proposal: second qubes-certified laptop is Lenovo Thinkpad x220/x230 #1771
Comments
andrewdavidwong
Feb 26, 2016
Member
Cheapness and ubiquity are big pros, but I have two concerns:
- Recommending that users buy used hardware for Qubes runs contrary to some of the security advice we give (compromised hardware = permanent game over = throw out your laptop and get a new one).
- Does it have a TPM? The HCL cell is blue (unknown).
mfc
Feb 26, 2016
Member
Yes it seems to have TPM 1.2 according to this official spec sheet: https://www.lenovo.com/shop/americas/content/pdf/system_data/x220_tech_specs.pdf
Compromised hardware could be new hardware as well as old. There isn't really a solution to "I want hardware I can trust" unfortunately.
andrewdavidwong
Feb 26, 2016
Member
> Compromised hardware could be new hardware as well as old. There isn't really a solution to "I want hardware I can trust" unfortunately.
New hardware and used hardware are not equivalent in this respect. To compromise new hardware, you have limited opportunities:
- Compel the manufacturer to cooperate
- Stage an interdiction operation
- Subvert the manufacturing process
All of these are risky and/or costly. Stakes are high. Being discovered would be a disaster.
To compromise used hardware, all you have to do is:
- Buy new hardware, compromise it, then resell it as used
The seller can pose as a random online merchant and can plausibly deny having compromised the hardware. ("It must have been like that when I bought it. I'm just a reseller.")
mfc
Feb 27, 2016
Member
I agree with you (from a malicious individual reseller perspective), however used hardware can also be purchased anonymously/pseudonymously much more easily (Craigslist) if you are worried about state-level targeting.
These are issues for the individual to consider during the "buying things" process, it is ultimately the user's choice to buy things, how they go about it, what trust they have with the seller, etc. We are not compelling anyone to purchase anything, nor what method to do so.
I strongly believe that we should be listing/certifying a computer that fills all of those attributes I listed.
andrewdavidwong
Feb 28, 2016
Member
Ok, sounds like a reasonable idea to me. It's true that we're not compelling anyone, but an official endorsement is significant. As long as we duly inform users of the security risks, I agree we should leave the decision up to them.
tasket
Feb 28, 2016
IIRC the x220 is very close to its T-series counterparts, the T420 and T420s (and probably the T520 too, although it has no HCL entry). Also Qubes was supposedly developed on the T420 and T420s. So I think those T models from that generation should be among the first to be added to the certified list.
andrewdavidwong added the business label Apr 6, 2016
mfc
Aug 13, 2016
Member
just to update this, this may merge into #1594 and https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/ efforts and instead be a x230 (so positioning this for Qubes 4.0 certification).
on the surface only difference between x220 and x230 seems to be ~price and USB 3.0 ports (which may be worthwhile).
also would be nice to confirm if the laptop with coreboot could boot from sdcard for AEM (see related qubes-users thread).
mfc
Oct 5, 2016
Member
hardware compatibility
To permanently enable middle button scrolling for x220/x230, create the following script in your dom0 home directory:
```
sudo vi start_trackpoint.sh
```
```
#!/bin/sh
# Enable wheel emulation on the TrackPoint: hold the middle button (2) to scroll
xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation" 1
xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Button" 2
xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Timeout" 200
```
Make it executable:
```
sudo chmod +x start_trackpoint.sh
```
And a file to execute it on boot:
```
sudo vi /etc/xdg/autostart/ibm-trackpoint.desktop
```
```
[Desktop Entry]
Type=Application
Exec=/home/[USER]/start_trackpoint.sh
Terminal=false
Name=IBM Trackpoint
GenericName=IBM Trackpoint
StartupNotify=false
Categories=System;X-Xfce-Toplevel;
```
modified from https://www.peerlyst.com/posts/evaluating-qubes-os-as-a-penetration-testing-platform-andrew-douma
tasket
Oct 5, 2016
AEM seems to be a compat tripping point right now. How compatible are these models with the latest AEM w/ tboot 1.9.4?
See issue #2155
mfc changed the title from "proposal: second qubes-certified laptop is Lenovo Thinkpad x220" to "proposal: second qubes-certified laptop is Lenovo Thinkpad x220/x230" Nov 25, 2016
andrewdavidwong added the C: website label Dec 23, 2016
andrewdavidwong added this to the Documentation/website milestone Dec 23, 2016
Jarwolf
Mar 19, 2017
I read this whole page and found it very interesting. I am wanting to have a laptop that works with Qubes. I have a Windows MSI in which I play games and such on, which is out of the equation. I have an HP notebook of some sort and has Windows. I am currently installing it on here and had to boot the USB from UEFI I think it was. It was the only way to actually get it to install. Now, previously, it asked for the 'disc password' on the boot up of Qubes. As soon as I would hit enter after inserting my password, no more than 5 seconds later, the laptop shuts down. I can't afford 1500 on a laptop... Honestly, just spent the last 600 I had on bills and a ham radio, so yep... I'm keeping my fingers crossed that this will work this time around.
mfc
Nov 1, 2017
Member
just to add a potential argument against the x230, in order for the USB qube to work one has to set pci strict reset to false, which is a security risk. Setting USB controller to USB2.0 only in BIOS is insufficient. When I have some more free time I will do a reinstall on a Heads/coreboot machine and see if I have to set this to false on that machine as well.
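The reset issue described in the comment above can be checked on a candidate machine before strict reset is relaxed. The script below is an added example, not part of the thread or of Qubes: it reads `lspci -vv` text and lists devices that advertise no Function Level Reset. The sample input is constructed, the function name `devices_without_flr` is hypothetical, and treating a missing `FLReset+`/`FLR+` flag as the reason strict reset fails is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): list PCI devices whose capability
# dump shows no Function Level Reset. Assumption: such devices are the ones
# that cannot be reset cleanly when handed to a qube.

# Constructed sample in the layout of `lspci -vv` output.
SAMPLE='00:14.0 USB controller: Example xHCI controller (constructed)
    Capabilities: [70] Power Management version 2
00:19.0 Ethernet controller: Example Gigabit NIC (constructed)
    Capabilities: [c8] Power Management version 2
00:1a.0 USB controller: Example EHCI controller (constructed)
    Capabilities: [98] PCI Advanced Features
        AFCap: TP+ FLR+
03:00.0 Network controller: Example wireless adapter (constructed)
    Capabilities: [40] Express (v2) Endpoint, MSI 00
        DevCap: MaxPayload 128 bytes, PhantFunc 0
            ExtTag- AttnBtn- AttnInd- PwrInd- RBE+ FLReset+ SlotPowerLimit 0W'

# devices_without_flr CLASS
#   Reads `lspci -vv` text on stdin and prints the address of every device
#   whose description contains CLASS (empty CLASS = every device) and whose
#   block has neither a PCIe "FLReset+" nor an Advanced Features "FLR+" flag.
devices_without_flr() {
    awk -v class="$1" '
        function emit() {
            if (dev != "" && !flr && (class == "" || index(desc, class)))
                print dev
        }
        # A device header starts in column 0 with its bus address.
        /^[0-9a-f]/ { emit(); dev = $1; desc = $0; flr = 0; next }
        # Indented capability lines belong to the current device.
        /FLReset\+|FLR\+/ { flr = 1 }
        END { emit() }
    '
}

# Demo on the constructed sample. On a real machine, run as root so the
# capability list is complete:  lspci -vv | devices_without_flr "USB controller"
printf '%s\n' "$SAMPLE" | devices_without_flr "USB controller"
```

A controller listed here is a candidate for the reset problem; one that is not listed should be attachable to a USB or net qube with strict reset left on.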
reconmaster
Dec 13, 2017
With a refurbed x230, 4.0 installed reasonably well. Only issue with default Lenovo firmware was sys-net. Subsequent research suggests coreboot can resolve this, and I'll be trying libreboot over xmas. I suspect this may be related to @mfc's point about pci reset flag.
I'd say if providing support for these older comps, it would probably be pragmatic to focus on those supported by open firmware. Given the risks incurred with the ME, securing the hardware stack should align with Qubes' mission statement. Probably a disclaimer about dangers of low-level threats should at least accompany them wherever they end up in the docs.
Assigning to @rootkovska and @marmarek to decide.
mfc commented Feb 23, 2016
the second qubes-certified hardware should fulfill the following needs:
I propose we choose the Thinkpad x220: it is the oldest Thinkpad x-series with VT-d (the x200 and x201 do not), all over the place used/refurbished, very inexpensive (~250 USD/EUR), portable, can be loaded with 16gb ram, and seems to have good compatibility: https://www.qubes-os.org/hcl/
All of the chipsets available for it (i5-2520M, i5-2540M, i7-2620M) seem to meet Qubes System Requirements: https://support.lenovo.com/us/en/documents/pd015812
It's worth noting this datasheet includes two other processors for the x220 without VT-d: https://shop.lenovo.com/ISS_Static/ww/wci/us/ww/pdf/X220_datasheet.pdf
I have looked online and not seen x220 advertised with these processors much -- the i3-2310M x220 I have seen online listed instead as the x220i, and the i5-2410M x220 seems to have been a smaller run (I don't see them being sold on ebay or NewEgg).
Still, if we were to choose it we would highlight on the page the compatible processors for the user to ensure they get an appropriate x220.
here is a tech-spec sheet with further details (TPM, etc):
https://www.lenovo.com/shop/americas/content/pdf/system_data/x220_tech_specs.pdf
I would be interested in others' thoughts!