core Ultra 5 Processor 125H + Intel Arc iGPU with AI Boost
- Certified: Intel Core Ultra 7 Processor 155H + Intel Arc iGPU with AI Boost
- The Nvidia discrete GPU options are not currently certified.
Memory
^^^^^^
- Certified: Any configuration with at least 16 GB of memory
Storage
^^^^^^^
- Certified: Any of the available options in this section
Personalization
^^^^^^^^^^^^^^^
- This section is merely cosmetic and therefore does not affect certification.
Firmware options
^^^^^^^^^^^^^^^^
- Qubes OS does not currently support UEFI secure boot.
- Keeping up-to-date with firmware updates is merely an email notification service and therefore does not affect certification.
- Certified: coreboot+EDK-II
- Certified: coreboot+Heads
- Disabling Intel Management Engine (HAP disabling) does not affect certification.
Operating system
^^^^^^^^^^^^^^^^
- Certified: Qubes OS 4.2.3 or newer (within Release 4).
- Releases older than 4.2.3 are not certified.
- You may choose either to have NovaCustom preinstall Qubes OS for you, or you may choose to install Qubes OS yourself. This choice does not affect certification.
Wi-Fi and Bluetooth
^^^^^^^^^^^^^^^^^^^
- Certified: Intel AX-210/211 (non vPro) Wi-Fi module 2.4 Gbps, 802.11AX/Wi-Fi6E + Bluetooth 5.3
- Certified: Intel BE200 (non vPro) Wi-Fi module 5.8 Gbps, 802.11BE/Wi-Fi7 + Bluetooth 5.42
- Certified: No Wi-Fi chip - no Bluetooth and Wi-Fi connection possible (only with USB adapter)
Disclaimers
-----------
- In order for Wi-Fi to function properly, ``sys-net`` must currently be based on a Fedora template. The firmware package in Debian templates is currently too old for the certified Wi-Fi cards.
- Currently requires ``kernel-latest``: If you install Qubes OS yourself, you must select the ``Install Qubes OS RX using kernel-latest`` option on the GRUB menu when booting the installer. This non-default kernel option is currently required for the NovaCustom V56 Series to function properly.
- Due to a `known bug <https://github.com/Dasharo/dasharo-issues/issues/976>`__, the bottom-right USB-C port is currently limited to USB 2.0 speeds.
.. |Photo of the NovaCustom V56 Series 16.0 inch coreboot laptop| image:: /attachment/site/novacustom-v56-series.png
:target: https://novacustom.com/product/v56-series/

@ -1,36 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/starlabs-starbook/
title: Star Labs StarBook
image: /attachment/site/starlabs-starbook.png
ref: 360
---
The [Star Labs StarBook](https://starlabs.systems/pages/starbook) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
The [Star Labs StarBook](https://starlabs.systems/pages/starbook) is a 14-inch laptop featuring open-source coreboot and EDK II firmware.
[![Photo of Star Labs StarBook](/attachment/site/starlabs-starbook.png)](https://starlabs.systems/pages/starbook)
The Qubes developers have tested and certified the following StarBook configuration options for Qubes OS Release 4:
| Component | Qubes-certified options |
| ---------------- | ------------------------------------------------ |
| Processor | 13th Generation Intel Core i3-1315U or i7-1360P |
| Memory | 8 GB, 16 GB, 32 GB, or 64 GB RAM |
| Storage | 512 GB, 1 TB, or 2 TB SSD |
| Graphics | Intel (integrated graphics) |
| Networking | Intel Wi-Fi 6 AX210 (no built-in wired Ethernet) |
| Firmware | coreboot 8.97 (2023-10-03) |
| Operating system | Qubes OS (pre-installation optional) |
[![Photo of Star Labs StarBook](/attachment/posts/starlabs-starbook_top.png)](https://starlabs.systems/pages/starbook)
The StarBook features a true matte 14-inch IPS display at 1920x1080 full HD resolution with 400cd/m² of brightness, 178° viewing angles, and a 180° hinge. The backlit keyboard is available in US English, UK English, French, German, Nordic, and Spanish layouts.
[![Photo of Star Labs StarBook](/attachment/posts/starlabs-starbook_side.png)](https://starlabs.systems/pages/starbook)
The StarBook includes four USB ports (1x USB-C with Thunderbolt 4, 2x USB 3.0, and 1x USB 2.0), one HDMI port, a microSD slot, an audio input/output combo jack, and a DC jack for charging. For more information, see the official [Star Labs StarBook](https://starlabs.systems/pages/starbook) page.
[![Photo of Star Labs StarBook](/attachment/posts/starlabs-starbook_back.png)](https://starlabs.systems/pages/starbook)

@ -0,0 +1,58 @@
==================
Star Labs StarBook
==================
The `Star Labs StarBook <https://starlabs.systems/pages/starbook>`__ is :doc:`officially certified </user/hardware/certified-hardware/certified-hardware>` for Qubes OS Release 4.
The `Star Labs StarBook <https://starlabs.systems/pages/starbook>`__ is a 14-inch laptop featuring open-source coreboot and EDK II firmware.
|Photo of Star Labs StarBook|
The Qubes developers have tested and certified the following StarBook configuration options for Qubes OS Release 4:
.. list-table::
:widths: 16 16
:align: center
:header-rows: 1
* - Component
- Qubes-certified options
* - Processor
- 13th Generation Intel Core i3-1315U or i7-1360P
* - Memory
- 8 GB, 16 GB, 32 GB, or 64 GB RAM
* - Storage
- 512 GB, 1 TB, or 2 TB SSD
* - Graphics
- Intel (integrated graphics)
* - Networking
- Intel Wi-Fi 6 AX210 (no built-in wired Ethernet)
* - Firmware
- coreboot 8.97 (2023-10-03)
* - Operating system
- Qubes OS (pre-installation optional)
|image1|
The StarBook features a true matte 14-inch IPS display at 1920x1080 full HD resolution with 400cd/m² of brightness, 178° viewing angles, and a 180° hinge. The backlit keyboard is available in US English, UK English, French, German, Nordic, and Spanish layouts.
|image2|
The StarBook includes four USB ports (1x USB-C with Thunderbolt 4, 2x USB 3.0, and 1x USB 2.0), one HDMI port, a microSD slot, an audio input/output combo jack, and a DC jack for charging. For more information, see the official `Star Labs StarBook <https://starlabs.systems/pages/starbook>`__ page.
|image3|
.. |Photo of Star Labs StarBook| image:: /attachment/site/starlabs-starbook.png
:target: https://starlabs.systems/pages/starbook
.. |image1| image:: /attachment/posts/starlabs-starbook_top.png
:target: https://starlabs.systems/pages/starbook
.. |image2| image:: /attachment/posts/starlabs-starbook_side.png
:target: https://starlabs.systems/pages/starbook
.. |image3| image:: /attachment/posts/starlabs-starbook_back.png
:target: https://starlabs.systems/pages/starbook
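Review bot: The three later images are emitted as |image1|, |image2| and |image3| with no ":alt:" option, while the Markdown gave each of them the alt text "Photo of Star Labs StarBook". Please give these substitutions descriptive names or add an explicit ":alt:" line to each definition so the descriptive text is kept. Also, ":widths: 16 16" makes the two columns equal although the second column of the source table was much wider than the first, so the rendered table is worth a look.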

@ -1,9 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/community-recommended-hardware/
ref: 145
title: Community-recommended hardware
redirect_from: /doc/hardware-testing/
redirect_to: https://forum.qubes-os.org/t/5560
---
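Review bot: This removed file consisted only of front matter that redirected /doc/community-recommended-hardware/ and /doc/hardware-testing/ to https://forum.qubes-os.org/t/5560, and no replacement for it follows in the diff. Please state in the commit message where these redirects are handled after the conversion, or add the equivalent, so that the old URLs keep resolving.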

@ -1,16 +0,0 @@
---
lang: en
layout: hcl
model: all
permalink: /hcl/
redirect_from:
- /doc/hcl/
- /compatible-hardware/
- /en/doc/hcl/
- /doc/HCL/
- /wiki/HCL/
- /wiki/HCLR1/
- /wiki/HCL-R2B2/
ref: 143
title: Hardware compatibility list (HCL)
---

@ -1,37 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/how-to-use-the-hcl/
ref: 146
title: How to use the hardware compatibility list (HCL)
---
The [HCL](/hcl) is a compilation of reports generated and submitted by users across various Qubes versions about their hardware's compatibility with Qubes.
**Note:**
Except in the case of developer-reported entries, the Qubes team has not independently verified the accuracy of these reports.
Please first consult the data sheets (CPU, chipset, motherboard) prior to buying new hardware for Qubes.
Make sure it meets the [System Requirements](/doc/system-requirements/) and search in particular for support of:
- HVM ("AMD virtualization (AMD-V)", "Intel virtualization (VT-x)", "VIA virtualization (VIA VT)")
- IOMMU ("AMD I/O Virtualization Technology (AMD-Vi)", "Intel Virtualization Technology for Directed I/O (VT-d)")
- TPM ("Trusted Platform Module (TPM)" connected to a "20-pin TPM header" on motherboards.)
If using the list to make a purchasing decision, we recommend that you choose hardware with:
- the best achievable Qubes security level (green columns in HVM, IOMMU, TPM)
- and general machine compatibility (green columns in Qubes version, dom0 kernel, remarks).
Also see [Certified Hardware](/doc/certified-hardware/).
Generating and Submitting New Reports
-------------------------------------
In order to generate an HCL report in Qubes, simply open a terminal in dom0 (Applications Menu > Terminal Emulator) and run `qubes-hcl-report <qube-name>`, where `<qube-name>` is the name of the qube in which the generated HCL files will be saved.
You are encouraged to submit your HCL report for the benefit of further Qubes development and other users. When submitting reports, test the hardware yourself, if possible. If you would like to submit your HCL report, please copy and paste the contents of the **HCL Info** `.yml` file into an email to the [qubes-users mailing list](/support/#qubes-users) with the subject `HCL - <your machine model name>`, or create a post in the [HCL Reports category](https://forum.qubes-os.org/c/user-support/hcl-reports/23) of the forum. Pasting the contents into the email or post has the advantage that members of the mailing list and the forum can see the report without downloading and opening a file. In addition, new forum members are unable to attach files to posts.
Please include any useful information about any Qubes features you may have tested (see the legend below), as well as general machine compatibility (video, networking, sleep, etc.). Please consider sending the **HCL Support Files** `.cpio.gz` file as well. To generate these add the `-s` or `--support` command line option.
**Please note:**
The **HCL Support Files** may contain numerous hardware details, including serial numbers. If, for privacy or security reasons, you do not wish to make this information public, please **do not** post the `.cpio.gz` file on a public mailing list or forum.

@ -0,0 +1,38 @@
================================================
How to use the hardware compatibility list (HCL)
================================================
The `HCL <https://www.qubes-os.org/hcl/>`__ is a compilation of reports generated and submitted by users across various Qubes versions about their hardwares compatibility with Qubes.
**Note:** Except in the case of developer-reported entries, the Qubes team has not independently verified the accuracy of these reports. Please first consult the data sheets (CPU, chipset, motherboard) prior to buying new hardware for Qubes. Make sure it meets the :doc:`System Requirements </user/hardware/system-requirements>` and search in particular for support of:
- HVM (“AMD virtualization (AMD-V)”, “Intel virtualization (VT-x)”, “VIA virtualization (VIA VT)”)
- IOMMU (“AMD I/O Virtualization Technology (AMD-Vi)”, “Intel Virtualization Technology for Directed I/O (VT-d)”)
- TPM (“Trusted Platform Module (TPM)” connected to a “20-pin TPM header” on motherboards.)
If using the list to make a purchasing decision, we recommend that you choose hardware with:
- the best achievable Qubes security level (green columns in HVM, IOMMU, TPM)
- and general machine compatibility (green columns in Qubes version, dom0 kernel, remarks).
Also see :doc:`Certified Hardware </user/hardware/certified-hardware/certified-hardware>`.
Generating and Submitting New Reports
-------------------------------------
In order to generate an HCL report in Qubes, simply open a terminal in dom0 (Applications Menu > Terminal Emulator) and run ``qubes-hcl-report <qube-name>``, where ``<qube-name>`` is the name of the qube in which the generated HCL files will be saved.
You are encouraged to submit your HCL report for the benefit of further Qubes development and other users. When submitting reports, test the hardware yourself, if possible. If you would like to submit your HCL report, please copy and paste the contents of the **HCL Info** ``.yml`` file into an email to the :ref:`qubes-users mailing list <introduction/support:qubes-users>` with the subject ``HCL - <your machine model name>``, or create a post in the `HCL Reports category <https://forum.qubes-os.org/c/user-support/hcl-reports/23>`__ of the forum. Pasting the contents into the email or post has the advantage that members of the mailing list and the forum can see the report without downloading and opening a file. In addition, new forum members are unable to attach files to posts.
Please include any useful information about any Qubes features you may have tested (see the legend below), as well as general machine compatibility (video, networking, sleep, etc.). Please consider sending the **HCL Support Files** ``.cpio.gz`` file as well. To generate these add the ``-s`` or ``--support`` command line option.
**Please note:** The **HCL Support Files** may contain numerous hardware details, including serial numbers. If, for privacy or security reasons, you do not wish to make this information public, please **do not** post the ``.cpio.gz`` file on a public mailing list or forum.
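Review bot: In the opening paragraph, "their hardware's compatibility" from the Markdown became "their hardwares compatibility"; the apostrophe was dropped in conversion and should be restored. Separately, the closing "Please note:" paragraph about serial numbers in the HCL Support Files is the one privacy warning on this page and is rendered as ordinary bold text; consider turning it into a warning admonition so it stands out before a user posts the .cpio.gz file publicly.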

@ -1,177 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/system-requirements/
redirect_from:
- /system-requirements/
- /en/doc/system-requirements/
- /doc/SystemRequirements/
- /wiki/SystemRequirements/
ref: 142
title: System requirements
---
<div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Notice:</b> The system requirements on this page are <em>necessary, but
not sufficient,</em> for Qubes compatibility at a minimal or recommended
level. In other words, just because a computer satisfies these requirements
doesn't mean that Qubes will successfully install and run on it. We strongly
recommend consulting the <a href="#choosing-hardware">resources below</a>
when selecting hardware for Qubes.
</div>
## Minimum
- **CPU:** 64-bit Intel or AMD processor (also known as `x86_64`, `x64`, and `AMD64`)
- [Intel VT-x](https://en.wikipedia.org/wiki/X86_virtualization#Intel_virtualization_.28VT-x.29) with [EPT](https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Extended_Page_Tables) or [AMD-V](https://en.wikipedia.org/wiki/X86_virtualization#AMD_virtualization_.28AMD-V.29) with [RVI](https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Rapid_Virtualization_Indexing)
- [Intel VT-d](https://en.wikipedia.org/wiki/X86_virtualization#Intel-VT-d) or [AMD-Vi (also known as AMD IOMMU)](https://en.wikipedia.org/wiki/X86_virtualization#I.2FO_MMU_virtualization_.28AMD-Vi_and_Intel_VT-d.29)
- **Memory:** 6 GB RAM
- **Storage:** 32 GB free space
## Recommended
- **CPU:** 64-bit Intel processor (also known as `x86_64`, `x64`, and `Intel 64`)
- [Intel VT-x](https://en.wikipedia.org/wiki/X86_virtualization#Intel_virtualization_.28VT-x.29) with [EPT](https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Extended_Page_Tables)
- [Intel VT-d](https://en.wikipedia.org/wiki/X86_virtualization#Intel-VT-d)
- For security, we recommend processors that are recent enough to still be
receiving microcode updates (see [below](#important-notes) for details).
- AMD processors are not recommended due to inconsistent security support on
client platforms (see [below](#important-notes) for details).
- **Memory:** 16 GB RAM
- **Storage:** 128 GB free space
- High-speed solid-state drive strongly recommended
- **Graphics:** Intel integrated graphics processor (IGP) strongly recommended
- Nvidia GPUs may require significant
[troubleshooting](/doc/install-nvidia-driver/).
- AMD GPUs have not been formally tested, but Radeons (especially RX580 and
earlier) generally work well.
- **Peripherals:** A non-USB keyboard or multiple USB controllers
- **TPM:** Trusted Platform Module (TPM) with proper BIOS support (required for
[Anti Evil Maid](/doc/anti-evil-maid/))
### Qubes-certified hardware
The following are *required* for [Qubes-certified hardware
devices](/doc/certified-hardware/) but *merely recommended* for *non-certified*
hardware (see the [hardware certification
requirements](/doc/certified-hardware/#hardware-certification-requirements) for
details).
- Open-source boot firmware (e.g., [coreboot](https://www.coreboot.org/))
- Hardware switches for all built-in USB-connected microphones (if any)
- Either support for non-USB input devices (e.g., via PS/2, which most laptops
already use internally) or a separate USB controller only for input devices
## Choosing Hardware
We recommend consulting these resources when selecting hardware for Qubes OS:
- [Certified hardware](/doc/certified-hardware/) --- Qubes developer certified,
officially recommended
- [Community-recommended hardware](https://forum.qubes-os.org/t/5560)
--- list curated and maintained by the community, unofficially recommended
- [Hardware compatibility list (HCL)](/hcl/) --- community test results,
neither recommended nor disrecommended
## Important Notes
- **Installing Qubes in a virtual machine is not recommended, as it uses its
own bare-metal hypervisor (Xen).**
- There is a class of security vulnerabilities that can be fixed only by
microcode updates. If your computer or the CPU in it no longer receives
microcode updates (e.g., because it is too old), it may not be possible for
some of these vulnerabilities to be mitigated on your system, leaving you
vulnerable. For this reason, we recommend using Qubes OS on systems that are
still receiving microcode updates. Nonetheless, Qubes OS **can** run on
systems that no longer receive microcode updates, and such systems will still
offer significant security advantages over conventional operating systems on
the same hardware.
- Intel maintains a
[list](https://www.intel.com/content/www/us/en/support/articles/000022396/processors.html)
of end-of-support dates for its processors. However, this list seems to
include only processors that are no longer supported or will soon no longer
be supported. Many newer Intel processors are missing from this list. To our
knowledge, Intel does not announce end-of-support dates for its newer
processors in advance, nor does it have a public policy governing how long
support will last.
- Intel and AMD handle microcode updates differently, which has significant
security implications. On Intel platforms, microcode updates can typically be
loaded from the operating system. This allows the Qubes security team to
respond rapidly to new vulnerabilities by shipping microcode updates alongside
other security updates directly to users. By contrast, on AMD client (as
opposed to server) platforms, microcode updates are typically shipped only as
part of system firmware and generally cannot be loaded from the operating
system [^1]. This means that AMD users typically must wait for:
1. AMD to distribute microcode updates to original equipment manufacturers
(OEMs), original design manufacturers (ODMs), and motherboard manufacturers
(MB); and
2. The user's OEM, ODM, or MB to provide a suitable BIOS or (U)EFI update for
the user's system.
- Historically, AMD has often been slow to complete step (1), at least for its
client (as opposed to server) platforms [^2]. In some cases, AMD has made fixes
available for its server platforms very shortly after a security embargo was
lifted, but it did not make fixes available for client platforms facing the
same vulnerability until weeks or months later. (A "security embargo" is the
practice of avoiding public disclosure of a security vulnerability prior to a
designated date.) By contrast, Intel has consistently made fixes available for
new CPU vulnerabilities across its supported platforms very shortly after
security embargoes have been lifted.
- Step (2) varies by vendor. Many vendors fail to complete step (2) at all,
while some others take a very long time to complete it.
- The bottom line is that Qubes OS **can** run on AMD systems, and the Qubes and
Xen security teams do their best to provide security support for AMD systems.
However, without the ability to ship microcode updates, there is only so much
they can do.
- Qubes **can** be installed on many systems that do not meet the recommended
requirements. Such systems will still offer significant security improvements
over traditional operating systems, since things like GUI isolation and
kernel protection do not require special hardware.
- Qubes **can** be installed on a USB flash drive or external disk, and testing
has shown that this works very well. A fast USB 3.0 flash drive is
recommended for this. (As a reminder, its capacity must be at least 32 GiB.)
Simply plug the flash drive into the computer before booting into the Qubes
installer from a separate installation medium, choose the flash drive as the
target installation disk, and proceed with the installation normally. After
Qubes has been installed on the flash drive, it can then be plugged into
other computers in order to boot into Qubes. In addition to the convenience
of having a portable copy of Qubes, this allows users to test for hardware
compatibility on multiple machines (e.g., at a brick-and-mortar computer
store) before deciding on which computer to purchase. (See [generating and
submitting HCL
reports](/doc/how-to-use-the-hcl/#generating-and-submitting-new-reports) for
advice on hardware compatibility testing.) Remember to change the devices
assigned to your NetVM and USB VM if you move between different machines.
- You can check whether an Intel processor has VT-x and VT-d on
[ark.intel.com](https://ark.intel.com/content/www/us/en/ark.html#@Processors).
[^1]: There is an `amd-ucode-firmware` package, but it only contains
microcode for servers and outdated microcode for Chromebooks. Also,
the [AMD security website](https://www.amd.com/en/resources/product-security.html)
only lists microcode as a mitigation for data center CPUs.
[^2]: As shown on [the AMD page for Speculative Return Stack Overflow](https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7005.html),
updated AGESA™ firmware for AMD Ryzen™ Threadripper™ 5000WX Processors
was not available until 2024-01-11, even though the vulnerability became
public on 2023-08-08. AMD did not provide updated firmware for other client
processors until a date between 2023-08-22 to 2023-08-25.
For Zenbleed, firmware was not available until 2024 for most client parts,
even though server parts got microcode on 2023-06-06.
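Review bot: The removed Markdown addressed its targets by site URL (`/doc/anti-evil-maid/`, `/doc/certified-hardware/#hardware-certification-requirements`, `/doc/how-to-use-the-hcl/#generating-and-submitting-new-reports`), and nothing visible in this change shows what keeps those `/doc/...` paths resolving once the file is gone. Please confirm that a redirect mapping for the old permalinks lands with or before this commit, so that inbound links to the microcode-support guidance do not break.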

View file

@ -0,0 +1,134 @@
===================
System requirements
===================
.. warning::
Notice: The system requirements on this page are *necessary, but not sufficient*, for Qubes compatibility at a minimal or recommended level. In other words, just because a computer satisfies these requirements doesnt mean that Qubes will successfully install and run on it. We strongly recommend consulting the `resources below <#choosing-hardware>`__ when selecting hardware for Qubes.
Minimum
-------
- **CPU:** 64-bit Intel or AMD processor (also known as ``x86_64``, ``x64``, and ``AMD64``)
- `Intel VT-x <https://en.wikipedia.org/wiki/X86_virtualization#Intel_virtualization_.28VT-x.29>`__ with `EPT <https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Extended_Page_Tables>`__ or `AMD-V <https://en.wikipedia.org/wiki/X86_virtualization#AMD_virtualization_.28AMD-V.29>`__ with `RVI <https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Rapid_Virtualization_Indexing>`__
- `Intel VT-d <https://en.wikipedia.org/wiki/X86_virtualization#Intel-VT-d>`__ or `AMD-Vi (also known as AMD IOMMU) <https://en.wikipedia.org/wiki/X86_virtualization#I.2FO_MMU_virtualization_.28AMD-Vi_and_Intel_VT-d.29>`__
- **Memory:** 6 GB RAM
- **Storage:** 32 GB free space
Recommended
-----------
- **CPU:** 64-bit Intel processor (also known as ``x86_64``, ``x64``, and ``Intel 64``)
- `Intel VT-x <https://en.wikipedia.org/wiki/X86_virtualization#Intel_virtualization_.28VT-x.29>`__ with `EPT <https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Extended_Page_Tables>`__
- `Intel VT-d <https://en.wikipedia.org/wiki/X86_virtualization#Intel-VT-d>`__
- For security, we recommend processors that are recent enough to still be receiving microcode updates (see `below <#important-notes>`__ for details).
- AMD processors are not recommended due to inconsistent security support on client platforms (see `below <#important-notes>`__ for details).
- **Memory:** 16 GB RAM
- **Storage:** 128 GB free space
- High-speed solid-state drive strongly recommended
- **Graphics:** Intel integrated graphics processor (IGP) strongly recommended
- Nvidia GPUs may require significant `troubleshooting <https://forum.qubes-os.org/t/18987>`__.
- AMD GPUs have not been formally tested, but Radeons (especially RX580 and earlier) generally work well.
- **Peripherals:** A non-USB keyboard or multiple USB controllers
- **TPM:** Trusted Platform Module (TPM) with proper BIOS support (required for :doc:`Anti Evil Maid </user/security-in-qubes/anti-evil-maid>`)
Qubes-certified hardware
^^^^^^^^^^^^^^^^^^^^^^^^
The following are *required* for :doc:`Qubes-certified hardware devices </user/hardware/certified-hardware/certified-hardware>` but *merely recommended* for *non-certified* hardware (see the :ref:`hardware certification requirements <user/hardware/certified-hardware/certified-hardware:hardware certification requirements>` for details).
- Open-source boot firmware (e.g., `coreboot <https://www.coreboot.org/>`__)
- Hardware switches for all built-in USB-connected microphones (if any)
- Either support for non-USB input devices (e.g., via PS/2, which most laptops already use internally) or a separate USB controller only for input devices
Choosing Hardware
-----------------
We recommend consulting these resources when selecting hardware for Qubes OS:
- :doc:`Certified hardware </user/hardware/certified-hardware/certified-hardware>` — Qubes developer certified, officially recommended
- `Community-recommended hardware <https://forum.qubes-os.org/t/5560>`__ — list curated and maintained by the community, unofficially recommended
- `Hardware compatibility list (HCL) <https://www.qubes-os.org/hcl/>`__ — community test results, neither recommended nor disrecommended
Important Notes
---------------
- **Installing Qubes in a virtual machine is not recommended, as it uses its own bare-metal hypervisor (Xen).**
- There is a class of security vulnerabilities that can be fixed only by microcode updates. If your computer or the CPU in it no longer receives microcode updates (e.g., because it is too old), it may not be possible for some of these vulnerabilities to be mitigated on your system, leaving you vulnerable. For this reason, we recommend using Qubes OS on systems that are still receiving microcode updates. Nonetheless, Qubes OS **can** run on systems that no longer receive microcode updates, and such systems will still offer significant security advantages over conventional operating systems on the same hardware.
- Intel maintains a `list <https://www.intel.com/content/www/us/en/support/articles/000022396/processors.html>`__ of end-of-support dates for its processors. However, this list seems to include only processors that are no longer supported or will soon no longer be supported. Many newer Intel processors are missing from this list. To our knowledge, Intel does not announce end-of-support dates for its newer processors in advance, nor does it have a public policy governing how long support will last.
- Intel and AMD handle microcode updates differently, which has significant security implications. On Intel platforms, microcode updates can typically be loaded from the operating system. This allows the Qubes security team to respond rapidly to new vulnerabilities by shipping microcode updates alongside other security updates directly to users. By contrast, on AMD client (as opposed to server) platforms, microcode updates are typically shipped only as part of system firmware and generally cannot be loaded from the operating system [1]_. This means that AMD users typically must wait for:
1. AMD to distribute microcode updates to original equipment manufacturers (OEMs), original design manufacturers (ODMs), and motherboard manufacturers (MB); and
2. The users OEM, ODM, or MB to provide a suitable BIOS or (U)EFI update for the users system.
- Historically, AMD has often been slow to complete step (1), at least for its client (as opposed to server) platforms [2]_. In some cases, AMD has made fixes available for its server platforms very shortly after a security embargo was lifted, but it did not make fixes available for client platforms facing the same vulnerability until weeks or months later. (A “security embargo” is the practice of avoiding public disclosure of a security vulnerability prior to a designated date.) By contrast, Intel has consistently made fixes available for new CPU vulnerabilities across its supported platforms very shortly after security embargoes have been lifted.
- Step (2) varies by vendor. Many vendors fail to complete step (2) at all, while some others take a very long time to complete it.
- The bottom line is that Qubes OS **can** run on AMD systems, and the Qubes and Xen security teams do their best to provide security support for AMD systems. However, without the ability to ship microcode updates, there is only so much they can do.
- Qubes **can** be installed on many systems that do not meet the recommended requirements. Such systems will still offer significant security improvements over traditional operating systems, since things like GUI isolation and kernel protection do not require special hardware.
- Qubes **can** be installed on a USB flash drive or external disk, and testing has shown that this works very well. A fast USB 3.0 flash drive is recommended for this. (As a reminder, its capacity must be at least 32 GiB.) Simply plug the flash drive into the computer before booting into the Qubes installer from a separate installation medium, choose the flash drive as the target installation disk, and proceed with the installation normally. After Qubes has been installed on the flash drive, it can then be plugged into other computers in order to boot into Qubes. In addition to the convenience of having a portable copy of Qubes, this allows users to test for hardware compatibility on multiple machines (e.g., at a brick-and-mortar computer store) before deciding on which computer to purchase. (See :ref:`generating and submitting HCL reports <user/hardware/how-to-use-the-hcl:generating and submitting new reports>` for advice on hardware compatibility testing.) Remember to change the devices assigned to your NetVM and USB VM if you move between different machines.
- You can check whether an Intel processor has VT-x and VT-d on `ark.intel.com <https://ark.intel.com/content/www/us/en/ark.html#@Processors>`__.
.. [1]
There is an ``amd-ucode-firmware`` package, but it only contains microcode for servers and outdated microcode for Chromebooks. Also, the `AMD security website <https://www.amd.com/en/resources/product-security.html>`__ only lists microcode as a mitigation for data center CPUs.
.. [2]
As shown on `the AMD page for Speculative Return Stack Overflow <https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7005.html>`__, updated AGESA™ firmware for AMD Ryzen™ Threadripper™ 5000WX Processors was not available until 2024-01-11, even though the vulnerability became public on 2023-08-08. AMD did not provide updated firmware for other client processors until a date between 2023-08-22 to 2023-08-25.
For Zenbleed, firmware was not available until 2024 for most client parts, even though server parts got microcode on 2023-06-06.
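Review bot: The in-page links in the warning (`<#choosing-hardware>`__) and in the two Recommended CPU bullets (`<#important-notes>`__) are raw fragment URLs that nothing checks at build time, so a heading rename breaks them silently. The same hunk already uses `:ref:` with section labels for the certification-requirements and HCL-report links, and these three should do the same. Two smaller points, as the text appears here: the apostrophes are gone in "doesnt", "users OEM" and "users system" (the removed Markdown had "user's"), and the `.. warning::` body still opens with "Notice:", so the admonition label and its first word disagree. The HCL link also changed from the site-relative `/hcl/` to `https://www.qubes-os.org/hcl/`; please confirm the absolute URL is intended.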