Any change to the likelihood of this point being addressed by StarLabs, given recent Qubes certification?
Just for my notes, “modern” here means after a certain year, or generation?
If used is an option:
2nd hand Intel MacBook Pros (2015-2020) unironically make excellent Linux laptops and are not very expensive.
(re: patch to improve battery life on AMD Framework)
What timing, today this landed in power-profiles-daemon (v0.20).
This PR is now merged upstream and is part of the 0.20 release. Several people have reported battery life improvements between 2x and 3x from this change request.
Users of rolling distros like Arch or OpenSUSE should get it soon, Fedora and Ubuntu with the upcoming releases hopefully.
Surprised nobody suggested the MNT Reform (and Pocket reform, but that’s a palm PC there)
But again, I’m unable to provide a decent security analysis on it, nor if the company is on par with privacy truly.
If only the battery were easily replaceable…
Depending on the model it’s actually not that hard, see iFixit videos.
I’d like to mention NovaCustom too.
Is the need for memory encryption for advanced protection, like when someone got physical access to your computer and wants to do a complete memory dump (of the RAM) to get certain encryption keys?
Yes, protects mainly against physical attacks on hardware.
Ok so this recent post had me on a bit of chasing a rabbit hole.
Right now I am looking at an HP Mini PC from an older generation (i3-1215U) (because somehow it is the only one available brand new through online retail where I am).
What hardware can I get at least an HSI-3 level of security? The enterprise hardware of Dell, HP and Lenovo? Anyone care to post what the HSI score of their daily driver is? Mine is… HSI-0, unfortunately…
like… all of them… The “trash” PC I have for work has I think at least HSI-2
Definitely something to look at in the future, on my next upgrade cycle.
Well as I said above, NovaCustom will have HSI-3 by default soon so that is an option.
Framework laptops (13th Gen) achieve HSI-3. They can achieve HSI-4, assuming you get the vPro enabled CPU. I would not recommend Framework for now though as they have a bad history with shipping firmware updates. (Intel 13th Gen has not received a firmware update from launch) They would be a good option in the future however when they sort out their firmware updates and ship them consistently. (Outdated firmware leads to Framework laptops showing HSI-0)
Dell, Lenovo and HP enterprise hardware is the same deal as Framework (HSI-4 with vPro CPU, HSI-3 without) but they ship firmware updates consistently.
I have an HP Pavilion (a non-enterprise laptop afaik) lying around with HSI-3 though so maybe HP consumer laptops also have a good standard for security. I receive firmware updates on it too.
You can check fwupd’s site for hardware security of various laptops. (Note: The results are uploaded by end users of the devices so may not be 100% accurate. However I was able to verify that my laptop has the same HSI security as listed on fwupd’s site.)
Theoretically all of the listed manufacturers’ enterprise hardware should be good enough and reach an HSI-3 level of security. For example the ThinkPad E16 Gen 1 meets this HSI level.
For Linux, a laptop that supports fwupd firmware updates is a must. Some laptops offer bootable CDs for manual firmware updates, but that isn’t the same level of support as automatic updates.
Also, I would avoid System76 since none of their laptops receive updates via fwupd despite them marketing themselves as a Linux focussed laptop company. For a while they had their custom firmware updater for updating all device firmware.
So I dug in a bit deeper with my various systems. Turns out I need to download the firmware from the manufacturer’s website and then flash the BIOS into my devices. My laptop daily driver went from HSI-0 to at least an HSI-1 but my gaming machine remains sadly HSI:0. Fair enough.
Having an up to date BIOS → sudo fwupdmgr update command → reboot improved my security. Turns out I was neglecting my hardware/firmware updates and should check the entire computer in my home.
I have a new computer coming from a more enterprise focused brand and it should improve my non-gaming daily driver usage. I now have a proper option to just have a VLAN separated Windows 11 gaming machine with no other activity whatsoever.
For a while they had their custom firmware updater for updating all device firmware.
It still exists, and is FOSS, with official deb binaries and unofficial rpms. It’s on AUR, too. I’ve never had any trouble getting it (at least its CLI) working on any of the distros I’ve tried.
The biggest issue with them is it seems most of their hardware is HSI-0 or 1. Also some devices rely on DKMS (unsupported in Fedora Atomic), and it seems firmware updates are infrequent or rare on many devices.
What about 2015-2020 Intel iMacs? I’d like to extend the life of mine once Apple is done with it in a few years.
Worth noting that I was particularly interested in installing Fedora Silverblue on it.
While the firmware updater that they use is FOSS, the method they use to update does not even follow the UEFI spec. They use a proprietary tool to flash their firmware.
From the blog post that I linked:
Discussions got stuck when we found out they currently use a nonfree firmware flash tool called afuefi rather than use the UEFI specification called UpdateCapsule.
Just curious how you went with this?
I’ve gone through the thread but did nobody mention buying a regular Windows PC laptop and hardening the Windows install as much as possible and then using a sandbox App to run Linux in???
I see on Dell.com that there are XPS’s available with IME disabled and Ubuntu pre-installed. I imagine if IME is disabled and out-of-band management is not present then the laptop would lack memory encryption, correct? What else would this lack? Might it have a reasonable HSI?
(Yes, I am one of those people that remain uncomfortable with the IME.)
I like to evade the pervasive financial surveillance when I can. Does anyone know how to source new Dell XPS laptops as anonymously as possible, ie:
-walk into a store and buy with cash
-order with crypto and ship someplace that is not your home
I can’t see anyplace that sells this XPS Linux version in-person for cash and Monero does not appear to be an option on Dell.com (shocker).
Has anyone bought a Linux non-IME Dell XPS via AnonShop? I can’t see this version for sale on Amazon, though. Have you ordered one via AnonShop from Dell.com?
It is a long-shot, but has anyone seen these for sale at any tech conferences maybe being offered as developer laptops?
I always see conflicting information regarding this.
Most of the newer security features seem to be related to protection against persistence or physical attacks, and many of the firmware vulnerabilities already require root access to exploit, meaning that the underlying system is already fully compromised if the vulnerability can be exploited. Exceptions to this are CPU vulnerabilities that allow for information disclosure by unprivileged users, but there are kernel mitigations and microcode updates available to help mitigate them.
Am I wrong here? Have there been firmware vulnerabilities in the past that allowed for RCEs or privilege escalation from unprivileged to kernel or above?
edit: Qubes even recommends laptops from 2012. I trust that they wouldn’t recommend these devices if they were that insecure
It needs to be vPro to have the memory encryption, and I doubt you can disable IME meaningfully on any modern CPUs, so don’t bother.
(Yes, I am one of those people that remain uncomfortable with the IME.)
Then don’t use x86, if they wanted to put a backdoor in there they could just put it at an even lower level. All alternative platforms will have something similar to IME. That is life.
That IME option on the Dell website is about disabling some of the remote management stuff you might want to use as an enterprise, it does not “disable ME”, as you cannot on a modern platform, so it’s not the same thing as ME cleaner or what have you.
They don’t recommend them so much as they’ve been tested. I wouldn’t be wanting to use a laptop from 2012 for some perceived threat vs a real threat which is an APT giving you some persistent malware.
The latter is far more likely. Don’t use a platform from 2012 and expect it to be secure.