NitroPC - Powerful and Secure Mini PC

We are excited to introduce our new NitroPC, a secure mini PC with the latest Intel i7 CPU (10th generation) and fully open source firmware and software.

Powerful, Up-to-Date Hardware
The NitroPC has a current 10th generation Intel Core i7-10510U processor with up to 4.9 GHz and an M.2 SSD with 6 Gb/s, so it can be used for performance-hungry applications such as programming/compiling and graphics applications. Of course, this also makes it sufficiently equipped for office and web applications.

Open Source Firmware/BIOS
The firmware ("BIOS") consists of the open source systems Coreboot and Tianocore UEFI. This enables independent security audits of the firmware and prevents undetected backdoors. In addition, the PC boots quickly and future enhancements are possible. All PC operating systems including Windows can be used.

Disabled Intel Management Engine
Vulnerable and proprietary low-level hardware parts are disabled to make the hardware more robust against advanced attacks.
The Intel Management Engine (ME) is a type of separate computer within all modern Intel processors (CPU). The ME acts as a master controller for your CPU and has extensive access to your computer (system memory, display, keyboard, network). Intel controls the code of the ME, and severe vulnerabilities have already been found in the ME that allow local and remote attacks. Therefore, the ME can be considered a backdoor and is disabled in NitroPC.

Preinstalled Ubuntu Linux With Disk Encryption
NitroPC ships with a pre-installed Ubuntu Linux 20.04 LTS with full disk encryption. Ubuntu is one of the most popular, stable and easy-to-use Linux distributions. Switching from Windows to Linux has never been easier.

Optional: Pre-Installed Qubes OS for Highest Security Requirements
Instead of Ubuntu Linux, you can get your NitroPC pre-installed with Qubes OS 4.0 and full disk encryption.
Qubes OS enables highly isolated working by means of virtual machines (VM). A separate VM is started for each application or workspace. This approach isolates applications and processes much more than conventional operating systems. Qubes OS keeps your system secure, even if a vulnerability has been exploited in one of the software applications used. Example: If your PDF viewer or web browser has been successfully attacked, the attacker cannot compromise the rest of the system and will be locked out once the VM is closed.
In addition, separate virtual workspaces can be used, such as an offline workspace for secret data and an online workspace for communication. NitroPC with Qubes OS is technically similar to SINA clients (for governments), but remains transparent thanks to open source. Qubes OS is for users who want maximum security.

Sealed Enclosure
To make it difficult to tamper with your NitroPC, the case screws are individually sealed. We will send you photos of the seals, which you can use to verify if the case has been opened without authorization during transport or at a later time.

Use Cases

For everyone
With NitroPC, you don't have to rely on the security of proprietary BIOS firmware or the backdoor Intel Management Engine. Instead, the secure NitroPC is based entirely on open source software. NitroPC comes with hard disk encryption pre-installed and - if desired - the highly secure Qubes OS. Since it has a powerful 10th generation Intel i7 processor, the NitroPC is also suitable for power-hungry applications.

For Enterprises
The NitroPC can serve as a hardened workstation for Certificate Authorities and other use cases that require high-security computing.

For Government
Government agencies can use the NitroPC to protect against Advanced Persistent Threats (APT) without relying on third-party proprietary technologies.

For Journalists
If you're an investigative journalist serious about protecting your confidential sources, NitroPC can help.

As a Mini Server

The NitroPC is suitable as a small server for home and office.
 


