Which is better given the context of this place?
And if you can please, why.
When it comes to the laptop itself, I would never recommend a MacBook unless you need what Apple Silicon can offer you, which is pretty much the gold standard when it comes to performance and efficiency.
As for privacy and security, installing Asahi Linux on your MacBook will completely cook your boot security and break hardware security features, so a ThinkPad is your best option for running Linux.
Before buying, double check that the ThinkPad you’re looking at has an HSI-4 rating here: LVFS: HSI Devices
Are there any ThinkPads that actually support HSI-4? I have one that can achieve HSI-3 but lacks the encrypted memory to meet HSI-4.
Yes, quite a few: e.g. the T14 Gen 5: LVFS: HSI Device
Basically AMD messed up and didn’t properly expose many aspects via the PSP until the 8000 series. So look for Ryzen Pro 8000 series or their newer Ryzen AI Pro XXX series. On the Intel side you want vPro models.
Nice, thanks.
You may actually be able to enable TSME in the EFI (even on non-Pro variants), but it won’t correctly report as enabled unless you’re on an 8000 series or newer so you won’t get the rating.
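An added example, not part of any post in this thread: a simplified Python sketch of how an HSI rating follows from individual checks, showing why a machine that passes everything up to HSI-3 but does not report encrypted RAM stays at HSI-3. The JSON field names follow the shape of `fwupdmgr security --json` output as an assumption, and the sample report is constructed, not taken from a real device.

```python
import json

# Constructed sample report (illustrative values, not a real device).
# Field names assume the shape of `fwupdmgr security --json` output.
SAMPLE = json.dumps({"SecurityAttributes": [
    {"AppstreamId": "org.fwupd.hsi.Uefi.SecureBoot", "HsiLevel": 1, "Flags": ["success"]},
    {"AppstreamId": "org.fwupd.hsi.Tpm.Version20", "HsiLevel": 1, "Flags": ["success"]},
    {"AppstreamId": "org.fwupd.hsi.Iommu", "HsiLevel": 2, "Flags": ["success"]},
    {"AppstreamId": "org.fwupd.hsi.SuspendToRam", "HsiLevel": 3, "Flags": ["success"]},
    {"AppstreamId": "org.fwupd.hsi.EncryptedRam", "HsiLevel": 4, "Flags": []},
    {"AppstreamId": "org.fwupd.hsi.Kernel.Lockdown", "HsiLevel": 0, "Flags": ["runtime-issue"]},
]})


def hsi_rating(report_json):
    """Return (achieved_level, blocking_checks, runtime_issue).

    Simplified rule: a level is achieved only if every check at that
    level and at all lower levels carries the "success" flag.
    """
    attrs = json.loads(report_json)["SecurityAttributes"]
    by_level = {}
    runtime_issue = False
    for attr in attrs:
        flags = set(attr.get("Flags", []))
        if "obsoleted" in flags:
            continue  # superseded by another check, not counted
        ok = "success" in flags
        if "runtime-issue" in flags:
            # Runtime checks do not change the level, they only mark it.
            runtime_issue = runtime_issue or not ok
            continue
        level = attr.get("HsiLevel", 0)
        if level >= 1:
            by_level.setdefault(level, []).append((attr["AppstreamId"], ok))

    achieved, blockers = 0, []
    for level in sorted(by_level):
        failed = [name for name, ok in by_level[level] if not ok]
        if failed:
            blockers = failed  # first failing level caps the rating
            break
        achieved = level
    return achieved, blockers, runtime_issue


if __name__ == "__main__":
    print(hsi_rating(SAMPLE))
```

On a real machine the report would come from `fwupdmgr security --json`; the blocking list names the checks to look at in firmware setup.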
Linux on a standard (x86) laptop any day for hardware and software compatibility. I would suggest buying from manufacturers that support Linux such as System76 (they also provide their own distro). Dell and some other major OEMs also sell laptops with Ubuntu, I would just avoid paying for a Windows license.
MacBook + Asahi pros:
- no known built-in platform spyware such as Intel ME or AMD PSP omnipresent in modern x86-64 platforms
- better power efficiency
MacBook + Asahi cons:
- no secure boot for Asahi Linux yet, although this does not affect macOS boot security or FileVault-encrypted data on macOS partition
- arm64 architecture means you will have to compile some software (e.g. Tor Browser, Mullvad Browser, Signal-Desktop, IVPN app) yourself
- not everything is yet mainlined into Linux kernel and Asahi kernel package updates may be lagging sometimes
Update: Asahi COPR had an outdated 6.14.8 kernel at the time of initial posting, 5 hours later it got 6.15.10, and developer said 6.16.3 will be available soon.
Asahi on MacBook M1+ is great, especially if you like tinkering and OpenGL (graphics programming). Otherwise, you should stay with macOS in particular if you care about security. Full disk encryption is not supported on Asahi and there is no incentive in the dev team to work on it. Besides this detail, it is very stable and as secure as any other PC running Fedora (if you choose their flagship “Asahi Remix”). The team developing the OS is small but dedicated. I tried it and it is very user-friendly to install and to use. However, be prepared to miss features like: monitor 120Hz refresh rate not available (only 60Hz), poorer battery (sort of), some buttons and icons disappear (for some odd reason), and maybe other small issues. Overall, it is a more private alternative than macOS, but if you care about FDE you should not install it. That alone made me delete Asahi because even Windows users have BitLocker, which makes them safer than me, and I can’t accept that after all my efforts into privacy/security. To be fair, there is a way to manually have LUKS on your Asahi partition, but it is a complicated and dangerous process that you need to carry out manually and at your own risk. At the end of the day, I prefer to buy a regular PC to install Linux on it, and buy a MacBook if I need macOS.
ThinkPad, and make sure you buy a model without soldered RAM for better repairability.
It’s not supported out of the box via installer but can be done manually after installing. It is Fedora Linux after all.
Or users can put some commands into the terminal and set it up themselves. Only needs to be done once.
Depends on user’s skill. Asahi on MacBook is probably not the easiest choice for users without Linux experience.
How do you feel about Intel TDT from the vPro models? Do you enable it?
“Intel® Threat Detection Technology (Intel® TDT). As one of the built-in hardware-based security capabilities on Intel vPro-based devices, Intel TDT profiles and detects malware using CPU telemetry and Machine Learning algorithms. Intel TDT also enables software-based security solutions to scan deeper and more frequently to find file-less attacks sooner.”
Asahi is more of a proof of concept project than a real Linux distro. It’s great to have it, some of us still keep an eye on it, and the dev behind it is nice. Should anyone use it as their main operating system? Nope. Big nope. And I’m not even talking about safety. In terms of security, Asahi will never ever be like Tails. And is still very far away from Ubuntu.
As others already advised, if you want to main on Linux, you better go with anything but an Apple Silicon Mac. You will save a lot of money, won’t compromise your system, won’t have to deal with an unstable OS, and so on.
And I’m saying all of this as a lifelong Mac user. (I was on Windows 98 and XP as well tho)
Linux is about so many things. Besides the OS in itself, it’s also a great opportunity for you to custom build your own computer. You could go for a Framework laptop https://frame.work/be/en (I didn’t even know that they started selling a desktop version of it)
I would describe it as a Fedora flavor. It is Fedora Linux with a custom kernel to support more hardware than mainline, custom bootloader (m1n1) to get U-Boot working on Apple Silicon and some additional packages like speaker safety daemon which protects speakers from overheating. Custom mesa fork is being retired because everything has been upstreamed in version 5.2. After marcan’s departure from the project they have also been actively working on upstreaming their kernel changes to mainline.
Why are you even comparing a generic desktop OS with a specialized anonymity OS designed to boot from USB sticks?
Plain Fedora Linux will also never be like Tails, yet Fedora is recommended by Privacy Guides. Asahi compares to Ubuntu pretty much like Fedora compares to Ubuntu. And there is unofficial Ubuntu Asahi Remix if you prefer Ubuntu.
By the way, some of the hardenings done in Secureblue can be manually applied to Asahi/Fedora. Unfortunately, not the hardened_malloc because it doesn’t play well with 16k memory pages.
What they really should improve, is the curl-bashing security negligence for installation.
How long ago did you try it and which stability issues did you experience? I’m getting a feeling that you tried it in times of Arch Linux ARM version which has been retired for a long time.
Tails isn’t secure.
Depends on what you mean by “secure.” You can always go a bar higher when it comes to security and if you go high enough nothing is secure.
Tails is more or less “If it isn’t broke, don’t fix it.”