Why Libreboot BIOS cant fit Qubes needs out of the box:
I have spoken to Leah Rowe (the developer of Libreboot) through email and he answered:
Does your hardware support Qubes security check list?
HVM: yes, but only with microcode updates which are non-free.
libreboot doesn’t include them, but I can flash a coreboot ROM (latest
coreboot) with microcode. the microcode would be the only non-free
what is microcode? answer: the CPU instruction set is implemented by
software that reconfigures the logic gates inside the CPU. the gates
are designed to be configurable, unlike some other CPU architectures
(e.g. ARM) where it’s hardcoded in the circuitry
microcode is the most common way to implement an ISA because it allows
flexibility and also permits mistakes to be corrected: these
corrections are provided via updates.
the microcode built into the CPU is read-only. the “updates” are
applied at each boot, and have to be re-applied again on each
when libreboot is installed, there is no microcode update applied by
default due to the fact that libreboot’s goal is to be 100% free
software. however, the coreboot project does distribute them. NOTE: if
you choose to have microcode, the laptop that you receive will not be
RYF-endorsed anymore, but it’ll still be otherwise free software
IOMMU: partial. GPU is not fully isolated
TPM: no (hardware supports it, but it’s not supported in libreboot)
Qubes should boot, but it would have to be modified to do so.
i see , that sad it doesnt support it out of the box.
when do you think libreboot will fully support Qubes needs?
(TPM,IOMMU…etc). (ofcourse exception would be HVM since it need non-free software)
well never. libreboot can’t support qubes on x200/t400, due to
unstable virtualization without microcode updates
if you want something that works well with qubes and is libreboot, get a workstation with the asus kgpe-d16 board and a 16-core (or 2 16-core!) opteron CPUs in it. it’s plenty fast, supports huge amounts of RAMand supports everything that qubes requires.
opteron 62xx series is stable without microcode updates. avoid older ones and avoid 63xx series