16.2.2021

Comments

Does it support the measured boot like the thinkpads?
No, that's not possible because the PC doesn't contain a TPM.
OK, no TPM, that's a bummer. The other thing I was expecting was an included Nitrokey, used as a token to decrypt the hard drive (with or without PIN). Obviously with an optional passphrase as alternative, in case the key is damaged or lost. Why not propose this as an option, or is it a bad idea to set up a system like that?
It's actually a very good suggestion! We didn't find the time yet to prepare an OEM installation like that. But we have it on our roadmap.
Is it possible to operate the PC only with Coreboot, or is the combination Coreboot AND Tianocore prerequisite?
A combination of Coreboot with a payload (such as Tianocore in this case) is always required.
Thanks for your quick reply. Ok, sounds pretty plausible. Now I got it:) So replacing the payload with grub or seabios would also work? PS: Thanks for bringing out such great devices.
Yes. Thanks to the beauty of open source, you could easily compile such firmware yourself.
First of all congrats for this product, I have been unsuccessfully looking for sth like this quite a while! I'm missing details what kind of RAM and even more important M2 SSDs are shipped. With which RAM options are only one or both RAM slots occupied (looking at the 32GB option). Is there any option to buy it barebone (without RAM/M2), in case I have both components already? Thanks!
It's SO-DIMM DDR4 2666 MHz RAM and (except for 8 GB) both RAM slots are used. We use various SSD brands, mostly Intenso, Kingston, and WD. We don't offer a barebone.
curious, seems your firmware build script is applying me_cleaner to a ME firmware image which already has the HAP bit set, so it's effectively a no-op. Or is there something else I'm missing?
According to me_cleaner the HAP bit is not set in the initial image. Where do you see it is set already?
sorry, should have been more clear, since the HAP bit is set in the flash descriptor. But for CML-U Premium SKU, the HAP bit is at offset 0x172 of the IFD. Not sure the PR for me_cleaner handles all the various SKUs for CML-U/H, so it might be setting the wrong bit.
This is not the final code yet and we will push the release tag next week. That should clarify.
yeah upon further examination the PR as-is doesn't work for CML-U. See dt-zero's comment on 2019-12-18
This is the same Librem Mini from Purism, isn't it?
Yes, both have the same hardware.
So what's the actual difference? More OS to choose from? Is it cheaper? Even though there is not much difference, it is great that you offer these devices to more people. I support your collaborations.
"latest i7 CPU" - Well, Tiger Lake was already released.
It would be better if you write users when buying a Nitro PC with Qubes OS: Enter Xfce Terminal. "sudo cryptsetup luksChangeKey /dev/nvme0n1p3" Then you can enter new password for the disk. I first had to find the name of the disk with "sudo fdisk -l". I am happy with my Nitro PC.
Thank you for the pointer. Indeed we forgot to add this step to the documentation. Now it is mentioned here: https://docs.nitrokey.com/nitropc/qubes/index.html
Can 2 screens be connected to the NITROPC and operated?
Yes.
Is it a cooperation with the Purism company? Where is it made/assembled?
No cooperation with Purism. It's OEM hardware manufactured in Asia.
Thank you for offering devices with coreboot based firmware. Unfortunately, “Open Source Firmware/BIOS“ is a little misleading, as the Intel’s proprietary Firmware Support Package is included, doing most of the early initialization. So, some people call coreboot a wrapper around FSP in this case. It’d be great, if you clarified that. Also, it’d be great, if you upstreamed the coreboot port (probably as a variant of the Puri.sm Librem Mini).
I do agree that it's important to provide transparent information about our products. But at the same time “Open Source Firmware/BIOS“ is a heading in a marketing material which is explained in the subsequent text in more detail. How exactly should this be rephrased to be more clear?
So I presume that would mean PureOS would not run on the unit?
Without having looked deeper into it, I would assume there is no reason for PureOS to not run on the device. It simply has not been tested explicitly and there is currently no plan to offer it as a preinstalled OS.
Height is 38mm - means less than 1U (1 3/4 inch). Do you provide mount brackets?
Yes, the NitroPC includes mount brackets.
Hello, is there any chance that we could see the more powerful i7-10710U CPU in future NitroPCs? Purism offers a laptop with the processor in question, so I'm wondering if it's at all possible for you to do the same?
Sooner or later, yes. But no specific plans as of now.
Why didn't you go with that processor in the first place?
When the NitroPC was developed Intel Core i7-10510U was the latest one.
Think of the ME as having 4 possible states: 1. Fully operational ME: the ME is running normally like it does on other manufacturers’ machines (note that this could be a consumer or corporate ME image, which vary widely in the features they ‘provide’). 2. Neutralized ME: the ME is neutralized/neutered by removing the most “mission-critical” components from it, such as the kernel and network stack. 3. Disabled ME: the ME is officially “disabled” and is known to be completely stopped and non-functional. 4. Removed ME: the ME is completely removed and doesn’t execute anything at any time, at all. How much is IntelME destroyed on NitroPC (Is neutralized, disabled or removed)?
We neutralize and disable Intel ME by using me-cleaner.
How can BIOS/firmware updates be performed? Is there a git for downloading the firmware?
So far we have not created a firmware update. When the time comes, we will provide the update as a file.
But especially with open source software there is surely a source and instructions for flashing the current version yourself, like e.g. github.com/Nitrokey/ubuntu-oem, which explains how Ubuntu is prepared. Is there also a way to change options in the BIOS at startup (as on other computers with F2)?
https://github.com/Nitrokey/coreboot-builder Our UEFI doesn't offer many settings, but they can be accessed with ESC.
Many thanks for the super-fast reply - it works. How can I now use firmware.rom to replace the existing BIOS? UEFI shell, flash.sh? Which commands?
When we provide a first firmware update, there will also be corresponding instructions. Until then: it can be done in the EFI shell and from Linux using "flashrom -p internal", for which, depending on the kernel version, "iomem=relaxed" must first be passed to the kernel.
