NitroPC firmware compilation and general questions

Hi,
I have just received my NitroPC with default Ubuntu installed. I have a few questions. The computer is delivered with Ubuntu, but it will be changed because I need BLOB free OS. It seemed to me the best option on market at the moment for 64 GB RAM open PC, because of quite recent generation of Intel Core processors with neutralized Management Engine. I have not found my answers in official FAQ so I have to ask. Unfortunately the list is quite long, however I hope that my questions are reasonable.

  1. When I open BIOS/UEFI I see a version of installed firmware as ‘4.13-dirty’. The keyword “dirty” sounds dangerous. Is it correct state and what does it mean? Is there any not dirty version and what is the difference? What is on your machines?
  2. It seems to me that it should be possible to use this computer with any Linux distribution even Qubes (that’s why I’ve chosen Intel(R) Core™ i7-10610U CPU @ 1.80GHz and 64 GB RAM, but will try it later). Started from fast trial of new hardware with Ubuntu Live CD and I expect that everything should work, however I need to use UEFI partition table instead of BIOS. The only advantage from using official NitroKey ISO images is that it will include NitroKey application. However, I can compile it from github source on any computer. Am I right? It seems to me that the only thing I need to use is to validate checksum of downloaded ISO (which will be flashed on USB). Even I might consider installing FreeBSD/OpenBSD if it supports well UEFI partition table, however I will receive no support.
  3. It seems to me that this hardware should be operational without installing non-free drivers even with Bluetooth and WLAN according to the Debian on Nitro documentation (link to the Atheros community driver). However I will not avoid using CPU microcode update BLOB.
  4. My key requirement for this machine is to have Management Engine neutralized as described in description (no backdoors). I heard that it cannot be completely disabled, because it doesn’t allow machine to start. I installed official Intel csme_version_detection_tool_linux.tar.gz and it provides feedback:

*** Host Computer Information ***
Name: mar-desktop
Manufacturer: Nitrokey
Model: NitroPC
Processor Name: Intel(R) Core™ i7-10610U CPU @ 1.80GHz
OS Version: Ubuntu 20.04.3 LTS (5.11.0-40-generic)

*** Risk Assessment ***
Detection Error: This system may be vulnerable,
either the Intel(R) MEI/TXEI driver is not installed
(available from your system manufacturer)
or the system manufacturer does not permit access
to the ME/TXE from the host driver.

For more information refer to the Intel(R) CSME Version Detection Tool User Guide
or the related Intel Security Advisory list at:
(removed because of link limit)

Is it a correct state?

Another coreboot hardware vendor says that I should use tool called cbmem.

The output says:
41 entries total:

0:1st timestamp 14,567
11:start of bootblock 20,912 (6,345)
12:end of bootblock 24,336 (3,423)
13:starting to load romstage 24,595 (259)
14:finished loading romstage 24,637 (41)
1:start of romstage 25,081 (443)
2:before RAM initialization 27,675 (2,594)
950:calling FspMemoryInit 29,282 (1,607)
951:returning from FspMemoryInit 70,545 (41,262)
3:after RAM initialization 72,860 (2,314)
4:end of romstage 77,319 (4,459)
100:start of postcar 78,379 (1,060)
101:end of postcar 78,380 (0)
8:starting to load ramstage 78,533 (153)
15:starting LZMA decompress (ignore for x86) 78,551 (17)
16:finished LZMA decompress (ignore for x86) 97,028 (18,476)
9:finished loading ramstage 97,121 (93)
10:start of ramstage 97,136 (15)
15:starting LZMA decompress (ignore for x86) 97,492 (356)
16:finished LZMA decompress (ignore for x86) 133,334 (35,842)
30:device enumeration 150,043 (16,708)
15:starting LZMA decompress (ignore for x86) 150,415 (372)
16:finished LZMA decompress (ignore for x86) 150,646 (231)
954:calling FspSiliconInit 164,234 (13,587)
955:returning from FspSiliconInit 765,082 (600,848)
40:device configuration 782,573 (17,491)
956:calling FspNotify(AfterPciEnumeration) 784,372 (1,798)
957:returning from FspNotify(AfterPciEnumeration) 784,575 (202)
50:device enable 784,576 (1)
60:device initialization 784,844 (267)
70:device setup done 791,365 (6,520)
75:cbmem post 791,370 (5)
80:write tables 791,377 (6)
85:finalize chips 793,303 (1,925)
90:starting to load payload 794,570 (1,267)
15:starting LZMA decompress (ignore for x86) 795,213 (642)
16:finished LZMA decompress (ignore for x86) 1,098,334 (303,121)
958:calling FspNotify(ReadyToBoot) 1,098,357 (22)
959:returning from FspNotify(ReadyToBoot) 1,098,866 (509)
960:calling FspNotify(EndOfFirmware) 1,098,866 (0)
961:returning from FspNotify(EndOfFirmware) 1,099,465 (598)
99:selfboot jump 1,099,559 (94)

