This-a-way: https://review.coreboot.org/plugins/.../src/security/

coreboot supports TPM 1.2 and 2.0. It also supports TXT as well as Converged Bootguard and TXT (CBnT), which is validated using 9elements' open-source security test suite.

Coreboot is in fact a moderate success. Its used by chromebooks and botique supplies like System 76. Its development also drove the further development of tools like the ch431a chip flasher, flashrom, mecleaner, and a whole host of tools for hacking on and developing firmware. Its also help demystify the world of firmware.

It also gives the ability of small boutique vendors, crowd sourced projects and oddities a chance to function with a complete working, no cost, easy to modify for whatever custom stuff they have firmware to run projects with.

I am going to guess paying for firmware you probably get access to stuff that that coreboot doesn't have, or can't have. I am going to also guess that AMI or Award will sell you a full, turnkey solution, with mouse enabled GUI, and other features you'd have to re-implement yourself if you wanted them. If you look at some of the flashier GUI bioses, especially at shit targeted at gamers, you'll see why. What is coreboot going to do to support the 5 RGB LED controllers, with "high tech" battle video game looking GUI, and the auto-fan temp/speed curves for the 6 supported fans. Is it going to support overclocking of any sort, is there going to be an overclocking menu? Someone has to write all that, to be frank. What about TPM support? What about any other security modules?

coreboot's config menu is rather spartan, and doesn't even have password protection.

The linux kernel can be booted directly as an EFI executable.

Then again, if you're going through all the trouble of replacing your out-of-the-box bios with coreboot you might as well use LinuxBoot rather than an UEFI implementation.

I sometimes wonder why coreboot hasn't been a huge success. Sure, there is little incentive for board makers to support replacing their firmware with another one, volunteer support will always be late, people are apprehensive about bricking their systems etc., so in this space I wouldn't expect much. But why are MB makers happy to fork over a chunk of their razor-thin margins to AMI/Award/whoever rather than just slapping coreboot on their boards?

There was a small 'my feels' conflict "Libreboot vs GNU/FSF", but it got resolved so everything is fine. In any case, for me it seems a libreboot is mostly a way to highlight the coreboot boards which could run without blobs - just like LibreCMC vs OpenWRT for the routers. In example, if you'd build coreboot for a libreboot-supported board, it will be still blobless.

You can get nice things, just need to pick the right hardware. I.e. instead of a "mythical 100 Gbit WiFi 9" adapter, which works on a glitchy binary blobs, you pick an old good trusty Atheros ath9k based WiFi adapter like AR9462 - which may be just "300 Mbps 2.4GHz + 5GHz", but still may be more than enough for you if your internet is <=100 Mbps. These Atheros ath9k adapters have 100% opensource software & firmware, work without any blobs - so work even in the FSF/Stallman-endorsed Linux distros - and are doing it flawlessly. AR9462 minipcie is just ~$8 from AliExpress/China ; just need to make sure that your crapware proprietary UEFI doesn't have a WiFi whitelist (or it's possible to hack it) , or switch to libreboot/coreboot BIOS without stupid whitelists

Are there any worthy EFI executables at all (except the "NSA backdoor" ones? ;-) ) Meanwhile, SeaBIOS supports booting the virtual floppies embedded right into the BIOS image (you see them as a boot entry) of which there are many useful: KolibriOS, FreeDOS, MichalOS, Snowdrop, Fiwix, Memtest, Tatos, Plop, FloppyBird, etc. I got a great collection there - https://review.coreboot.org/c/coreboot/+/33509

SeaBIOS has about just 50k lines of code total, of which just a few thousands could be active depending on a specific configuration. And its' very easy to add the new features there, i.e. I've added the multiple ramdisk support. I'm not sure any possible alternatives could be this small and beautiful. In comparison, Tianocore is a horrible bloat: UEFI is a "SystemD of a BIOS world", even the opensource one.

Libreboot hasn't been relevant for a long, long time. It's nothing but a subset of coreboot. Just pick a board in coreboot that doesn't require blobs if you're so adamant about it. It's been very ironic to see libreboot's maintainer meanwhile pick up support for the Management-Engine-laden X230 and promote it.

Not to mention, but the RYF policies they split off over are just dumb. Blobs get a free pass so long as they're out of sight and immutable, as if that makes them "safe" or less icky.

Marcan wasn't off-base when he asserted that the rules actually *decrease* user freedom: https://twitter.com/marcan42/status/1040626210999431168
(In fact, while we're here: https://twitter.com/marcan42/status/1377899929209774081)

The most sensible policy on blobs I've ever seen flies directly in the face of the FSF's preaching: https://twitter.com/XMPPwocky/status...42775093010434
Embrace the blob. Trace the blob. Understand the blob. Replace the blob. Modify the blob. Bend it to your will. Make it easier for others to do the same. This is what brings real freedom, not imaginary safety from taint.

Meanwhile, the FSF say "run and hide from the blob, and stick your head in the sand for those you can't get rid of." I'm not kidding when I say there's more proprietary code in Stallman's laptop than there is Linux kernel, but you'd never hear anyone admit that.

My “woke” knowledge is failing me. Isn’t Libreboot the one we’re meant to be boycotting? I can’t remember why, though.

Tiano as a Libreboot payload... hmm.

You re-compile in the Tianocore support, or use Coreboot