Why You Don't See Coreboot Supported By Many Modern Intel Systems


  • #51
    This suggests buying USED and stockpiling known good hardware

    Originally posted by blackiwid
    Is not 100% clear, it looks like the PSP (Platform Security Processor), a second TPM like ARM processor that comes with newer AMD systems generally is able to be used by coreboot.

    But that could be only a first model or only server systems or something like that. At least what I found on discussion about it, it should only boot signed stuff... but this coreboot is not signed, I find no conclusive general YES or NO on this matter yet.

    For notebooks you have not much alternatives anyway, you have your few models a few chromebooks and thinkpads and that's it... stay with it very long and let's see in 2 or more years what happened
    This kind of shit means the best laptop to buy may be a USED one, if not right now it soon will be. Never throw away an operable laptop capable of running either Coreboot or an old style BIOS, hell I am still sitting on an old Pentium II laptop that runs Ubuntu Jaunty just fine.

    There is a historical precedent for this: The magazine restrictions in the long-expired 1994 US "assault weapon" ban, which limited capacity of newly produced and sold gun magazines to ten rounds. Like OEMs pushing locked computers, this law ignored previously existing high capacity magazines. As a result, "pre-ban" magazines instantly shot up in price, they were carefully hoarded and never discarded. The supply of pre-ban magazines outlasted the law, and there was never a time when a US gun owner could not obtain a high capacity magazine, though prices went up and up.

    I do not discard any operable hardware capable of playing video at the small 360x640 resolution while running Linux. I have suspected since the dawn of Secure Boot that a time would come when old hardware that predates a "linux ban" imposed by OEMs would become as precious as those pre-ban magazines once were to gun owners. With what I do in politics the analogy is apt: politics and warfare differ only in the tools used, computers are to politics as guns are to warfare these days.


    • #52
      I started collecting old hardware since TPM / TCPA emerged the first time. Basically it is all vendor lock down, forcing the user into "markets" and "eco-systems" of their own. It is controlling the user, marking the user as trustworthy or not, digital restrictions management and so on. It has only so far to do with security as it affects corporation's profits.
      The sad thing is that there are some folks even in the "Linux" community that still think it could be good for something or that even advertise this crap. Maybe today you can implement your own boot keys into this blobish environment, but tomorrow? And who tells you security won't be compromised by the ever growing complexity of firmware?
      Stop TCPA, stupid software patents and corrupt politicians!



      • #53
        Personally I don't think a Linux ban will ever happen for several reasons.



        • #54
          I don't think there will be a ban. My crystal ball says it will be pure "market forces", and Linux will simply be locked out of the most popular consumer computers, with niche producers as well as server producers continuing to cater to us. I won't claim to know the mechanism, but MS being involved isn't that far-fetched.

          /you'll pry my linux-running computers from the EMP-protected torture dungeon



          • #55
            Originally posted by curaga
            I don't think there will be a ban. My crystal ball says it will be pure "market forces", and Linux will simply be locked out of the most popular consumer computers, with niche producers as well as server producers continuing to cater to us. I won't claim to know the mechanism, but MS being involved isn't that far-fetched.

            /you'll pry my linux-running computers from the EMP-protected torture dungeon
            I don't think that will happen either. That being said, remember http://mjg59.dreamwidth.org/20187.html? I dug up the BIOS update history for this machine (http://download.lenovo.com/ibmdl/pub.../9sjy81usa.txt) and notice the reference to "redhat 6.3" (yes they even used the wrong name!). It has nothing to do with secure boot though.
            Last edited by yuhong; 13 February 2015, 05:56 PM.



            • #56
              Intel is NOT locking out coreboot

              We at Sage Electronic Engineering are great fans of Michael Larabel's Phoronix.com blog, so it was with some dismay that we read the post this week.

              Larabel is correct in asserting that Intel's Boot Guard, enabled by the OEM, will prevent installing coreboot on a newer ThinkPad. However, he seems to go well beyond that in asserting this is Intel's way of preventing the use of coreboot.

              As a company immersed in coreboot and working intimately with Intel for coreboot/FSP integration on new processors, we would maintain that Larabel's assertion is very poorly supported. Because Lenovo wants to lock down its boot firmware for security purposes in no way implies that Intel wants to lock out coreboot.

              In fact, the timing of these comments is very interesting, coming on the heels of Intel publishing its book, Embedded Firmware Solutions, that details how to integrate coreboot solutions. Intel paid for publication (downloads are free) and it is co-authored by Intel engineers Vincent Zimmer and Jiming Sun, Google's Stefan Reinauer and Sage's coreboot expert, Marc Jones.

