Update hardware certification program for Qubes OS Release 5

[andrewdavidwong]

The following is a list of ideas and proposals for changes to the Qubes certified hardware program.

Note: Since hardware models are currently certified for a given major release of Qubes OS, I'm currently assuming that the hardware certification program will remain unchanged until Qubes OS Release 5.

General

• [ ] Strengthen the meaning of "Qubes certified" to provide some kind of security guarantee instead of merely a compatibility guarantee (see https://github.com/QubesOS/qubes-issues/issues/9782#issuecomment-2669725820).

System requirements

• [ ] Add the requirement that certified models must currently be receiving microcode updates, and there must be a reasonable expectation that they will continue to receive microcode updates for the life of the certified release (see https://github.com/QubesOS/qubes-issues/issues/9782#issuecomment-2668499838).

Vendor responsibilities

• [ ] Vendors must accurately reflect Qubes-certified configuration options (as determined by the Qubes OS Project) on their own website product pages.
  • To facilitate this, the Qubes OS Project now maintains an official record of certified configuration options for each model at https://www.qubes-os.org/doc/certified-hardware/. (We currently have certified config options for all models certified since mid-2024. See https://github.com/QubesOS/qubes-doc/pull/1461.)
• [ ] If a vendor changes the configuration of a certified model, that model does not automatically retain its certification. Rather, it will have to be recertified. However, if the change is minor, e.g., adding new options that are not intended to be certified, then we should be able to quickly and easily recertify it simply by declaring that the new options are not certified.