
Why The Librem 14 with QubesOS Exceeded My Expectations


If you face extreme threats, or even if you are just looking for a high-security operating system for peace of mind, it’s hard to beat QubesOS. While it’s not as easy to use as our default PureOS, it offers a lot of advanced security features that, when combined with the advanced hardware and firmware security features of the Librem 14, make for one of the most secure computers out there.

I have been using QubesOS as my primary OS for many years now, starting with the 3.x release on both my work (Thinkpad X230) and personal (Librem 13v1) computers. Over the last couple years my primary work machine has been a Librem 13v4 running Qubes with 16Gb RAM and solid-state storage. Starting this summer I moved to a Librem 14 for my work computer, our dream laptop that we designed (at least in part) to run Qubes well by adding a fast, 6-core/12-thread CPU and expansion up to 64GB RAM. I’ve been using this laptop constantly over the past few months and I’m convinced that the Librem 14 is the best laptop for Qubes. In this post I wanted to offer a brief retrospective on my experience running Qubes as my primary OS on my Librem 14 compared to past computers.

[...]

I admit I had high expectations for running Qubes on the Librem 14 before I got it. After all, we did design it at least partially with running Qubes in mind. Having now used it for a number of months, I can say that it’s met and exceeded my expectations (and based on some of the feedback I’ve gotten from customers, I’m not the only one). It’s really nice to run Qubes on a machine not only with full hardware support, but also with horsepower to spare. Now that we are almost at shipping parity, and it’s a supported, pre-installed option here at Purism, if you have been curious to try Qubes out, I think the Librem 14 is the ideal platform.


My Recommendations for the Most Secure Librem 14 Configuration

The Librem 14 is our most secure laptop to date. We aim to make the Librem 14 as secure as possible out of the box for the widest range of customers while also taking ease-of-use and overall convenience into account. We also avoid security measures that take control away from you and give it to us. While we think you should trust us, you shouldn’t have to trust us to be secure.

While we always keep the average customer’s security in mind, we also have a number of customers who face more extreme threats and are willing to trade some convenience for extra security. Those customers have sometimes asked me which combination of options would make their Librem 14 order the most secure.

In this post I will provide what I think are the highest security options you can apply to a Librem 14 order, along with some additional steps to take once you receive your Librem 14. Before I get started though, I want to note that even with these recommendations, there are still additional, more extreme steps a person could take. While I’m providing high security recommendations, my goal here is still to strike a reasonable balance between high security and some level of convenience. For those of you facing even more extreme threats with a higher tolerance for inconvenience, treat these recommendations as a baseline to build on.



More in Tux Machines

Flatpak App of the Week: QPrompt – Teleprompter Software for Video Creators

Meet QPrompt (the successor of Imaginary Teleprompter), an open-source teleprompter software for video creators, designed to work across several popular platforms, including Linux and macOS, as well as to be compatible with both mobile and desktops. Written in C++ and QML, QPrompt leverages the Qt and Kirigami frameworks to provide users with a fast, easy to use and flexible GUI with a jitter free experience, which works with cellphones, webcams, tablet teleprompters, and PC-based studio teleprompters.


today's leftovers

  • Fedora Server 36 Could Make It Easier To Manage NFS & Samba File Sharing - Phoronix

    Red Hat with the Fedora community have been working for years now to make Cockpit very capable for a web-based interface for administering Linux servers. In addition to this year working on shifting their Anaconda installer to a web-based interface that makes use of Cockpit, from this web management portal they are wanting to make it easier to set up file sharing with NFS and Samba. A Fedora 36 change proposal has been submitted to ship a new Cockpit module to make file sharing with Samba and NFS easier. This new module would provide a graphical web interface for provisioning and maintenance of NFS and Samba shares that can complement the existing command-line based controls for NFS and Samba servers.

  • Emma Kidney: Fedora IoT Web Page - Initial Ideas

    Just an update on what I've been working on :) Click through to see my process and progress starting to create a web page mock-up for Fedora IoT as part of the Fedora Website Revamp! As part of the Fedora Website Revamp, I got tasked with creating a mock-up of the Fedora IoT web page. I reference the Fedora IoT logo a lot here. I was unable to locate high quality SVGs, so I just made some quick vectors as placeholders.

