proposal: second qubes-certified laptop is Lenovo Thinkpad x220/x230

[mfc]

the second qubes-certified hardware should fulfill the following needs:

• laptop
• accessible used / second-hand
• cheap
• globally ubiquitous
• fulfills the System Requirements

I propose we choose the Thinkpad x220: it is the oldest Thinkpad x-series with VT-d (the x200 and x201 do not), all over the place used/refurbished, very inexpensive (~250 USD/EUR), portable, can be loaded with 16gb ram, and seems to have good compatibility: https://www.qubes-os.org/hcl/

All of the chipsets available for it (i5-2520M, i5-2540M, i7-2620M) seem to meet Qubes System Requirements: https://support.lenovo.com/us/en/documents/pd015812

It's worth noting this datasheet includes two other processors for the x220 without VT-d: https://shop.lenovo.com/ISS_Static/ww/wci/us/ww/pdf/X220_datasheet.pdf

I have looked online and not seen x220 advertised with these processors much -- the i3-2310M x220 I have seen online listed instead as the x220i, and the i5-2410M x220 seems to have been a smaller run (I don't see them being sold on ebay or NewEgg).

Still, if we were to choose it we would highlight on the page the compatible processors for the user to ensure they get an appropriate x220.

here is a tech-spec sheet with further details (TPM, etc):
https://www.lenovo.com/shop/americas/content/pdf/system_data/x220_tech_specs.pdf

I would be interested in others' thoughts!

[andrewdavidwong]

Cheapness and ubiquity are big pros, but I have two concerns:

• Recommending that users buy used hardware for Qubes runs contrary to some of the security advice we give (compromised hardware = permanent game over = throw out your laptop and get a new one).
• Does it have a TPM? The HCL cell is blue (unknown).

[andrewdavidwong]

Cheapness and ubiquity are big pros, but I have two concerns:

• Recommending that users buy used hardware for Qubes runs contrary to some of the security advice we give (compromised hardware = permanent game over = throw out your laptop and get a new one).
• Does it have a TPM? The HCL cell is blue (unknown).

[mfc]

Yes it seems to have TPM 1.2 according to this official spec sheet: https://www.lenovo.com/shop/americas/content/pdf/system_data/x220_tech_specs.pdf

Compromised hardware could be new hardware as well as old. There isn't really a solution to "I want hardware I can trust" unfortunately.

[mfc]

Yes it seems to have TPM 1.2 according to this official spec sheet: https://www.lenovo.com/shop/americas/content/pdf/system_data/x220_tech_specs.pdf

Compromised hardware could be new hardware as well as old. There isn't really a solution to "I want hardware I can trust" unfortunately.

[andrewdavidwong]

Compromised hardware could be new hardware as well as old. There isn't really a solution to "I want hardware I can trust" unfortunately.

New hardware and used hardware are not equivalent in this respect. To compromise new hardware, you have limited opportunities:

• Compel the manufacturer to cooperate
• Stage an interdiction operation
• Subvert the manufacturing process

All of these are risky and/or costly. Stakes are high. Being discovered would be a disaster.

To compromise used hardware, all you have to do is:

• Buy new hardware, compromise it, then resell it as used

The seller can pose as a random online merchant and can plausibly deny having compromised the hardware. ("It must have been like that when I bought it. I'm just a reseller.")

[andrewdavidwong]

Compromised hardware could be new hardware as well as old. There isn't really a solution to "I want hardware I can trust" unfortunately.

New hardware and used hardware are not equivalent in this respect. To compromise new hardware, you have limited opportunities:

• Compel the manufacturer to cooperate
• Stage an interdiction operation
• Subvert the manufacturing process

All of these are risky and/or costly. Stakes are high. Being discovered would be a disaster.

To compromise used hardware, all you have to do is:

• Buy new hardware, compromise it, then resell it as used

The seller can pose as a random online merchant and can plausibly deny having compromised the hardware. ("It must have been like that when I bought it. I'm just a reseller.")

[mfc]

I agree with you (from a malicious individual reseller perpective), however used hardware can also be purchased anonymously/pseudonymously much more easily (Craigslist) if you are worried about state-level targeting.

