Dell Special catalog for DOD, NSA, CIA

I recently read that Dell, accidentally, had several computers listed on their website with unusual hardware features for security. Dell removed those listings and explained that it was part of a Special Catalog for the certain organizations of the US Government. Not for the general public.

I read that one of the things on the high security computers was that the Intel ME had been neutralized.

I started a Chat with Dell sales, who I thought would not say anything. I suggested Journalists needed these options, and mentioned that thousands in Chinese Jail for trying to inform on the powers in their country. The individual I was on the Chat with said he would refer my question to his supervisor, and asked what options I was looking for.

Besides disabling the Intel ME I said ECC RAM. I did not know, but Dell already sells business laptops that offer ECC RAM as a more expensive option.

What I would have added is that Dell needs to use an Open Source Firmware and verification that the computer had not been tampered with. He said TPM. I asked, is that the TPM 2 that was broken in half an hour.

Still, if Dell has already engineered the options that are needed, I would hope enough requests might cause them to add something to the Dell public Line that might be useful, although, not completely trusted by me.

This all pretty much ended when he asked who I was, and where did I work that I would need such a computer. I am retired, on Social Security (In the US, that is old persons pension). Said they would send me Email. I have been inundated with Dell standard offerings. I am poor enough that I will not buy a another computer.

Anyone want to make a request to Dell for the Options that are needed for good implementation for Qubes?

Anyone want to write a generic letter with the options which are required?

Source?

If the ME is such a threat and backdoor, it is clear there must be a clean way of disabling it and every major manufacturer would offer product lines with ME disabled, exactly for government clients.

I think it would impossible to keep that scale of conspiracy hidden.

Not sure which is your question I should answer.

Implied question is:
Should a Qubes User be concerned with: the portion of Intel ME, which Intel can use, without my knowledge or ability to stop, a different Firmware for the Intel CPU. Changes which some suggest could be used to gain all the passwords I use. Copy all my personal hard drive. Watch all the things I do online.

That is a question of what the individuals personal threat Matrix is. If one must fear governments, then yes, might think about it. I say that because I do not believe Intel is the sole Possessor of the capability to alter that part of the Intel ME which can be used against the user. Let me say that differently; Given all the secrets which places like Red China and the Mother Russia have gotten. Given the amount of money they might pay an ex Intel Employee. Or given the threats such governments might make against the individuals at Intel who might get the knowledge. Or just a Janitor who knows enough to hide a pinhole camera at the right place when Intel Software Engineers are testing the Intel ME on new chip design. They probably have it. Whether Iran or North Korea do, I can’t guess. Saudis have a lot of money.

The use of the Intel ME takeover has not been reported in the ‘wild.’ (so I read) Then again, if it is only against specific targets, no one knows unless a computer expert gets their hands on the computer. (that is my hunch, I dunno)

If you are an ordinary person only concerned with slowing down the obnoxious flow of advertisements. “Surveillance Capitalism” Then, no. Don’t be concerned.

The last comment on this page relates:
https://www.dell.com/community/Laptops-General-Read-Only/Deactivating-Intel-ME/td-p/5188150

Qubes Developers are concerned with creating a Secure computer to get on Internet, so yes, they have an interest. I may not have said it well. Maybe someone can correct me on this.

How to disable Intel ME portion, well that is not for a Qubes related post. We have means for a few computers at this time. When I get the money to buy more parts, I will either disable it, or brick my Lenovo Laptop, using the Heads formula. I am going for using: https://osresearch.net/ Which is what is part of what is done on the Qubes Certified hardware, Insurgo, or Nitro Key computers.

Interesting reading; GitHub - merge/skulls: pre-built coreboot images and documentation on how to flash them for Thinkpad L

https://www.linuxjournal.com/content/tamper-evident-boot-heads

I was told some have bricked their computers with:

I used it once. Worked for me.

I am going for using: https://osresearch.net/

The other link you might want: GitHub - osresearch/heads: A minimal Linux that runs as a coreboot or LinuxBoot ROM payload to provide

It would be great if Dell had made any moves towards the safety of their devices, in particular Qubes recommendations for computers.
I doubt that I could make a correct letter, but I would be glad if you or someone from the Qubes team.
I would be interested to see some documents before reading about the options of the conspiracy in the Intel office.
I have long deactivating Intel Me on my computers and install Coreboot on them, in principle, I always choose computers with the possibility of installing Coreboot, I do not consider other options.
As for Heads, as far as I know via 1vyrain, it is possible to install only Coreboot, Heads sufficiently weighs enough so it needs to be installed through a programmer. But I read the articles on the reddit that someone managed to collect Heads so that it weighed less than 4 MB. I think it is better to use the programmer or at least be ready to learn them to use in case of problems with 1vyrain.

Nitrokey, clearly states, that Intel Me is backdoor, in their product.

NitroPC

With NitroPC, you don’t have to rely on the security of proprietary BIOS firmware or the backdoor Intel Management Engine.

Nitropad t430

Therefore ME can be considered as a backdoor and has been deactivated in NitroPad.

