Why You Don't See Coreboot Supported By Many Modern Intel Systems

While Coreboot has been ported to a number of older ThinkPads and other outdated Intel motherboards and laptops, you don't see many modern Intel systems supporting Coreboot. The reason for the lack of Coreboot support is due to a "feature" introduced with Haswell.

When a potential user asked about Coreboot support for the new Intel Broadwell-based ThinkPads, the explanation came down to, "new thinkpad's can't be used anymore for coreboot. Especially the U and Y Intel CPU Series. They come with Intel Boot Guard and you are won't be able to boot anything which is unsigned and not approved by OEM. This means the OEM are fusing SHA256 public key hashes into the southbridge. For more details take a look at Intel Boot Guard architecture. It could be also confirmed by Secunet AG and Google."

Intel Boot Guard was added to fourth-generation Intel Core (Haswell) processors and is still present with the new Broadwell designs. Intel explains Boot Guard as "Hardware-based boot integrity protection that prevents unauthorized software and malware takeover of boot blocks critical to a system’s function, thus providing added level of platform security based on hardware."

While Boot Guard may be beneficial to those wanting to ensure that no malware takes over the system's boot blocks, it thwarts Coreboot from being supported. Sadly, Intel doesn't take much of an interest in Coreboot. Those looking to use Coreboot on modern hardware are best off with Google's Chromebooks for x86 and ARM that rely upon this open-source alternative to proprietary UEFI/BIOS. Google likes Coreboot for its faster boot times, open-source nature, etc.