Hardware brands which you trust to run Qubes

I would like to ask the Qubes OS community which hardware companies you trust enough to run Qubes OS with sensitive data/actions, and of course why.

See also: https://qubes-os.discourse.group/t/how-can-we-ever-trust-our-hardware-supply-chain-attack/2846.

Relevant earlier posts:

@fiftyfourthparallel I did not imply any particular definition of “verify”, I am open to your own definition. Any verification is better than none (though reading the source is of course even better). Since you confirmed your interest in discussing this, would you name the brands you trust here?

Discussion of boot security can be found in another topic, too.

1 Like

Personally, I run my Qubes OS on Purism Librem 15 laptop and trust this company despite some problems in their communication with customers and frequent delivery delays. I am not aware of any proven security-related issues. They are the most transparent and free-software-supporting company producing modern hardware that I know of.

We have a separate thread to discuss Purism though. See also the corresponding thread on Purism forums and the reply by Purism CSO concerning supply-chain attacks.

2 Likes

I use older Lenovo hardware. Lenovo have certainly done some untrustworthy things – here’s a list – but they seem merely misguided or profit motivated, typical corporate stuff. And running linux / flashing coreboot resolves the items on that list. I’m not aware of a specific hardware backdoor they have built into their systems.

2 Likes

My position should be clear from our previous exchanges, so all I’ll say is that people’s threat models differ from one another and trusted brands differ accordingly (e.g. a Pixelbook is a bad choice for someone who has Google in their threat model, but a good choice for a dissenter in Myanmar).

2 Likes

I use older Lenovo hardware. Lenovo have certainly done some untrustworthy things – here’s a list – but they seem merely misguided or profit motivated, typical corporate stuff. And running linux / flashing coreboot resolves the items on that list. I’m not aware of a specific hardware backdoor they have built into their systems.

The same here. I also prefer AMD processors to Intel.

Would you mind explaining why? AMD processors have PSP, which - unlike Intel ME - cannot be disabled and neutralized.

@deeplow I would like to suggest that this thread does not belong to All around Qubes category, just like these two threads don’t: Purchasing a new (or second hand) laptop and Discussion on Purism. Qubes users will be always asking for suitable laptops to run Qubes and it’s very much on topic of these forums AFAIK. What do you think?

I use an older processor that does not have PSP but works quite well with Qubes. It is not as fast as most systems tested here (this boot-up Debian-minimal test takes around 11 to 12 seconds most of the time, including a few anomalies - both faster and slower)

I also think that lately AMD has been producing processors that, overall, offer better value for money than a lot of Intel processors.

In general, I don’t trust devices that are connected to the internet, meaning that I try to avoid using all of these “Internet of Things” gadgets. I don’t need Alexa telling me what time it is and I don’t need Cortana telling jokes and so on. I also don’t like operating systems like Windows10. When using it I don’t feel like I am in control, it seems to have a life of its own.

That’s why I like Qubes and Coreboot and all those (little) projects that are trying to be an alternative to the big (tech) companies without making a fool of their customers.

3 Likes

If you have the time, would you kindly add an entry with your results to the table? I’d appreciate it

Fair enough. Moved

2 Likes

Yes, of course. I planned on doing that anyway. The numbers above were the result of a few preliminary runs. I will run that script and the manual testing soon.

1 Like

well i mean idk bout that… at the end of the day we’re speaking of a Chinese company beholden to the ccp
a company without the best of histories and one that spesifically targets hardware to companies!
i mean forget about the spyware and bloatware you’re getting with lenovo
even if you clean everything up there’s still the risk of hardware backdoors

and a massive risk

MASSIVE risk…

let me just ping you… commented about this

Any company is beholden to their government (or governments where their hardware components are assembled) - what matters is whether their hardware was actually tampered with. AFAIK Lenovo only modified some of their software for their company profit interest, not for their government’s interest, and it’s wiped in the coreboot flashing process.

Anyway, thinkpads are very popular, and older thinkpads have attracted the interest of modders and firmware developers. There are many eyes on the hardware. Schematics are available for the older thinkpads (google “wistron x230 schematic”). So it is nearly open hardware that has been subject to a lot of scrutiny.

2 Likes

At the moment I don’t know of any “massive risk” with Lenovo laptops, especially the older ones.
I’ve read about “superfish” and the so called “service engine” and of course especially the former has been a huge mistake but efforts to gather information are hardly exclusive to Lenovo.

I also agree with what @airelemental has written.

