Will PG recommend a laptop?

I noticed PG recommends the Google Pixel phone, but does not recommend laptop hardware. Is there a particular reason there is no recommended laptop? Is that in discussion?

Picking the right laptop has been really confusing and having a PG-recommended solution would do wonders for my short-term mental health.

I’m planning to run Fedora – I was considering Framework but was reading on these forums about security concerns. So maybe I’ll be going with Dell? I’m just not sure how to balance Linux-friendliness with security.

1 Like

That seems outdated because the site does recommend the Pixel phone. Is there a more recent answer? Or any specifics regarding particular laptop brands, especially as they relate to security?

A start would be agreeing on some criteria for laptop or mobile

Please note that, in the linked thread, @dngray was responding to a request for “a section or guide on choosing a desktop or laptop computer,” so the fact that there’s now a separate page for the Google Pixel recommendation does not make dngray’s comment outdated.

Preface: I am not a member of the Privacy Guides team. I’m just a member of this forum.

With that said, considering that the Google Pixel is the only cellphone supported by GrapheneOS, and the main line of phones supported by DivestOS, it makes sense for Privacy Guides to recommend the Pixel lineup.

Very few laptop and desktop operating systems have as strict hardware requirements as GrapheneOS or DivestOS. The only ones that come to mind are macOS and Qubes OS.

In the case of Qubes, it is less that the OS is tied to a specific device, e.g. Pixels and GrapheneOS. Rather, there is a hardware compatibility list and a system requirements page, which should enable an end user to run the OS on a wide range of hardware.

Given that the recommended desktop operating systems are not tied to specific hardware (except maybe Qubes), it makes very little sense to try and establish a general recommended hardware section.

2 Likes

I would suggest Dell because it’s Ubuntu certified. The device I am using is from Dell and came with Ubuntu 18.04 LTS pre-installed when I bought it.

They even had the fingerprint sensor from Goodix working, which I didn’t notice, and I don’t know how to use it on other distros as of now.

Other than that, they are very good for Linux specifically.

Indeed, I do also receive updates from Dell via LVFS.

2 Likes

I think the discrepancy is just due to practicality. In the Android space there is one line of smartphones that stands out from the rest with respect to security. It is also the only line of smartphones supported by PG’s top recommendation for mobile OS. It’s really easy to make that recommendation.

There are just a ton more variables and complications in the desktop/laptop space, and the choice is not so clear-cut or obvious. The work of maintaining recommendations in this space would be much greater (and in my opinion the weight/authority of the recommendation would be much weaker).

3 Likes

Really there aren’t any metrics that make one laptop better than another besides firmware support. We would say aim for the higher HSI levels (ultimate level is HSI4 so Ryzen Pro and vPro), as at least that means you’re getting better security to enforce your privacy. Of course those laptops will cost more as they’re aimed at business and not general consumers. They also tend to be supported for a longer term.

There really is no “private laptop” because there is no “not private” laptop really - at least among common brands.

That’s probably the other thing I would look at if you’re not dual booting or running firmware updates on Windows.

5 Likes

If you are serious about your privacy and security, you can check the Qubes OS certified hardware list: Certified hardware | Qubes OS

For other models, you can look at whatever models are supported by Libreboot or coreboot. However, these are generally much older models, mostly old Dell, HP, and Lenovo ThinkPads.

Brands for newer models typically include Star Labs, Insurgo, Nitrokey, System76, and NovaCustom.

Basically, get whatever supports FOSS and a model that you can customize however much you want. There is nothing necessarily wrong with newer ThinkPads or Dell laptops, but you’re going to be stuck with whatever BIOS/UEFI they come with and Intel ME, if you are using Intel processors. Some of the manufacturers mentioned above, like System76, provide options to disable Intel ME.

surprised it took this many posts in the thread to finally get some ME FUD, but we did it guys!

At least two of those brands are Clevo rebadges for their laptops, which aren’t going to have great security given the poor firmware update cadence.

Qubes is a solution to a particular problem, it doesn’t make sense for every person who wants privacy and security, just try and find discussion about the root of trust for HEADS on their forums without making an account (I know of at least 1 discussion thread they hid behind the login wall, just ask Tommy from PrivSec). What does that say about their hardware security? :wink:

2 Likes

surprised it took this many posts in the thread to finally get some ME FUD, but we did it guys!

