diff --git a/user/hardware/certified-hardware.md b/user/hardware/certified-hardware.md index a5ef3789..f6c6fd43 100644 --- a/user/hardware/certified-hardware.md +++ b/user/hardware/certified-hardware.md 
@@ -25,53 +25,59 @@ Qubes-certified computers are certified for a [major release](/doc/version-schem The current Qubes-certified models are listed below in reverse chronological order of certification. +### NovaCustom V56 Series 16.0 inch coreboot laptop + +[![Photo of the NovaCustom V56 Series 16.0 inch coreboot laptop](/attachment/site/novacustom-v56-series.png)](https://novacustom.com/product/v56-series/) + +The [NovaCustom V56 Series 16.0 inch coreboot laptop](https://novacustom.com/product/v56-series/) is certified for Qubes OS Release 4. + ### NitroPC Pro 2 [![Photo of the NitroPC Pro 2](/attachment/posts/nitropc-pro.jpg)](https://shop.nitrokey.com/shop/nitropc-pro-2-523) -The [NitroPC Pro 2](https://shop.nitrokey.com/shop/nitropc-pro-2-523) is a desktop based on the MSI PRO Z790-P DDR5 motherboard. It is certified for Qubes OS 4. +The [NitroPC Pro 2](https://shop.nitrokey.com/shop/nitropc-pro-2-523) is a desktop based on the MSI PRO Z790-P DDR5 motherboard. It is certified for Qubes OS Release 4. ### Star Labs StarBook [![Photo of the Star Labs StarBook](/attachment/site/starlabs-starbook.png)](https://starlabs.systems/pages/starbook) -The [Star Labs StarBook](https://starlabs.systems/pages/starbook) is a 14-inch laptop. It is certified for Qubes OS 4. +The [Star Labs StarBook](https://starlabs.systems/pages/starbook) is a 14-inch laptop. It is certified for Qubes OS Release 4. ### NitroPC Pro [![Photo of the NitroPC Pro](/attachment/posts/nitropc-pro.jpg)](https://shop.nitrokey.com/shop/product/nitropc-pro-523) -The [NitroPC Pro](https://shop.nitrokey.com/shop/product/nitropc-pro-523) is a desktop based on the MSI PRO Z690-A DDR5 motherboard. It is certified for Qubes OS 4. +The [NitroPC Pro](https://shop.nitrokey.com/shop/product/nitropc-pro-523) is a desktop based on the MSI PRO Z690-A DDR5 motherboard. It is certified for Qubes OS Release 4. 
### NovaCustom NV41 Series [![Photo of the NovaCustom NV41 Series](/attachment/site/novacustom-nv41-series.png)](https://novacustom.com/product/nv41-series/) -The [NovaCustom NV41 Series](https://novacustom.com/product/nv41-series/) is a 14-inch custom laptop. It is certified for Qubes OS 4. +The [NovaCustom NV41 Series](https://novacustom.com/product/nv41-series/) is a 14-inch custom laptop. It is certified for Qubes OS Release 4. ### Dasharo FidelisGuard Z690 [![Photo of the Dasharo FidelisGuard Z690](/attachment/site/dasharo-fidelisguard-z690.jpg)](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/) -The [Dasharo FidelisGuard Z690](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/) is a desktop based on the MSI PRO Z690-A DDR4 motherboard. It is certified for Qubes OS 4. +The [Dasharo FidelisGuard Z690](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/) is a desktop based on the MSI PRO Z690-A DDR4 motherboard. It is certified for Qubes OS Release 4. ### NitroPad T430 [![Photo of the NitroPad T430](/attachment/site/nitropad-t430.jpg)](https://shop.nitrokey.com/shop/product/nitropad-t430-119) -The [NitroPad T430](https://shop.nitrokey.com/shop/product/nitropad-t430-119) is a laptop based on the ThinkPad T430. It is certified for Qubes OS 4. +The [NitroPad T430](https://shop.nitrokey.com/shop/product/nitropad-t430-119) is a laptop based on the ThinkPad T430. It is certified for Qubes OS Release 4. ### NitroPad X230 [![Photo of the NitroPad X230](/attachment/site/nitropad-x230.jpg)](https://shop.nitrokey.com/shop/product/nitropad-x230-67) -The [NitroPad X230](https://shop.nitrokey.com/shop/product/nitropad-x230-67) is a laptop based on the ThinkPad X230. It is certified for Qubes OS 4. +The [NitroPad X230](https://shop.nitrokey.com/shop/product/nitropad-x230-67) is a laptop based on the ThinkPad X230. It is certified for Qubes OS Release 4. 
### Insurgo PrivacyBeast X230 [![Photo of the Insurgo PrivacyBeast X230](/attachment/site/insurgo-privacybeast-x230.png)](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/) -The [Insurgo PrivacyBeast X230](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/) is a laptop based on the ThinkPad X230. It is certified for Qubes OS 4. +The [Insurgo PrivacyBeast X230](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/) is a laptop based on the ThinkPad X230. It is certified for Qubes OS Release 4. ## Become hardware certified diff --git a/user/hardware/system-requirements.md b/user/hardware/system-requirements.md index a31c582a..ffe39f7c 100644 --- a/user/hardware/system-requirements.md +++ b/user/hardware/system-requirements.md 
@@ -33,9 +33,13 @@ title: System requirements ## Recommended -- **CPU:** 64-bit Intel or AMD processor (also known as `x86_64`, `x64`, and `AMD64`) - - [Intel VT-x](https://en.wikipedia.org/wiki/X86_virtualization#Intel_virtualization_.28VT-x.29) with [EPT](https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Extended_Page_Tables) or [AMD-V](https://en.wikipedia.org/wiki/X86_virtualization#AMD_virtualization_.28AMD-V.29) with [RVI](https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Rapid_Virtualization_Indexing) - - [Intel VT-d](https://en.wikipedia.org/wiki/X86_virtualization#Intel-VT-d) or [AMD-Vi (also known as AMD IOMMU)](https://en.wikipedia.org/wiki/X86_virtualization#I.2FO_MMU_virtualization_.28AMD-Vi_and_Intel_VT-d.29) +- **CPU:** 64-bit Intel processor (also known as `x86_64`, `x64`, and `Intel 64`) + - [Intel VT-x](https://en.wikipedia.org/wiki/X86_virtualization#Intel_virtualization_.28VT-x.29) with [EPT](https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Extended_Page_Tables) + - [Intel VT-d](https://en.wikipedia.org/wiki/X86_virtualization#Intel-VT-d) + - For security, we recommend processors that are recent enough to still be + receiving microcode updates (see [below](#important-updates) for details). + - AMD processors are not recommended due to inconsistent security support on + client platforms (see [below](#important-updates) for details). - **Memory:** 16 GB RAM @@ -44,9 +48,9 @@ title: System requirements - **Graphics:** Intel integrated graphics processor (IGP) strongly recommended - Nvidia GPUs may require significant - [troubleshooting](/doc/install-nvidia-driver/) + [troubleshooting](/doc/install-nvidia-driver/). - AMD GPUs have not been formally tested, but Radeons (especially RX580 and - earlier) generally work well + earlier) generally work well. - **Peripherals:** A non-USB keyboard or multiple USB controllers 
@@ -84,6 +88,58 @@ We recommend consulting these resources when selecting hardware for Qubes OS: - **Installing Qubes in a virtual machine is not recommended, as it uses its own bare-metal hypervisor (Xen).** +- There is a class of security vulnerabilities that can be fixed only by + microcode updates. If your computer or the CPU in it no longer receives + microcode updates (e.g., because it is too old), it may not be possible for + some of these vulnerabilities to be mitigated on your system, leaving you + vulnerable. For this reason, we recommend using Qubes OS on systems that are + still receiving microcode updates. Nonetheless, Qubes OS **can** run on + systems that no longer receive microcode updates, and such systems will still + offer significant security advantages over conventional operating systems on + the same hardware. + + Intel maintains a + [list](https://www.intel.com/content/www/us/en/support/articles/000022396/processors.html) + of end-of-support dates for its processors. However, this list seems to + include only processors that are no longer supported or will soon no longer + be supported. Many newer Intel processors are missing from this list. To our + knowledge, Intel does not announce end-of-support dates for its newer + processors in advance, nor does it have a public policy governing how long + support will last. + +- Intel and AMD handle microcode updates differently, which has significant + security implications. On Intel platforms, microcode updates can typically be + loaded from the operating system. This allows the Qubes security team to + respond rapidly to new vulnerabilities by shipping microcode updates alongside + other security updates directly to users. By contrast, on AMD client (as + opposed to server) platforms, microcode updates are typically shipped only as + part of system firmware and generally cannot be loaded from the operating + system. This means that AMD users typically must wait for: + + 1. 
AMD to distribute microcode updates to original equipment manufacturers + (OEMs), original design manufacturers (ODMs), and motherboard manufacturers + (MB); and + 2. The user's OEM, ODM, or MB to provide a suitable BIOS or (U)EFI update for + the user's system. + + Historically, AMD has often been slow to complete step (1), at least for its + client (as opposed to server) platforms. In some cases, AMD has made fixes + available for its server platforms very shortly after a security embargo was + lifted, but it did not make fixes available for client platforms facing the + same vulnerability until weeks or months later. (A "security embargo" is the + practice of avoiding public disclosure of a security vulnerability prior to a + designated date.) By contrast, Intel has consistently made fixes available for + new CPU vulnerabilities across its supported platforms very shortly after + security embargoes have been lifted. + + Step (2) varies by vendor. Many vendors fail to complete step (2) at all, + while some others take a very long time to complete it. + + The bottom line is that Qubes OS **can** run on AMD systems, and the Qubes and + Xen security teams do their best to provide security support for AMD systems. + However, without the ability to ship microcode updates, there is only so much + they can do. + - Qubes **can** be installed on many systems that do not meet the recommended requirements. Such systems will still offer significant security improvements over traditional operating systems, since things like GUI isolation and
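Review bot: in the certified-hardware.md hunk, the new NovaCustom V56 entry puts the form factor and firmware ("16.0 inch coreboot laptop") into the heading, the image alt text and the link text, whereas the other entries use the bare model name as the heading and describe the machine in the body sentence (for example "is a 14-inch custom laptop. It is certified for Qubes OS Release 4."). Suggest heading it "NovaCustom V56 Series" and moving the description into the sentence, so the heading anchor stays short and the list reads uniformly. The "Qubes OS 4" to "Qubes OS Release 4" rename is applied consistently to all eight existing entries.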
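Review bot: in the first system-requirements.md hunk (Recommended, CPU), both new sub-bullets link to `#important-updates`, but no heading that would generate that anchor is visible in this patch, and the text they point at is added in the later hunk as plain list items. Please confirm the anchor resolves on the rendered page, or link to the heading of the section that actually contains the new microcode bullets. Separately, "64-bit Intel processor (also known as `x86_64`, `x64`, and `Intel 64`)" now reads as though `x86_64` and `x64` were Intel-specific names. Since the later hunk still says Qubes OS can run on AMD systems, consider keeping the architecture statement vendor-neutral and leaving the vendor recommendation to the "AMD processors are not recommended" sub-bullet.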
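Review bot: in the last system-requirements.md hunk, the paragraph beginning "Historically, AMD has often been slow to complete step (1)" makes comparative claims about vendor response times ("weeks or months later", "Intel has consistently made fixes available ... very shortly after") without any reference. This text is the justification for the changed CPU recommendation, so suggest linking the relevant security bulletins or vendor advisories to let readers verify it. Two smaller points in the same hunk: "(MB)" is introduced as an abbreviation for "motherboard manufacturers" and then used in "OEM, ODM, or MB", which reads as the board rather than its manufacturer. Also, the first bullet recommends systems "still receiving microcode updates" while noting that Intel's list omits many newer processors, so a sentence on how a user can determine the status of a processor that is not on the list would help.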