1 Like

While I do not dispute what you say, I would caution against thinking this has anything special to do with China or its ruling party. The same logic applies to Intel, AMD, Google, Microsoft, and many others, all of whom are U.S. or U.S.-based companies with long histories of collaborating with the United States government, sometimes willingly. They also all reside within the NSA’s backyard, for whom we do not really have a threat model because “they are somewhere between a usual state level attacker and Cthulhu”. Perhaps China’s 3PLA/4PLA is at a similar adversarial level, but the NSA likely remains chief among them in the pantheon.

I agree that Lenovo has a problematic history and its relationship with China is worrisome, though this should not be any different from a U.S. company unless your threat model for some reason includes the Chinese government and its APTs but not the U.S. or its—in which case, you are probably the U.S. government.

Currently, it is primarily the U.S. government that has prohibited Lenovo from use among its operatives for nationalistic reasons. If you agree with that assessment and include Chinese companies in your threat model, despite the lack of evidence that Lenovo has been used as a hardware attack vector outside of U.S. agencies (assuming even that is true), then you probably should view U.S. companies with similar concern. And when it comes to an eldritch abomination like the NSA, not even the anti-tampering and anti-interdiction services of NitroPad and Purism may be enough.

Regards,
John

P. S. To clarify, I am not saying to trust Lenovo; I am only saying to distrust it as much as you distrust any hardware tied to the U.S. and feasibly within its government’s reach. The current state of hardware trust and security is deeply depressing and unlikely to improve in any large amount (unless you count Google’s open hardware ventures to be an improvement), and this is only compounded by the adversarial nature of nearly all corporations and nation-states.

2 Likes

well no let me put it this way… first of all a (at least in theory) reasonably transparent democratic government with rule of law and limitation of power is very very very different then a dictatorship that could force any company to do whatever and send anyone to prison/have killed with a symbolic judge who’s aligned with the party arbitrary enforcment of the law no jury transparency etc

very very different… in the us sure the government can force companies to do a lot (but then often that won’t hold in court might be useful in a few situations like stopping of terrorism but you get the point)

also whistelblowers journalists and so on get some protection under the law unlike in well china where the authorities will kill you’re family to control you even if you’re for ample overseas and i can go on and on about the difference

china’s also very corrupt lacks supervision and so on

while getting anything from any goverment isn’t ideal china has been known before to compromise hardware and u know it’s horrible that so much of our manufactoring is there (taiwan is great don’t get me wrong that’s where i’d suggest you get you’re computer parts but it’s not without it’s issues)

the real issue is that you can never know… now ok with older parts for sure
they don’t after all at the end of the day compromise everything the issue is that there’s allways that risk

unless you’re willing to inspect everything to the teeth

1 Like

oh and i clarified my argument against china

but let me also add on top of that, that yes indeed you should always worry about all governments and…
but personally while i’m not happy with the idea that the nsa would hae my data i can live with it (it’s not ideal and the goverment should not have that right/power!) many would not want this but still it is much better to have you’re data in the hands of a goverment with the rule of law
not one where if you’re “lawyer” does too good of a job he gets charged and prosecuted arbitrarily

a nation so corrupt where people w’d happely sell you’re data for a couple of bucks (and i don’t just mean credit card information i mean if you care about privacy you can have some blackmail able material on you’re system)
and yes i know this is all farfetched and unluckily anyway

but again a low or a high level bureaucrat accessing my information from the us is much less concerning then a high level “trustworthy” official from china

We may need to agree to disagree here, @rjo74618, because I honestly struggled to tell whether you were describing China or the United States in your replies above due to their mutual culpability in such behavior; and I consider neither to be transparent, democratic, governed by the rule of law, or limiting toward their own power. We apparently have radically different assessments of the U.S. government, it activities, its threat level, and the credibility of its claimed rationale for them. Here is not the place to discuss that however, since that strays too far from the topic.

We can both agree that the Chinese government is one of the most dangerous threat actors globally and any electronics produced under its auspices may pose a general threat to everyone, especially those purchased by companies and decommissioned for resale (such as is the usual stock of used Thinkpads). We can also both agree that Lenovo does not have an encouraging record, especially if the U.S. government’s allegations of it being a vector for supply-chain attacks are true, and that Lenovo’s products should not be apportioned any additional trust just because they make (or made, years ago) products with certain desirable qualities. Lastly, we can agree that any hardware produced in countries with powerful nation-state threat actors and governments with a record of mass surveillance and gross violations of basic human rights should be immediately suspect, especially for anything critical, and preferably avoided or at least assessed with a much stronger degree of scrutiny.

Regards,
John

1 Like

This discussion is entertaining, but it probably belongs to its own thread (just like Discussion on Purism). @deeplow do you agree?

You are of course entitled to your opinion, but consider some official democracy rankings and the like designed by scientists, which clearly show the difference between China and USA and explain it.

Yes, I would say it may belong in the #all-around-qubes category (announced here).