  • I'm Thinking About You Right Now!

    My sole role at Debian alongside my teammate, aided by our mentors, is to facilitate the Node.js 16 and Webpack 5 Transitioning. What exactly does that mean? Node.js 16, as of the time of this writing, is the active LTS release from the Node.js developers while Webpack 5 is also the current release from the Webpack developers. At Debian we have to work towards supporting these packages. Debian as an OS comes with a package manager coined Advanced Package Tool or simply APT on which command-line programs specific to Debian and its many-flavored distributions, apt, apt-get, apt-cache are based. This means before the conception of yarn and npm, the typical JavaScript developer's package managers, apt has been. Debian unlike yarn and npm, ideally only supports one version of a software at any point in time and on edge cases may have to support an extra one as noted in this chat between my mentor and a member.

  • Running OpenWRT x86 in qemu

    Sometimes it's nice for testing purposes to have the OpenWRT userland available locally. Since there is an x86 build available one can just run it within qemu.

  • Tiger Lake-U system offers 2.5GbE and dual GbE with PoE

    Arbor’s fanless, rugged “ARES-1980” runs Ubuntu or Win 10 on Intel’s 11th Gen U-series CPUs with up to 64GB DDR4, 2.5-inch SATA, triple display support, 2.5GbE, 2x GbE with PoE, 4x USB 3.2 Gen2, 4x serial, DIO, 2x M.2, and mini-PCIe. Arbor has launched a rugged, 210 x 180 x 60mm ARES-1980 embedded PC designed for industrial and in-vehicle applications. The system, which follows earlier ARES-branded Arbor computers such as the Apollo Lake based ARES-5310, runs Ubuntu 20.04 or Windows 10 IoT on Intel’s 11th Gen Tiger Lake-U processors.

  • Google Open Source Programs Office: The business impact of open source

    Amanda Casari is an open source scientist with the Google Open Source Programs Office where she leads Google’s research and engineering work with Project OCEAN. Open source programs offices (OSPOs) are established in organizations as a means to centralize policies, strategies, and guidance, and to ensure common practices across complex teams working on open source projects. Amanda offers some structure for any organization working with open source that is considering starting an OSPO of their own.

  • Mozilla Privacy Blog: European Parliament green-lights crucial new rulebook for Big Tech

    Today the European Parliament adopted its report on the draft Digital Services Act, the EU’s flagship proposal to improve internet health. Today’s vote is a crucial procedural step on the road to bringing the draft rules to reality, and we commend Members of Parliament for their efforts.

  • LibreOffice developer community - LibreOffice Development Blog

    Do you want to contribute to the LibreOffice development, but you don’t know enough about the LibreOffice code internals? Do you want to enhance the application or fix a bug in LibreOffice, but you don’t know how to do that? LibreOffice developer community can help you not only at the beginning, but by helping you focus on the right aspect of the code. Reviewers will review your code that eventually will be part of the LibreOffice code!

  • Louis-Philippe Véronneau - Montreal Subway Foot Traffic Data, 2021 edition

    For the third time now, I've asked Société de Transport de Montréal, Montreal's transit agency, for the foot traffic data of Montreal's subway. I think this has become an annual thing now :)

  • Google sours on G Suite freeloaders, demands fee or flee • The Register

    Google has served eviction notices to its legacy G Suite squatters: the free service will no longer be available in four months and existing users can either pay for a Google Workspace subscription or export their data and take their not particularly valuable businesses elsewhere. "If you have the G Suite legacy free edition, you need to upgrade to a paid Google Workspace subscription to keep your services," the company said in a recently revised support document. "The G Suite legacy free edition will no longer be available starting May 1, 2022."

  • On DEI Research: Why the Linux Foundation? Why now? [Ed: Linux Foundation may struggle to justify its very own existence]

    The open source community is working on many simultaneous challenges, not the least of which is addressing vulnerabilities in the core of our projects, securing the software supply chain, and protecting it from threat actors. At the same time, community health is equally as important as the security and vitality of software code. We need to retain talented people to work on complex problems. While we work urgently on implementing security best practices such as increasing SBOM adoption to avoid another Log4J scenario, we can’t put the health of our communities on the open source back burner, either. Our communities are ultimately made up of people who contribute, have wants and needs, and have feelings and aspirations. So while having actionable data and metrics on the technical aspects of open source projects is key to understanding how they evolve and mature, the human experience within project communities also requires close examination.

