System verification

Apologies if this question sounds paranoid, but that is kind of the point of buying these systems :wink:

Purely hypothetical, but suppose I am concerned that NitroKey has been compelled by some law enforcement agency to compromise a system being sold to a customer who is under surveillance.

This is not entirely far-fetched. For example, it has been documented that the NSA has intercepted and modified computers ordered by specific individuals.

Is there any way, without relying on already having a second uncompromised system, of verifying the system? For example, that the BIOS has been flashed with the correct code and the ME has been properly disabled?

Nitrokey is a company registered in and operating from Germany. German laws apply in this case. Foreign agencies cannot force Nitrokey to do this sort of thing.

So-called “NSA rework factory”. This is a problem with shipping - and I believe Nitrokey has sophisticated optional services provided for your case, if this is included in your threat model.

Firmware can be verified by way of a boot chain measurement which is then remote-attested by the Nitrokey. If the computer and the Nitrokey are paired at manufacturing and they are sent separately, any in-transit tampering will be detected when you have both the Nitrokey and the laptop in your possession.
For the ME, unfortunately there is no way to be absolutely certain that it is really entirely disabled (after its initial bring-up, that is). All that can be verified is that the HAP strap in the PCH has been set. But there is no documentation from Intel about this HAP option - this is secret. The only thing that can be said is that those who requested this feature (High Assurance Platform) feared the ME was a very bad security idea and an ideal rootkitting infrastructure for total compromise in Ring -3. Since they needed this “extra” feature, we can hope that it has been correctly implemented and does the job.
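To make the "measure the boot chain, then have the paired token attest it" idea in the answer above concrete, here is a small toy model of that flow. This is an added example, not Nitrokey's or Heads' code: the component blobs, the pairing secret (the RFC 4226 test secret) and the HOTP counters are constructed, and the `seal_to_pcr`/`unseal_with_pcr` helpers stand in for a TPM sealing a secret to a PCR policy.

```python
"""Toy model of measured boot attested by a paired HOTP token.

Added example, not code from Nitrokey or the Heads project. Firmware
component bytes, the pairing secret and the counters are constructed.
"""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new_pcr = SHA256(old_pcr || SHA256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_chain(components: List[bytes]) -> bytes:
    """Extend each boot component in order into a single 32-byte measurement."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def seal_to_pcr(secret: bytes, expected_pcr: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for TPM sealing (assumption): the key is derived from the
    expected PCR, so the blob only opens when the measurement matches.
    Secret must be at most 32 bytes for this toy XOR construction."""
    key = hashlib.sha256(b"seal-policy" + expected_pcr).digest()
    ciphertext = bytes(s ^ k for s, k in zip(secret, key))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def unseal_with_pcr(blob: Tuple[bytes, bytes], current_pcr: bytes) -> Optional[bytes]:
    """Return the sealed secret if the current PCR matches the policy, else None."""
    ciphertext, tag = blob
    key = hashlib.sha256(b"seal-policy" + current_pcr).digest()
    if not hmac.compare_digest(hmac.new(key, ciphertext, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, key))


# Constructed values: RFC 4226 test secret and made-up boot components.
PAIRING_SECRET = b"12345678901234567890"
PRISTINE_CHAIN = [
    b"coreboot-rom:constructed-v1",
    b"boot-payload:constructed-v1",
    b"boot-config:constructed",
]


def provision(components: List[bytes], secret: bytes) -> Tuple[bytes, bytes]:
    """Factory pairing: seal the shared HOTP secret to the expected measurement.
    The same secret is loaded into the token, which ships separately."""
    return seal_to_pcr(secret, measure_boot_chain(components))


def laptop_prove(blob: Tuple[bytes, bytes], components: List[bytes], counter: int) -> Optional[str]:
    """Laptop side at boot: measure, unseal, emit an HOTP code (None if unseal fails)."""
    secret = unseal_with_pcr(blob, measure_boot_chain(components))
    if secret is None:
        return None
    return hotp(secret, counter)


def token_verify(secret: bytes, counter: int, code: Optional[str]) -> bool:
    """Token side: accept only if the laptop produced the code for this counter."""
    return code is not None and hmac.compare_digest(hotp(secret, counter), code)


def run_demo() -> Dict[str, bool]:
    blob = provision(PRISTINE_CHAIN, PAIRING_SECRET)
    pristine_ok = token_verify(PAIRING_SECRET, 1, laptop_prove(blob, PRISTINE_CHAIN, 1))
    # In-transit tamper: the ROM is reflashed, so the measurement no longer matches.
    tampered_chain = [b"coreboot-rom:constructed-v1-with-implant"] + PRISTINE_CHAIN[1:]
    tampered_ok = token_verify(PAIRING_SECRET, 2, laptop_prove(blob, tampered_chain, 2))
    return {"pristine": pristine_ok, "tampered": tampered_ok}


if __name__ == "__main__":
    print(run_demo())
```

The point the toy shows is why the token has to travel separately: the laptop can only produce a valid code if its measured boot chain matches what was sealed at pairing, and the token holds the only other copy of the secret. The sealing helper here is the weak spot of the model: anyone who knows the expected components could derive its key, whereas a real TPM keeps the sealing key in hardware and releases the secret only when the PCRs match.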