These are issues for the individual to consider during the "buying things" process, it is ultimately the user's choice to buy things, how they go about it, what trust they have with the seller, etc. We are not compelling anyone to purchase anything, nor what method to do so.

I strongly believe that we should be listing/certifying a computer that fills all of those attributes I listed.

[mfc]

I agree with you (from a malicious individual reseller perpective), however used hardware can also be purchased anonymously/pseudonymously much more easily (Craigslist) if you are worried about state-level targeting.

These are issues for the individual to consider during the "buying things" process, it is ultimately the user's choice to buy things, how they go about it, what trust they have with the seller, etc. We are not compelling anyone to purchase anything, nor what method to do so.

I strongly believe that we should be listing/certifying a computer that fills all of those attributes I listed.

[andrewdavidwong]

Ok, sounds like a reasonable idea to me. It's true that we're not compelling anyone, but an official endorsement is significant. As long as we duly inform users of the security risks, I agree we should leave the decision up to them.

[andrewdavidwong]

Ok, sounds like a reasonable idea to me. It's true that we're not compelling anyone, but an official endorsement is significant. As long as we duly inform users of the security risks, I agree we should leave the decision up to them.

[tasket]

IIRC the x220 is very close to its T-series counterparts, the T420 and T420s (and probably the T520 too, although it has no HCL entry). Also Qubes was supposedly developed on the T420 and T420s. So I think those T models from that generation should be among the first to be added to the certified list.

[tasket]

IIRC the x220 is very close to its T-series counterparts, the T420 and T420s (and probably the T520 too, although it has no HCL entry). Also Qubes was supposedly developed on the T420 and T420s. So I think those T models from that generation should be among the first to be added to the certified list.

[mfc]

just to update this, this may merge into #1594 and https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/ efforts and instead be a x230 (so positioning this for Qubes 4.0 certification).

on the surface only difference between x220 and x230 seems to be ~price and USB 3.0 ports (which may be worthwhile).

---

also would be nice to confirm if the laptop with coreboot could boot from sdcard for AEM (see related qubes-users thread).

[mfc]

just to update this, this may merge into #1594 and https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/ efforts and instead be a x230 (so positioning this for Qubes 4.0 certification).

on the surface only difference between x220 and x230 seems to be ~price and USB 3.0 ports (which may be worthwhile).

---

also would be nice to confirm if the laptop with coreboot could boot from sdcard for AEM (see related qubes-users thread).

[mfc]

hardware compatibility

To permanently enable middle button scrolling for x220/x230, create the following script in your dom0 home directory:

sudo vi start_trackpoint.sh

#!/bin/sh
xinput set-prop “TPPS/2 IBM TrackPoint” “Evdev Wheel Emulation” 1
xinput set-prop “TPPS/2 IBM TrackPoint” “Evdev Wheel Emulation Button” 2
xinput set-prop “TPPS/2 IBM TrackPoint” “Evdev Wheel Emulation Timeout” 200

Make it executable:

sudo chmod +x start_trackpoint.sh

And a file to execute it on boot:

sudo vi /etc/xdg/autostart/ibm-trackpoint.desktop

[Desktop Entry]
Type=Application
Exec=/home/[USER]/start_trackpoint.sh
Terminal=false
Name=IBM Trackpoint
GenericName=IBM Trackpoint
StartupNotify=false
Categories=System;X-Xfce-Toplevel;

modified from https://www.peerlyst.com/posts/evaluating-qubes-os-as-a-penetration-testing-platform-andrew-douma

[mfc]

hardware compatibility

To permanently enable middle button scrolling for x220/x230, create the following script in your dom0 home directory:

sudo vi start_trackpoint.sh

#!/bin/sh
xinput set-prop “TPPS/2 IBM TrackPoint” “Evdev Wheel Emulation” 1
xinput set-prop “TPPS/2 IBM TrackPoint” “Evdev Wheel Emulation Button” 2
xinput set-prop “TPPS/2 IBM TrackPoint” “Evdev Wheel Emulation Timeout” 200

