The NitroPC Pro 2 is Qubes-certified!

It is our pleasure to announce that the NitroPC Pro 2 is officially certified for Qubes OS Release 4!

The NitroPC Pro 2: a secure, powerful workstation

The NitroPC Pro 2 is a workstation for high security and performance requirements. The open-source Dasharo coreboot firmware ensures high transparency and security while avoiding backdoors and security holes in the firmware. The device is certified for compatibility with Qubes OS 4 by the Qubes developers. Carefully selected components ensure high performance, stability, and durability. The Dasharo Entry Subscription guarantees continuous firmware development and fast firmware updates.

Photo of NitroPC Pro 2

Here's a summary of the main component options available for this mid-tower desktop PC:

Component | Options
Motherboard | MSI PRO Z790-P DDR5 (Wi-Fi optional)
Processor | 14th Generation Intel Core i5-14600K or i9-14900K
Memory | 16 GB to 128 GB DDR5
NVMe storage (optional) | Up to two NVMe PCIe 4.0 x4 SSDs, up to 2 TB each
SATA storage (optional) | Up to two SATA SSDs, up to 7.68 TB each
Wireless (optional) | Wi-Fi 6E, 2400 Mbps, 802.11/a/b/g/n/ac/ax, Bluetooth 5.2
Operating system (optional) | Qubes OS 4.2 or Ubuntu 22.04 LTS

Of special note for Qubes users, the NitroPC Pro 2 features a combined PS/2 port that supports both a PS/2 keyboard and a PS/2 mouse simultaneously with a Y-cable (not included). This allows for full control of dom0 without the need for USB keyboard or mouse passthrough. Nitrokey also offers a special tamper-evident shipping method for an additional fee. With this option, the case screws will be individually sealed and photographed, and the NitroPC Pro 2 will be packed inside a sealed bag. Photographs of the seals will be sent to you by email, which you can use to determine whether the case was opened during transit.

Important note: When configuring your NitroPC Pro 2 on the Nitrokey website, there is an option for a discrete graphics card (e.g., Nvidia GeForce RTX 4070 or 4090) in addition to integrated graphics (e.g., Intel UHD 770, which is always included because it is physically built into the CPU). NitroPC Pro 2 configurations that include discrete graphics cards are not Qubes-certified. The only NitroPC Pro 2 configurations that are Qubes-certified are those that contain only integrated graphics.

The NitroPC Pro 2 also comes with a "Dasharo Entry Subscription," which includes the following:

  • Access to the latest firmware releases
  • Exclusive newsletter
  • Special updates, including early access to updates enhancing privacy, security, performance, and compatibility
  • Early access to new firmware releases for newly supported desktop platforms (please see the roadmap)
  • Access to the Dasharo Premier Support invite-only live chat channel on the Matrix network, allowing direct access to the Dasharo Team and fellow subscribers with personalized and priority assistance
  • Insider's view and influence on the Dasharo feature roadmap for a real impact on Dasharo development
  • Dasharo Tools Suite Entry Subscription keys

For further product details, please see the official NitroPC Pro 2 page.

Special note regarding the need for kernel-latest on Qubes 4.1

Beginning with Qubes OS 4.1.2, the Qubes installer includes the kernel-latest package and allows users to select this kernel option from the GRUB menu when booting the installer. At the time of this announcement, kernel-latest is required for the NitroPC Pro's graphics drivers to function properly on Qubes OS 4.1. It is not required on Qubes OS 4.2. Therefore, potential purchasers and users of this model who intend to run Qubes 4.1 should be aware that they will have to select a non-default option (Install Qubes OS RX using kernel-latest) from the GRUB menu when booting the installer. However, since Linux 6.1 has officially been promoted to being a long-term support (LTS) kernel, it will become the default kernel at some point, which means that the need for this non-default selection is only temporary.

About Nitrokey

Nitrokey is a world-leading company in open-source security hardware. Nitrokey develops IT security hardware for data encryption, key management and user authentication, as well as secure network devices, PCs, laptops, and smartphones. The company was founded in Berlin, Germany in 2015 and already counts tens of thousands of users from more than 120 countries, including numerous well-known international enterprises from various industries, among its customers. Learn more.

About Dasharo

"Dasharo is an open-source firmware distribution focusing on seamless deployment, clean and simple code, long-term maintenance, professional support, transparent validation, superior documentation, privacy-respecting implementation, liberty for the owners and trustworthiness for all." — the Dasharo documentation

Dasharo is a registered trademark of and a product developed by 3mdeb.

What is Qubes-certified hardware?

Qubes-certified hardware is hardware that has been certified by the Qubes developers as compatible with a specific major release of Qubes OS. All Qubes-certified devices are available for purchase with Qubes OS preinstalled. Beginning with Qubes 4.0, in order to achieve certification, the hardware must satisfy a rigorous set of [requirements], and the vendor must commit to offering customers the very same configuration (same motherboard, same screen, same BIOS version, same Wi-Fi module, etc.) for at least one year.

Qubes-certified computers are specific models that are regularly tested by the Qubes developers to ensure compatibility with all of Qubes' features. The developers test all new major versions and updates to ensure that no regressions are introduced.

It is important to note, however, that Qubes hardware certification certifies only that a particular hardware configuration is supported by Qubes. The Qubes OS Project takes no responsibility for any vendor's manufacturing, shipping, payment, or other practices, nor can we control whether physical hardware is modified (whether maliciously or otherwise) en route to the user.


This is a companion discussion topic for the original entry at https://www.qubes-os.org/news/2024/02/29/nitropc-pro-2-qubes-certified/
6 Likes

Thank you.
Can you please post HCL report and extended HCL report for the devices you claim should work good enough (considering being certified) with Qubes OS?

2 Likes

A couple notes to help save others a bunch of time and money.

  1. PS/2 does not work with Heads - despite being the default configuration on this Qubes Certified machine (with an additional charge for a nitrokey).

  2. RAID does not work with Heads because mdadm is not currently included for size concerns

When contacting Nitrokey for assistance, neither of these facts seemed to be fully recognized by them at first so I spent a bunch of time trying to figure both out. This is a fork of the main Heads project, and it seems there is no plan to address them. And now I am looking at how to build and flash my own firmware to get them working after having paid a premium for a pre-configured machine.

Wasn't able to find info from other users before purchasing, so hope this is helpful to others.

3 Likes

Maybe this can help too.

2 Likes

I'm very sorry to hear that you had this experience, @scallyob. I know it's too late to be of much help to you now, but for what it's worth, your report has prompted us to improve the certified hardware page, which now links to a separate page for each certified model. In particular, I have added a warning to the NitroPC Pro 2 page noting that the Heads firmware option is not certified.

4 Likes

There is a lot more to this than the PS/2 issue. Nitrokey seems to be selling (currently) unsupported boards with outdated firmware.

I have not been able to get my Nitrokey to work properly as a result. And the boards are vulnerable to damage from high voltages: Intel confirms 0x12B microcode fixes 13th and 14th Gen issues

2 Likes

There is no reason for them not to include updated microcode, but Qubes OS provides the updated microcode at boot time, so your system shouldn't be vulnerable to the high voltage bug.

2 Likes

Oh really? I didn't know that was possible.

1 Like

Both the UEFI and OS can load microcode, you are not forced to update the firmware to get the latest microcode security updates, they are deployed through standard updates.

The packages intel-ucode-firmware and amd-ucode-firmware are the CPU microcode.

4 Likes

Note, however, that there's a difference between Intel and AMD in this regard. Quoting from https://www.qubes-os.org/doc/system-requirements/#important-notes:

  • Intel and AMD handle microcode updates differently, which has significant security implications. On Intel platforms, microcode updates can typically be loaded from the operating system. This allows the Qubes security team to respond rapidly to new vulnerabilities by shipping microcode updates alongside other security updates directly to users. By contrast, on AMD client (as opposed to server) platforms, microcode updates are typically shipped only as part of system firmware and generally cannot be loaded from the operating system. This means that AMD users typically must wait for:

    1. AMD to distribute microcode updates to original equipment manufacturers (OEMs), original design manufacturers (ODMs), and motherboard manufacturers (MB); and
    2. The user's OEM, ODM, or MB to provide a suitable BIOS or (U)EFI update for the user's system.

    Historically, AMD has often been slow to complete step (1), at least for its client (as opposed to server) platforms. In some cases, AMD has made fixes available for its server platforms very shortly after a security embargo was lifted, but it did not make fixes available for client platforms facing the same vulnerability until weeks or months later. (A "security embargo" is the practice of avoiding public disclosure of a security vulnerability prior to a designated date.) By contrast, Intel has consistently made fixes available for new CPU vulnerabilities across its supported platforms very shortly after security embargoes have been lifted.

    Step (2) varies by vendor. Many vendors fail to complete step (2) at all, while some others take a very long time to complete it.

    The bottom line is that Qubes OS can run on AMD systems, and the Qubes and Xen security teams do their best to provide security support for AMD systems. However, without the ability to ship microcode updates, there is only so much they can do.

2 Likes

I believe this issue is correct, and that the documentation is inaccurate
https://github.com/QubesOS/qubes-issues/issues/9485

This is the AMD microcode package provided by Fedora
https://packages.fedoraproject.org/pkgs/linux-firmware/amd-ucode-firmware/index.html

It currently includes microcode for fam15h, fam16h, fam17h, fam19h
https://packages.fedoraproject.org/pkgs/linux-firmware/amd-ucode-firmware/fedora-42.html
Here is a list of the microarchitectures
https://en.wikipedia.org/wiki/List_of_AMD_CPU_microarchitectures

I don't know how fast or slow AMD is to ship microcode updates, but AMD microcode can be loaded from the operating system, and Qubes OS includes the amd-ucode-firmware package.

2 Likes

I noticed that @Demi opened this PR, which is set to close that issue if/when merged:

Were you already aware of this PR? Does it persuade you at all?

(CC: @marmarek)

2 Likes

I did see it, but I thought that only confirmed there is evidence to support the claim about AMD being slow to deploy patches.

I was agreeing with the original issue, saying this part is wrong

By contrast, on AMD client (as opposed to server) platforms, microcode updates are typically shipped only as part of system firmware and generally cannot be loaded from the operating system.

The amd-ucode lists the models for fam19h
https://gitlab.com/kernel-firmware/linux-firmware/-/tree/main/amd-ucode?ref_type=heads

I'm not sure how to read the model numbers, and compare them to the CPUID.
https://en.wikichip.org/wiki/amd/cpuid

The number of models in the amd-ucode-firmware seems to match the number of models when looking at the CPUID list.

I could be completely wrong, but if amd-ucode-firmware contains the microcode for the Ryzen 5000 and 7000 series, then most AMD users are able to get microcode security updates loaded by the operating system.

Generally speaking: yes. Considering the frequency … well … maybe.

https://wiki.gentoo.org/wiki/AMD_microcode#Microcode_firmware_files

Concerning early and late updates:

https://wiki.archlinux.org/title/Microcode

2 Likes

Could you take another look at @Demi's PR and see what you think? It adds a footnote for this exact sentence.

1 Like

Family=0x19 Model=0x61 Stepping=0x02: Patch=0x0a601209 Length=5568 bytes
https://www.cpu-world.com/cgi-bin/CPUID.pl?CPUID=81089

Family=0x19 Model=0x50 Stepping=0x00: Patch=0x0a500011 Length=5568 bytes
https://www.cpu-world.com/cgi-bin/CPUID.pl?CPUID=83147

As far as I can tell, model 0x61 stepping 0x02 is the AMD Ryzen 7000 series, and 0x50 stepping 0x00 is the AMD Ryzen 5000 series; these are the main AMD desktop CPUs from the previous generations.

There is an amd-ucode-firmware package, but it only contains microcode for servers and outdated microcode for Chromebooks.

The models listed in the amd-ucode repository seem to be more than just servers and old Chromebooks.

That said, I don't know what the blobs contain. The description in the repo could just be a type of placeholder for the entire 19h family, and it doesn't actually have microcode for all the listed models.

1 Like
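To follow up on the question above about how to read the Family/Model/Stepping lines against a CPUID, here is an added example (my own code, not from any poster in this thread and not from the linux-firmware project): it packs the three fields into the CPUID leaf-1 signature, maps the listing to the patch revision shipped per signature, and compares that with the revision the kernel reports in /proc/cpuinfo. The listing lines and the /proc/cpuinfo excerpt are constructed samples, and treating a higher patch revision as newer is an assumption stated in the code.

```python
import re

# Constructed sample in the amd-ucode listing format quoted earlier in this thread.
AMD_UCODE_LISTING = """\
Family=0x19 Model=0x61 Stepping=0x02: Patch=0x0a601209 Length=5568 bytes
Family=0x19 Model=0x50 Stepping=0x00: Patch=0x0a500011 Length=5568 bytes
"""

# Constructed /proc/cpuinfo excerpt: the kernel prints family/model/stepping in decimal
# (25 = 0x19, 97 = 0x61) and the currently loaded microcode revision in hex.
SAMPLE_CPUINFO = """\
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 97
stepping\t: 2
microcode\t: 0xa601206
"""

LISTING_RE = re.compile(
    r"Family=0x([0-9a-f]+) Model=0x([0-9a-f]+) Stepping=0x([0-9a-f]+): Patch=0x([0-9a-f]+)", re.I)

def cpuid_signature(family, model, stepping):
    """Pack family/model/stepping into the CPUID leaf-1 EAX layout (extended family/model fields)."""
    ext_family, base_family = (family - 0xF, 0xF) if family >= 0xF else (0, family)
    ext_model, base_model = model >> 4, model & 0xF
    return (ext_family << 20) | (ext_model << 16) | (base_family << 8) | (base_model << 4) | (stepping & 0xF)

def parse_listing(text):
    """Map each listed CPUID signature to the microcode patch revision shipped for it."""
    shipped = {}
    for m in LISTING_RE.finditer(text):
        fam, mod, step, patch = (int(x, 16) for x in m.groups())
        shipped[cpuid_signature(fam, mod, step)] = patch
    return shipped

def parse_cpuinfo(text):
    """Return the 'key : value' fields of one /proc/cpuinfo processor entry as a dict."""
    return {k.strip(): v.strip() for k, v in (ln.split(":", 1) for ln in text.splitlines() if ":" in ln)}

def microcode_status(cpuinfo_text, listing_text):
    """Compare the running microcode revision with the one shipped for this CPU's signature."""
    f = parse_cpuinfo(cpuinfo_text)
    sig = cpuid_signature(int(f["cpu family"]), int(f["model"]), int(f["stepping"]))
    running = int(f["microcode"], 16)
    shipped = parse_listing(listing_text).get(sig)
    if shipped is None:
        return sig, running, None, "no microcode shipped for this CPUID"
    # Assumption: AMD patch revisions for one signature increase monotonically, so a plain compare works.
    return sig, running, shipped, "current" if running >= shipped else "older than shipped"
```

The sample maps to signature 0xA60F12 (the Raphael value the thread identifies as Ryzen 7000) and reports the running revision as older than the shipped 0x0a601209; on a real system, /proc/cpuinfo shows the revision after early loading, so "current" there means the OS-shipped blob took effect.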

There is indeed a single microcode drop for selected client systems, here: linux-firmware: Update AMD cpu microcode (48bb90cc) · Commits · kernel-firmware / Linux Firmware · GitLab (which BTW note is after that PR date). It doesn't come with any kind of commitment it will be the rule now.

If that trend will continue, I would be happy. But it takes more than one commit to undo years (decades?) of negligence…

4 Likes