Lenovo Precision 7540 available without vPro OR with Intel ME Disabled


Lambda

Nov 26, 2019, 4:05:09 PM
to qubes-users
Lenovo's 2019 laptop is currently on sale and their CPU selection[1] includes:
- i7-9750H: no vPro, No Out-of-Band Systems Management
- i7-9850H: vPro, Intel ME Disabled
Strangely enough in Europe[2] they list it as:
- i7-9750H: no vPro, No Out-of-Band Systems Management (so no option to fully disable ME)
- i7-9850H: vPro, No Out-of-Band Systems Management
I don't know if it's a website bug or if they simply don't disable ME in the EU!

It's not clear what the implication of each option is.
For example vPro is an umbrella term for ME, SGX, TXT, Boot Guard, VT-x, VT-d.
So by choosing a CPU without vPro would that mean it would be impossible to use virtualization? Doubtful I would guess.

If I choose the non-vPro CPU without ME, SGX, TXT, Boot Guard; what exactly do I lose?
I'm aware that for AEM support I would need to have ME and TXT 1.2. But those CPUs have TPM 2.x.
And it seems SGX is also a security hazard. Not sure if problems have been fixed with the latest CPUs.
It looks like the only advantage of the i7-9850H is that it has software and hardware patches for most of the security vulnerabilities [3], while the i7-9750H does not.

Am I wrong in my analysis? Which CPU would you recommend?
Would that recommendation change if I was running Linux instead?

Thank you.

[1] https://www.dell.com/en-us/work/shop/cty/pdp/spd/precision-15-7540-laptop/xctop754015us
[2] https://www.dell.com/en-uk/work/shop/workstations/precision-7540-build-your-own/spd/precision-15-7540-laptop/xctop7540emea
[3] https://www.intel.com/content/www/us/en/architecture-and-technology/engineering-new-protections-into-hardware.html

Steve Coleman

Nov 26, 2019, 5:11:20 PM
to qubes-users
This link might make it 'a little' clearer about the difference:

https://www.intel.com/content/www/us/en/products/compare-products.html/processors?productIds=191045,191047

Look at the "Advanced Technologies" and "Security & Reliability" drop downs.

They both have VT-x, VT-d, EPT, OS Guard, and SGX/ME

The i7-9850H adds on the vPro, TSX-NI, Trusted Execution, and SIPP, none
of which you need as far as I can tell.
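Added example, not part of the original thread: a shell script for checking, on a running Linux system, which of the features compared above the CPU and firmware actually expose. The flag-to-feature mapping uses the Linux kernel's /proc/cpuinfo flag names; the function names and the two sample flag strings are constructed for illustration and were not captured from either CPU.

```shell
#!/bin/sh
# Added example: map Linux /proc/cpuinfo flag names to the Intel features
# named in the thread. vmx=VT-x, ept=EPT, smep=OS Guard, sgx=SGX,
# smx=TXT ("Trusted Execution"), rtm=TSX-NI.

has_flag() {            # has_flag "<space-separated flags>" <flag>
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

report_features() {     # prints one NAME=yes|no line per feature
    flags=$(printf '%s' "$1" | tr '\t\n' '  ')
    for pair in VT-x:vmx EPT:ept OS-Guard:smep SGX:sgx TXT:smx TSX-NI:rtm; do
        name=${pair%%:*}
        flag=${pair##*:}
        if has_flag "$flags" "$flag"; then
            echo "$name=yes"
        else
            echo "$name=no"
        fi
    done
}

live_flags() {          # "flags" and "vmx flags" lines of the first CPU
    awk -F: '/^(flags|vmx flags)/ {print $2} /^$/ {exit}' /proc/cpuinfo
}

live_report() {
    report_features "$(live_flags)"
    # VT-d is not a CPU flag: firmware advertises it through the ACPI DMAR table.
    if [ -e /sys/firmware/acpi/tables/DMAR ]; then echo "VT-d=yes"; else echo "VT-d=no"; fi
    # /dev/mei0 only shows that the ME host interface is exposed to the OS;
    # its absence does not prove the ME is disabled.
    if [ -e /dev/mei0 ]; then echo "MEI=present"; else echo "MEI=absent"; fi
}

# Constructed flag strings for illustration, not captured from either CPU.
SAMPLE_FULL="fpu vme smep vmx smx sgx ept ept_ad rtm hle"
SAMPLE_BASE="fpu vme smep vmx sgx ept ept_ad"

if [ "${1:-}" = "--live" ]; then
    live_report
fi
```

Run it with `--live` from a bare-metal Linux boot; under Xen (for example Qubes dom0) the hypervisor hides flags such as vmx from the kernel, so the output there under-reports.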

tetra...@danwin1210.me

Nov 27, 2019, 6:08:14 AM
to Lambda, qubes-users
On Tue, Nov 26, 2019 at 01:05:08PM -0800, Lambda wrote:
>Lenovo's 2019 laptop is currently on sale and their CPU selection[1]
>includes:
>- i7-9750H: no vPro, No Out-of-Band Systems Management
>- i7-9850H: vPro, Intel ME Disabled

[--]

>I'm aware that for AEM support I would need to have ME and TXT 1.2. But
>those CPUs have TPM 2.x

What's the state of modern laptops when it comes to disabling ME and/or
using anti-evil-maid features?

The Lenovo X1 Carbon Gen 6 is "unofficially" the standard for Qubes
developers, but only the (much older) X230 supports the HEADS
Anti-Evil-Maid solution (which is different from Qubes AEM, and
apparently better).

(Coreboot is not supported on the Carbon Gen 6 as far as I know)

Similarly I've read that the X230 is the last laptop where it's
reasonable to disable Intel ME, but the above email suggests even much
newer laptops are available without ME.

For users who care about hardware security, do any modern laptops offer
the capabilities of the older ones, or is "an upgrade necessarily a
downgrade" in this case?