From 88384e0dc5d5e39e1fadfcd23a761e50ad09c2e4 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Mon, 2 Sep 2024 08:59:33 -0700 Subject: [PATCH 1/2] Update recommendations and notes regarding microcode and AMD --- user/hardware/system-requirements.md | 57 +++++++++++++++++++++++++--- 1 file changed, 52 insertions(+), 5 deletions(-) diff --git a/user/hardware/system-requirements.md b/user/hardware/system-requirements.md index a31c582a..018f7cab 100644 --- a/user/hardware/system-requirements.md +++ b/user/hardware/system-requirements.md @@ -33,9 +33,13 @@ title: System requirements ## Recommended -- **CPU:** 64-bit Intel or AMD processor (also known as `x86_64`, `x64`, and `AMD64`) - - [Intel VT-x](https://en.wikipedia.org/wiki/X86_virtualization#Intel_virtualization_.28VT-x.29) with [EPT](https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Extended_Page_Tables) or [AMD-V](https://en.wikipedia.org/wiki/X86_virtualization#AMD_virtualization_.28AMD-V.29) with [RVI](https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Rapid_Virtualization_Indexing) - - [Intel VT-d](https://en.wikipedia.org/wiki/X86_virtualization#Intel-VT-d) or [AMD-Vi (also known as AMD IOMMU)](https://en.wikipedia.org/wiki/X86_virtualization#I.2FO_MMU_virtualization_.28AMD-Vi_and_Intel_VT-d.29) +- **CPU:** 64-bit Intel processor (also known as `x86_64`, `x64`, and `Intel 64`) + - [Intel VT-x](https://en.wikipedia.org/wiki/X86_virtualization#Intel_virtualization_.28VT-x.29) with [EPT](https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Extended_Page_Tables) + - [Intel VT-d](https://en.wikipedia.org/wiki/X86_virtualization#Intel-VT-d) + - For security, we recommend processors that are recent enough to still be + receiving microcode updates (see [below](#important-updates) for details). + - AMD processors are not recommended due to inconsistent security support on + client platforms (see [below](#important-updates) for details). - **Memory:** 16 GB RAM 
@@ -44,9 +48,9 @@ title: System requirements - **Graphics:** Intel integrated graphics processor (IGP) strongly recommended - Nvidia GPUs may require significant - [troubleshooting](/doc/install-nvidia-driver/) + [troubleshooting](/doc/install-nvidia-driver/). - AMD GPUs have not been formally tested, but Radeons (especially RX580 and - earlier) generally work well + earlier) generally work well. - **Peripherals:** A non-USB keyboard or multiple USB controllers 
@@ -84,6 +88,49 @@ We recommend consulting these resources when selecting hardware for Qubes OS: - **Installing Qubes in a virtual machine is not recommended, as it uses its own bare-metal hypervisor (Xen).** +- There is a class of security vulnerabilities that can be fixed only by + microcode updates. If your computer or the CPU in it no longer receives + microcode updates (e.g., because it is too old), it may not be possible for + some of these vulnerabilities to be mitigated on your system, leaving you + vulnerable. For this reason, we recommend using Qubes OS on systems that are + still receiving microcode updates. Nonetheless, Qubes OS **can** run on + systems that no longer receive microcode updates, and such systems will still + offer significant security advantages over conventional operating systems on + the same hardware. + +- Intel and AMD handle microcode updates differently, which has significant + security implications. On Intel platforms, microcode updates can typically be + loaded from the operating system. This allows the Qubes security team to + respond rapidly to new vulnerabilities by shipping microcode updates alongside + other security updates directly to users. By contrast, on AMD client (as + opposed to server) platforms, microcode updates are typically shipped only as + part of system firmware and generally cannot be loaded from the operating + system. This means that AMD users typically must wait for: + + 1. AMD to distribute microcode updates to original equipment manufacturers + (OEMs), original design manufacturers (ODMs), and motherboard manufacturers + (MB); and + 2. The user's OEM, ODM, or MB to provide a suitable BIOS or (U)EFI update for + the user's system. + + Historically, AMD has often been slow to complete step (1), at least for its + client (as opposed to server) platforms. 
In some cases, AMD has made fixes + available for its server platforms very shortly after a security embargo was + lifted, but it did not make fixes available for client platforms facing the + same vulnerability until weeks or months later. (A "security embargo" is the + practice of avoiding public disclosure of a security vulnerability prior to a + designated date.) By contrast, Intel has consistently made fixes available for + new CPU vulnerabilities across its supported platforms very shortly after + security embargoes have been lifted. + + Step (2) varies by vendor. Many vendors fail to complete step (2) at all, + while some others take a very long time to complete it. + + The bottom line is that Qubes OS **can** run on AMD systems, and the Qubes and + Xen security teams do their best to provide security support for AMD systems. + However, without the ability to ship microcode updates, there is only so much + they can do. + - Qubes **can** be installed on many systems that do not meet the recommended requirements. Such systems will still offer significant security improvements over traditional operating systems, since things like GUI isolation and From 1bc8ddb4728107aba532fef306b0ae09c68d7bc0 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Tue, 3 Sep 2024 01:41:18 -0700 Subject: [PATCH 2/2] Include link to Intel's list of end-of-support dates --- user/hardware/system-requirements.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/user/hardware/system-requirements.md b/user/hardware/system-requirements.md index 018f7cab..ffe39f7c 100644 --- a/user/hardware/system-requirements.md +++ b/user/hardware/system-requirements.md 
@@ -98,6 +98,15 @@ We recommend consulting these resources when selecting hardware for Qubes OS: offer significant security advantages over conventional operating systems on the same hardware. + Intel maintains a + [list](https://www.intel.com/content/www/us/en/support/articles/000022396/processors.html) + of end-of-support dates for its processors. However, this list seems to + include only processors that are no longer supported or will soon no longer + be supported. Many newer Intel processors are missing from this list. To our + knowledge, Intel does not announce end-of-support dates for its newer + processors in advance, nor does it have a public policy governing how long + support will last. + - Intel and AMD handle microcode updates differently, which has significant security implications. On Intel platforms, microcode updates can typically be loaded from the operating system. This allows the Qubes security team to @@ -116,7 +125,7 @@ We recommend consulting these resources when selecting hardware for Qubes OS: Historically, AMD has often been slow to complete step (1), at least for its client (as opposed to server) platforms. In some cases, AMD has made fixes available for its server platforms very shortly after a security embargo was - lifted, but it did not make fixes available for client platforms facing the + lifted, but it did not make fixes available for client platforms facing the same vulnerability until weeks or months later. (A "security embargo" is the practice of avoiding public disclosure of a security vulnerability prior to a designated date.) By contrast, Intel has consistently made fixes available for
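Review bot: in PATCH 1/2, hunk `@@ -33,9 +33,13 @@`, both new nested bullets link to `#important-updates`, but no heading that would produce that anchor appears anywhere in this diff. Confirm the page already has an "Important updates" heading (kramdown derives the id from the heading text), otherwise both "see below" links will be dead on the rendered site. Dropping the AMD-V/RVI and AMD-Vi lines from "Recommended" is consistent with the new AMD note, but the remaining `x86_64` alias list now reads "`x86_64`, `x64`, and `Intel 64`"; if the Minimum section still says `AMD64`, the two sections should use the same alias wording.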
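Review bot: in PATCH 1/2, hunk `@@ -84,6 +88,49 @@`, the new AMD paragraph makes concrete timeline claims ("weeks or months later", "Many vendors fail to complete step (2) at all") without a citation; link the Qubes Security Bulletins or Xen advisories in which the delayed AMD client microcode was documented so readers can verify the statement rather than take it on trust. Minor wording points in the same hunk: "(MB)" as an abbreviation for motherboard manufacturers is non-standard and is then reused in step 2 ("OEM, ODM, or MB"), so either spell it out or use "motherboard vendor" in both places; and "a suitable BIOS or (U)EFI update" would be clearer as "a firmware (BIOS/UEFI) update".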
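Review bot: in PATCH 2/2, hunk `@@ -98,6 +98,15 @@`, the sentence "this list seems to include only processors that are no longer supported or will soon no longer be supported" is an observation about the page as it looked when the commit was written; qualify it with the date ("as of September 2024, the list appears to ...") so it does not silently go stale once Intel changes the page. The `intel.com/.../000022396/processors.html` support-article URL is also the kind of link that gets moved; consider pointing the link text at the article title rather than the bare word "list", so a reader can find it again if the URL breaks.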
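Review bot: in PATCH 2/2, hunk `@@ -116,7 +125,7 @@`, the only change is stripping trailing whitespace from the "lifted, but it did not make fixes available ..." line that PATCH 1/2 introduced. Squash this into the first commit instead of carrying a whitespace-only fix inside a commit whose subject is "Include link to Intel's list of end-of-support dates"; as it stands, the second commit's diffstat (10 insertions, 1 deletion) misrepresents what it does.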