Hi! I’m thinking about preordering the Framework Laptop 12 and which CPU, i3-1315U or i5-1334U, I would go with. Security is a major concern for me, and I noticed that the i5 has some capabilities that the i3 seemingly lacks:
Intel vPro Eligibility (Essentials)
Intel Hardware Shield
Intel Standard Manageability (ISM)
Intel Trusted Execution Technology
I’m trying to understand how big the difference between having or not having these would be. Specifically, I’d like to know what HSI level the framework laptop 12 achieves with the i3 and i5 respectively.
For most things, its fine. I wouldn’t recommend it if you’re doing things that are extremely security intensive, but you’d never notice the difference at least from my experience.
Discussion on the merits of the features mentioned in the post is completely irrelevant to the question that was asked. HSI is a standard measurement of overall hardware security for a system developed by the Linux community. As there are some security-related features that Framework only advertises for the i5 model, the poster wanted to know if the i5 model achieves a higher HSI score. This question is not related to the specific features Framework only advertises on the i5, much less whether those features are desirable.
I don’t trust the “standard” measurement, my other machine has HSI-2 instead of 3 because the “suspend-to-ram” is enabled. Even if you choose suspend-to-idle manually in kernel parameters as long as the options is there the Enabled will be marked red. Whoever wrote the HSI are following Microsoft’s step, trying to eliminate the superior S3 sleep in the firmware level. Here’s an example of believing HSI blindly.
I’m aware that not all the listed features are generally understood to be “security features”. I just listed all missing features from the “Security and Reliability” section of the official Intel specs site for the sake of completeness.
Also, in case it wasn’t clear: I’m looking for a concrete answer because only on this basis will I really be able to evaluate the difference it makes for me. Your situation and threat model might be different from mine. So answers akin to “it does/doesn’t matter much”, without at least elaborating or sharing factual info this is based upon, isn’t that helpful.
Suspend-to-RAM provides inferior protection against cold boot attacks. While this is unlikely to be a concern for many, it’s only required for HSI-3, and HSI-2 is already defined as “where any exploit would be difficult or impractical to use”.
