Re: [qubes-users] The NovaCustom NV41 Series laptop is Qubes-certified!

[no name]

A safer idea from my point of view was presented here: Random Mosaic – 
Detecting unauthorized physical access with beans, lentils and colored rice 


On Wednesday, May 3, 2023 at 8:07:24 PM UTC+2 Leo28C wrote:

> On Wed, May 3, 2023 at 5:12 AM Andrew David Wong  
> wrote:
>
>> nor can we control whether physical hardware is modified (whether 
>> maliciously or otherwise) *en route* to the user.
>>
>
> Actually you could:
>
> 1) Laminate product with `warranty void if removed` stickers of various 
> brands and types
> 2) Send PGP-signed high-res photo of sticker placement to buyer before 
> shipping
> 3) Buyer receives product and compares sticker placement to the photo to 
> verify integrity
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5f1acc7b-2683-4ab7-a3fa-9850dbebbac8n%40googlegroups.com.

Re: [qubes-users] The NovaCustom NV41 Series laptop is Qubes-certified!

[Franz]

Many thanks, but for what I know the last Intel  CPUs that allowed to
partially disable Intel ME using Coreboot were Ivy Bridge and Sandy Bridge.

So, what I understood is that the few corebooted computers using these old
CPUs and some AMD Opteron are the safest.

Is there any reason why this new Nova Custom NV41 may reach the same level
of control over Intel ME or perhaps perform even greater security?
Best
Franz

On Tue, Jun 27, 2023 at 6:47 AM Nova Custom (NovaCustom) <
snaaksyst...@gmail.com> wrote:

> Hi!
>
> Thank you for proposing this. It's a very good idea and we are working on
> this!
>
> On Wednesday, May 3, 2023 at 8:07:24 PM UTC+2 Leo28C wrote:
>
>> On Wed, May 3, 2023 at 5:12 AM Andrew David Wong 
>> wrote:
>>
>>> nor can we control whether physical hardware is modified (whether
>>> maliciously or otherwise) *en route* to the user.
>>>
>>
>> Actually you could:
>>
>> 1) Laminate product with `warranty void if removed` stickers of various
>> brands and types
>> 2) Send PGP-signed high-res photo of sticker placement to buyer before
>> shipping
>> 3) Buyer receives product and compares sticker placement to the photo to
>> verify integrity
>>
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/b97c5f74-cd2e-484a-a845-30463a2a7982n%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAPzH-qArUwzSJ7yjmPxwWmJn7B1VE6UVPsY85NtGFo%3Df7UsC8g%40mail.gmail.com.

Re: [qubes-users] The NovaCustom NV41 Series laptop is Qubes-certified!

[Nova Custom (NovaCustom)]

Hi!

Thank you for proposing this. It's a very good idea and we are working on 
this!

On Wednesday, May 3, 2023 at 8:07:24 PM UTC+2 Leo28C wrote:

> On Wed, May 3, 2023 at 5:12 AM Andrew David Wong  
> wrote:
>
>> nor can we control whether physical hardware is modified (whether 
>> maliciously or otherwise) *en route* to the user.
>>
>
> Actually you could:
>
> 1) Laminate product with `warranty void if removed` stickers of various 
> brands and types
> 2) Send PGP-signed high-res photo of sticker placement to buyer before 
> shipping
> 3) Buyer receives product and compares sticker placement to the photo to 
> verify integrity
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b97c5f74-cd2e-484a-a845-30463a2a7982n%40googlegroups.com.

Re: [qubes-users] The NovaCustom NV41 Series laptop is Qubes-certified!

[Qubes]

Leo28C wrote:
On Wed, May 3, 2023 at 5:12 AM Andrew David Wong > wrote:


nor can we control whether physical hardware is modified (whether
maliciously or otherwise) *en route* to the user.


Actually you could:

1) Laminate product with `warranty void if removed` stickers of various 
brands and types
2) Send PGP-signed high-res photo of sticker placement to buyer before 
shipping
3) Buyer receives product and compares sticker placement to the photo to 
verify integrity



This is a great idea, you should contact Nova and propose it to them.

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c28ae291-97e6-a918-68de-e6e7f6dc5e44%40ak47.co.za.

Re: [qubes-users] The NovaCustom NV41 Series laptop is Qubes-certified!

[Andrew David Wong]

On 5/3/23 8:30 AM, Leo28C wrote:
> On Wed, May 3, 2023 at 5:12 AM Andrew David Wong  wrote:
> 
>> nor can we control whether physical hardware is modified (whether
>> maliciously or otherwise) *en route* to the user.
>>
> 
> Actually you could:
> 
> 1) Laminate product with `warranty void if removed` stickers of various
> brands and types
> 2) Send PGP-signed high-res photo of sticker placement to buyer before
> shipping
> 3) Buyer receives product and compares sticker placement to the photo to
> verify integrity
> 

We (the Qubes OS Project) can't do that, because we never take possession of 
inventory. When you purchase a Qubes-certified computer from a vendor, you are 
purchasing directly from that vendor.

However, you could offer your suggestion to the vendors who sell 
Qubes-certified hardware.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b69230c2-621f-6650-f104-4f2e1fe242dd%40qubes-os.org.

Re: [qubes-users] The NovaCustom NV41 Series laptop is Qubes-certified!

[Leo28C]

On Wed, May 3, 2023 at 5:12 AM Andrew David Wong  wrote:

> nor can we control whether physical hardware is modified (whether
> maliciously or otherwise) *en route* to the user.
>

Actually you could:

1) Laminate product with `warranty void if removed` stickers of various
brands and types
2) Send PGP-signed high-res photo of sticker placement to buyer before
shipping
3) Buyer receives product and compares sticker placement to the photo to
verify integrity

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAALhvVYsei7LV4qJyoyQDYpvvrxfLbi65iDBo0U7nh6%3Dq0PmGw%40mail.gmail.com.

