From 88384e0dc5d5e39e1fadfcd23a761e50ad09c2e4 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Mon, 2 Sep 2024 08:59:33 -0700 Subject: [PATCH 1/8] Update recommendations and notes regarding microcode and AMD --- user/hardware/system-requirements.md | 57 +++++++++++++++++++++++++--- 1 file changed, 52 insertions(+), 5 deletions(-) diff --git a/user/hardware/system-requirements.md b/user/hardware/system-requirements.md index a31c582a..018f7cab 100644 --- a/user/hardware/system-requirements.md +++ b/user/hardware/system-requirements.md @@ -33,9 +33,13 @@ title: System requirements ## Recommended -- **CPU:** 64-bit Intel or AMD processor (also known as `x86_64`, `x64`, and `AMD64`) - - [Intel VT-x](https://en.wikipedia.org/wiki/X86_virtualization#Intel_virtualization_.28VT-x.29) with [EPT](https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Extended_Page_Tables) or [AMD-V](https://en.wikipedia.org/wiki/X86_virtualization#AMD_virtualization_.28AMD-V.29) with [RVI](https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Rapid_Virtualization_Indexing) - - [Intel VT-d](https://en.wikipedia.org/wiki/X86_virtualization#Intel-VT-d) or [AMD-Vi (also known as AMD IOMMU)](https://en.wikipedia.org/wiki/X86_virtualization#I.2FO_MMU_virtualization_.28AMD-Vi_and_Intel_VT-d.29) +- **CPU:** 64-bit Intel processor (also known as `x86_64`, `x64`, and `Intel 64`) + - [Intel VT-x](https://en.wikipedia.org/wiki/X86_virtualization#Intel_virtualization_.28VT-x.29) with [EPT](https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Extended_Page_Tables) + - [Intel VT-d](https://en.wikipedia.org/wiki/X86_virtualization#Intel-VT-d) + - For security, we recommend processors that are recent enough to still be + receiving microcode updates (see [below](#important-updates) for details). + - AMD processors are not recommended due to inconsistent security support on + client platforms (see [below](#important-updates) for details). - **Memory:** 16 GB RAM 
@@ -44,9 +48,9 @@ title: System requirements - **Graphics:** Intel integrated graphics processor (IGP) strongly recommended - Nvidia GPUs may require significant - [troubleshooting](/doc/install-nvidia-driver/) + [troubleshooting](/doc/install-nvidia-driver/). - AMD GPUs have not been formally tested, but Radeons (especially RX580 and - earlier) generally work well + earlier) generally work well. - **Peripherals:** A non-USB keyboard or multiple USB controllers 
@@ -84,6 +88,49 @@ We recommend consulting these resources when selecting hardware for Qubes OS: - **Installing Qubes in a virtual machine is not recommended, as it uses its own bare-metal hypervisor (Xen).** +- There is a class of security vulnerabilities that can be fixed only by + microcode updates. If your computer or the CPU in it no longer receives + microcode updates (e.g., because it is too old), it may not be possible for + some of these vulnerabilities to be mitigated on your system, leaving you + vulnerable. For this reason, we recommend using Qubes OS on systems that are + still receiving microcode updates. Nonetheless, Qubes OS **can** run on + systems that no longer receive microcode updates, and such systems will still + offer significant security advantages over conventional operating systems on + the same hardware. + +- Intel and AMD handle microcode updates differently, which has significant + security implications. On Intel platforms, microcode updates can typically be + loaded from the operating system. This allows the Qubes security team to + respond rapidly to new vulnerabilities by shipping microcode updates alongside + other security updates directly to users. By contrast, on AMD client (as + opposed to server) platforms, microcode updates are typically shipped only as + part of system firmware and generally cannot be loaded from the operating + system. This means that AMD users typically must wait for: + + 1. AMD to distribute microcode updates to original equipment manufacturers + (OEMs), original design manufacturers (ODMs), and motherboard manufacturers + (MB); and + 2. The user's OEM, ODM, or MB to provide a suitable BIOS or (U)EFI update for + the user's system. + + Historically, AMD has often been slow to complete step (1), at least for its + client (as opposed to server) platforms. 
In some cases, AMD has made fixes + available for its server platforms very shortly after a security embargo was + lifted, but it did not make fixes available for client platforms facing the + same vulnerability until weeks or months later. (A "security embargo" is the + practice of avoiding public disclosure of a security vulnerability prior to a + designated date.) By contrast, Intel has consistently made fixes available for + new CPU vulnerabilities across its supported platforms very shortly after + security embargoes have been lifted. + + Step (2) varies by vendor. Many vendors fail to complete step (2) at all, + while some others take a very long time to complete it. + + The bottom line is that Qubes OS **can** run on AMD systems, and the Qubes and + Xen security teams do their best to provide security support for AMD systems. + However, without the ability to ship microcode updates, there is only so much + they can do. + - Qubes **can** be installed on many systems that do not meet the recommended requirements. Such systems will still offer significant security improvements over traditional operating systems, since things like GUI isolation and From 1bc8ddb4728107aba532fef306b0ae09c68d7bc0 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Tue, 3 Sep 2024 01:41:18 -0700 Subject: [PATCH 2/8] Include link to Intel's list of end-of-support dates --- user/hardware/system-requirements.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/user/hardware/system-requirements.md b/user/hardware/system-requirements.md index 018f7cab..ffe39f7c 100644 --- a/user/hardware/system-requirements.md +++ b/user/hardware/system-requirements.md 
@@ -98,6 +98,15 @@ We recommend consulting these resources when selecting hardware for Qubes OS: offer significant security advantages over conventional operating systems on the same hardware. + Intel maintains a + [list](https://www.intel.com/content/www/us/en/support/articles/000022396/processors.html) + of end-of-support dates for its processors. However, this list seems to + include only processors that are no longer supported or will soon no longer + be supported. Many newer Intel processors are missing from this list. To our + knowledge, Intel does not announce end-of-support dates for its newer + processors in advance, nor does it have a public policy governing how long + support will last. + - Intel and AMD handle microcode updates differently, which has significant security implications. On Intel platforms, microcode updates can typically be loaded from the operating system. This allows the Qubes security team to @@ -116,7 +125,7 @@ We recommend consulting these resources when selecting hardware for Qubes OS: Historically, AMD has often been slow to complete step (1), at least for its client (as opposed to server) platforms. In some cases, AMD has made fixes available for its server platforms very shortly after a security embargo was - lifted, but it did not make fixes available for client platforms facing the + lifted, but it did not make fixes available for client platforms facing the same vulnerability until weeks or months later. (A "security embargo" is the practice of avoiding public disclosure of a security vulnerability prior to a designated date.) By contrast, Intel has consistently made fixes available for From 54ce8c2f4ae86f434a0f1036eddad3924ce26166 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Thu, 5 Sep 2024 06:18:08 -0700 Subject: [PATCH 3/8] Add NovaCustom V56 Series to certified computer list --- user/hardware/certified-hardware.md | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) 
diff --git a/user/hardware/certified-hardware.md b/user/hardware/certified-hardware.md index a5ef3789..10aee505 100644 --- a/user/hardware/certified-hardware.md +++ b/user/hardware/certified-hardware.md 
@@ -25,53 +25,59 @@ Qubes-certified computers are certified for a [major release](/doc/version-schem The current Qubes-certified models are listed below in reverse chronological order of certification. +### NovaCustom V56 Series 16.0 inch coreboot laptop + +[![Photo of the NovaCustom V56 Series 16.0 inch coreboot laptop](/attachment/site/novacustom-v56-series.png)](https://novacustom.com/product/nv41-series/) + +The [NovaCustom V56 Series 16.0 inch coreboot laptop](https://novacustom.com/product/v56-series/) is certified for Qubes OS Release 4. + ### NitroPC Pro 2 [![Photo of the NitroPC Pro 2](/attachment/posts/nitropc-pro.jpg)](https://shop.nitrokey.com/shop/nitropc-pro-2-523) -The [NitroPC Pro 2](https://shop.nitrokey.com/shop/nitropc-pro-2-523) is a desktop based on the MSI PRO Z790-P DDR5 motherboard. It is certified for Qubes OS 4. +The [NitroPC Pro 2](https://shop.nitrokey.com/shop/nitropc-pro-2-523) is a desktop based on the MSI PRO Z790-P DDR5 motherboard. It is certified for Qubes OS Release 4. ### Star Labs StarBook [![Photo of the Star Labs StarBook](/attachment/site/starlabs-starbook.png)](https://starlabs.systems/pages/starbook) -The [Star Labs StarBook](https://starlabs.systems/pages/starbook) is a 14-inch laptop. It is certified for Qubes OS 4. +The [Star Labs StarBook](https://starlabs.systems/pages/starbook) is a 14-inch laptop. It is certified for Qubes OS Release 4. ### NitroPC Pro [![Photo of the NitroPC Pro](/attachment/posts/nitropc-pro.jpg)](https://shop.nitrokey.com/shop/product/nitropc-pro-523) -The [NitroPC Pro](https://shop.nitrokey.com/shop/product/nitropc-pro-523) is a desktop based on the MSI PRO Z690-A DDR5 motherboard. It is certified for Qubes OS 4. +The [NitroPC Pro](https://shop.nitrokey.com/shop/product/nitropc-pro-523) is a desktop based on the MSI PRO Z690-A DDR5 motherboard. It is certified for Qubes OS Release 4. 
### NovaCustom NV41 Series [![Photo of the NovaCustom NV41 Series](/attachment/site/novacustom-nv41-series.png)](https://novacustom.com/product/nv41-series/) -The [NovaCustom NV41 Series](https://novacustom.com/product/nv41-series/) is a 14-inch custom laptop. It is certified for Qubes OS 4. +The [NovaCustom NV41 Series](https://novacustom.com/product/nv41-series/) is a 14-inch custom laptop. It is certified for Qubes OS Release 4. ### Dasharo FidelisGuard Z690 [![Photo of the Dasharo FidelisGuard Z690](/attachment/site/dasharo-fidelisguard-z690.jpg)](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/) -The [Dasharo FidelisGuard Z690](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/) is a desktop based on the MSI PRO Z690-A DDR4 motherboard. It is certified for Qubes OS 4. +The [Dasharo FidelisGuard Z690](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/) is a desktop based on the MSI PRO Z690-A DDR4 motherboard. It is certified for Qubes OS Release 4. ### NitroPad T430 [![Photo of the NitroPad T430](/attachment/site/nitropad-t430.jpg)](https://shop.nitrokey.com/shop/product/nitropad-t430-119) -The [NitroPad T430](https://shop.nitrokey.com/shop/product/nitropad-t430-119) is a laptop based on the ThinkPad T430. It is certified for Qubes OS 4. +The [NitroPad T430](https://shop.nitrokey.com/shop/product/nitropad-t430-119) is a laptop based on the ThinkPad T430. It is certified for Qubes OS Release 4. ### NitroPad X230 [![Photo of the NitroPad X230](/attachment/site/nitropad-x230.jpg)](https://shop.nitrokey.com/shop/product/nitropad-x230-67) -The [NitroPad X230](https://shop.nitrokey.com/shop/product/nitropad-x230-67) is a laptop based on the ThinkPad X230. It is certified for Qubes OS 4. +The [NitroPad X230](https://shop.nitrokey.com/shop/product/nitropad-x230-67) is a laptop based on the ThinkPad X230. It is certified for Qubes OS Release 4. 
### Insurgo PrivacyBeast X230 [![Photo of the Insurgo PrivacyBeast X230](/attachment/site/insurgo-privacybeast-x230.png)](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/) -The [Insurgo PrivacyBeast X230](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/) is a laptop based on the ThinkPad X230. It is certified for Qubes OS 4. +The [Insurgo PrivacyBeast X230](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/) is a laptop based on the ThinkPad X230. It is certified for Qubes OS Release 4. ## Become hardware certified From a086123e56d2993762dc5484492fd2092f611deb Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Tue, 17 Sep 2024 19:14:37 -0700 Subject: [PATCH 4/8] Fix link --- user/hardware/certified-hardware.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user/hardware/certified-hardware.md b/user/hardware/certified-hardware.md index 10aee505..be7ff693 100644 --- a/user/hardware/certified-hardware.md +++ b/user/hardware/certified-hardware.md @@ -27,7 +27,7 @@ The current Qubes-certified models are listed below in reverse chronological ord ### NovaCustom V56 Series 16.0 inch coreboot laptop -[![Photo of the NovaCustom V56 Series 16.0 inch coreboot laptop](/attachment/site/novacustom-v56-series.png)](https://novacustom.com/product/nv41-series/) +[![Photo of the NovaCustom V56 Series 16.0 inch coreboot laptop](/attachment/site/novacustom-v56-series.png)](https://novacustom.com/product/nv56-series/) The [NovaCustom V56 Series 16.0 inch coreboot laptop](https://novacustom.com/product/v56-series/) is certified for Qubes OS Release 4. From fa335c4ed5d7f1406f7474d42cb76d11f4a55c40 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Tue, 17 Sep 2024 19:20:36 -0700 Subject: [PATCH 5/8] Fix link --- user/hardware/certified-hardware.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/user/hardware/certified-hardware.md b/user/hardware/certified-hardware.md index be7ff693..f6c6fd43 100644 --- a/user/hardware/certified-hardware.md +++ b/user/hardware/certified-hardware.md @@ -27,7 +27,7 @@ The current Qubes-certified models are listed below in reverse chronological ord ### NovaCustom V56 Series 16.0 inch coreboot laptop -[![Photo of the NovaCustom V56 Series 16.0 inch coreboot laptop](/attachment/site/novacustom-v56-series.png)](https://novacustom.com/product/nv56-series/) +[![Photo of the NovaCustom V56 Series 16.0 inch coreboot laptop](/attachment/site/novacustom-v56-series.png)](https://novacustom.com/product/v56-series/) The [NovaCustom V56 Series 16.0 inch coreboot laptop](https://novacustom.com/product/v56-series/) is certified for Qubes OS Release 4. From ececab9a45884c85c2475589619649962a00f883 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Tue, 24 Sep 2024 17:51:35 -0700 Subject: [PATCH 6/8] Add NitroPad V56 --- user/hardware/certified-hardware.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/user/hardware/certified-hardware.md b/user/hardware/certified-hardware.md index f6c6fd43..41b825fe 100644 --- a/user/hardware/certified-hardware.md +++ b/user/hardware/certified-hardware.md @@ -25,6 +25,12 @@ Qubes-certified computers are certified for a [major release](/doc/version-schem The current Qubes-certified models are listed below in reverse chronological order of certification. +### NitroPad V56 + +[![Photo of the NitroPad V56](/attachment/site/nitropad-v56.png)](https://shop.nitrokey.com/shop/nitropad-v56-684) + +The [NitroPad V56](https://shop.nitrokey.com/shop/nitropad-v56-684) is certified for Qubes OS Release 4. + ### NovaCustom V56 Series 16.0 inch coreboot laptop [![Photo of the NovaCustom V56 Series 16.0 inch coreboot laptop](/attachment/site/novacustom-v56-series.png)](https://novacustom.com/product/v56-series/) From 78b074236271586a3522caa2a793cc951cfe812d Mon Sep 17 00:00:00 2001 
From: Andrew David Wong Date: Sun, 6 Oct 2024 04:06:46 -0700 Subject: [PATCH 7/8] Replace RSK attributes in examples with variables Users keep getting confused because their output doesn't match the examples, even though the text already says, "This is just an example, so the output you receive may not look exactly the same." Recent examples of this: - https://www.reddit.com/r/Qubes/comments/1f2b221/ - https://forum.qubes-os.org/t/29384 Specifically, users seem to get confused because their RSK has a different date and key ID than the one in the example (which makes sense, because RSKs change with each release), so replacing these specific values with variables may avert some confusion. --- project-security/verifying-signatures.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/project-security/verifying-signatures.md b/project-security/verifying-signatures.md index 5a474674..54e230e8 100644 --- a/project-security/verifying-signatures.md +++ b/project-security/verifying-signatures.md @@ -375,11 +375,11 @@ by the QMSK: ```shell_session $ gpg2 --check-signatures "Qubes OS Release X Signing Key" -pub rsa4096 2017-03-06 [SC] - 5817A43B283DE5A9181A522E1848792F9E2795E9 +pub rsa4096 YYYY-MM-DD [SC] + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX uid [ full ] Qubes OS Release X Signing Key -sig!3 1848792F9E2795E9 2017-03-06 Qubes OS Release X Signing Key -sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key +sig!3 XXXXXXXXXXXXXXXX YYYY-MM-DD Qubes OS Release X Signing Key +sig! DDFA1A3E36879494 YYYY-MM-DD Qubes Master Signing Key gpg: 2 good signatures ``` 
@@ -397,9 +397,9 @@ As a final sanity check, make sure the RSK is in your keyring with the correct trust level: ```shell_session -$ gpg2 -k "Qubes OS Release" -pub rsa4096 2017-03-06 [SC] - 5817A43B283DE5A9181A522E1848792F9E2795E9 +$ gpg2 -k "Qubes OS Release X Signing Key" +pub rsa4096 YYYY-MM-DD [SC] + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX uid [ full ] Qubes OS Release X Signing Key ``` @@ -533,7 +533,7 @@ $ gpg2 -v --verify Qubes-RX-x86_64.iso.DIGESTS gpg: armor header: Hash: SHA256 gpg: armor header: Version: GnuPG v2 gpg: original file name='' -gpg: Signature made Tue 20 Sep 2016 10:37:03 AM PDT using RSA key ID 03FA5082 +gpg: Signature made
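Review bot: in PATCH 1/8, hunk `@@ -33,9 +33,13` of user/hardware/system-requirements.md, both new CPU sub-bullets link to `[below](#important-updates)`, but no heading that would generate that id appears in the visible hunks of this file; the microcode notes themselves are added to the bullet list in `@@ -84,6 +88,49`. Please confirm the fragment matches the id of the section that holds those notes, since a wrong fragment fails silently and the reader never reaches the explanation for why AMD is not recommended.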
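Review bot: in PATCH 2/8, hunk `@@ -116,7 +125,7`, the removed and added lines both read "lifted, but it did not make fixes available for client platforms facing the", so this looks like a whitespace-only fix to a line introduced in PATCH 1/8. It is unrelated to the subject "Include link to Intel's list of end-of-support dates"; consider folding it into PATCH 1/8 so that this commit carries only the Intel paragraph.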
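Review bot: in PATCH 3/8, hunk `@@ -25,53 +25,59` of user/hardware/certified-hardware.md, the photo in the new NovaCustom V56 entry links to `https://novacustom.com/product/nv41-series/`, while the text link on the next added line points to `https://novacustom.com/product/v56-series/`; the image target looks copied from the NV41 entry and should match the text link. Separately, the same hunk rewords "Qubes OS 4" to "Qubes OS Release 4" in every existing entry, which the subject line does not mention; a separate commit would keep the addition of a certified model easy to audit.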
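Review bot: in PATCH 4/8, hunk `@@ -27,7 +27,7`, the corrected image link `https://novacustom.com/product/nv56-series/` still differs from the text link `https://novacustom.com/product/v56-series/` in the context line directly below it, so the entry remains inconsistent until PATCH 5/8 changes it again. Both commits carry the subject "Fix link"; squashing them into PATCH 3/8 would avoid leaving an intermediate revision with a wrong vendor URL on the certified hardware page.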
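Review bot: in PATCH 6/8, hunk `@@ -25,6 +25,12`, the new NitroPad V56 entry says only that the machine "is certified for Qubes OS Release 4", whereas the other NitroPad entries state the form factor and base model (for example "is a laptop based on the ThinkPad T430"). Please add the equivalent description so readers can tell what hardware the certification covers.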
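Review bot: in PATCH 7/8, hunk `@@ -375,11 +375,11` of project-security/verifying-signatures.md, the letter X now stands for two different things in one example: the release number in "Qubes OS Release X Signing Key" and the hex digits in the 40-character fingerprint and the `sig!3` key ID. With the real values gone, the example also no longer shows that the self-signature key ID is the tail of the fingerprint. Keeping the QMSK key ID `DDFA1A3E36879494` literal is the right call, since that is the value users must match; please add a sentence next to the block stating that the X runs and `YYYY-MM-DD` are placeholders that differ per release and that the `sig!` line from the Qubes Master Signing Key is the one to check.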
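Review bot: in PATCH 7/8, hunk `@@ -397,9 +397,9`, the command changes from `gpg2 -k "Qubes OS Release"`, which could be run verbatim, to `gpg2 -k "Qubes OS Release X Signing Key"`, which contains the placeholder X. Given that the commit message cites users being confused by output that does not match the example, please state beside the command that X must be replaced with the release number, or keep the shorter query here.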