Purism Librem, also clearly state, that Intel Me is backdoor.

In practice, it is essentially a “backdoor”.

Insurgo privacy beast states that Intel Me is potential backdoor.

Its Intel ME has also been deactivated and neutered, preventing this potentially devastating low level backdoor to control your system.

It is also one of the last models permitting the neutering of Intel ME, Intel’s potential backdoor, leaving only BUP and ROMP modules intact.

Opinions may vary whether this is “a clean way of disabling it” but according to the research team at Positive Technologies in Aug 2017

“Intel allows motherboard manufacturers to set a small number of ME parameters.”

“One of the fields, called “reserve_hap”, drew our attention because there was a comment next to it: “High Assurance Platform (HAP) enable”.
Googling did not take long. The second search result said that the name belongs to a trusted platform program linked to the U.S. National Security Agency (NSA). A graphics-rich presentation describing the program can be found…”

Archived blog entry at https://web.archive.org/web/20210802184931/http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

Of course they do.

Ok so this is the source? The presentation mentions Dell.

The HAP and “TVE workstation” (stands for Trusted Virtual Environment) resembles strangely close to Qubes OS, quote from this document:

The TVE Workstation is a Commercial-off-the-Shelf (COTS)-based computer built using High Assurance Platform® (HAP) technology. The HAP technology was developed under contract to the National Security Agency (NSA). Each TVE computer has the ability to simultaneously host multiple operating systems in different security domains. The TVE Workstation can host thick-client or thin-client operating systems, making it a true hybrid-client computer. The TVE Workstation offers affordable and easy-to-manage multi-level and cross-domain capabilities to end-users with the initial implementation in a desktop or console form-factor. It allows the end-user to have multiple operating systems, such as Microsoft® Windows® or Linux®, running in different security domains such as Secret, Secret Rel A and Unclassified or in different caveats within a single security level. Its advanced security features are provided both by hardware assistance using Trusted Execution Technology (TXT) from Intel® and by high robustness Hypervisor software from General Dynamics.

So what does this have to do with Dell? I buy that in the HAP project, there’s something to do with ME, but no document says Dell offered products with ME disabled. Instead, I can think of many features Dell could have provided for such virtualization product at the time. Note that during that time (2008-2009) all the required CPU virtualization features were not necessarily in the mainstream product lines, like today.

More info on TVE: TVE Trusted Multilevel Computing Solution - General Dynamics Mission Systems

I, too, would like to see @catacombs source.

something around these lines?: https://www.reddit.com/r/linuxhardware/comments/7grglm/how_to_buy_a_dell_laptop_with_the_intel_me/

ok, that’s interesting.

I have a feeling that this HAP/TVE stuff is not really relevant any more. At least all the material I’ve seen is really old, like RHEL 4/5 and Windows 2000 era.

I believe that means that the part of the Intel ME which I find objectionable, that they could change the basic programming of Intel CPU, and the rest of the computer, is not on the computers provided by Nitro Key.

They say it better, if one reads the complete statement:

" Disabled Intel Management Engine
Vulnerable and proprietary low-level hardware parts are disabled to make the hardware more robust against advanced attacks.
The Intel Management Engine (ME) is a type of separate computer within all modern Intel processors (CPU). The ME acts as a master controller for your CPU and has extensive access to your computer (system memory, display, keyboard, network). Intel controls the code of the ME and severe vulnerabilities have already been found in the ME that allow local and remote attacks. Therefore, ME can be considered a backdoor and is disabled in NitroPC."

The word’ back door’ alone can be misinterpreted as to whether the objectionable part of ME is gone or enabled.

Computers will not boot up or run without the Intel Management Engine.

To anyone curious the “HA” in the GD product line is based around seL4. A few researchers who worked on that project back on the day started to port it over to Qubes and then I think GD acquired the tech. It’s basically QubesOS with a secure enclave - its like a very low level operating system mathematically proven to be error free and gives assurance that all the software and low level firmware running on the computer is theoretically proven to be in a known good / safe state. I am sure it is much more powerful now and does even more.

Are you referring to “TVE”? I read it’s based on vmware.

Really appreciate the info, thanks. Did not know about the connection with seL4. Can you elaborate at all on the hardware used in the (older) research?

Stumbled upon the CASE project as a result of your message. Maybe unrelated, but very interesting

I will post some links when I can find them in the archives. A quick google-dork r/e this topic for site:reddit.com will find them quicker than I can.

P.S:
Modern (D) Systems Now have three modes for the ME

https://www.dell.com/community/Laptops-General-Read-Only/Deactivating-Intel-ME/td-p/5188150

This is perhaps more accurate/up-to-date for many systems:
https://www.dell.com/community/Precision-Mobile-Workstations/Precision-5520-XPS-15-otherboard-replacement-enable-management/td-p/7376698

And:
https://www.coursehero.com/file/pg2p2f/b-WARNING-Technicians-must-key-in-the-correct-Service-Tag-on-the-first-and-only/