It’s not FUD, it’s proprietary tech. Given the number of security vulnerabilities, it’s a cause for concern. With anything proprietary you are trusting the original developer/manufacturer and you have no insights. It begs the question why you would want to use something proprietary over FOSS, especially if you are concerned about privacy and security.

Qubes is a solution to a particular problem, it doesn’t make sense for every person who wants privacy and security, just try and find discussion about the root of trust for HEADS on their forums without making an account (I know of at least 1 discussion thread they hid behind the login wall, just ask Tommy from PrivSec). What does that say about their hardware security? :wink:

Qubes is a specific solution, yes, but they do provide a list of certified hardware. Since OP is looking for information on picking a laptop, they do provide starting points. Maybe not the exact models, but nonetheless the laptops and customization options are preferable over just getting an Asus laptop, especially if you are looking to use Linux, want something hackable, and are going to use FOSS.

2 Likes

Because threat model, which is something even talked about on this very website we’re conversing on :smiley:

From the OP:

i.e., they want a secure platform to run Linux on. Not something hackable, unless @Eazy that is indeed something you want to do and myself and others recommending more secure options have misunderstood your post

1 Like

100% correct. It’s just for normal daily use, but I’m coming from Mac and just want to know how I can best approximate its security. (I went with Fedora specifically because of PG’s recommendations in this regard, which is why I was hoping PG could offer similar advice on hardware.)

This is exactly why I’d love a formal PG recommendation – I’ve heard such conflicting advice, with many saying to go with System76 or Framework and others saying that those lack the security of Dell or HP.

This is exactly the kind of information I’m looking for. With this in mind, what specific laptop/brand would you recommend for a general consumer? Ignoring cost, what makes the most sense if weighing both security and usability? I don’t mind going with something more expensive and geared towards enterprise as long as it doesn’t mean a major loss in usability. (Again, this is why a PG page on laptops would be really useful – I wasn’t aware that business laptops had inherently better security than consumer-focused ones.)

Framework is actually decent now, there’s a post somewhere else in the forums where someone showed they’ve upped their firmware update game and they meet HSI3 too.

But to keep it simple, I’d just go with any Dell or Surface[1] laptop listed on MS’s Secured Core Windows 11 PC list if you want Peak Security™️ or a Framework if you want to save some money and get a cool, upgradable, repairable machine that’s still reasonably secure. All three options should also have great longevity, with MS in particular making a commitment to longer term firmware updates on the newer Surfaces a little while ago, and Framework of course being Framework.

  1. Do note that you will have to specifically get the “Surface for Business” version. Also you get the nasty red banner if you enroll your own keys for secure boot on Fedora (or any other Linux) but you won’t see the boot screen that often so really, who cares

Just to add some additional info for reference: since you mentioned the use of Fedora, you can check the Red Hat hardware list. As another place to visit, it may be worth having a look at the Linux Hardware database to check compatibility.

2 Likes

It’s always hilarious like they pretend that AMD doesn’t have an equivalent. Really just goes to show how damaging sensationalist privacy advocates have been on the topic in the past.

2 Likes

Probably Dell Precision or Latitude, or something in that series. Of course not all of those have vPro, or are Ryzen Pro, same with the Lenovo offerings. One thing to keep in mind about the Framework is you get fewer ports because of the modularity. Personally I prefer to just have all the ports I mostly need rather than swap them about.

2 Likes

Very helpful, thanks! Any idea why none of the Linux-focused brands are on this list? Just too small for Red Hat to take the time to test?

And I still don’t quite understand what makes the Precision/Latitude preferable to the XPS. It seems like I can configure an XPS to have the same specs – what is it that’s fundamentally different about the business lines?

That and probably they may not pass Red Hat’s criteria to be included in the trusted hardware list.

About the XPS question I’m not sure, but there is a difference between the vPro Essential and the vPro Enterprise. Maybe they were advising that if you are aiming for ultimate security to look for vPro Enterprise laptops.

Edit: Sorry, I think I know what they are referring to regarding the business line. Normally the business line receives firmware updates for longer periods to come. Not sure if it is a possibility for you, but Intel will be launching the new Lunar Lake in the next months, which may be worth waiting for if you are looking to get an Intel laptop with better battery.