              Sage has a coreboot-based Board Support Package for Haswell, and most of that code has already been pushed to the coreboot community, meaning it's right there for Larabel and anyone else to use. We will soon be pushing Broadwell code to the community, as well.

              We do agree with Larabel that it is a drag that coreboot can't be installed on many new OEM systems, because more hackers using coreboot means more potential coders in the coreboot community - something Sage very much desires. But we can hardly, in this day and age, expect that an OEM will sacrifice security in return for enabling a few of us to hack our devices.

              There are some obvious alternatives, including buying a computer designed for open source, though we agree they tend to be a difficult investment and often are built on older hardware. Chromebooks, which are now required to boot with coreboot, are an option, as Larabel notes, as well.

              Interesting though, is the fact that if you install your own coreboot solution into a Chromebook, you would not have access to Google's Chrome OS, because your coreboot version would be unsigned. So while Google has allowed their hardware to be open they too have made security decisions.

              Of course, you could also build your own Chrome, but then you wouldn't have access to Google Chrome infrastructure for updates, etc.

              All of which just goes to show that this security stuff has gotten to be pretty tricky business.



              • #57
                Originally posted by SageJeff
                We at Sage Electronic Engineering are great fans of Michael Larabel's Phoronix.com blog, so it was with some dismay that we read the post this week.

                Larabel is correct in asserting that Intel's Boot Guard, enabled by the OEM, will prevent installing coreboot on a newer ThinkPad. However, he seems to go well beyond that in asserting this is Intel's way of preventing the use of coreboot.

                As a company immersed in coreboot and working intimately with Intel for coreboot/FSP integration on new processors, we would maintain that Larabel's assertion is very poorly supported. Because Lenovo wants to lock down its boot firmware for security purposes in no way implies that Intel wants to lock out coreboot.

                In fact, the timing of these comments is very interesting, coming on the heels of Intel publishing its book, Embedded Firmware Solutions, that details how to integrate coreboot solutions. Intel paid for publication (downloads are free) and it is co-authored by Intel engineers Vincent Zimmer and Jiming Sun, Google's Stefan Reinauer and Sage's coreboot expert, Marc Jones.

                Sage has a coreboot-based Board Support Package for Haswell, and most of that code has already been pushed to the coreboot community, meaning it's right there for Larabel and anyone else to use. We will soon be pushing Broadwell code to the community, as well.

                We do agree with Larabel that it is a drag that coreboot can't be installed on many new OEM systems, because more hackers using coreboot means more potential coders in the coreboot community - something Sage very much desires. But we can hardly, in this day and age, expect that an OEM will sacrifice security in return for enabling a few of us to hack our devices.

                There are some obvious alternatives, including buying a computer designed for open source, though we agree they tend to be a difficult investment and often are built on older hardware. Chromebooks, which are now required to boot with coreboot, are an option, as Larabel notes, as well.

                Interesting though, is the fact that if you install your own coreboot solution into a Chromebook, you would not have access to Google's Chrome OS, because your coreboot version would be unsigned. So while Google has allowed their hardware to be open they too have made security decisions.

                Of course, you could also build your own Chrome, but then you wouldn't have access to Google Chrome infrastructure for updates, etc.

                All of which just goes to show that this security stuff has gotten to be pretty tricky business.
                Do you know if Intel can support an OEM putting a jumper to disable it?



                • #58
                  Thinking about it, it should be possible to flash UEFI firmware on e.g. Chromebooks that have Boot Guard disabled if the hardware is exactly the same, right? Though a better option would be using a UEFI payload on top of coreboot, which pgeorgi has been working on.



                  • #59
                    Originally posted by SageJeff
                    Google / Chrome
                    Google isn't really about freedom. It's about getting hold of your data and making money from it. So: No.

                    Originally posted by SageJeff
                    expect that an OEM will sacrifice security in return for enabling a few of us to hack our devices
                    While it is nice to hear a view that could be from Sage, what are you talking about? Sacrificing security? WTF? Secure Boot is all about vendor lock-in and not about security. Or let's say the security of Microsoft's fat wallet's growth but it is not meant to support the customer and user.
                    Still good to know that one is now to avoid Lenovo, too.
                    Stop TCPA, stupid software patents and corrupt politicians!



                    • #60
                      Originally posted by Adarion
                      Google isn't really about freedom. It's about getting hold of your data and making money from it. So: No.
                      You don't have to use Chrome OS, as mentioned above.
