mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-10-01 01:25:40 -04:00
Merge branch 'cert-hw-req'
commit
9d14f58ca9
@ -85,9 +85,9 @@ compatible with Qubes OS. The benefits of hardware certification include:
|
||||
|
||||
## Hardware Certification Requirements
|
||||
|
||||
(Please note that these are the requirements for hardware *certification*,
|
||||
**Note:** This section describes the requirements for hardware *certification*,
|
||||
*not* the requirements for *running* Qubes OS. For the latter, please see the
|
||||
[system requirements](/doc/system-requirements/).)
|
||||
[system requirements](/doc/system-requirements/).
|
||||
|
||||
A basic requirement is that all Qubes-certified devices must be be available
|
||||
for purchase with Qubes OS preinstalled. Customers may be offered the option to
|
||||
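Review bot: the context line directly under the rewritten note still reads "must be be available" (duplicated "be"); this paragraph is being touched anyway, so fix it in the same change. For the note itself, make sure only the `**Note:**` form survives and that the link line no longer ends in the closing ")" left over from the old parenthetical.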
@ -134,6 +134,20 @@ compatible with Qubes OS, the BIOS must properly expose all the VT-x, VT-d, and
|
||||
SLAT functionality that the underlying hardware offers (and which we require).
|
||||
Among other things, this implies **proper DMAR ACPI table** construction.
|
||||
|
||||
Most laptops use PS/2 connections internally for their input devices (i.e.,
|
||||
keyboard and touchpad). On most desktops, however, USB-connected keyboards
|
||||
and mice have become standard. This presents a dilemma when the computer has
|
||||
only one USB controller. If that single USB controller is dedicated solely to
|
||||
the input devices, then no untrusted USB devices can be used. Conversely, if
|
||||
the sole USB controller is completely untrusted, then there is no way for the
|
||||
user to physically control the system in a secure way. In practice, Qubes users
|
||||
on such hardware systems are generally forced to use a single USB controller
|
||||
for both trusted and untrusted purposes --- [an unfortunate security
|
||||
trade-off](/doc/device-handling-security/#security-warning-on-usb-input-devices).
|
||||
For this reason, we require that every Qubes-certified non-laptop device
|
||||
**either** (1) supports non-USB input devices (e.g., via PS/2) **or** (2) has a
|
||||
separate USB controller that is only for input devices.
|
||||
|
||||
Finally, we require that Qubes-certified hardware does not have any built-in
|
||||
_USB-connected_ microphones (e.g. as part of a USB-connected built-in camera)
|
||||
that cannot be easily physically disabled by the user, e.g. via a convenient
|
||||
|
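Review bot: the new requirement is scoped to "every Qubes-certified non-laptop device", but the rationale above it only says that "Most laptops use PS/2 connections internally", so a laptop whose keyboard or touchpad is USB-attached and which has a single USB controller falls outside the requirement while having exactly the trade-off the paragraph describes. Suggest either dropping "non-laptop" so the either/or condition applies to every certified device, or adding a sentence that says how laptops with USB-connected internal input devices are handled. It would also help to say what "only for input devices" means for certification, since the text does not state who checks that nothing else is attached to that controller.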
@ -26,7 +26,9 @@ title: System requirements
|
||||
- **CPU:** 64-bit Intel or AMD processor (also known as `x86_64`, `x64`, and `AMD64`)
|
||||
- [Intel VT-x](https://en.wikipedia.org/wiki/X86_virtualization#Intel_virtualization_.28VT-x.29) with [EPT](https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Extended_Page_Tables) or [AMD-V](https://en.wikipedia.org/wiki/X86_virtualization#AMD_virtualization_.28AMD-V.29) with [RVI](https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Rapid_Virtualization_Indexing)
|
||||
- [Intel VT-d](https://en.wikipedia.org/wiki/X86_virtualization#Intel-VT-d) or [AMD-Vi (also known as AMD IOMMU)](https://en.wikipedia.org/wiki/X86_virtualization#I.2FO_MMU_virtualization_.28AMD-Vi_and_Intel_VT-d.29)
|
||||
|
||||
- **Memory:** 6 GB RAM
|
||||
|
||||
- **Storage:** 32 GB free space
|
||||
|
||||
## Recommended
|
||||
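Review bot: the blank lines added between the CPU, Memory and Storage bullets turn the top-level list into a loose Markdown list while the nested VT-x and VT-d bullets stay tight, so the rendered spacing of this section changes. Check the rendered page, and confirm the nested bullets are still indented under **CPU** so the blank line after them does not end the list.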
@ -34,19 +36,35 @@ title: System requirements
|
||||
- **CPU:** 64-bit Intel or AMD processor (also known as `x86_64`, `x64`, and `AMD64`)
|
||||
- [Intel VT-x](https://en.wikipedia.org/wiki/X86_virtualization#Intel_virtualization_.28VT-x.29) with [EPT](https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Extended_Page_Tables) or [AMD-V](https://en.wikipedia.org/wiki/X86_virtualization#AMD_virtualization_.28AMD-V.29) with [RVI](https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Rapid_Virtualization_Indexing)
|
||||
- [Intel VT-d](https://en.wikipedia.org/wiki/X86_virtualization#Intel-VT-d) or [AMD-Vi (also known as AMD IOMMU)](https://en.wikipedia.org/wiki/X86_virtualization#I.2FO_MMU_virtualization_.28AMD-Vi_and_Intel_VT-d.29)
|
||||
|
||||
- **Memory:** 16 GB RAM
|
||||
|
||||
- **Storage:** 128 GB free space
|
||||
- High-speed solid-state drive strongly recommended
|
||||
|
||||
- **Graphics:** Intel integrated graphics processor (IGP) strongly recommended
|
||||
- Nvidia GPUs may require significant
|
||||
[troubleshooting](/doc/install-nvidia-driver/)
|
||||
- AMD GPUs have not been formally tested, but Radeons (especially RX580 and
|
||||
earlier) generally work well
|
||||
|
||||
- **Peripherals:** A non-USB keyboard or multiple USB controllers
|
||||
|
||||
- **TPM:** Trusted Platform Module (TPM) with proper BIOS support (required for
|
||||
[Anti Evil Maid](/doc/anti-evil-maid/))
|
||||
- **Other:** Satisfaction of all [hardware certification requirements for Qubes
|
||||
4.x](/news/2016/07/21/new-hw-certification-for-q4/)
|
||||
|
||||
The following are *required* for [Qubes-certified hardware
|
||||
devices](/doc/certified-hardware/) but *merely recommended* for *non-certified*
|
||||
hardware (see the [hardware certification
|
||||
requirements](/doc/certified-hardware/#hardware-certification-requirements) for
|
||||
details).
|
||||
|
||||
- Open-source boot firmware (e.g., [coreboot](https://www.coreboot.org/))
|
||||
|
||||
- Hardware switches for all built-in USB-connected microphones (if any)
|
||||
|
||||
- Either support for non-USB input devices (e.g., via PS/2, which most laptops
|
||||
already use internally) or a separate USB controller only for input devices
|
||||
|
||||
## Choosing Hardware
|
||||
|
||||
|
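Review bot: the **Peripherals** bullet ("A non-USB keyboard or multiple USB controllers") and the last bullet of the new list ("Either support for non-USB input devices ... or a separate USB controller only for input devices") state the same recommendation twice with different wording: "keyboard" versus "input devices", and "multiple USB controllers" versus a controller reserved for input. Suggest keeping one of them, or making the Peripherals bullet use the same wording, so a reader does not conclude that any second controller is enough. Also confirm that the **Other** bullet linking to the 2016 news post is removed rather than kept next to the new link to `/doc/certified-hardware/#hardware-certification-requirements`; otherwise the page points at two descriptions of the certification requirements.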