I am trying to select a new laptop for myself, before embarking on my Qubes OS journey. Having investigated the certified hardware page, I didn’t quite find a laptop option to my liking.
I came across the website of Tuxedo Computers. While it is not a certified hardware provider, I am wondering if the method of Intel Management Engine disabling they use is similar or the same as that of your certified vendor. I could not quite understand the text below, which I found on their website, and I am hoping some of you understand its meaning:
UEFI firmware
With all our notebooks, you have the possibility to protect your privacy already on firmware level using the UEFI (Unified Extensible Firmware Interface).
For this purpose, the following functions can be completely deactivated:
Intel Management Engine (IntelME)
Webcam
Audio (Microphone & Sound)
WLAN & Bluetooth
In addition, our Premium UEFI firmware allows chipset-specific settings and definitions for hardware components in order to adjust the device optimally to your use case.
Please note: All notebooks built in 2021 and later do not support switching the UEFI firmware to the outdated BIOS firmware standard.
I would like to understand if this is the same method as the one that is called “HAP bit disabling”, and if not, what are the differences in terms of security.
I have read somewhere that HAP bit disabling is available thanks to some collaboration between Intel and Coreboot devs, and that the code which allows doing that is available only under NDA.
I called the vendor which is offering it via UEFI, but he didn’t know about the HAP bit. I am still trying to figure out which method is superior in terms of security.
AFAIK, the HAP-bit method is the current and preferred one. However, I question whether the HAP bit can be triggered later on (while the machine is already running) and so result in an active IME. I am not familiar enough with it.
The older way was crippling IME to a non-bootable state, thus practically disabling it forever.
I don’t know of any other methods. Perhaps experts can share more.
Thank you for your reply. I am not sure what my threat model is; is that needed to know which is the most secure one? I want to protect myself from remote surveillance and such. I did not notice Purism laptops on the list of certified Qubes hardware; is that something that may change in the future?
Your threat model defines what assets you are protecting against adversaries and their capabilities, so what may be secure for one individual may not be secure for another. I cannot authoritatively answer the second question, so I suggest contacting Purism with your inquiry:
It’s an AMD system; it doesn’t have an Intel Management Engine.
I don’t know if that is what they mean by completely deactivated IntelME, or if they just use the same UEFI text on all models, even if the IME paragraph is only relevant for Intel-based models.
As for disabling IME, on systems with a 9th/10th Gen or newer Intel CPU, you can only use HAP to disable ME. So any laptop sold after ~2019, with ME disabled, is using HAP.
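As an added example (not from any poster in this thread or from Tuxedo), here is a read-only check a buyer could run against a full SPI flash dump of the laptop to verify the vendor's "IntelME deactivated" claim: it locates the PCH soft-strap region via the Intel Flash Descriptor and reports whether the HAP bit (PCHSTRP0 bit 16, the mechanism for ME 11+ / Skylake and newer) or the older AltMeDisable bit (PCHSTRP10 bit 0, ME 6 to 10) is set. The descriptor offsets follow the public layout as used by me_cleaner; the sample image is constructed for offline testing and is not a real dump.

```python
import struct

IFD_SIGNATURE = 0x0FF0A55A  # Intel Flash Descriptor signature, located at image offset 0x10
HAP_BIT = 1 << 16           # PCHSTRP0 bit 16: HAP (High Assurance Platform), ME 11+ (Skylake and newer)
ALTMEDISABLE_BIT = 1 << 0   # PCHSTRP10 bit 0: AltMeDisable, ME 6-10 (older platforms)


def me_disable_straps(image: bytes) -> dict:
    """Read the two vendor-settable ME-disable soft straps from a SPI flash dump.

    Which bit is meaningful depends on the ME generation: HAP for ME 11+
    (covers the 9th/10th gen machines discussed in the thread), AltMeDisable
    for ME 6-10. Nothing is written; the image is only parsed.
    """
    if len(image) < 0x20:
        raise ValueError("image too small to hold a flash descriptor")
    sig, = struct.unpack_from("<I", image, 0x10)
    if sig != IFD_SIGNATURE:
        raise ValueError("no Intel Flash Descriptor signature at offset 0x10")
    flmap1, = struct.unpack_from("<I", image, 0x18)
    fpsba = (flmap1 >> 12) & 0xFF0          # FPSBA field (bits 16-23) is in 16-byte units
    if fpsba + 0x2C > len(image):
        raise ValueError("PCH strap region lies outside the image")
    pchstrp0, = struct.unpack_from("<I", image, fpsba)
    pchstrp10, = struct.unpack_from("<I", image, fpsba + 0x28)
    return {
        "fpsba": fpsba,
        "hap": bool(pchstrp0 & HAP_BIT),
        "altmedisable": bool(pchstrp10 & ALTMEDISABLE_BIT),
    }


def build_sample_image(hap: bool, altmedisable: bool) -> bytes:
    """Constructed, descriptor-only image for offline testing (not a real firmware dump)."""
    img = bytearray(0x200)
    struct.pack_into("<I", img, 0x10, IFD_SIGNATURE)
    fpsba = 0x100
    struct.pack_into("<I", img, 0x18, (fpsba >> 4) << 16)   # FLMAP1 carrying only the FPSBA field
    struct.pack_into("<I", img, fpsba, HAP_BIT if hap else 0)
    struct.pack_into("<I", img, fpsba + 0x28, ALTMEDISABLE_BIT if altmedisable else 0)
    return bytes(img)


if __name__ == "__main__":
    import sys
    # Pass a dump file (e.g. one read out with flashrom) as the first argument; otherwise use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image(True, False)
    print(me_disable_straps(data))
```

A set HAP bit in the dump confirms the strap-based disable the thread describes; a clear bit on a Skylake-or-newer machine means whatever the UEFI menu claims, the ME was not disabled by that mechanism.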