I was looking for flags:
ME: Current Working State : 5
ME: Current Operation State : 1
ME: Current Operation Mode : 0
ME: Error Code : 0
Which for disabled CoreBoot another vendor says should work like this:
ME: Current Working State : 4
ME: Current Operation State : 1
ME: Current Operation Mode : 3
ME: Error Code : 2
I expected ME lines to be present in error state. Is lack of lines related to ME in tool correct a correct output?

  1. Is fwupd useful while working in NitroPC or should I disable/avoid it?

  2. Will I receive information about BIOS update and security errata when I subscribed to your mailing list? Or GitHub tracking is the only reasonable solution? How may I find stable tags of firmware?

  3. Which repositories contain firmware for NitroPC? I would like to track a changelog.

I found coreboot-builder repository on your github.

As I understand I should get coreboot-version.rom as a result of build (it is simple and safe). How to install compiled result coreboot-version.rom in flash memory of running computer without destroying it?

  1. Is my current version ‘ 4.13-dirty’ the latest possible open version? Where can I find the list of available compiled images (build tags) together with checksums? When I read Makefile I see that a lot of purism codes are reused.

  2. Is it possible to dump current UEFI image to .rom file and compare it with compilation result or ftp official image? I will be grateful for info which tool to use.

  3. I heard that Intel HT is dangerous and should be deactivated and almost nobody uses it on servers / cloud VMs, however I cannot do it from UEFI. Do you disable it and how? Are HT bugs still relevant for Intel(R) Core™ i7-10610U CPU or this is no longer concert in that generation of core processors?

If there is a necessity to pay extra for support I will take it into a consideration, however I need to know how to flash the device without destroying it.

Best regards,
Marcin Górski

Hey @marcin.gorski

dirty only denotes the fact that the Coreboot installed is modified after it was checked out of the repository, this is done by us and in place for all NitroPCs as of now, nothing to worry about

Yes, you can do this. Mostly you are also right there is not much difference for the ISOs. Mainly they leave the machine in an OEM-state, which allows you to set things like user and password after the first boot. So far I remember there are fixes for QubesOS 4.0 to properly boot, because I believe the 4.0 stock iso image does not start without modifications.

No question here, but please be aware that we do our best to keep our products as clean as possible of proprietary software components, but as we cannot check every single package in all the distributions, we cannot give guarantees here.

For ME and related questions, please stick to your other thread, please try to not cross-post or duplicate questions to keep things organized and effort reasonably low for the supporters.

We do not provide fwupd functionality for firmware updates on NitroPC.

Yes, the mailing list will mention those, currently there is only one firmware release for the NitroPC.

  1. to 9. are answered by yourself and/or in the other thread.

generally, it’s a “i7-10510U CPU”, for which we did not disable HT. Please understand that I cannot comment about the severity of HT bugs on Intel CPUs in general. Obviously there are attacks, but how they affect you is something you have to determine on your own depending on your (personal/determined/defined) threat model.

best