  • A Desktop Environment For The Web Browser?!?! - Invidious

    Have you ever wanted to do everything inside of the web browser? Well, imagine if you have an entire desktop environment inside of your web browser. Well, that's daedalOS.

  • Linux Action News 224

    We explain SUSE Liberty Linux and contemplate why the community seems to be selecting distributions with newer kernels.

  • Building A Silent Linux Desktop For 2022 With The Streacom DB4 Review - Phoronix

    The long time Phoronix reader, with an excellent long-term memory, may remember an odd article from back in August 2017 on buying a passively cooled computer. It tells the tale of the consumer who decided to buy a rather niche, fanless, therefore passively cooled computer. Well, that has been my computer for four and a half years. Even though the i7-7700T the article portrayed has served me well, it did start to show age a little. Especially as of late, it will sometimes spontaneously reboot. It does so very rarely, without prior warning and seemingly unprovoked. It's a bit of a nuisance. While I wrote that article in 2017 I had also come to learn of the existence of the Streacom DB4. The DB4, of all computer cases that allow for their innards to be passively cooled, has since always been the proverbial unattainable love to me: Stunning, exciting, exclusive and she knows it.

Kernel and Graphics: AMD, Zink, and Openwashing of GPUs

  • AMD Preps for Zen 4: Different Types of Cores Now Supported in Linux | Tom's Hardware

    Perhaps, a more intriguing innovation is a new Scalable Machine Check Architecture (SMCA) of some future AMD platforms that could use different types of SMCA and therefore cores. "Future AMD systems will have different bank type layouts between logical CPUs," wrote Yazen Ghannam, an AMD engineer. "So having a single system-wide cache of the layout won't be correct. […] Patch 1 adds new bank types and error descriptions used in future AMD systems. Patch 2 adjusts how SMCA bank information is cached." So far, AMD has not announced a single hybrid processor that integrates different types of cores, though the company has never completely excluded such a possibility. Since AMD will have Zen 4 and Zen 4C cores next year, perhaps this is the time when the company might consider a CPU with both big and smaller cores. Alternatively, a new SMCA may indicate that Zen 4C will have a different machine check architecture than other Zen cores, which is why AMD needs to implement its support into Linux.

  • Zink 4ever

    After weeks of hunting for the latest rumors of jekstrand’s future job prospects, I’ve finally done it: zink now supports more extensions than any other OpenGL driver in Mesa. That’s right. Check it on mesamatrix if you don’t believe me. A couple days ago I merged support for the external memory extensions that I’d been putting off, and today we got sparse textures thanks to Qiang Yu at AMD doing 99% of the work to plumb the extensions through the rest of Mesa. There’s even another sparse texture extension, which I’ve already landed all the support for in zink, that should be enabled for the upcoming release.

  • Zink OpenGL-on-Vulkan Now Offers Broader OpenGL Coverage Than RadeonSI, Intel - Phoronix

    When it comes to OpenGL extension support, the Zink generic OpenGL-on-Vulkan implementation now has as robust coverage as core Mesa offers and what is implemented by the LLVMpipe software driver, RadeonSI Gallium3D, and the Intel i965 drivers. Zink has already offered OpenGL 4.6 support but now after recently adding some additional extensions that aren't mandated by version 4.6, it is now on-par with the other drivers for the raw number of extensions exposed and exceeds the other drivers for non-core extensions. Zink along with core Mesa / LLVMpipe / RadeonSI / i965 are at 160 extensions exposed while being the set of open-source drivers supporting OpenGL 4.6.

  • Radeon AOMP 14.0-1 Released Along With New GPUOpen Tool Updates - Phoronix

    A handful of new AMD Radeon open-source GPU software releases were made today for developers. First up, AOMP 14.0-1 is out. AOMP is AMD's downstream of LLVM/Clang targeting OpenMP offloading for Radeon GPUs. AOMP is one of several downstreams maintained at AMD and this one is all about carrying the latest Radeon OpenMP GPU offloading work until it is all upstreamed -- or in other cases, patches that are experimental or not applicable for upstreaming.