NitroPC - Powerful and Secure Mini PC

We are excited to announce our new NitroPC: a secure mini PC with the latest Intel i7 CPU (10th generation) and fully open source firmware and software.

Powerful, Up-to-Date Hardware
The NitroPC has a current 10th generation Intel Core i7-10510U processor with up to 4.9 GHz and an M.2 SSD with 6 Gb/s, so it can be used for performance-hungry applications such as programming/compiling and graphics applications. Of course, this also makes it sufficiently equipped for office and web applications.

Open Source Firmware/BIOS
The firmware ("BIOS") consists of the open source systems Coreboot and Tianocore UEFI. This enables independent security audits of the firmware and prevents undetected backdoors. In addition, the PC boots quickly and future enhancements are possible. All PC operating systems including Windows can be used.

Disabled Intel Management Engine
Vulnerable and proprietary low-level hardware parts are disabled to make the hardware more robust against advanced attacks.
The Intel Management Engine (ME) is a type of separate computer within all modern Intel processors (CPU). The ME acts as a master controller for your CPU and has extensive access to your computer (system memory, display, keyboard, network). Intel controls the code of the ME and severe vulnerabilities have already been found in the ME that allow local and remote attacks. Therefore, ME can be considered a backdoor and is disabled in NitroPC.

Preinstalled Ubuntu Linux With Disk Encryption
NitroPC ships with a pre-installed Ubuntu Linux 20.04 LTS with full disk encryption. Ubuntu is one of the most popular, stable and easy-to-use Linux distributions. Switching from Windows to Linux has never been easier.

Optional: Pre-Installed Qubes OS for Highest Security Requirements
Instead of Ubuntu Linux, you can get your NitroPC pre-installed with Qubes OS 4.0 and full disk encryption.
Qubes OS enables highly isolated working by means of virtual machines (VM). A separate VM is started for each application or workspace. This approach isolates applications and processes much more than conventional operating systems. Qubes OS keeps your system secure, even if a vulnerability has been exploited in one of the software applications used. Example: If your PDF viewer or web browser has been successfully attacked, the attacker cannot compromise the rest of the system and will be locked out once the VM is closed.
In addition, separate virtual workspaces can be used, such as an offline workspace for secret data and an online workspace for communication. NitroPC with Qubes OS is technically similar to SINA clients (for governments), but remains transparent thanks to open source. Qubes OS is for users who want maximum security.

Sealed Enclosure
To make it difficult to tamper with your NitroPC, the case screws are individually sealed. We will send you photos of the seals, which you can use to verify if the case has been opened without authorization during transport or at a later time.

Use Cases

For everyone
With NitroPC, you don't have to rely on the security of proprietary BIOS firmware or the backdoor Intel Management Engine. Instead, the secure NitroPC is based entirely on open source software. NitroPC comes with hard disk encryption pre-installed and - if desired - the highly secure Qubes OS. Since it has a powerful 10th generation Intel i7 processor, the NitroPC is also suitable for power-hungry applications.

For Enterprises
The NitroPC can serve as a hardened workstation for Certificate Authorities and other use cases that require high-security computing.

For Government
Government agencies can use the NitroPC to protect against Advanced Persistent Threats (APT) without relying on third-party proprietary technologies.

For Journalists
If you're an investigative journalist serious about protecting your confidential sources, NitroPC can help.

As a Mini Server

The NitroPC is suitable as a small server for home and office.

16.2.2021

Comments

Does it support measured boot like the ThinkPads?
No, that's not possible because the PC doesn't contain a TPM.
OK, no TPM, that's a bummer. The other thing I was expecting was an included Nitrokey, used as a token to decrypt the hard drive (with or without PIN). Obviously with an optional passphrase as alternative, in case the key is damaged or lost. Why not propose this as an option, or is it a bad idea to set up a system like that?
It's actually a very good suggestion! We didn't find the time yet to prepare an OEM installation like that. But we have it on our roadmap.
Is it possible to operate the PC only with Coreboot, or is the combination Coreboot AND Tianocore prerequisite?
A combination of Coreboot with a payload (such as Tianocore in this case) is always required.
Thanks for your quick reply. Ok, sounds pretty plausible. Now I got it:) So replacing the payload with grub or seabios would also work? PS: Thanks for bringing out such great devices.
Yes. Thanks to the beauty of open source, you could easily compile such firmware yourself.
First of all congrats for this product, I have been unsuccessfully looking for sth like this quite a while! I'm missing details on what kind of RAM and, even more important, M.2 SSDs are shipped. With which RAM options are only one or both RAM slots occupied (looking at the 32GB option)? Is there any option to buy it barebone (without RAM/M.2), in case I have both components already? Thanks!
It's SO-DIMM DDR4 2666 MHz RAM and (except for 8 GB) both RAM slots are used. We use various SSD brands, mostly Intenso, Kingston, and WD. We don't offer a barebone.
Curious, seems your firmware build script is applying me_cleaner to a ME firmware image which already has the HAP bit set, so it's effectively a no-op. Or is there something else I'm missing?
According to me_cleaner the HAP bit is not set in the initial image. Where do you see it is set already?
Sorry, should have been more clear, since the HAP bit is set in the flash descriptor. But for CML-U Premium SKU, the HAP bit is at offset 0x172 of the IFD. Not sure the PR for me_cleaner handles all the various SKUs for CML-U/H, so it might be setting the wrong bit.
This is not the final code yet and we will push the release tag next week. That should clarify.
Yeah, upon further examination the PR as-is doesn't work for CML-U. See dt-zero's comment on 2019-12-18.
This is the same Librem Mini from Purism, isn't it?
Yes, both have the same hardware.
