Linux Laptops? System76? Other options?

Any change to the likelihood of this point being addressed by StarLabs, given recent Qubes certification?

Just for my notes, “modern” here means after a certain year, or generation?

If used is an option:
2nd hand intel Macbook Pros (2015-2020) unironically make excellent Linux laptops and are not very expensive.

1 Like

(re: patch to improve battery life on AMD Framework)

What timing, today this landed in power-profiles-daemon (v0.20).

This PR is now merged upstream is part of the 0.20 release. Several people have reported battery life improvements between 2x and 3x from this change request.

Users of rolling distros like Arch or OpenSUSE should get it soon, Fedora and Ubuntu with the upcoming releases hopefully.

1 Like

Surprised nobody suggested the MNT Reform (and Pocket reform, but that’s a palm PC there)

But again, I’m unable to provide a decent security analysis on it, nor if the company is on par with privacy truly.

If only the battery were easily replacable…

Depending on the model it’s actually not that hard, see iFixit videos.

1 Like

I’d like to mention NovaCustom too.

  • At least 5 years firmware updates after your purchase
  • Boot Guard will be implemented with their next Dasharo firmware update
  • Will be able to achieve up to HSI:3 after BootGuard is implemented
  • No memory encryption unfortunately
1 Like

Is the need for memory encryption for advanced protection, like when someone got physical access to your computer and wants to do a complete memory dump (of the RAM) to get certain encryption keys?

Yes, protects mainly against physical attacks on hardware.

Ok so this recent post had me on a bit of chasing a rabbit hole.

Right now I am looking at HP Mini PC from an older generation (i3-1215U) (because somehow it is the only one available brand new through online retail where I am.

What hardware can I get at least an HSI-3 level of security? The enterprise hardware of Dell, HP and Lenovo? Anyone care to post what the HSI score of their daily driver is? Mine is… HSI-0, unfortunately… :face_with_raised_eyebrow: :thinking: :dizzy_face: :confounded: :persevere: like… all of them… The “trash” PC i have for work has I think at least HSI-2

Definitely something to look at in the future, on my next upgrade cycle.

Well as I said above, NovaCustom will have HSI-3 by default soon so that is an option.

Framework laptops (13th Gen) achieve HSI-3. They can achieve HSI-4, assuming you get the vPro enabled CPU. I would not recommend Framework for now though as they have a bad history with shipping firmware updates. (Intel 13th Gen has not recieved a firmware update from launch) They would be a good option in the future however when they sort out their firmware updates and ship them consistently. (Outdated firmware leads to Framework laptops showing HSI-0)

Dell, Lenovo and HP enterprise hardware is the same deal as Framework (HSI-4 with vPro CPU, HSI-3 without) but they ship firmware updates consistently.

I have an HP Pavillion (a non-enterprise laptop aafik) lying around with HSI-3 though so maybe HP consumer laptops also have a good standard for security. I recieve firmware updates on it too.

1 Like

You can check fwupd’s site for hardware security of various laptops. (Note : The results are uploaded by endusers of the devices so may not be 100% accurate. However I was able to verify that my laptop has the same HSI security as listed on fwupd’s site.)

Theoretically all of the listed manufacturers’ enterprise hardware should be good enough and reach a HSI3 level of security. For example the ThinkPad E16 Gen 1 meets this HSI level.

For Linux, a laptop that supports fwupd firmware updates is a must. Some laptops offer bootable CDs for manual firmware updates, but that isn’t the same level of support as automatic updates.

Also, I would avoid system76 since none of their laptops receive updates via fwupd despite them marketing themselves as a Linux focussed laptop company. For a while they had their custom firmware updater for updating all device firmware.


So I dug in a bit deeper with my various systems. Turns out I need to download the firmware from the manufacturer’s website and then flash the BIOS into my devices. My laptop daily driver went from HSO-0 to at least an HSI-1 but my gaming machine remains sadly HS:0. Fair enough.

Having an up to date BIOS → sudo fwupdmgr update command–> reboot improved my security. Turns out I was neglecting my hardware/firmware updates and should check the entire computer in my home.

I have a new computer coming from a more enterprise focused brand and it should improve my non-gaming daily driver usage. I now have a proper option to just have a VLAN separated Windows 11 gaming machine with no other activity whatsoever.

For a while they had their custom firmware updater for updating all device firmware.

It still exists, and is FOSS, with official deb binaries and unofficial rpms. It’s on AUR, too. I’ve never had any trouble getting it (at least its CLI) working on any of the distros I’ve tried.

The biggest issue with them is it seems most of their hardware is HSI-0 or 1. Also some devices rely on DKMS (unsupported in Fedora Atomic), and it seems firmware updates are infrequent or rare on many devices.

What about 2015-2020 Intel iMacs? I’d like to extend the life of mine once Apple is done with it in a few years.

Worth nothing that I was particularly interested in installing Fedora Silverblue on it.

While the firmware updater that they use is FOSS, the method they use to update does not even follow the UEFI spec. They use a proprietary tool to flash their firmware.

From the blog post that I linked :

Discussions got stuck when we found out they currently use a nonfree firmware flash tool called afuefi rather than use the UEFI specification called UpdateCapsule.

Just curious how you went with this?

I’ve gone through the thread but did nobody mention buying a regular Windows PC laptop and hardening the Windows install as much as possible and then using a sandbox App to run Linux in???

1 Like