Laptop Hardware Security #244

Draft: wants to merge 60 commits into base: main


TommyTran732
Member

No description provided.


cloudflare-workers-and-pages bot commented Jun 10, 2024

Deploying privsec-dev with Cloudflare Pages

Latest commit: 6ff18d4
Status: ✅  Deploy successful!
Preview URL: https://4fa2b80c.privsec-dev-2oz.pages.dev
Branch Preview URL: https://laptop-hardware-security.privsec-dev-2oz.pages.dev


@TommyTran732 TommyTran732 marked this pull request as draft June 10, 2024 09:47

netlify bot commented Jun 10, 2024

Deploy Preview for privsec-dev ready!

Name Link
🔨 Latest commit 6ff18d4
🔍 Latest deploy log https://app.netlify.com/sites/privsec-dev/deploys/666774f691f5d000086394b4
😎 Deploy Preview https://deploy-preview-244--privsec-dev.netlify.app

Signed-off-by: Tommy <[email protected]>
Member

@wj25czxj47bu6q wj25czxj47bu6q left a comment

Post images should not be placed in the /static directory. Follow the correct format as in https://github.com/PrivSec-dev/privsec.dev/tree/main/content/posts/knowledge/ChromeOS%20Questionable%20Encryption.

@TommyTran732
Member Author

Are we gonna start moving other posts later too? Because there are a lot of them in /static

To start off, the best laptops I have found are modern the Dell Latitude/Precision laptops with an Intel vPro Enterprise CPU. The second best group of laptops I have found are modern Lenovo Thinkpads with Intel vPro Enterprise or AMD Ryzen Pro CPUs. These are relatively easy to acquire and share these common security properties:

- Have Intel Boot Guard or AMD Platform Secure Boot to protect the firmware
- Have regular firmware updates ([monthly updates for Dell](https://www.dell.com/support/kbdoc/en-us/000197092/dell-drivers-and-downloads-update-release-schedule), and [bi-monthly updates for Thinkpads](https://support.lenovo.com/us/en/solutions/ht515365-thinkpad-driver-and-firmware-update-release-schedule))
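Review bot: In the first sentence of this excerpt, "modern the Dell Latitude/Precision laptops" has its words transposed; suggest "the modern Dell Latitude/Precision laptops". In the firmware-updates bullet, "bi-monthly" can be read as twice a month or every two months, so state the interval explicitly. Since that bullet presents both cadences as a fixed property of the laptops, consider wording them as the vendors' published release schedules, which is what the two links point to.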

It seems it's not strictly one update per month. Sometimes there's several months without updates.

Also Dell and Lenovo never promised how long they would support their PCs

Member Author

> It seems it's not strictly one update per month. Sometimes there's several months without updates.

Yes, it's a general rule. It doesn't always hold.

> Also Dell and Lenovo never promised how long they would support their PCs

They typically support them for years and years. Even 8th gen Dell and Lenovo are still getting updates.

Lenovo's Product Specification Reference does have an ‘End of Support’ column: https://psref.lenovo.com/Product/ThinkPad/ThinkPad_T14_Gen_5_Intel?tab=model.

@TommyTran732 TommyTran732 force-pushed the main branch 4 times, most recently from 520b835 to c508504 Compare July 8, 2024 03:52

duck09 commented Oct 11, 2024

Have the Microsoft Surface line of laptops been considered? Not the ARM ones (not sure if they have memory encryption) but the Surface Laptop 6 for example. I'm pretty sure they meet all the requirements and the only downside would be Linux support but this is an article about general Laptop Hardware Security. Thoughts?

@wj25czxj47bu6q wj25czxj47bu6q added the [c] new content Pull requests that add an entirely new article label Oct 22, 2024
@nihil-admirari

AMD vs. Intel: https://www.qubes-os.org/doc/system-requirements/

> Intel and AMD handle microcode updates differently, which has significant security implications. On Intel platforms, microcode updates can typically be loaded from the operating system. This allows the Qubes security team to respond rapidly to new vulnerabilities by shipping microcode updates alongside other security updates directly to users. By contrast, on AMD client (as opposed to server) platforms, microcode updates are typically shipped only as part of system firmware and generally cannot be loaded from the operating system. This means that AMD users typically must wait for:
>
> 1. AMD to distribute microcode updates to original equipment manufacturers (OEMs), original design manufacturers (ODMs), and motherboard manufacturers (MB); and
> 2. The user’s OEM, ODM, or MB to provide a suitable BIOS or (U)EFI update for the user’s system.
>
> Historically, AMD has often been slow to complete step (1), at least for its client (as opposed to server) platforms. In some cases, AMD has made fixes available for its server platforms very shortly after a security embargo was lifted, but it did not make fixes available for client platforms facing the same vulnerability until weeks or months later. (A “security embargo” is the practice of avoiding public disclosure of a security vulnerability prior to a designated date.) By contrast, Intel has consistently made fixes available for new CPU vulnerabilities across its supported platforms very shortly after security embargoes have been lifted.
>
> Step (2) varies by vendor. Many vendors fail to complete step (2) at all, while some others take a very long time to complete it.

Is it still applicable? Looks like there are no Dell Precision/Latitude laptops with AMD processors, but there are ThinkPad ones.

@wj25czxj47bu6q
Member

@nihil-admirari:

> AMD vs. Intel: https://www.qubes-os.org/doc/system-requirements/
>
> <snip>
>
> Is it still applicable? Looks like there are no Dell Precision/Latitude laptops with AMD processors, but there are ThinkPad ones.

No, this is not correct today. Both Intel and AMD support microcode updates through the OS, and both also have important firmware components that must be updated by the motherboard vendor.

@wj25czxj47bu6q
Member

@duck09:

> Have the Microsoft Surface line of laptops been considered? Not the ARM ones (not sure if they have memory encryption) but the Surface Laptop 6 for example. I'm pretty sure they meet all the requirements and the only downside would be Linux support but this is an article about general Laptop Hardware Security. Thoughts?

We are aware of their existence of course. But the Surface line suffers from a serious lack of technical documentation, and I'm not aware of anyone with access to a modern Surface device who is willing and able to evaluate it against our standards.

Here is some technical documentation from Lenovo for comparison (Dell is also much worse than Lenovo in this regard):

It is possible to get a very detailed idea of Lenovo security features without ever touching a Lenovo laptop (though obviously hands-on time is necessary for a truly complete picture). Dell's business lines are so widely deployed that it is easy to get answers just by searching the internet as a supplement to the official documentation. Neither is true for Surface devices.

@jermanuts
Contributor

@wj25czxj47bu6q

> No, this is not correct today. Both Intel and AMD support microcode updates through the OS, and both also have important firmware components that must be updated by the motherboard vendor.

https://github.com/QubesOS/qubes-doc/pull/1430/files to address QubesOS/qubes-issues#9485

There is an amd-ucode-firmware package, but it only contains microcode for servers and outdated microcode for Chromebooks. Also, the AMD security website only lists μcode as a mitigation for data center CPUs.
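
Whichever path delivers a microcode update (system firmware or the OS), on x86 Linux the revision actually running on each logical CPU is reported in the `microcode` field of `/proc/cpuinfo`. The following is an added example, not code from this PR or from the Qubes documentation: it groups logical CPUs by CPU signature and flags signatures whose cores report different revisions. The sample text and its revision values are constructed.

```python
from collections import defaultdict
from pathlib import Path

# Constructed sample in /proc/cpuinfo layout (x86 Linux); revisions are made up.
SAMPLE_CPUINFO = """\
processor   : 0
vendor_id   : AuthenticAMD
cpu family  : 25
model       : 68
stepping    : 1
microcode   : 0xa404102

processor   : 1
vendor_id   : AuthenticAMD
cpu family  : 25
model       : 68
stepping    : 1
microcode   : 0xa404101
"""

def parse_cpuinfo(text):
    """Return one dict of field -> value per logical CPU stanza."""
    cpus = []
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "processor" in fields:
            cpus.append(fields)
    return cpus

def microcode_by_signature(text):
    """Map (vendor, family, model, stepping) -> {revision: [cpu ids]}."""
    report = defaultdict(lambda: defaultdict(list))
    for cpu in parse_cpuinfo(text):
        sig = tuple(cpu.get(k, "?") for k in ("vendor_id", "cpu family", "model", "stepping"))
        rev = int(cpu.get("microcode", "0"), 16)  # 0 when the field is absent
        report[sig][rev].append(int(cpu["processor"]))
    return {sig: dict(revs) for sig, revs in report.items()}

def mixed_revisions(report):
    """Signatures whose logical CPUs do not all report the same revision."""
    return [sig for sig, revs in report.items() if len(revs) > 1]

if __name__ == "__main__":
    path = Path("/proc/cpuinfo")
    report = microcode_by_signature(path.read_text() if path.exists() else SAMPLE_CPUINFO)
    for sig, revs in report.items():
        print(sig, {hex(r): ids for r, ids in revs.items()})
    print("mixed revisions:", mixed_revisions(report))
```

Comparing the reported revision before and after a firmware update or an OS package update shows which of the two actually changed the running microcode.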


nihil-admirari commented Jan 8, 2025

Some news from Dell:

Dell is also killing its Latitude, Inspiron, and Precision branding, it announced today.

Btw, does anybody know anything about the security of HP ProBooks? HP ProBook 450 G10 got HSI 3 (older models are much worse though).