Make it executable:

sudo chmod +x start_trackpoint.sh

And a file to execute it on boot:

sudo vi /etc/xdg/autostart/ibm-trackpoint.desktop

[Desktop Entry]
Type=Application
Exec=/home/[USER]/start_trackpoint.sh
Terminal=false
Name=IBM Trackpoint
GenericName=IBM Trackpoint
StartupNotify=false
Categories=System;X-Xfce-Toplevel;

modified from https://www.peerlyst.com/posts/evaluating-qubes-os-as-a-penetration-testing-platform-andrew-douma

[tasket]

AEM seems to be a compat tripping point right now. How compatible are these models with the latest AEM w/ tboot 1.9.4?

See issue #2155

[tasket]

AEM seems to be a compat tripping point right now. How compatible are these models with the latest AEM w/ tboot 1.9.4?

See issue #2155

[Jarwolf]

I read this whole page and found it very interesting. I am wanting to have a Laptop that works with Qubes. I have an Windows MSI ib shuxh u play games and such on, which is out of the equation. I have an HP notebook of some sort and has Windows. I am currently installing it on here abd had to boot the USB from UFI i think it was. It was the only way to actually to get it to install. Now' previously, It asked for the 'disc password' on the boot up og Qubes. As soon as I woukd hit enter after inserting my password no moe then 5 seconds later, the laptop shuts down. I can't afford 1500 on a laptop...Honestly, just spent the last 600 i had on bills and a ham radio, so yep...im keeping my fingers crossed that this will work this time around.

[Jarwolf]

I read this whole page and found it very interesting. I am wanting to have a Laptop that works with Qubes. I have an Windows MSI ib shuxh u play games and such on, which is out of the equation. I have an HP notebook of some sort and has Windows. I am currently installing it on here abd had to boot the USB from UFI i think it was. It was the only way to actually to get it to install. Now' previously, It asked for the 'disc password' on the boot up og Qubes. As soon as I woukd hit enter after inserting my password no moe then 5 seconds later, the laptop shuts down. I can't afford 1500 on a laptop...Honestly, just spent the last 600 i had on bills and a ham radio, so yep...im keeping my fingers crossed that this will work this time around.

[mfc]

just to add a potential argument against the x230, in order for the USB qube to work one has to set pci strict reset to false, which is a security risk. Setting USB controller to USB2.0 only in BIOS is insufficient. When I have some more free time I will do a reinstall on a Heads/coreboot machine and see if I have to set this to false on that machine as well.

[mfc]

just to add a potential argument against the x230, in order for the USB qube to work one has to set pci strict reset to false, which is a security risk. Setting USB controller to USB2.0 only in BIOS is insufficient. When I have some more free time I will do a reinstall on a Heads/coreboot machine and see if I have to set this to false on that machine as well.

[reconmaster]

With a refurbed x230, 4.0 installed reasonably well. Only issue with default lenovo firmware was sys-net. Subsequent research suggests coreboot can resolve this, and I'll be trying libreboot over xmas. I suspect this may be related to @mfc point about pci reset flag.

I'd say if providing support for these older comps, it would probably be pragmatic to focus on those supported by open firmware. Given the risks incurred with the ME, securing the hardware stack should align with Qubes' mission statement. Probably a disclaimer about dangers of low-level threats should at least accompany them where ever they end up in the docs.

[reconmaster]

With a refurbed x230, 4.0 installed reasonably well. Only issue with default lenovo firmware was sys-net. Subsequent research suggests coreboot can resolve this, and I'll be trying libreboot over xmas. I suspect this may be related to @mfc point about pci reset flag.

I'd say if providing support for these older comps, it would probably be pragmatic to focus on those supported by open firmware. Given the risks incurred with the ME, securing the hardware stack should align with Qubes' mission statement. Probably a disclaimer about dangers of low-level threats should at least accompany them where ever they end up in the docs.

[andrewdavidwong]

Assigning to @rootkovska and @marmarek to decide.

[andrewdavidwong]

Assigning to @rootkovska and @marmarek to decide.