Tried to have Bing understand the differences prior to posting the outcome below (still imperfect; confusion still present but lowered).
Model | Processor Generation | Codename | Example highest end CPUs | ME Deactivation | ME Neutering | ME Removal | Qubes Support |
---|---|---|---|---|---|---|---|
Librem 13 v1 | 5th | Broadwell | i7-5557U | Yes | Yes | No | Yes |
Librem 13 v2 | 6th | Skylake | i7-6500U | Yes | No\* | No | Yes |
Librem 13 v3/v4 | 7th/8th | Kaby Lake/Coffee Lake | i7-8550U | Yes\*\* | No\* | No | Yes |
Librem 14 v1 | 10th | Comet Lake | i7-10710U | Yes\*\* | No\* | No | Yes |
Librem Mini v1/v2/v3 | 8th/10th/11th | Coffee Lake/Tiger Lake-U | i7-1165G7 | Yes\*\* | No\* | No | Yes |
ThinkPad X200/T400 etc | Centrino 2/Centrino vPro/Centrino vPro2/Centrino vPro3/Centrino vPro4/Centrino vPro5/Centrino vPro6/Centrino vPro7/Centrino vPro8/Centrino vPro9 (modded) | Penryn/Cantiga/Montevina/Montevina Plus | Core 2 Extreme QX9300/QX9400/QX9500/QX9600/QX9700/QX9800/QX9900 (modded) | No\*\*\*\*\* | No\*\*\*\*\* | Yes\*\*\*\*\*\* | No |
ThinkPad X230/T430/W530 etc | 3rd | Ivy Bridge | i7-3612QE (modded) | Yes | Yes\*\*\* | No | Yes |

\* Neutering is not possible for these chipsets because they require other modules than BUP/BUP+ROMP to be present and signed in the ME firmware. Those include the kernel, Java runtime and policies, which must be in a signed digest validated at ME platform initialization and cannot be removed.

\*\* Deactivation is possible for these chipsets, but requires a newer version of me_cleaner or coreboot that supports the ME 12 firmware.

\*\*\* Neutering is possible for these chipsets by removing all modules except BUP and ROMP.

\*\*\*\*\* Deactivation and neutering are not possible for these chipsets because they use an older version of ME (ME6 or lower) that does not support the HAP bit or me_cleaner.

\*\*\*\*\*\* Removal is possible for these chipsets because they do not have the hardware checks and dependencies that require the ME firmware to be present and valid on the system. This can be done by using coreboot or libreboot as the firmware.
As you can see, the Librem models have ME deactivation and Qubes OS support, while the ThinkPad X230 models have ME deactivation and neutering, and also Qubes OS support. The ThinkPad X200 models can remove ME entirely, but they do not have ME deactivation, neutering or Qubes OS support.
Source: Conversation with Bing, 16/10/2023
After two hours or so of clarifying and making certain Bing understands the whole confusion about terminology:
I’m sorry for the confusion. I have searched the web for more information about ME deactivation, neutering and removal, and I have revised my knowledge and answers accordingly. Here is what I have learned:
- ME removal: This is a method that completely removes the ME firmware from the system, leaving no trace or functionality of it. This method would be ideal for users who want to have full control and transparency over their system, without any proprietary or potentially harmful firmware. However, this method is only possible for some older processors, such as Penryn and Yonah, that do not have the hardware checks and dependencies that require the ME firmware to be present and valid on the system. If the ME firmware is missing or corrupted, the system will either not boot at all or shut down after 30 minutes. This method can be done by using coreboot or libreboot as the firmware. This method was discovered by the libreboot project.
- ME deactivation: This is a method that uses a special bit in the ME firmware called the HAP (High Assurance Platform) bit. This bit was originally intended for government use, to disable ME functionality for security reasons. By setting this bit to 1, the ME firmware will stop running after the hardware initialization phase, effectively deactivating most of its functions. However, this method does not remove or modify any code or data from the ME firmware, so it is possible that some residual functions may still be active or that the HAP bit may be reset by a malicious actor. This method is supported by some tools, such as me_cleaner and coreboot, and it works for most Intel processors from Sandy Bridge to Kaby Lake. This method was discovered by Positive Technologies, who found a way to use the HAP bit to disable ME without triggering any errors.
- ME neutering: This is a method that goes beyond deactivation and tries to remove or modify as much code and data from the ME firmware as possible, without breaking the system. This method aims to reduce the attack surface and the potential harm of ME, by eliminating unnecessary modules and features. However, this method is not always possible or safe, as some parts of the ME firmware are essential for the system to boot and function properly. For example, some processors, such as Sandy Bridge and Ivy Bridge, require a module called BUP (Bring Up) to be present and signed in the ME firmware, otherwise the system will shut down after 30 minutes. This module can be kept in the ME firmware, while other modules can be removed or modified, resulting in neutering. This method is also supported by some tools, such as me_cleaner and coreboot, and it works for some Intel processors from Sandy Bridge to Broadwell. Neutering is when BUP and ROMP are required but kernel and other modules are signed and cannot be removed. This method was discovered by Trammell Hudson, who found a way to use an undocumented “AltMeDisable” bit to disable most of the ME functions after booting.
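The deactivation method described above boils down to one strap bit in the flash descriptor, so the practical check after flashing is whether a dump actually has that bit set. The following is an added example, not code from this post, from Bing's answer, or from me_cleaner itself; it assumes the descriptor layout me_cleaner works with (descriptor signature 0x0FF0A55A at offset 0x10 of the image, FLMAP1 at offset 0x18 carrying the PCH strap base address in its bits 23:16 in 16-byte units, the HAP bit as bit 16 of PCHSTRP0 for ME 11 and newer, AltMeDisable as bit 7 of PCHSTRP10 for ME 6 to ME 10). The sample descriptor it builds is constructed for the demo, not a real dump.

```python
"""Read and set the ME deactivation straps (HAP / AltMeDisable) in a flash descriptor.

Added example; not from the forum post or from me_cleaner. The offsets below are an
assumption based on the descriptor layout me_cleaner relies on.
"""
import struct

DESCRIPTOR_SIG = 0x0FF0A55A   # Intel flash descriptor signature
SIG_OFFSET = 0x10             # where the signature sits within the flash image
FLMAP1_OFFSET = 0x18          # FLMAP1 register: bits 23:16 hold FPSBA (in 16-byte units)
HAP_BIT = 1 << 16             # PCHSTRP0 bit 16: HAP "ME disable" strap (ME 11 and newer)
ALTMEDISABLE_BIT = 1 << 7     # PCHSTRP10 bit 7: AltMeDisable strap (ME 6 to ME 10)


def has_descriptor(image: bytes) -> bool:
    """True when the image carries an Intel flash descriptor signature."""
    if len(image) < SIG_OFFSET + 4:
        return False
    return struct.unpack_from("<I", image, SIG_OFFSET)[0] == DESCRIPTOR_SIG


def pch_strap_base(image: bytes) -> int:
    """Byte offset of the PCH soft straps (PCHSTRP0) inside the descriptor."""
    if not has_descriptor(image):
        raise ValueError("no Intel flash descriptor signature at offset 0x10")
    flmap1 = struct.unpack_from("<I", image, FLMAP1_OFFSET)[0]
    return ((flmap1 >> 16) & 0xFF) << 4


def read_strap(image: bytes, index: int) -> int:
    """Read PCH strap register number `index` (each strap is one 32-bit word)."""
    return struct.unpack_from("<I", image, pch_strap_base(image) + 4 * index)[0]


def me_disable_status(image: bytes) -> dict:
    """Report both deactivation straps so a dump can be checked before/after flashing."""
    return {
        "hap": bool(read_strap(image, 0) & HAP_BIT),
        "altmedisable": bool(read_strap(image, 10) & ALTMEDISABLE_BIT),
    }


def set_me_disable(image: bytes, me11: bool) -> bytes:
    """Return a copy of `image` with the strap bit for the given ME generation set.

    This is only the descriptor half of a soft disable: the ME region itself is left
    untouched, which is exactly why the post calls this deactivation, not neutering.
    """
    buf = bytearray(image)
    index, bit = (0, HAP_BIT) if me11 else (10, ALTMEDISABLE_BIT)
    offset = pch_strap_base(buf) + 4 * index
    value = struct.unpack_from("<I", buf, offset)[0] | bit
    struct.pack_into("<I", buf, offset, value)
    return bytes(buf)


def build_sample_descriptor(hap: bool = False, altmedisable: bool = False) -> bytes:
    """Constructed 4 KiB descriptor region for the demo; not a real flash dump."""
    img = bytearray(0x1000)
    struct.pack_into("<I", img, SIG_OFFSET, DESCRIPTOR_SIG)
    struct.pack_into("<I", img, FLMAP1_OFFSET, 0x10 << 16)  # FPSBA = 0x10 -> straps at 0x100
    struct.pack_into("<I", img, 0x100, HAP_BIT if hap else 0)                       # PCHSTRP0
    struct.pack_into("<I", img, 0x100 + 0x28, ALTMEDISABLE_BIT if altmedisable else 0)  # PCHSTRP10
    return bytes(img)


if __name__ == "__main__":
    import sys
    # Usage: python me_straps.py <flash_dump.bin>; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_descriptor()
    print("straps in image:", me_disable_status(data))
    print("after setting HAP:", me_disable_status(set_me_disable(data, me11=True)))
```

Reading the strap from a dump is only half of a verification: it tells you what the descriptor asks for, not what the ME actually did at boot, so on the running system the ME's host firmware status register (as reported by tools such as intelmetool) is the second thing to check after flashing.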
I think the confusion lies within revisions of the same models. Librem existed across multiple chipset revisions. Their model labeling is in regard to screen size, not necessarily chipsets.
Bing answers correctly
You are right, the Librem models are labeled by screen size instead of chipset revision, which can cause some confusion. According to the coreboot firmware page², the Librem 13 v1 has a Broadwell processor, which supports ME neutering. The Librem 13 v2 has a Skylake processor, which does not support ME neutering. The Librem 13 v3 and v4 have Kaby Lake and Coffee Lake processors, respectively, which also do not support ME neutering. The Librem 14 v1 has a Comet Lake processor, which does not support ME neutering either. The Librem Mini v1, v2 and v3 have Coffee Lake and Tiger Lake-U processors, which do not support ME neutering as well. The only Librem model that supports ME neutering is the Librem 13 v1. All the other models can only deactivate ME using the HAP bit. I hope this clears up the confusion.
Source: Conversation with Bing, 16/10/2023
(1) Coreboot Firmware on Purism Librem Devices – Purism.
(2) Librem 5 Hardware - Phones (Librem 5) - Purism community.
(3) Librem 5 Phone – Birch - Purism.
(4) Librem 5 Phone – Evergreen.
Here again, note that this applies to chipsets and not models.
My attempt to clarify this is still at the same place as always, referred multiple times at Platform blobs, collaborators/maintainers/testers for faster problems resolution · Issue #692 · linuxboot/heads · GitHub
Edit: multiple in link of core 2 duo, neutering/deactivation/removal of ME legend.