The Insurgo PrivacyBeast X230 is a custom refurbished ThinkPad X230 that not only meets all Qubes Hardware Certification requirements but also exceeds them thanks to its unique configuration, including:
Coreboot initialization for the x230 is binary-blob-free, including native graphic initialization. Built with the Heads payload, it delivers an Anti Evil Maid (AEM)-like solution built into the firmware. (Even though our requirements provide an exception for CPU-vendor-provided blobs for silicon and memory initialization, Insurgo exceeds our requirements by insisting that these be absent from its machines.)
Intel ME is neutered through the AltMeDisable bit, while all modules other than ROMP and BUP, which are required to initialize main CPU, have been deleted.
A re-ownership process that allows it to ship pre-installed with Qubes OS, including full-disk encryption already in place, but where the final disk encryption key is regenerated only when the machine is first powered on by the user, so that the OEM doesn’t know it.
Heads provisioned pre-delivery to protect against malicious interdiction.