Are old laptops like the T430/X230 vulnerable?

I’m looking for cheap-ish laptops to run Qubes OS. Based on their community-recommended computers, it looks like the ThinkPad T430 and X230 would be the cheapest options. Since these computers are quite old, I was wondering how outdated their firmware is and whether there are any known vulnerabilities to be concerned about?

They’re pretty dated, so neither their CPU, dedicated GPU (if applicable), nor motherboard receives microcode or BIOS updates anymore. If you install Coreboot or a fork of it, you can get updates to the open source portion of the BIOS (or go with Libreboot to strip the out-of-date closed source BIOS components).

This is particularly why I am looking to upgrade my laptop. Qubes OS recommends getting an Intel CPU that still receives microcode updates. If you want Coreboot, you’ll likely need to go with a vendor that provides it like System76 or one of Qubes OS’ certified machines.

I know they don’t receive updates anymore and therefore aren’t ideal, but I’m mainly interested in figuring out if they’re currently known to be vulnerable because I have to stick to a small budget and don’t have many other options. If there’s a serious vulnerability in the microcode or something, maybe I’d just give up on Qubes entirely. I don’t plan on bothering with Coreboot either since it’s a lot of work just to replace a small portion of the firmware. I’m more concerned with things like vulnerabilities in the microcode for example.

Would you have a source for that? I ask just in case they elaborate on why in their documentation. I haven’t been able to find anything aside from their recommended computers which include old devices like the T430.

Unfortunately my budget wouldn’t allow for it. There’s also mixed opinion as to whether those sorts of laptops are better or worse for security. Not to mention I’ve heard terrible things about Purism and System76 customer service and warranty both online and from friends.

From my (limited) research it’s fine, though it depends on your threat model.

You can’t ensure firmware integrity, therefore bootkits are possible if your dom0 is somehow compromised or an attacker has physical access to your device, but AFAIK the software mitigations should be enough for the CPU vulns.

Sorry to ask, I’ve just heard different things from different people. Would you be able to elaborate on the limited research you did and if you remember any sources that stood out?

Am I right to assume an updated version of Qubes OS would include those mitigations by default? Or are you talking about manual hardening?

I’m yet to hear of something like a privilege escalation vuln in the BIOS that doesn’t already require root/admin privileges (or physical access, of course) to exploit. In Qubes that would be root access in dom0.

I would also assume that there would be a lot of noise if there ever was a way to break guest isolation with a hardware or firmware vulnerability for which there are no mitigations available. Particularly in certified hardware.

I would assume so, as Qubes’s sole purpose of existence is security, but I don’t know how you can verify this in Qubes. In a “normal” Linux distro, you can check with lscpu.

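The lscpu check mentioned in the last reply, as an added example that is not part of the thread: lscpu's "Vulnerabilities" lines come from the files under /sys/devices/system/cpu/vulnerabilities, and this script classifies them, separating fully mitigated entries from the "no microcode" and "SMT vulnerable" cases that matter on hardware without microcode updates. The function names and the sample entries are constructed for illustration; the sample strings follow the kernel's wording.

```shell
#!/bin/sh
# Added example. Sample strings below are constructed, in the kernel's format.

# audit_cpu_vulns [DIR]: print "STATE<TAB>name<TAB>detail" per entry.
# Returns 0 if all entries are mitigated or not affected, 1 if any is
# VULNERABLE or PARTIAL, 2 if DIR does not exist.
audit_cpu_vulns() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        IFS= read -r text < "$f" || true
        case $text in
            "Not affected"*)            state=OK ;;
            # A mitigation is active but the kernel still flags a gap (e.g. SMT).
            Mitigation:*[Vv]ulnerable*) state=PARTIAL; rc=1 ;;
            Mitigation:*)               state=MITIGATED ;;
            Vulnerable*)                state=VULNERABLE; rc=1 ;;
            *)                          state=UNKNOWN ;;
        esac
        printf '%s\t%s\t%s\n' "$state" "${f##*/}" "$text"
    done
    return "$rc"
}

# make_sample DIR: write constructed sample entries for an offline run.
make_sample() {
    echo 'Mitigation: PTI' > "$1/meltdown"
    echo 'Not affected' > "$1/srbds"
    echo 'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable' > "$1/l1tf"
    echo 'Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable' > "$1/mds"
}

sample=$(mktemp -d)
make_sample "$sample"
audit_cpu_vulns "$sample" || echo "=> at least one entry is not fully mitigated"
rm -rf "$sample"
# On a real machine, call audit_cpu_vulns with no argument to read sysfs.
```

Inside Qubes these files describe only the view of the kernel the script runs in (dom0 or a qube); Xen logs its own speculative-execution settings in its boot log, readable with `xl dmesg` in dom0.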