Linux Laptops? System76? Other options?

My current laptop is nearly 10 years old and I’m looking to get something with a bit more power. I’m considering System76.

Has anyone used their laptops? Are there any other laptops that you guys use?

2 Likes

I use Framework, and personally have been very happy with their product: https://frame.work

9 Likes

There is a fairly recent thread on this that you might want to check out: Experience with System 76?

I’m using a Lenovo Thinkpad for academic stuff.

1 Like

Hard to give a suggestion without knowing your use case. Can you elaborate on what you will mainly do with this computer? “more power” can mean a lot depending on what tasks you use the computer for.

Just beware they did have a recent data leak. Looks like social engineering and not an actual security flaw was the issue.

However, we are relieved to note that the leaked PII is claimed to consist solely of the following details: full name, email address, and the balance owed.

Have to say though, if I was in the market for a laptop they would be who I would look at. Love the modularity.

2 Likes

Same. Mine’s a couple years old now still going strong. The new Framework 16 looks very cool.

Also they have very good Linux support. Mine works pretty much flawlessly with Fedora.

2 Likes

Linux-focused laptop vendors:

  1. System76
  2. Framework
  3. Tuxedo
  4. Starlabs
  5. Slimbook
  6. Purism
  7. Pinebook

Major vendors that have pretty good Linux support:

  1. Dell XPS (“Developer Edition” comes pre-installed with Ubuntu)
  2. In the past I believe Lenovo offered models with Ubuntu or Fedora, not sure if they still do.

2 Likes

Purism is a meme, they have hardware switches that are theatre at best even if they work (and in the GOS rooms there have been reports that they don’t even work)

The other vendors are mostly alright though imo

1 Like

You might want to look at Ubuntu certified laptops. Anything on there is good for Ubuntu, not necessarily Linux.

Other than the Ubuntu certified laptops, I would buy Framework.

1 Like

This is what I would do. Did some research with some other people on this:

1. Framework

Framework is bad with firmware updates. They are so bad, the 12th and 13th gen Intel computers have not gotten any updates since their release. 1, 2.

The AMD models get updates a bit more frequently, but IIRC they are still all vulnerable to Logofail according to their forums.

They do not seem to take firmware security seriously and I’d recommend avoiding them.

2. StarLabs

No Boot Guard.

AMD Platform Secure Boot is the equivalent.

3. Purism

Circular logic. PureBoot cannot provide anti tampering by design. They are trying to check whether the firmware has been tampered with by trusting the measurements given to the TPM by the firmware, which the firmware can always lie about.

No Boot Guard to talk about. Decrepit old hardware with no memory encryption. Overpriced.

On top of that, the CPU is unfused. (The eFuse is to prevent tampering)

4. System76

HSI 0 on most models. Very concerning results on LVFS like BootGuard fuse not being blown. fwupdmgr security is not very reliable so take that with a grain of salt. However, exercise extreme caution with System76 because this does not look promising. They only just got secure boot very recently, some notes there about bricking if you have 10th gen or earlier.

5. Modern Dell Latitude/Precision

HSI 4

  • Secure Cored
  • Regular firmware updates
  • vPro Enterprise models have Memory Encryption
  • Blows Fuses on security updates, preventing downgrade attacks
  • Minor issue of not measuring whether hyper-threading is enabled in the firmware or not. The Microphone toggle in the firmware doesn’t work. No deal breaker.

The HSI level is going to be shown in GNOME:

6 Likes
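A toy model of the point made in the post above about firmware that reports its own measurements to the TPM, added here as an illustration and not part of the original post or any vendor's code. All names and byte strings are constructed, and a fused image digest is assumed as a simplified stand-in for a Boot Guard-style signature check against a fused key hash.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM PCR extend: new value = SHA-256(old value || SHA-256(data))."""
    return sha256(pcr + sha256(data))

# Constructed stand-ins for firmware and bootloader images.
GOOD_FW = b"constructed: vendor firmware image"
MODIFIED_FW = b"constructed: modified firmware image"
BOOTLOADER = b"constructed: bootloader image"

def boot_self_measured(flash: bytes) -> bytes:
    """The firmware in flash runs first and reports its own measurement."""
    # Honest firmware hashes what is really in flash. Modified firmware is
    # free to report the known-good image instead, since nothing ran before it.
    reported = flash if flash == GOOD_FW else GOOD_FW
    pcr = extend(bytes(32), reported)
    return extend(pcr, BOOTLOADER)

def boot_hardware_rooted(flash: bytes, fused_digest: bytes):
    """Immutable code checks flash against a fused value before running it.

    Simplification: a fused image digest stands in for a signature check
    against a fused key hash.
    """
    if sha256(flash) != fused_digest:
        return None  # boot refused, nothing is extended into the PCR
    pcr = extend(bytes(32), flash)
    return extend(pcr, BOOTLOADER)

def verifier_accepts(pcr, expected: bytes) -> bool:
    """What a TPM-sealed secret or remote verifier effectively checks."""
    return pcr is not None and pcr == expected

EXPECTED_PCR = boot_self_measured(GOOD_FW)
FUSED = sha256(GOOD_FW)

if __name__ == "__main__":
    for name, flash in (("good", GOOD_FW), ("modified", MODIFIED_FW)):
        print(name, "self-measured accepted:",
              verifier_accepts(boot_self_measured(flash), EXPECTED_PCR))
        print(name, "hardware-rooted accepted:",
              verifier_accepts(boot_hardware_rooted(flash, FUSED), EXPECTED_PCR))
```

In the self-measured model the PCR value is identical for both images, so a check based on it cannot distinguish them; the hardware-rooted model refuses the modified image before any measurement is made.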

Would recommend to stay away from Linux focused vendors, because some of them don’t even get the minimum of security right. Choose a laptop from a reputable brand like Dell, Microsoft or Lenovo and preferably a secured-core device which will provide a good security baseline. Dell and Microsoft also provide longer firmware updates than other brands, but I don’t know how Linux support is on Microsoft devices.

1 Like

Framework is bad with firmware updates. They are so bad, the 12th and 13th gen Intel computers have not gotten any updates since their release.

It seems like Framework has been releasing beta firmware updates for 12th gen laptops, so if security is a priority for you, you could install those 1, 2. I actually seem to get beta updates by default on my 11th gen laptop using fwupdmgr in Linux.

1 Like

Does seem the beta release v3.08 addresses logofail and perhaps things will speed up with the 11th gen.

We’ve been delayed on BIOS updates due to issues we found in the update process, especially on Linux, and due to staffing constraints at our ODM partner. We’re working with them to enable more consistent staffing for sustaining work on launched programs. Note that there is a matching firmware update in progress for 12th Gen Intel Core, and the release schedule has been slow due to these issues.

The last CVEs I see for 11th gen were in 2022, in v3.17. I’m sure there were some others in 2023.

2 Likes

It looks like Lenovo still offer some Linux devices (Only one laptop, and a few mini PCs).

https://www.lenovo.com/us/en/d/linux-laptops-desktops/

2 Likes

Unfortunately it isn’t a proper implementation:

Note that the Secure Boot support present is only intended for allowing Microsoft Windows installation checks to pass. It should not be relied on for system security due to limitations of the implementation.

6 Likes

Thank you for this list and all the other comments in this thread.

To my anecdotal view/recall, it seems that hardware discussions on privacy forums break down into 4 differentiating preference camps:

1- install Linux on anything, maybe something already at hand, maybe for the sake of not allowing a device to go to the landfill.
2- install Linux on a laptop that is known to work well which leads to lists like the Ubuntu or Qubes compatibility lists.
3- focus on using Linux on a device with a proper HSI, probably HSI:4 which leads to basically Dell, Lenovo, etc.
4- focus on neutering Intel ME and avoidance of AMD PSP which leads to many of the Linux niche shops including some very old laptops.

Is there any way to accomplish HSI:4 hardware + neutered IME?

Or, is it more realistic to focus on HSI:4 with hardware-compatible Linux distro and consider an IME vuln to be a distraction (since associated zerodays would be notably costly to deploy)?

Threat model = average privacy conscious person not working in a critical-information job, keep personal stuff private (family photos, etc), avoidance of ad-tech surveillance, avoid ransomware attacks, but also avoid privacy invasion trends/creep (near-term future resilience).

4 Likes

For most people IME is not a concern because finding 0 days in it is very difficult and expensive and wouldn’t be ‘wasted’ on an average person.

2 Likes

Believe Lenovo does this still. I ordered a thinkpad with Fedora preinstalled last year

1 Like

No, because you need some of that firmware for the newer features.

And even then it’s arguable whether giving up all the newer security features is even better.

Note there’s never ever been any “evidence” that ME is somehow spyware, it’s a misconception “free” folks spread because “haven’t seen source code”.

The realistic truth is x86_64 has patents. Not really worth worrying about open platform until RISC-V is common or something less encumbered.

3 Likes

Not sure what you’re all talking about because numerous well-documented security vulnerabilities in IME have been found (here’s one list of them). Whether it’s spyware or not is up for debate, but it is a concern and should absolutely be disabled if you have the option regardless of whether it’s a spooky backdoor or spyware, in the simple interest of attack surface reduction.

I probably wouldn’t use tools which go beyond (e.g. by ‘neutralizing’ IME firmware) the “supported” method of disabling IME by setting the HAP bit though, due to potential unforeseen consequences. Basically… if your device gives you the option in the BIOS or whatever, do it, but… probably not something most people need to worry about otherwise.

More reading on the topic of IME elsewhere: Intel ME and more


Anyways, all of this being said, it doesn’t sound like hardware vulnerabilities are even a likely threat for you? Seems like you’ll be alright with any hardware given you’re running modern Linux.

I wouldn’t go overboard with this kind of stuff unless you just enjoy it.

2 Likes

I mean intentional backdoors put by “insert security agency”. Every thing has vulnerabilities, even open source firmware. TLDR most of the misconceptions come from a particular part AMT which is meant for fleet management.

The issue is if you want those newer features, in the higher HSI levels you need some firmware to do that.

Right, and that tool is unmaintained and hasn’t been tested since Coffee Lake (8th gen intel). If your CPU is that old then it’s going to be unsupported anyway.

2 Likes