You should by the way consider Libreboot as Coreboot contains proprietary blobs (just like Linux).

Pretty sure Intel is aware of being called out on this, and Matthew's points make sense - this can be done via UEFI Secure boot. Has Intel responded to Matthew's comments on Boot Guard? They are known to listen to their customers. And they should particularly listen to this very important minority, because it is such minorities that create software and hardware and shape the worldview of the majority who only use it to their end. Piss off developers and hobbyists, and you've touched a raw nerve.... Let me quote what a wise man once said -♫ "developers developers developers developers developers developers developers developers".♫

If Coreboot contains blobs that protect the IP/lifeblood of a hardware manufacturer from getting knocked off by some Chinese company, then so be it. This is about installing a BIOS of your choice. Both can be had, security and choice - it's not an either/or proposition, as Matthew points out. Intel ought to make this right.

On the one hand things like Coreboot are really interesting, on the other... any objection here is more out of principle than practical effect. Unless you specifically purchase devices that have coreboot support, most of us here are likely to never run it, and in cases that we do it's more likely to come from vendors who are themselves installing coreboot as the firmware. In which case this won't matter anyway. So I don't know how I feel about this.

Linux itself can boot up just about any PC you try to put in on. If the same was true for coreboot it would be much more likely to have a wider userbase. It's sort of like a catch22.

Yeah... there's that, and there's this whole situation where the motherboard is bricked if coreboot doesn't work and you don't happen to have the right tools to reflash the EEPROM if things go wrong.

Of course, that could always be fixed via something like Megabyte's Dual-BIOS where you have a jumper on the mobo, a primary BIOS in EEPROM and a recovery BIOS in ROM that can be used to un-brick the primary BIOS.

I don't want to install coreboot myself because it voids warrenties. I want to use coreboot while keeping my warrenty. Also, every dollar is a vote and that vote only goes toward coreboot if it is preinstalled...preferably by the manufacturer.

Only the most absolutely sophisticated people would flash their motherboard anyways. Anyway, even if coreboot has binary blobs in it, it would still be an improvement. Once coreboot becomes mainstream and widespread, then we can work on dealing with the blobs. Rome wasn't built in a day and sometimes incremental improvements are the most effective path. Also, you gotta lay the foundations before building the rest of the structure.

Chromebooks do this already with a two part firmware, the first part resides on read-only flash memory. The problem is even with this, you can't get a secure/verified boot chain with this and boot guard because you can't add new keys into the verified first firmware. At best you can solder/cut closes/open the write protect circuit and use tamper evident seals on the hardware. The only way you could extend the protection of boot guard through to a user on a libre user-compiled stack is not to enable it until it gets to the user. That is the user can choose the install the manufacturer key on first boot, or not enable bootguard and write thier one key onto it later.

The chances of a mainstream manufacturer doing this though is effectively zero.

That and modern intel will never be supported by libreboot. The IME (intel management engine), a co-processor running a seperate and proprietary real-time embedded OS that is located on the northbridge chipset and therefore can spy on all of the I/O, and do unmanaged DMA to RAM. It's precisly the same issue you see in mobile phone BLObs where the baseband chip is integrated with the CPU. Our best chance at a reasonable functional secure system with current hardware right now is to finish reverse engineering the Lima driver and using a ARM platform that libreboot supports.