Hello Nitrofans,
I am new to this forum.
I am much interested in this new 17" laptop NitroPad NS70. Looks nice, advanced features too. Not even so outrageously expensive for this type of specialized hardware!
But unfortunately, there is no documentation published; but perhaps the reason for this is that it is very new in the products’ line.
I’d be pleased if anyone could give me a link I might have missed, with more technical docs and specs.
I searched this forum, but could only find one topic about this new laptop.
Otherwise, may I perhaps ask/discuss more technical stuff and common issues associated with this type of hardware directly on this forum?
Cheers
Hi, yes, interesting new hardware. I’m not aware there is more detailed device documentation yet. I guess the platform is similar to the NS50, which was introduced before.
Just ask your specific questions freely, it’s what Nitrokey provides this forum is for.
Thank you very much!
Here goes:
-
It’s hard to tell from pictures what material the case is made of - it is metal or plastic?
-
On the nice pictures showing the frame from all angles, I couldn’t see anything resembling a killswitch (hardware) for radios. Is there none?
-
Webcam and microphone: I noticed that if one does not want those, they have to pay a small extra fee. Does this mean that the laptop comes with functional cam and mic from manufacture, and that you have to actually open the case and remove or severe this hardware?
-
DRAM: It seems we can only order DDR4 3200 for now. But the chipset, to my knowledge, does support DDR5. Is this a limitation of the motherboard, your own implementation, or can one eventually replace the DDR4 with faster DDR5 (and which speeds would be supported)?
-
TPM: What brand is it? Soldered onto the MBD (meaning not easily removable)?
-
Can the SPI Flash chip be internally Write-Protected?
-
Please explain this unclear sentence appearing in the section about IntelME/CSME : “For the time being, orders can only be placed until April 30.processors (CPU)”
-
Binary Blobs: could you please list all proprietary closed-source blobs that have to execute in order to bring up the platform and the processor, before launching the Heads payload runtime (e.g. fsp-m, fsp-s, …)
-
Qubes+S3: what exactly is the problem? Is it Qubes problem or your hardware? Will this be fixed in the future or not?
-
Gigabit ethernet: since the laptop has this, it means there must be a GbE region for it in the SPI Flash. Is it an open-source implementation? But anyway network boot would not be permitted, at least not with Coreboot/Heads firmware (but possibly with the Tianocore payload?)
-
EC: is it an Open-Source implementation? Does it have firmware of its own?
-
For this new Alder Lake 12th Gen and regarding the persistent problems the manufacturer has had in the past with its implementation of speculative execution channels causing side/covert attacks PoCs and subsequent CVEs, are there new problems of this nature discovered on this architecture? Or maybe older ones from previous generation that were left unresolved?
More specifically, I would like to know if we can now finally run Qubes at full speed with HyperThreading on - and not have to “smt=off” because of new speculative execution problems that would render co-threads execution on the same core possibly dangerous.
See, this is an important matter since HT off means 50% performance drop!
As you can see, there are many questions, and some of them very technical. Sorry about that. Better to ask now and not be disappointed after.
1 Like
Yes, many interesting questions, very good to learn about the platform! I can only give you input on a few myself (later).
First, one suggestion: If you change the bulleted list to a numbered one, it is easier to reply to the questions. You only have to edit your post, select the bulleted text and change to the numbered list for it. For example:
- Question
- subquestion to one (sequential numbering works, more complex formatting in the interface is tedious)
- Question
oh my 
many many questions, try to answer them from the top of my head as good as I can. But generally the NS70 is identical in terms of the motherboard, or let’s say “hardware platform” - despite the screen size of course…
numbers would have been great, I try to go from top to bottom:
- case: mostly metal i.e., aluminum
- kill-switch: nope
- mic&webcam: yes, we physically open the device and remove mic and webcam
- ram: whether DDR4 or DDR5 can be used is defined by the hardware-platform, so far I remember there is even a mechanical difference, so DDR5 components do not even fit mechanically into a DDR4 slot
- tpm: it’s a soldered TPM2.0 device from (I have no idea, need to check)
- spi flash: no this is not possible as far as I know. HEADS is a countermeasure for this kind of manipulation (e.g., evil maid) by introducing measured boot
- intel me: oopsie, good catch, thank you - this is just a copy&paste fail, we’ll fix that asap
- binary blobs: essentially 4, which are there and mandatory to start/init the platform:
- Intel ME: required, but (soft) disabled using the “HAP bit” (HEADS), configurable for EDK2/Tianocore
- CPU Microcode: required for the cpu
- fspm.bin & fsps.bin: required, Intel firmware support packages, see here for more details
- Qubes+S3: hardware issue, to the best of my knowledge this is a won’t fix. Qubes will surely introduce S0 sleep at some point, but this might take a while (see this issue) as many parties are involved. There is a first PR on this. (Ubuntu uses S0ix and suspend works as intended)
- gb-ethernet: nope, there is no GbE region on the flash - this is obsolete since 5 gens or something. generally there is no network boot in HEADS, but indeed in EDK2/Tianocore through iPXE
- EC: yes, it’s an ITE EC, firmware repo - we flash it as part of our production process
- alder lake: generally it’s an alder lake platform and as nearly all recent platforms they come with this kind of issues - please don’t force me into this discussion if
smt=offmeans half of the performance, or if you really need this for a single-user-host like a laptop. If this is important for you, please make sure you are aware of the possible mitigations for this particular cpu and decide based on your threat-model
phew, hope this helps … oh and for the sake of documentation of all this: this all also applies for NS50 and excluding the QubesOS+S3 thing also for the NV41.
