Is there a reason why PG doesn't recommend laptop hardware?

GrapheneOS utilizes Pixel phones over other options because Pixels offer better security than competitors. PG also recommends the Pixel for security reasons.

Is there a particular reason why PG doesn’t recommend laptop hardware? Is there a particular laptop manufacturer that offers better security than others? Right now, I’m between System76 and Dell, but I’m open to others if someone offers better security.

(Edited for clarity.)

What kind of security do you want? What is your threat model? What are you trying to secure and at what level?

I’m afraid you need to be a lot clearer and explain yourself more so we can evaluate your needs and provide recommendations accordingly.

But I do like full disk encryption on Linux since it is more than enough for me. I don’t (and never will) sell my computer to others, so deleting data in the best way possible is not a priority for me.

I edited my OP for clarity. Really, I’m just looking for recommended laptop hardware from a general security perspective, similar to how PG and GrapheneOS recommend the Pixel phone for security.

1 Like

There is a guide on how to choose PC hardware: Choosing Your Hardware - Privacy Guides

It is a list of criteria to look for, not specific vendors.

1 Like

I’m not part of PG’s team and have no involvement with the project, but if I’m not mistaken, to summarize, the main reason is that major laptop manufacturers use Intel or AMD CPUs, and both have their own closed-source components in their CPUs that are pointed to as security and privacy problems: Intel ME and AMD PSP. Qualcomm ARM CPUs haven’t yet been proven to be on par with other CPUs in terms of user experience. Apple is the only real game player but offers a very closed ecosystem.

If you ignore that criterion, then you should make sure that your hardware is from a manufacturer that pushes security and firmware patches. As of the time I’m writing this, the ones I’m aware of are the following: Apple, Dell, Framework, Lenovo, Microsoft Surface, Chromebooks and NovaCustom. Not sure about other options. You can have a good read about this here: FwupdPlugin – 1.0: Host Security ID Specification

This is just a very short and direct-to-the-point answer that needs a lot of better wording, but I thought I could share some quick reasoning.

Edit: I should just add that I’ve heard rumors that GrapheneOS plans to be involved in some sort of “de-Google” Chromebook project, but don’t quote me on that.

I think discussing specific hardware could be a worthwhile topic to write about in the Community Wiki.

1 Like
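The fwupd Host Security ID report mentioned above is what `fwupdmgr security` prints on Linux. As an added example (not code from this thread or from the fwupd project), the script below parses such a report and checks whether a laptop reaches a chosen HSI level with no runtime issues; the report text and the required level are constructed assumptions, not a real capture.

```python
# Added example (not from the thread): parse the `fwupdmgr security` text report
# and decide whether a laptop reaches a minimum HSI level with no runtime issues.
# SAMPLE_REPORT is a CONSTRUCTED sample in fwupd's format, not a real capture.
import re

SAMPLE_REPORT = """\
Host Security ID: HSI:1! (v1.9.16)

HSI-1
✔ BIOS firmware updates:         Enabled
✔ Fused platform:                Locked

HSI-2
✔ Intel BootGuard ACM protected: Valid
✘ Intel BootGuard OTP fuse:      Not Valid
✔ IOMMU:                         Enabled

HSI-3
✘ Pre-boot DMA protection:       Not Enabled

Runtime Suffix -!
✘ Linux kernel lockdown:         Disabled
✔ UEFI secure boot:              Enabled
"""

HSI_LINE = re.compile(r"^Host Security ID:\s*HSI:(\d)(!?)")   # level + optional "!"
CHECK_LINE = re.compile(r"^([✔✘])\s+(.+?):\s+(.+)$")          # pass/fail, name, value

def parse_hsi_report(text):
    """Return HSI level, whether runtime issues ('!') exist, and failed checks per section."""
    level, runtime_issue, section, failed = None, False, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := HSI_LINE.match(line):
            level, runtime_issue = int(m.group(1)), m.group(2) == "!"
        elif line.startswith(("HSI-", "Runtime")):
            section = line  # section headers group the individual attributes
        elif (m := CHECK_LINE.match(line)) and m.group(1) == "✘":
            failed.setdefault(section, []).append((m.group(2), m.group(3)))
    return {"level": level, "runtime_issue": runtime_issue, "failed": failed}

def meets_baseline(text, required_level=2):
    """(True, []) if the firmware reaches required_level with no runtime issues, else reasons."""
    r = parse_hsi_report(text)
    reasons = []
    if r["level"] is None or r["level"] < required_level:
        reasons.append(f"HSI level {r['level']} below required {required_level}")
    if r["runtime_issue"]:
        reasons += [f"runtime: {n} = {v}" for n, v in r["failed"].get("Runtime Suffix -!", [])]
    return (not reasons), reasons
```

Pipe a real report in with `fwupdmgr security | python3 -c 'import sys, hsi; print(hsi.meets_baseline(sys.stdin.read()))'` (assuming the block is saved as `hsi.py`).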

It has been on our radar for quite some time. A lot of it has to do with formalizing the criteria from which people should do their research. There also has been some opposition on the basis that we are not primarily a hardware-oriented website.

There are so many questions that could go into this category with room for endless debate. For example, should we require webcam/microphone kill switches? How about Linux support? To what extent should we encourage these vendors over hardening your pre-existing laptop?

A similar discussion has been made here about desktop hardware recommendations.

I won’t speak for the entire team, but I have observed a few staff members being skeptical of Intel ME/AMD PSP being a major concern in the first place. While hypothetical security concerns are important, I think our mission revolves more around practical privacy protections first. Then again, this debate has been discussed on this forum previously.

But what I can confirm is that Intel ME/AMD PSP is not the reason why we haven’t recommended anything yet. But I’m sure it can be a topic for future discussion if the community does desire laptop/desktop recommendations.

See: Intel ME & hardware backdoor speculation - #2 by jonah

1 Like

The main reason is ultimately that there are new laptops every few months. Would this genuinely be expected to become Hardware Guides?

What determines a good laptop in terms of privacy? We make the point that security is what enforces privacy. So a vendor should be expected to provide updates (to their firmware) and good security features.

I wrote about that here and in fact I would make the point that a laptop with only partially working ME is probably less private than one with vPro/Ryzen Pro, Encrypted RAM, and those other features seen on higher end business laptops.

The frankly silly perspective that ME is somehow going to make a laptop less private is really based on absolutely nothing but some old rubbish and paranoia from free software advocates that don’t really know anything.

If they (the vendor) make the hardware and want to put a backdoor in it, then they will and it will simply be somewhere where you don’t even know and can’t do anything about it.

Notice the conversation never comes up when talking about AMD PSP or Apple hardware? That’s because the furor was about ME, and the people that harp on about it never think that every platform has something like this, just with a different name.

3 Likes

Isn’t this also true of smartphones? Yet the Pixel is recommended. All I’m looking for is a similar recommendation for a laptop. Just some advice saying “this is the ideal hardware on which to install Fedora/Qubes/etc.”

I understand the complexity that goes into choosing the right hardware, but what makes PG so great and unique in this space is that it can boil down the complexity for an average privacy- & security-focused consumer and offer recommendations based on high-quality standards. Is that simply not possible in this case?

Even the advice offered in this thread involves far more complex decision-making than other PG recommendations. What I was hoping for was a recommendation of a particular manufacturer that meets PG-approved security standards – again, similar to the way PG recommends Pixel due to its hardware security.

1 Like

The difference is that there is a clear answer because of GrapheneOS, which requires Pixel phones only.

You can technically use any laptop or desktop computer. Depending on your threat model, you may want to use laptops with continued firmware updates for better security or laptops with better Linux support.

Another situational example would be certain laptops with the latest Intel Core Ultra series chips. For a period of time (and perhaps even now, but I haven’t checked), they did not support Tails OS. So, if you really needed a Tails instance but have a brand new laptop, you may find that specific use case troubling.

1 Like