Regarding all nitropads and intel me

I have asked this many times, but no response, are any of the devices with tenth gen processors or newer have any network stack still active underneath the bios?

Basically, are all backdoors offline on it?

Also, one other thing, can those devices be used with no proprietary blobs for graphics or sound, etc… if they don’t have nvidia? With ath9k wifi too I might add

I wanted to confirm if you know the answer to this.

Although, your devices are mega expensive and I am out of money for that at the moment anyhow.

Curious!

Adding to this:

The newly Qubes certified NitroPC pro - the big desktop with either i5 12600K or i9 12900K.

The sales page says, ’ Deactivatable Intel Management Engine’, it doesn’t say, ‘Deactivated’. Will there be a version where you have deactivated it yourselves?

Because that’s quite tricky and I’d hesitate to mess with that but if there was an, ‘already deactivated’ option . . . that would be good.

Thanks.

I own an older nitropad (x230), the dmesg output on boot is


[ 19.120401] mei_me 0000:00:16.0: reset: reached maximal consecutive resets: disabling the device
[ 19.120407] mei_me 0000:00:16.0: reset failed ret = -19
[ 19.120410] mei_me 0000:00:16.0: link layer initialization failed.
[ 19.120413] mei_me 0000:00:16.0: init hw failure.
[ 19.120523] mei_me 0000:00:16.0: initialization failed.

I can’t comment on the newer 10thGen/NV models, but assume it is similar and they also feature the Nitrokey’s coreboot-heads firmware. I did, however, look up the bios for the new Nitro PC Pro with the dasharo firmware. This gives you options to deactivate ME without flashing. Dasharo has documentation, that explain bios options and wikipedia explains the differences of the options.

2 Likes

I would think they would be auto deactivated just from that alone…

It seems since then I learned, if you don’t activate it, it stays off. OEMs have way more control over this than regular users. Thus, if the OEM you buy it from doesn’t enable it, its possible to keep it disabled for good. I think me cleaner can make sure it stays dead at that point. :smiley:

By this I mean, not intel, but the vendor who sells the computer using that processor. Which means, nitrokey can in fact do this!

1 Like
  1. ME_Cleaner doesn’t remove the Intel ME on 10th Gen Intel chips afaik.
  2. “Deactivated” != “Disabled” != “Neuterized”
  3. Even a via HAP Bit disabled Intel ME is active when the device is powered off.
  4. There is really no laptop out there that you can productively us “with no proprietary blobs for graphics or sound, etc”.
  5. Don’t use ancient laptops (e.g. an X230) with a bunch of unpatched CPU microcode vulnerabilities for anything really.

Depends on your idea of blob, if you mean hardware that requires blobs on the software end that is mystery like, then no.

Btw, coreboot makes X230 thinkpad like devices have way better security than some newer devices without coreboot.

If intel me’s network stack is disabled, then its not blobbed in a problematic way. I don’t expect unrealistic fsf level freedom where everything can be used without blobs… that is absurd and impossible. Also, their criteria is so rigid that only sandy bridge and other old hardware is usable. I do however want all problematic backdoors off or non-functional on a network level.

We would have to ask nitrokey how much of this is true already. I am pretty sure this is possible though.

1 Like

That is in huge part incomprehensible to me.

Btw, coreboot makes X230 thinkpad like devices have way better security than some newer devices without coreboot.

That’s broadly overgeneralising. You are dismissing the huge attack surface coming from unpatched CPU microcode against which Coreboot doesn’t really help.

Again: if your device is powered off the Intel ME is fully functional if some modules of it were not actually removed (which is rarely the case anyway - the best you can get is usually HAP Bit disabled).

When you say this, are you including even if the network stack to the intel me is disabled via hapbit or me cleaner?
The github me cleaner I mean…

Sure, microcode updates are needed for most usecases, however, that applies for all x64 CPUs, “ancient” or not. Of course it makes a difference, whether Intel still supports updates, but your plain statement also creates FUD. For example, one can argue that older CPU generations are always better researched for vulnerabilites than the latest and greatest.

Note the dmesg excerpt I pasted above from the x230 is after loading the latest microcode Intel provides. And it’s no secret what bugs have been found for the CPU, for example:

$ cat /proc/cpuinfo |grep bugs
bugs		: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit srbds mmio_unknown

and which of these are unpatched:

# dmesg |grep microcode
[    0.096141] SRBDS: Vulnerable: No microcode

Now, SRBDS relates to the RDRAND cpu feature. I regard this fully mitigated by the Linux kernel, so it is a non-issue for the machine in my case.

Hence, as of today, the rest of said CPU bugs is covered by a combination of microcode updates and the Linux kernel being in control with its own issue mitigation. So, no, I won’t sell you the x230 - get your own if you want a proper trackpoint :slight_smile:

2 Likes

I agree there, as for trackpoint, I wish newer devices would have this as an option on their keyboards. Its so much more easy to deal with for me than the touchpad.