What's the safest and still useful laptop hardware you can think of? Let's compare it with a Pixel.
- dedicated, certified security coprocessor (Titan M2): on Pixel it's fused with verified boot and offers key storage, firmware isolation and anti-rollback.
- verified boot: mandatory and backed by Titan, immutable boot ROM. Almost all laptops lack as much as anti-rollback.
- strong hardware-backed key protection and an actually isolated TEE. Yes, I know about Intel (SGX/TDX) and AMD (SEV/SME). Broken into many times over. How many commodity hardware devices offer comprehensive protections like a Titan-backed TEE?
- secure hardware-backed disk encryption key derivation (with throttling, of course)
- on-device attestation: complete verification of the entire chain. The dreaded Play Integrity, or open AOSP / GrapheneOS hardware attestation. Which PC vendors can offer that? Perhaps Apple, but that's not a PC and you won't run Qubes on it.
- physical anti-tamper: which laptops wipe the encryption keys stored in the secure hardware when you try to unlock the bootloader?
- physical memory tagging (see ARM MTE). Apple offers some, but again, that's not for Qubes. Intel promises MKTME in the future.
- does your laptop disable all the unconnected ports while the laptop is locked? Does your PIN/password verification happen inside the TEE/TPM, not in the OS?
- modes similar to PXN/SMEP and SMAP/PAN (to stop that pesky Wi-Fi/GPU firmware from reading userspace memory). There's some support for SMEP and SMAP on Intel/AMD.
- microcode and firmware upgrade velocity
There are reasons GOS doesn't support any hardware other than Pixels. Regrettably and thankfully, that is about to change soon <3
Don't read me wrong, Qubes is brilliant, and on SOME hardware (business-grade laptops with TPM 2.0, a verified firmware upgrade process with some protections, and a proven track record of rapid hardware driver and firmware upgrades), sure, a brilliant choice. For PCs.
But it is not even remotely close security-wise.
Best available would probably be a Purism Librem (lacking a TPM if I read it correctly, weak hardware, but oh well, the Pixel is not super fast either lol), or something with coreboot perhaps?
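Added example, not part of the post above and not GrapheneOS or Qubes code: a small POSIX sh audit that answers the laptop-side questions in the list for a Linux host, i.e. whether the CPU advertises SMEP/SMAP (plus UMIP), whether UEFI Secure Boot is enabled, whether a TPM 2.0 is present, and which entries under the kernel's vulnerabilities directory still report "Vulnerable" (the practical proxy for microcode/firmware update velocity). The sysfs/procfs paths are the standard Linux ones; the sample inputs fed to the helper functions at the bottom are constructed so the script also runs where those files are absent.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a Linux host with the
# standard /proc/cpuinfo, /sys/firmware/efi/efivars and /sys/class/tpm layout.

# missing_cpu_flags "<flags line>": given the space-separated flag list from the
# /proc/cpuinfo "flags" line, print the kernel/user separation features that are
# absent (space-separated, empty when all are present).
missing_cpu_flags() {
    flags=" $1 "
    missing=""
    for want in smep smap umip; do
        case "$flags" in
            *" $want "*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# secureboot_state "<hex bytes>": the SecureBoot-* efivar file is 4 attribute
# bytes followed by one data byte (01 = enabled, 00 = disabled).
secureboot_state() {
    case "$1" in
        ????????01) echo enabled ;;
        ????????00) echo disabled ;;
        *) echo unknown ;;
    esac
}

# tpm_version "<contents of tpm_version_major>": maps the sysfs value to a label.
tpm_version() {
    case "$1" in
        2)  echo "TPM 2.0" ;;
        1)  echo "TPM 1.2" ;;
        "") echo "no TPM" ;;
        *)  echo "unknown" ;;
    esac
}

# vulnerable_mitigations DIR: names of files under DIR (normally
# /sys/devices/system/cpu/vulnerabilities) whose status starts with "Vulnerable".
vulnerable_mitigations() {
    out=""
    for f in "$1"/*; do
        [ -r "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) out="${out:+$out }$(basename "$f")" ;;
        esac
    done
    printf '%s\n' "$out"
}

# audit_host: run the checks against the live machine, skipping absent files.
audit_host() {
    if [ -r /proc/cpuinfo ]; then
        flags=$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2)
        m=$(missing_cpu_flags "$flags")
        if [ -z "$m" ]; then echo "cpu: smep/smap/umip present"
        else echo "cpu: missing: $m"; fi
    fi
    sb=$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n1)
    if [ -n "$sb" ]; then
        echo "secure boot: $(secureboot_state "$(od -An -tx1 -v "$sb" | tr -d ' \n')")"
    else
        echo "secure boot: no SecureBoot efivar (legacy BIOS or efivarfs not mounted)"
    fi
    if [ -r /sys/class/tpm/tpm0/tpm_version_major ]; then
        echo "tpm: $(tpm_version "$(cat /sys/class/tpm/tpm0/tpm_version_major)")"
    else
        echo "tpm: $(tpm_version "")"
    fi
    v=$(vulnerable_mitigations /sys/devices/system/cpu/vulnerabilities)
    echo "still vulnerable: ${v:-none}"
}

# Constructed sample inputs (not real machine data) followed by the live audit.
echo "sample flags 'fpu vme smep' -> missing: $(missing_cpu_flags 'fpu vme smep')"
echo "sample efivar 0600000001 -> secure boot $(secureboot_state 0600000001)"
audit_host
```

Run it as a normal user; the efivar and sysfs files are world-readable on stock kernels, and the helper functions are kept pure (string in, string out) so the same script can be pointed at captured data from another machine.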