3 Likes
I think the case is mostly plastic on the NV41, though, right? It doesn’t feel like metal and mine’s already got a little scratch on the white part below the touchpad and it looks dark underneath, while the bottom is definitely black plastic. Looks good enough, though, and overall I’m satisfied.
Well, Thank You very much. You did a really good job at answering this bombardment of mine!
A bit of a disappointment for the missing radios hardware killswitch. I guess the only way this can be mitigated is by having no internal NIC and using only wired connections. I will have to reflect on this and if I really need WiFi/BT.
Didn’t know about this. DDR4 3200 will have to do, then.
But all in all, many good news!
Remark: I would say chances are it’s an Infineon Technologies chip, another German manufacturer with an excellent reputation. That would be the preferred choice for a company like yours. But if you sometimes get a chance to look at a motherboard…
A good thing IMO
More comments:
I guess if I wanted to do it by myself, this would most certainly void the warranty. So I will have to pay the small extra.
Ok. I would not consider this a no-go. It only implies a more strict opsec policy of never leaving the machine in suspend-to-ram while unattended, and having to reboot it each time. But we could expect that these 12th gen CPUs make this lengthy Qubes launch time fare better…
Ok, I won’t. I will research by myself what speculative execution flaws - if any - would prevent the use of HT due to co-threads executing in adjacent pipelines. After all, not ALL discovered such implementation bugs present side/covert channel issues. I just hope this new architecture would have “cured” most or all of the disastrous former implementations.
yes, it’s mostly plastic
1 Like
A dozen of questions returned with 12 answers served like bullets, great tennis. 
For future reference: I now realize quoting a paragraph from a numbered list, removes the number. So, my suggestion to use a numbered list did not make practical sense after all, sorry @PDP1.
As daringer’s reply already states there are mechanical differences of the modules. I’ve looked into this too: The laptops will all use not regular but SO-DIMM modules. SO-DIMM DDR4 and 5 have the same physical outline, but DDR5 has two more pins (262). Other than SO-DIMM DDR4, the SO-DIMM DDR5 have the 12V on the board (2 pins probably…). So, the chipset itself may be suitable to support both per se, but this should make it clear mainboard layout and ram pinout is different. Since DDR5 is known to produce much more heat and SO-DIMMs don’t have passive cooling, it would be problematic to even produce an up-gradable hybrid laptop design to my understanding.
The following is output from a regular (not mobile) Alder-Lake without smt relevant kernel (6.7.2) config and latest microcode:
$ cat /proc/cpuinfo |grep bugs
bugs : spectre_v1 spectre_v2 spec_store_bypass swapgs eibrs_pbrsb
$ dmesg |grep mitig
[ 0.112677] Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch
[ 0.112679] Spectre V2 : mitigation: Enabling conditional Indirect Branch Prediction Barrier
I can understand you are interested in it performance-wise. My 2c: I think it is safe to say QubesOS can make particular good use of HT for all the different VMs (so it does make a difference, yes) but particularly with a laptop you won’t use the VMs as much simultaneously as a server would use HT. To my understanding single-thread tasks show no significant performance penalty with smt fully disabled, hence it depends what you usually run at the same time. Aside, there are mitigations to partially enable/disable HT at runtime, if you need to dive into that. For Qubes performance one spec matters most: available ram.
3 Likes
Thank you for all this detailed information about DDR4/DDR5 SO-DIMM and incompatibilities. I fully understand your choice not to implement DDR5 if they procude more heat - cooling is indeed an important design factor with those slim laptops.
Thank you for this too. I am pleased to see that the list of bugs has somewhat shrunk! Many of the former ones from previous generations don’t show up anymore (I guess this would mean they are not relevant anymore because of architectural corrections or new design)
And some new one like eibrs_pbrsb appeared. I am surprised that swapgs was not resolved.
Your “dmesg |grep mitig” command did not give a complete picture, because you would need to add “Mitig” and also “Vuln” to see them all. A better way to assess the smt situation can be seen via lscpu, which will output the dreaded “SMT vulnerable” comment.
As for performance, it is a very subjective perception and in the end, you can only judge this when running Qubes on your brand new 12th gen laptop - and whether you feel things are adequately responsive or otherwise lagging behind.
Ah yes, the list via # lscpu is more comprehensive, very good. Let me add that:
# lscpu
Vulnerabilities:
Gather data sampling: Not affected
Itlb multihit: Not affected
L1tf: Not affected
Mds: Not affected
Meltdown: Not affected
Mmio stale data: Not affected
Retbleed: Not affected
Spec rstack overflow: Not affected
Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl
Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Spectre v2: Mitigation; Enhanced / Automatic IBRS, IBPB conditional, RSB filling, PBRSB-eIBRS SW sequence
Srbds: Not affected
Tsx async abort: Not affected
# cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
Mitigation: usercopy/swapgs barriers and __user pointer sanitization
# lscpu |grep smt
#
# cat /sys/devices/system/cpu/vulnerabilities/mds
Not affected
swapgs has a CVE from 2019, i.e. later than Spectre-1 (2017) which it is grouped under, the kernel may have more flexible mitigations. (kernel doc)
1 Like
Geat display! Thank you!
I am surprised: the situation looks much better with this recent 12th gen architecture.
I can see nothing that would prevent smt=on from being passed on as boot parameter and have Qubes running HT mode.
But I think the standard install iso would probably default to smt=off, and maybe pre-installed QubesOS laptops should be checked for this.