[qubes-users] The NovaCustom NV41 Series laptop is Qubes-certified!

[Andrew David Wong]

Dear Qubes Community,

It is our pleasure to announce that the [NovaCustom NV41 
Series](https://configurelaptop.eu/nv41-series/) laptop has become the fifth 
[Qubes-certified computer](https://www.qubes-os.org/doc/certified-hardware/) 
for Qubes 4.X!

## About the NovaCustom NV41 Series

The [NV41 Series](https://configurelaptop.eu/nv41-series/) is a 14-inch laptop 
from [NovaCustom](https://configurelaptop.eu/), a European vendor known for 
their highly customizable, Linux-friendly laptops. This 12th Generation Intel 
Core (Alder Lake) laptop comes with Dasharo coreboot open-source firmware, 
USB-C charging, the latest Intel Xe graphics, and up to 64 GB of memory.

## Qubes-certified configurations

The following configuration options are certified for Qubes OS 4.X:

Processor:
- Intel Core i5-1240P processor
- Intel Core i7-1260P processor

Memory (Dual Channel):
- 2 x 16 GB Kingston DDR4 SODIMM 3200 MHz (32 GB total)
- 1 x 32 GB Kingston DDR4 SODIMM 3200 MHz (32 GB total)
- 2 x 32 GB Kingston DDR4 SODIMM 3200 MHz (64 GB total)

M.2 storage chip:
- Samsung 980 SSD (all capacities)
- Samsung 980 Pro SSD (all capacities)

Wi-Fi and Bluetooth:
- Intel AX-200/201 Wi-Fi module 2976 Mbps, 802.11ax/Wi-Fi 6 + Bluetooth 5.2
- Killer (Intel) Wireless-AX 1675x M.2 Wi-Fi module 802.11ax/Wi-Fi 6E + 
Bluetooth 5.3
- Blob-free: Qualcomm Atheros QCNFA222 Wi-Fi 802.11a/b/g/n + Bluetooth 4.0
- No Wi-Fi/Bluetooth chip

### Notes on Wi-Fi and Bluetooth options

- When viewed in a Linux environment with `lspci`, the "Killer (Intel) 
Wireless-AX 1675x M.2 Wi-Fi module 802.11ax/Wi-Fi 6E + Bluetooth 5.3" device 
displays the model number "AX210." However, according to its [Intel Ark 
entry](https://ark.intel.com/content/www/us/en/ark/products/211485/intel-killer-wifi-6e-ax1675-xw.html)
 (in the "Product Brief" file), they are actually the same Wi-Fi module.

- Similarly, when viewed in a Linux environment with `lspci`, the "Blob-free: 
Qualcomm Atheros QCNFA222 Wi-Fi 802.11a/b/g/n + Bluetooth 4.0" device displays 
the model number "AR9462," which seems to be just the Wi-Fi chip model number, 
whereas "QCNFA222" seems to be the model number of the whole device (which 
include Bluetooth). Meanwhile, the Bluetooth device presents itself as "IMC 
Networks Device 3487."

- The term "blob-free" is used in different ways. In practice, being 
"blob-free" generally does *not* mean that the device does not use any 
closed-source firmware "blobs." Rather, it means that the device comes with 
firmware *preinstalled* so that it does not have to be loaded from the 
operating system. In theory, the preinstalled firmware could be open-source, 
but as far as we know, that is not the case with this particular Atheros 
Wi-Fi/Bluetooth module. (Qualcomm has published firmware source code in the 
past, but only for other device models, as far as we are aware.) Meanwhile, the 
Free Software Foundation (FSF) 
[considers](https://www.gnu.org/philosophy/free-hardware-designs.en.html#boundary)
 unmodifiable preinstalled firmware to be part of the hardware, hence they 
regard such hardware as "blob-free" from a software perspective. While common 
usage of the term "blob-free" often follows the FSF's interpretation, it is 
worthwhile for Qubes users who are concerned about closed-source firmware to 
understand the nuance.

## Special note regarding the need for `kernel-latest`

Beginning with Qubes OS 4.1.2, the Qubes installer includes the `kernel-latest` 
package and allows users to select this kernel option from the GRUB menu when 
booting the installer. At the time of this announcement, `kernel-latest` is 
*required* for the NovaCustom NV41 Series to function properly. Therefore, all 
potential purchasers and users of this model should be aware that they will 
have to select a non-default option (`Install Qubes OS RX using kernel-latest`) 
from the GRUB menu when booting the installer. However, since Linux 6.1 has 
officially been promoted to being a long-term support (LTS) kernel, it will 
become the default kernel at some point, which means that the need for this 
non-default selection is only temporary.

## What is Qubes-certified hardware?

[Qubes-certified hardware](https://www.qubes-os.org/doc/certified-hardware/) is 
hardware that has been certified by the Qubes developers as compatible with a 
specific [major release](https://www.qubes-os.org/doc/version-scheme/) of Qubes 
OS. All Qubes-certified devices are available for purchase with Qubes OS 
preinstalled. Beginning with Qubes 4.0, in order to achieve certification, the 
hardware must satisfy a rigorous set of [requirements], and the vendor must 
commit to offering customers the very same configuration (same motherboard, 
same screen, same BIOS version, same Wi-Fi module, etc.) for at least one year.

[Qubes-certified 
computers](https://www.qubes-os.org/doc/certified-hardware/#qubes-certified-computers)
 are specific models that are regularly tested by the Qubes developers to 
ensure comp