mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-10-01 01:25:40 -04:00
Update recommendations and notes regarding microcode and AMD
This commit is contained in:
parent
af2d3c0856
commit
88384e0dc5
@ -33,9 +33,13 @@ title: System requirements
|
|||||||
|
|
||||||
## Recommended
|
## Recommended
|
||||||
|
|
||||||
- **CPU:** 64-bit Intel or AMD processor (also known as `x86_64`, `x64`, and `AMD64`)
|
- **CPU:** 64-bit Intel processor (also known as `x86_64`, `x64`, and `Intel 64`)
|
||||||
- [Intel VT-x](https://en.wikipedia.org/wiki/X86_virtualization#Intel_virtualization_.28VT-x.29) with [EPT](https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Extended_Page_Tables) or [AMD-V](https://en.wikipedia.org/wiki/X86_virtualization#AMD_virtualization_.28AMD-V.29) with [RVI](https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Rapid_Virtualization_Indexing)
|
- [Intel VT-x](https://en.wikipedia.org/wiki/X86_virtualization#Intel_virtualization_.28VT-x.29) with [EPT](https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Extended_Page_Tables)
|
||||||
- [Intel VT-d](https://en.wikipedia.org/wiki/X86_virtualization#Intel-VT-d) or [AMD-Vi (also known as AMD IOMMU)](https://en.wikipedia.org/wiki/X86_virtualization#I.2FO_MMU_virtualization_.28AMD-Vi_and_Intel_VT-d.29)
|
- [Intel VT-d](https://en.wikipedia.org/wiki/X86_virtualization#Intel-VT-d)
|
||||||
|
- For security, we recommend processors that are recent enough to still be
|
||||||
|
receiving microcode updates (see [below](#important-updates) for details).
|
||||||
|
- AMD processors are not recommended due to inconsistent security support on
|
||||||
|
client platforms (see [below](#important-updates) for details).
|
||||||
|
|
||||||
- **Memory:** 16 GB RAM
|
- **Memory:** 16 GB RAM
|
||||||
|
|
||||||
@ -44,9 +48,9 @@ title: System requirements
|
|||||||
|
|
||||||
- **Graphics:** Intel integrated graphics processor (IGP) strongly recommended
|
- **Graphics:** Intel integrated graphics processor (IGP) strongly recommended
|
||||||
- Nvidia GPUs may require significant
|
- Nvidia GPUs may require significant
|
||||||
[troubleshooting](/doc/install-nvidia-driver/)
|
[troubleshooting](/doc/install-nvidia-driver/).
|
||||||
- AMD GPUs have not been formally tested, but Radeons (especially RX580 and
|
- AMD GPUs have not been formally tested, but Radeons (especially RX580 and
|
||||||
earlier) generally work well
|
earlier) generally work well.
|
||||||
|
|
||||||
- **Peripherals:** A non-USB keyboard or multiple USB controllers
|
- **Peripherals:** A non-USB keyboard or multiple USB controllers
|
||||||
|
|
||||||
@ -84,6 +88,49 @@ We recommend consulting these resources when selecting hardware for Qubes OS:
|
|||||||
- **Installing Qubes in a virtual machine is not recommended, as it uses its
|
- **Installing Qubes in a virtual machine is not recommended, as it uses its
|
||||||
own bare-metal hypervisor (Xen).**
|
own bare-metal hypervisor (Xen).**
|
||||||
|
|
||||||
|
- There is a class of security vulnerabilities that can be fixed only by
|
||||||
|
microcode updates. If your computer or the CPU in it no longer receives
|
||||||
|
microcode updates (e.g., because it is too old), it may not be possible for
|
||||||
|
some of these vulnerabilities to be mitigated on your system, leaving you
|
||||||
|
vulnerable. For this reason, we recommend using Qubes OS on systems that are
|
||||||
|
still receiving microcode updates. Nonetheless, Qubes OS **can** run on
|
||||||
|
systems that no longer receive microcode updates, and such systems will still
|
||||||
|
offer significant security advantages over conventional operating systems on
|
||||||
|
the same hardware.
|
||||||
|
|
||||||
|
- Intel and AMD handle microcode updates differently, which has significant
|
||||||
|
security implications. On Intel platforms, microcode updates can typically be
|
||||||
|
loaded from the operating system. This allows the Qubes security team to
|
||||||
|
respond rapidly to new vulnerabilities by shipping microcode updates alongside
|
||||||
|
other security updates directly to users. By contrast, on AMD client (as
|
||||||
|
opposed to server) platforms, microcode updates are typically shipped only as
|
||||||
|
part of system firmware and generally cannot be loaded from the operating
|
||||||
|
system. This means that AMD users typically must wait for:
|
||||||
|
|
||||||
|
1. AMD to distribute microcode updates to original equipment manufacturers
|
||||||
|
(OEMs), original design manufacturers (ODMs), and motherboard manufacturers
|
||||||
|
(MB); and
|
||||||
|
2. The user's OEM, ODM, or MB to provide a suitable BIOS or (U)EFI update for
|
||||||
|
the user's system.
|
||||||
|
|
||||||
|
Historically, AMD has often been slow to complete step (1), at least for its
|
||||||
|
client (as opposed to server) platforms. In some cases, AMD has made fixes
|
||||||
|
available for its server platforms very shortly after a security embargo was
|
||||||
|
lifted, but it did not make fixes available for client platforms facing the
|
||||||
|
same vulnerability until weeks or months later. (A "security embargo" is the
|
||||||
|
practice of avoiding public disclosure of a security vulnerability prior to a
|
||||||
|
designated date.) By contrast, Intel has consistently made fixes available for
|
||||||
|
new CPU vulnerabilities across its supported platforms very shortly after
|
||||||
|
security embargoes have been lifted.
|
||||||
|
|
||||||
|
Step (2) varies by vendor. Many vendors fail to complete step (2) at all,
|
||||||
|
while some others take a very long time to complete it.
|
||||||
|
|
||||||
|
The bottom line is that Qubes OS **can** run on AMD systems, and the Qubes and
|
||||||
|
Xen security teams do their best to provide security support for AMD systems.
|
||||||
|
However, without the ability to ship microcode updates, there is only so much
|
||||||
|
they can do.
|
||||||
|
|
||||||
- Qubes **can** be installed on many systems that do not meet the recommended
|
- Qubes **can** be installed on many systems that do not meet the recommended
|
||||||
requirements. Such systems will still offer significant security improvements
|
requirements. Such systems will still offer significant security improvements
|
||||||
over traditional operating systems, since things like GUI isolation and
|
over traditional operating systems, since things like GUI isolation and
|
||||||
|
Loading…
Reference in New Issue
Block a user