Free BIOS/Hardware That Support All Your Needs

:gem: For the Big list you can find it here: (Certified from FSF as RYF)

https://www.fsf.org/resources/hw/endorsement/respects-your-freedom

:gem: Desktop/Workstation which support Qubes OS needs with coreboot BIOS (if you choose libreboot for Qubes then read below)

https://store.vikings.net/image/cache/catalog/Lian-Li-PC-A76X-200x200.png

:eight_spoked_asterisk:Notes:

:one: Choosing Libreboot will not work with Qubes for its full needs, as Libreboot doesn't support VT-d, doesn't include microcode updates (in case you didn't choose the 6200 Opterons), it doesn't fully support HVM or OMEMO, it doesn't support TPM nor FLAT.

:two: The KGPE-D16 with coreboot/libreboot will run perfectly fine without microcode updates on the 6200 Opterons. 6300 Opterons require microcode updates (otherwise the machine will be unstable, especially when using the hardware virtualization features). 6100 Opterons don't support IOMMU and it's recommended to avoid them.

:gem: Worth Mentioning (not Certified), Raptor Computing Systems

https://www.raptorcs.com/

Raptor Talos 2s are great if you're using KVM or Vbox, but according to Google Groups (this user is sort of a libre hardware guru) "Power" is not supported by Xen, so Qubes OS is not supported.

https://groups.google.com/forum/#!msg/qubes-users/A_lT0hGCYGs/cotGa8nGBQAJ

However, this seems to contradict that?

https://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/6/897/ENUS218-026/index.html

Software requirements

5765-HMB (Power® based)

  • PowerVM

5765-HMW (x86 based)

  • KVM 2.5.0 on Ubuntu 16.04 LTS or Red Hat Enterprise Linux® 7
  • Xen on SUSE Linux Enterprise Server 12 or Ubuntu 16.04
  • VMware ESXi 6.0, or later


Did not check myself. If anything is good, would be good to add here:


I sent 2 emails to their support email, but sadly didn't get a response.


Why Libreboot BIOS can't fit Qubes needs out of the box:

I have spoken to Leah Rowe (the developer of Libreboot) through email and he answered:

Does your hardware support Qubes security check list?
Hardware compatibility list (HCL) | Qubes OS

HVM: yes, but only with microcode updates which are non-free.
libreboot doesn't include them, but I can flash a coreboot ROM (latest
coreboot) with microcode. the microcode would be the only non-free
software.

what is microcode? answer: the CPU instruction set is implemented by
software that reconfigures the logic gates inside the CPU. the gates
are designed to be configurable, unlike some other CPU architectures
(e.g. ARM) where it's hardcoded in the circuitry

microcode is the most common way to implement an ISA because it allows
flexibility and also permits mistakes to be corrected: these
corrections are provided via updates.

the microcode built into the CPU is read-only. the "updates" are
applied at each boot, and have to be re-applied again on each
subsequent boot.

when libreboot is installed, there is no microcode update applied by
default due to the fact that libreboot's goal is to be 100% free
software. however, the coreboot project does distribute them. NOTE: if
you choose to have microcode, the laptop that you receive will not be
RYF-endorsed anymore, but it'll still be otherwise free software

IOMMU: partial. GPU is not fully isolated

SLAT: no

TPM: no (hardware supports it, but it's not supported in libreboot)

Qubes should boot, but it would have to be modified to do so.

I see, that's sad it doesn't support it out of the box.
When do you think libreboot will fully support Qubes needs?
(TPM, IOMMU… etc). (Of course the exception would be HVM since it needs non-free software)

well never. libreboot can't support qubes on x200/t400, due to
unstable virtualization without microcode updates

if you want something that works well with qubes and is libreboot, get a workstation with the asus kgpe-d16 board and a 16-core (or 2 16-core!) opteron CPUs in it. it's plenty fast, supports huge amounts of RAM and supports everything that qubes requires.

opteron 62xx series is stable without microcode updates. avoid older ones and avoid 63xx series
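
An added example, not part of any post in this thread: a POSIX shell check for the four Qubes items discussed above (HVM, SLAT, IOMMU, TPM), plus the Opteron series advice given in the posts above. It assumes a plain Linux live system (under Xen dom0 the virtualization CPU flags are hidden); the function names and NOTE strings are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# has_flag CPUINFO FLAG -> status 0 if FLAG is a whole word in the "flags" line
has_flag() {
    flags=$(grep -m1 '^flags' "$1" | cut -d: -f2)
    case " $(echo $flags) " in *" $2 "*) return 0 ;; esac
    return 1
}

# opteron_series CPUINFO -> prints 61xx, 62xx or 63xx, else "other"
opteron_series() {
    model=$(sed -n 's/^model name[[:space:]]*:.*Opteron.*Processor \(6[123]\)[0-9][0-9].*/\1/p' "$1" | head -n1)
    if [ -n "$model" ]; then echo "${model}xx"; else echo other; fi
}

# qubes_check CPUINFO SYSFS_ROOT -> prints one ITEM=yes|no line per item
qubes_check() {
    cpuinfo=$1; sys=$2
    hvm=no; slat=no; iommu=no; tpm=no
    # vmx = Intel VT-x, svm = AMD-V
    if has_flag "$cpuinfo" vmx || has_flag "$cpuinfo" svm; then hvm=yes; fi
    # ept = Intel Extended Page Tables, npt = AMD nested paging (RVI)
    if has_flag "$cpuinfo" ept || has_flag "$cpuinfo" npt; then slat=yes; fi
    # The kernel lists active IOMMU units (dmar*, ivhd*) under class/iommu.
    if [ -n "$(ls -A "$sys/class/iommu" 2>/dev/null)" ]; then iommu=yes; fi
    # A TPM the kernel has a driver for shows up as class/tpm/tpm0.
    if [ -e "$sys/class/tpm/tpm0" ]; then tpm=yes; fi
    echo "HVM=$hvm"; echo "SLAT=$slat"; echo "IOMMU=$iommu"; echo "TPM=$tpm"
    # Series advice as stated in the thread, not measured here.
    case $(opteron_series "$cpuinfo") in
        61xx) echo "NOTE=61xx: no IOMMU, avoid" ;;
        62xx) echo "NOTE=62xx: stable without microcode updates" ;;
        63xx) echo "NOTE=63xx: needs microcode updates" ;;
    esac
}

# On a live system: qubes_check /proc/cpuinfo /sys
```

IOMMU=no can also mean the unit exists but is disabled in firmware or on the kernel command line, so check the firmware setup before ruling a board out.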

I'm communicating with libreboot and vikings regarding 2 points:

  • libreboot products insecure due to the fact it's missing
    interrupt remapping?

The research study regarding interrupt remapping:

  • the Thinkpad X200 and X60 laptop series. Users utilizing
    coreboot/libreboot with Intel CPUs are not necessarily safe, since the
    Firmware Support Package (FSP) can still potentially modify things in a
    malicious manner.

mentioned in our Wiki:


Leah Rowe answered:

  • is that true libreboot products insecure due to the fact it's missing
    interrupt remapping?

The research study regarding interrupt remapping:

https://invisiblethingslab.com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf

This is false. You have to consider the fact that the firmware is all free. This makes it inherently more secure because you know for a fact that there are no backdoors, unlike most proprietary firmware.

Also, Vt-d is supported in coreboot.

  • the Thinkpad X200 and X60 laptop series. Users utilizing
    coreboot/libreboot with Intel CPUs are not necessarily safe, since the
    Firmware Support Package (FSP) can still potentially modify things in a malicious manner.

FSP is not present on these laptops. Where did you hear this?

There's obviously some misinformation going around.

I would like to add to the list our Librebox (https://libretrend.com) running Coreboot. The Librebox comes with a TPM (v2) and we are working to integrate QubesOS as soon as possible.

I'll be happy to help in anything.

Not really, I think you missed the topic name. I said Free not Open Source.

Also libretrend, with all due respect, is insecure with the same cause of purism = they neutralize Intel ME and that doesn't mitigate the security issue.

I have 2 good news for you:

  • If your hardware can work as well with Libreboot, then I can list it up (same as the case with d8 or d16).
  • If your hardware supports Qubes OS needs then I can list it in our wiki (even with just coreboot support, but it will be treated the same as the purism case). Also provide the readings of the hcl report:

how to generate it:

Thank You!

Raptor Engineering finally answered me about Qubes Support:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Apologies for the delay in response; we overlooked your message when it came in. While Qubes does not support our hardware (they are looking for funding to do so) the hardware itself is quite capable and far more secure than equivalent x86 machines. Please see responses below…

On 12/06/2018 04:41 AM, bo0od wrote:

Hi There,

I'm from Whonix Anonymous staff and I saw your products and I really
liked it!

so my questions are:

  • Does your hardware/BIOS features support Qubes needs?
  • HVM: Intel VT-x or AMD-v technology (required for running HVM domains,
    such as Windows-based AppVMs)

POWER provides full hardware virtualization extensions including support
for nested VMs (in IBM lingo, these are "LPAR"s). Please see the POWER
ISA [1] Chapter 2 for more details, along with the LPAR sections in the
POWER9 User Manual [2]. Note that Linux and QEMU have full accelerated
KVM support for these features including PCIe passthrough.

  • IOMMU: Intel VT-d or AMD IOMMU technology (required for effective
    isolation of network VMs and PCI passthrough)

See above. The POWER9 architecture is actually more secure than x86 in
that each PCIe slot uses its own endpoint (PEC), so it is safe by
default (no traffic allowed until IOMMU is properly configured,
peripherals will fault out with EEH on invalid DMA).

  • SLAT: Second Level Address Translation (SLAT): Intel VT-x support for
    Extended Page Tables (EPT) or AMD-V support for Rapid Virtualization
    Indexing (RVI).

This feature seems to be a bit of an x86 implementation peculiarity.
IBM offers similar features (nested VMs) via a different mechanism [3].

  • TPM: TPM with proper BIOS support (required for Anti Evil Maid)

We have this and an owner controlled secure boot. Furthermore Raptor
has been on the forefront of trustworthy security technology (note this
is different than "Trusted Computing" or whatever euphemism Palladium
goes by these days) with our FlexVer technology [4][5]. That technology
is actually in use on our public cloud offering (IntegriCloud) and we
are actively seeking interest / funding to release it as a standalone
product for the POWER systems.

If you have any further questions please feel free to ask!

  • x64 OS architecture

Hardware compatibility list (HCL) | Qubes OS

Thx!

[1] https://wiki.raptorcs.com/w/images/c/cb/PowerISA_public.v3.0B.pdf

[2]
https://wiki.raptorcs.com/w/images/8/89/POWER9_um_OpenPOWER_v20GA_09APR2018_pub.pdf

[3]
https://wiki.raptorcs.com/w/images/0/08/Taking-it-to-the-Nest-Level-Nested-KVM-on-the-POWER9-Processor-Suraj-Jitindar-Singh-IBM.pdf

[4] https://www.raptorengineering.com/TALOS/documentation/flexver_intro.pdf

[5]
https://www.raptorengineering.com/TALOS/documentation/integrimon_intro.pdf


Raptor Engineering Sales
Phone: +1 (512) 690-0200
https://www.raptorengineering.com

Follow us on Twitter:
https://twitter.com/RaptorEng

Follow us on GNU Social:
https://social.raptorengineering.io/raptoreng


Correction: IOMMU not OMEMO, SLAT not FLAT


I have communicated with their support and asked them if they have blobs or DRM on their products they responded:

Hi there.

Yes, we do not have blobs or DRM. We hate them as much as you do.

We expect to receive our certification from FSF shortly.

Best regards.

So hope the company to join efforts and provide RYF hardware, we need this for the future.

Update: talos/mini talos now certified as RYF hardware:

https://www.fsf.org/news/talos-ii-mainboard-and-talos-ii-lite-mainboard-now-fsf-certified-to-respect-your-freedom

https://www.reddit.com/r/linux/comments/8ioutt/purisms_intel_fsp_reverse_engineering_info_was/


In the future, even your RAM will have firmware; and the subject of POWER10 blobs


That makes POWER another face for the same coin of intel/amd/arm…

Wonder what OpenPOWER means if there are blobs same as the rest… firmware for RAMs?!

@JeremyRand aware of this?

Sorry I missed your ping. Yes, everyone in the Talos community is aware of the POWER10 blob situation. My understanding is that Raptor has not given up on OpenPOWER (and they are working behind the scenes to try to improve the situation), but for the moment, the best advice for consumers is to stick with POWER9, which is unaffected by the blobs and is not going away anytime soon.


The most recent/useful public statement about POWER10 from Raptor that I'm aware of is in this interview with Peter Czanik. As a side note @nurmagoz, the article that @Patrick linked to is by Hugo Landau, who is one of my colleagues at Namecoin – so I'm pretty well aware of the articles he publishes. :slight_smile:
