Announcing the Librem Mini V2

The Librem Mini v2 (just like the Librem 13/14/15) has the following proprietary blobs:

  • Between 8% and 10% of the Intel Management Engine still exists (i.e., the part which is required for booting has not been replaced with zeros)
  • Intel microcode
  • Intel Firmware Support Package (FSP)

The only way to get rid of these is to switch to a different type of processor such as the POWER9 or i.MX 8M Quad. The former sucks a huge amount of power and is very expensive. The latter isn’t powerful enough. The RK3399 is still underpowered but better and can now boot without any blobs, but it still lacks things.

1 Like
  • Between 8% and 10% of the Intel Management Engine still exists (i.e., the part which is required for booting has not been replaced with zeros)

I apologise in advance for what may be a ‘stupid’ question, but why does Librem Mini require 8-10% of Intel ME “for booting” while NitroPad claims that Intel ME “has been deactivated” in their NitroPad X230?

" Deactivated Intel Management Engine

Vulnerable and proprietary low-level hardware parts are disabled to make the hardware more robust against advanced attacks.

The Intel Management Engine (ME) is some kind of separate computer within all modern Intel processors (CPU). The ME acts as a master controller for your CPU and has broad access to your computer (system memory, screen, keyboard, network). Intel controls the code of the ME and severe vulnerabilities have been found in the ME enabling local and remote attacks. Therefore ME can be considered as a backdoor and has been deactivated in NitroPad."

I was just about to click ‘Add to Cart’ on a Librem Mini v2 @ $1,850 but this gives me some concern - because I don’t understand enough to know by how much the “8-10%” will reduce the security of Qubes OS.

Thanks for any light you or @Kyle_Rankin can shed on this.

Because in Purism’s (Intel-based) products, the Intel ME has been both butchered (code cut down by 90% approx) and disabled.

I don’t know anything about NitroPad products but perhaps their “deactivated” is Purism’s “disabled”. The official name for disabling the Intel ME is High Assurance Platform (HAP) mode.

Seems to be a refurbished ThinkPad x230. Which means the Intel ME cannot be fully removed (laptop wouldn’t boot) but neutralized so it won’t work anymore. Same as on the purism laptops.

1 Like

I guess that would mean that the CPU is a bit off the pace, not terrible, but maybe i7-3xxx, so 7 generations behind (or 8 if you want to be really current but I don’t think Purism is offering any 11th generation Intel CPUs).

All computers with an Intel x86 processor that were introduced after November 2008 (starting with the Nehalem architecture in the first generation i3/i5/i7) will not boot if the Intel Management Engine code is entirely removed. The last computers that could boot with the ME code removed were the Core 2 (Penryn), that was used in the Thinkpad X200, T400, T500 and W500 from 2008. See the list of LibreBoot compatible hardware.

What the NitroPad X230 does is change a setting which deactivates the ME, just like all the PCs sold by Purism, ThinkPenguin, TUXEDO Computers and System76 do, but all of them require the ME to boot. Purism goes an extra step of also replacing 90%-92% of the ME code with zeros. None of the others say that they do this. If you want to learn more, read the documentation at: https://github.com/corna/me_cleaner

The Librem 13/14/15/Mini are better than the NitroPad X230, because the Librem 13/14/15/Mini can use the WiFi/BT without a binary blob in the /lib/firmware directory. If you want to achieve that with the NitroPad X230, you will need to put an Atheros ath9k WiFi/BT card in it (like this one, but check if a full-sized card fits) or use USB WiFi/BT (like this one).

Also the Librem 14 will have a switch on the motherboard to prevent anyone from changing the firmware. The Librem 14 will also have free/open source firmware for the embedded controller (EC), but @MrChromebox recently posted on r/Purism that it probably won’t be ready for the initial release of the Librem 14, so you will have to wait for that.

4 Likes
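The claim above that most of the ME code has been blanked can be sanity-checked on a firmware dump you already hold. The following is an added example, not code from the thread, Purism or me_cleaner: it parses the Intel Flash Descriptor to locate the ME region and reports how much of it is blank. The function names and the sample image are constructed for illustration, and it assumes removed code is filled with 0xFF or 0x00.

```python
import struct

IFD_SIGNATURE = 0x0FF0A55A  # Intel Flash Descriptor magic value
ME_REGION_INDEX = 2         # FLREG2 describes the ME region


def find_me_region(image: bytes):
    """Return (base, limit) of the ME region, or None if it is unused."""
    # The signature sits at 0x10 on current descriptors, 0x0 on older ones.
    for sig_off in (0x10, 0x0):
        if (len(image) >= sig_off + 8 and
                struct.unpack_from("<I", image, sig_off)[0] == IFD_SIGNATURE):
            break
    else:
        raise ValueError("no Intel Flash Descriptor found")
    flmap0 = struct.unpack_from("<I", image, sig_off + 4)[0]
    frba = ((flmap0 >> 16) & 0xFF) << 4  # Flash Region Base Address
    flreg = struct.unpack_from("<I", image, frba + 4 * ME_REGION_INDEX)[0]
    base = (flreg & 0x7FFF) << 12        # regions are 4 KiB aligned
    limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
    if base > limit or limit >= len(image):
        return None                      # unused, or outside this dump
    return base, limit


def me_blank_fraction(image: bytes) -> float:
    """Fraction of ME-region bytes that are 0xFF or 0x00 (assumed fill)."""
    region = find_me_region(image)
    if region is None:
        raise ValueError("image has no usable ME region")
    base, limit = region
    data = image[base:limit + 1]
    return (data.count(0xFF) + data.count(0x00)) / len(data)


def build_sample_image() -> bytes:
    """Constructed 16 KiB image: descriptor, 8 KiB ME region, 4 KiB BIOS."""
    img = bytearray(b"\xFF" * 0x4000)
    struct.pack_into("<II", img, 0x10, IFD_SIGNATURE, 0x04 << 16)  # FRBA=0x40
    struct.pack_into("<I", img, 0x40 + 8, (0x2 << 16) | 0x1)  # 0x1000-0x2FFF
    img[0x1000:0x1300] = b"\xA5" * 0x300  # 768 bytes standing in for code
    return bytes(img)


if __name__ == "__main__":
    frac = me_blank_fraction(build_sample_image())
    print(f"{frac:.1%} of the ME region is blank")
```

Real ME code also contains some 0x00 and 0xFF bytes, so the figure is an upper bound on what was removed rather than an exact measure.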

But then the actual comparison was Librem Mini v2 v. NitroPad X230, which I don’t fully understand as a comparison, since the former is an ultra-compact, needing a monitor if the use case requires it, while the latter is a laptop. But, sure, the Librem 14 is a nice laptop. :slight_smile:

Oh, yeah. I forgot that @purequbes was comparing the X230 to the Mini. Ok, I edited my post to compare the X230 to the Librem 14/15/Mini.

If paying that much for a fully loaded Mini, it’s probably worth considering the L14 since it has 2 extra cores, which would be helpful when running Qubes.

Thank you very much for your detailed responses, and to @kieran also for your helpful comments, for which I am most grateful.

I was considering the Librem Mini v2 because it’s a ‘desktop’ computer and I thought it would therefore cope better than a laptop with being switched on 24/7 and being used for 12+ hours per day. (I spend too much time in front of computer monitors :frowning: )

The only reason to compare it with the X230 is because Qubes lists it as ‘Certified Hardware’ so it made sense to me that NitroPad must therefore have done all that was possible / necessary (Intel ME-wise) to remove the Intel risk from the security equation.

I’m delighted to hear that Purism actually goes further than the X230 (and ThinkPenguin, TUXEDO and System76) by replacing >90% of the ME code with zeros.

I had resisted buying the X230 because it’s so old and I was looking for a more modern machine that was able to run Qubes in a reliable manner for countless hours of daily use.

I’m moving from a 2018 MacBook Pro with 32GB RAM and it struggles being left on all the time (not to mention that Apple is now just as bad as Google in every respect and I have lost all trust in them as a company after 20 years of being the most ardent of supporters).

Your point about the Librem 14 having 2 extra cores is well made.

I had planned on starting off by buying the Librem Mini v2 because ‘desktop’, and buy a Librem 14 early next year in case I wanted a portable machine when on the move.

Perhaps this is an unfair question, but would you expect the Librem 14 to be able to cope with being used all day? I can’t afford downtime.

Thanks again for taking the time to read and reply to my questions. I really do appreciate it very much.

Purism is switching to a new ODM for the Librem 14, and it says that the new design will fix the known problems in the Librem 13/15 models:

  • Non-standard keyboard mapping,
  • Hinges mounted on plastic that tend to break over time,
  • Audio jack that breaks off the I/O daughter board over time, especially in the Librem 15.

However, with a new design and new ODM, new problems may arise, so it is probably best to wait and see what people report. Another issue is that Purism had trouble getting replacement parts for its laptops in the past, because it uses custom manufacturing for its laptops. The only Linux laptop manufacturers that do custom manufacturing are Purism, Star Labs and PinePhone. All the rest use rebadged Clevo laptops, which means that it is easier for them to get replacement parts.

If you are worried about reliability over time, the Mini is probably a better choice for you, because it isn’t custom manufactured for Purism like the L14, so it is less likely to have hardware bugs. If anything breaks, it will be much easier to fix with the Mini than the L14. Maybe I have bad luck, but on average I have to replace the power adapter on my laptops after 1.5 years and the keyboard after 2 years, and the cooling fan after 3 years, whereas I have many fewer hardware failures on desktop PCs.

MrChromebox said that Purism would have offered the same 6-core processor in the Mini v2 as the L14, but Intel currently has supply chain shortages, and the ODM couldn’t get the processors. The L14 will have a physical TPM chip, whereas the Mini v2 has to provide that in software.

Once again, thank you very much for your detailed response. I did not know any of the information you presented so it was both incredibly helpful and much appreciated.

I have a few things to consider before making a final decision, but you have really helped to clarify many points.

Thanks again for your time and feedback! :slight_smile:

that’s not technically correct – they’ll boot, but will go into automatic shutdown mode after 30 mins

2 Likes

If you dish out rougher than usual handling to your computers then the Mini is probably better. With separate screen, keyboard and mouse - if you break one of those components then you can toss it away and get a replacement.

For my money though the decision would be based on the use case. Are you likely to need portability sometimes? (laptop) Are you likely to need a much bigger screen? (desktop, but you could use a laptop with an external monitor) Do you need compactness?

As @amosbatto’s response implies however … comparing two computers is not always simple, with numerous attributes to rate, different weightings applied to different attributes by different users and one computer not necessarily dominating the other computer (in all attributes).

Comment on “I can’t afford downtime”: Why? What is the implied requirement? The point of the question is that neither of these is server class 99.9999% uptime hardware with redundant everything. If you are using a computer to earn money then it’s a straight cost-benefit analysis to decide what downtime will cost you and what it is going to cost you to avoid downtime.

1 Like

if you buy a Librem-Server machine from Purism that’s going to be something between ~3k and ~6k USD (on the default configs as listed on the web-site). MORE if you go crazy

1 Like

This may be an odd question and I am terribly sorry if it has been asked and answered, I perused the thread and did not see and think this would be for very specific niche use…
I own some External GPUs, I think everyone knows what that is? Basically a little box with either a high powered gaming GPU or one more suited for CAD work, rendering etc (also more expensive but off topic). So it’s a box with a card and its own fan and you can connect it to your laptop or PC to provide additional GPU power with a separate cooling system so useful on ultra thin laptops or any situation where heat throttles the performance.

Does any/all version of the Librem mini allow for the connection of an external GPU unit?

Thanks and sorry if I missed the answer somewhere in the thread or the product description!

Edit: The reason why I ask is because Purism products are custom and privacy focused and there may be reasons why, at the hardware level, this would not work. I don’t know enough to answer that question myself.

I think the answer would be “no” on the hardware front and quite possibly “no” on the software front (assuming that you won’t accept blobs and potentially anyway).

That said, you haven’t indicated, regarding the eGPUs that you own, what connector they want and what interface they want and whether you have the required software for the GPU.

1 Like

Basically if there exists any configuration of hardware or software that works, I can get it and make it work, but if because of the design itself from the ground up it likely wouldn’t or for certain wouldn’t work regardless of type, software or connector then that’s just good to know for me personally. I could still find good use for a Librem Mini v2 as well as looking with a slightly interesting eye at their server, waiting for a version 2 on that one though before I make any decisions.

I realize it’s an oddly specific question and maybe only the people at Purism can truly answer and maybe the answer is “Yes, but” meaning you would have to alter and potentially compromise the software to make it work or something else I’d rather not do. I was mainly asking because I have a ton of IT equipment and if I want something I can usually just get a sample/corporate sales demo copy of it for home use. So if there is a possibility that it could work, even if I had to get some very specific eGPU that would be no issue. Nor any associated software of any kind.

But if it does not support it, it is also not an issue. I was/am just curious. :slight_smile: I like to tinker!
Edit: I am still learning a lot simply by trial and lots of error until I make something work or ask someone such as yourself and get great advice here and elsewhere. But in this case I don’t have a Mini v2, since it’s just been announced, does anyone? So maybe it’s too soon to pose the question, since no one with actual knowledge and experience, unlike myself, has had a chance to tinker and test prior to me.

OK, off the top of my head, I would say:

  • no, there is no issue “by design” why this doesn’t work, but
  • it probably won’t work because eGPUs would typically expect a Thunderbolt 3 or USB 4 port and this version of the Mini (and other Purism hardware) is just a little too early to have that support, and
  • depending on the actual GPU you may not get an open source driver for Linux, which means sort-of by design it won’t work with PureOS but if you are prepared to compromise on purity then you can probably make it work if there’s a blackbox driver for Linux at all.

As an eGPU is a relatively expensive option, it is possible that most participants in this forum don’t have one (I know I don’t) and trial-and-error may be the only way to get a definite answer.

1 Like

since you’re probably after raw-horsepower-ish (i assume from what you wrote so far) wouldn’t it be best if you went for an itx class desktop/workstation with a full blown non-mobile CPU and all … have you looked at what’s available off-the-shelf from system76 ? if you’ve assembled a PC before and can take responsibility for the process then you can potentially pick and choose components that will work if you put Debian/Ubuntu on an SSD

i’m not one for half-measures but free-software graphics aren’t YET there if what you’re looking for is raw power.

if you insist on using the LMini-v2 (haven’t got mine yet) with an external dGPU black-box then that means you will have RAW-POWER on the graphics side but a mobile-class intel APU (CPU + GPU but not quite as powerful as a modern AMD APU)

it’s up to you … but the sooner you drop your illusions the less time you will spend on improvisations …

1 Like

No, I have different dedicated desktops, standard Intel and Nvidia for gaming and things and another with a Xeon CPU and a less gaming friendly but much more workhorse task friendly GPU.
I just like tinkering so was wondering whether it would be possible (I know it certainly would not be a very useful thing or economical, as you mention system76, which I’m not too much of a fan of, or just custom building your own would both be cheaper with internal components, better cooling etc and built to do whatever you specifically want it).

I just got so much shit laying around, old server towers, various laptops, pfsense and other routers, eGPUs etc I wondered if it would be possible. If I figure out a use and an excuse to spend the cash I’ll buy the Librem Mini v2 and report back my findings.

This is more a matter of curiosity and whether you could do it, not whether you should or whether it would be financially or performance wise, very logical or worth it.

Tinkering nerds gonna tinker like a nerd I guess. Thank you for the technical information and your reply :slight_smile: Had I been unaware of some of the very true points you brought up, I would surely have been very disappointed even if it would work straight out the box with little to no tampering or trial and error.

1 Like