Insurgo PrivacyBeast X230

Danger

Warning: The CPU in this computer no longer receives microcode updates from Intel. Without microcode updates, Qubes OS cannot ensure that this computer is secure against CPU vulnerabilities. While this computer remains certified for Qubes OS Release 4, we recommend that prospective buyers consider a newer Qubes-certified computer instead.

The Insurgo PrivacyBeast X230 is officially certified for Qubes OS Release 4.

The Insurgo PrivacyBeast X230 is a custom refurbished ThinkPad X230 that includes the following features:

• coreboot initialization for the x230 is binary-blob-free, including native graphic initialization. Built with the Heads payload, it delivers an Anti Evil Maid (AEM)-like solution built into the firmware. (Even though our requirements provide an exception for CPU-vendor-provided blobs for silicon and memory initialization, Insurgo exceeds our requirements by insisting that these be absent from its machines.)

• Intel ME is neutered through the AltMeDisable bit, while all modules other than ROMP and BUP, which are required to initialize main CPU, have been deleted.

• A re-ownership process that allows it to ship pre-installed with Qubes OS, including full-disk encryption already in place, but where the final disk encryption key is regenerated only when the machine is first powered on by the user, so that the OEM doesn’t know it.

• Heads provisioned pre-delivery to protect against malicious interdiction.