Coreboot Improvements Land For Lenovo Laptops


  • pgeorgi
    replied
    Originally posted by Serge View Post
    Not trying to criticize, but you kinda make it sound like the screw is there to scare people who don't know what they're doing. That is not really the purpose.
    True, they have their "5 minutes unsupervised" rule.

    But it really goes hand in hand: The only way to reliably protect flash from being written is in hardware (no matter if the fault vector is persistent malware, a local attacker or local user stupidity). The only comfortable way to do so (that preserves freedom) is to use a jumper. And there we are...



  • Serge
    replied
    Originally posted by pgeorgi View Post
    The "turn a screw" model (which is an adaptation of the old "use jumper to unlock write-protect") really gets a bad rap these days, even though it's the only way to keep the firmware safe from unintended modification (be it corruption or malware). As a vendor they don't want people to brick their systems in large numbers by using joe random's m0dding tool ("makes your computer 2% faster!!!11") found on some obscure website. And as the go-to guy for computer issues for people in my peer group, I agree...
    Not trying to criticize, but you kinda make it sound like the screw is there to scare people who don't know what they're doing. That is not really the purpose. The real purpose is to increase the time it takes to unlock the boot process. The idea is that if an attacker gets physical access to your machine while you step away from it to get a cup of coffee, he or she won't be able to compromise it in the five minutes it takes for you to come back. For ideal security, you wouldn't be able to unlock the boot process at all. However, Google sees "hackability" as a selling point, and they want people to know they can hack the boot process and install something else on the machine (hacker as in computing enthusiast, not hacker as in security penetrator). That's why they've come up with this security screw compromise.



  • Knopornef
    replied
    Originally posted by boltronics View Post
    The current flashing procedure will scare a lot of folk away...
    Then again Lenovo itself seems capable of bricking its Thinkpads with bad BIOS updates (T430 Failed Bios Update. Five Beeps, Blank Screen.). I have a Thinkpad that has been sitting in a drawer for a month, waiting for Lenovo to fix the BIOS. Maybe it is time I try Coreboot!



  • GreatEmerald
    replied
    Originally posted by chithanh View Post
    Did you ever try to install Linux on a fast boot enabled UEFI system? You can't even enter the UEFI setup menu, because fast boot will not even initialize the keyboard and mouse before the OS loads. You need to boot Windows and follow an 8-step procedure in order to make the setup appear on next boot. Entering developer mode and disabling verified boot on Chromebooks is usually two or three steps.
    Pulling out the hard drive is just as much work (sometimes less) as turning a screw. Unless you're unlucky enough to have bought a laptop with a soldered drive.



  • pgeorgi
    replied
    Originally posted by r_a_trip View Post
    Coreboot is one of those projects that's always interesting. A project which is attractive from a security and FOSS standpoint. But also a project that seems to be perpetually in catch up and only seems to support a limited catalog of hardware and almost all of the time not the hardware you happen to have or fancy. Combine that with a fairly hands on approach, no ready to go images and a very real chance to bork your hardware and it simply isn't a project suitable to the casual end-user.
    Sounds about right. The image situation is partly because we relied on the VGABIOS for long. On some models, we could provide freely redistributable images since that changed for some chipsets where coreboot provides native graphics init. It's still not the ordinary end-user project. All the FUD about "don't install Linux, it might break your computer" that was popular in the late 90s certainly applies once you replace Linux with coreboot.

    Maybe we'll get some vendor support in the future (since they could reduce the BOM costs by ~$5, or whatever BIOS vendors demand these days), but we have had that hope for a number of years now. But there are now also some embedded teams at companies using coreboot, so maybe it's really starting now?

    Originally posted by r_a_trip View Post
    The only way to get your hands on a hassle free Coreboot machine is to get a Chromebook and anchor your fate to Google. I know you can futz about with developer mode on a Chromebook and install certain Linux distros, but it doesn't have the same range of ease of use one of those evil proprietary BIOSes or UEFIs has.
    Developer Mode is ChromeOS developer mode, and so it's relatively inconvenient if you actually want to use the system as an ordinary computer. If you want to break all ties to Google on a Chromebook, go through the procedure documented by Google to tighten a screw and use the coreboot code provided and upstreamed by them to install an alternative firmware yourself.
    No, it's not simple, but Chromebooks are primarily sold for ChromeOS - I'm still glad that there's a vendor that provides a hackable system in the first place. Apart from bugs, none of the proprietary BIOSes or UEFIs provide that level of access (e.g. it's much harder to install coreboot on those Lenovos, even if you have a premade image).

    The "turn a screw" model (which is an adaptation of the old "use jumper to unlock write-protect") really gets a bad rap these days, even though it's the only way to keep the firmware safe from unintended modification (be it corruption or malware). As a vendor they don't want people to brick their systems in large numbers by using joe random's m0dding tool ("makes your computer 2% faster!!!11") found on some obscure website. And as the go-to guy for computer issues for people in my peer group, I agree...



  • chithanh
    replied
    Originally posted by r_a_trip View Post
    Coreboot is one of those projects that's always interesting. A project which is attractive from a security and FOSS standpoint. But also a project that seems to be perpetually in catch up and only seems to support a limited catalog of hardware and almost all of the time not the hardware you happen to have or fancy.
    You could have said this about that whole Linux thing not too long ago. Currently you need to shop for hardware that is coreboot compatible. This may or may not improve, as it did with Linux.

    Originally posted by r_a_trip View Post
    The only way to get your hands on a hassle free Coreboot machine is to get a Chromebook and anchor your fate to Google. I know you can futz about with developer mode on a Chromebook and install certain Linux distros, but it doesn't have the same range of ease of use one of those evil proprietary BIOSes or UEFIs has.
    I don't think that these assertions are based in facts.

    Did you ever try to install Linux on a fast boot enabled UEFI system? You can't even enter the UEFI setup menu, because fast boot will not even initialize the keyboard and mouse before the OS loads. You need to boot Windows and follow an 8-step procedure in order to make the setup appear on next boot. Entering developer mode and disabling verified boot on Chromebooks is usually two or three steps.



  • r_a_trip
    replied
    Coreboot is one of those projects that's always interesting. A project which is attractive from a security and FOSS standpoint. But also a project that seems to be perpetually in catch up and only seems to support a limited catalog of hardware and almost all of the time not the hardware you happen to have or fancy. Combine that with a fairly hands on approach, no ready to go images and a very real chance to bork your hardware and it simply isn't a project suitable to the casual end-user.

    The only way to get your hands on a hassle free Coreboot machine is to get a Chromebook and anchor your fate to Google. I know you can futz about with developer mode on a Chromebook and install certain Linux distros, but it doesn't have the same range of ease of use one of those evil proprietary BIOSes or UEFIs has.



  • boltronics
    replied
    Looks like the Lenovo X201 (2010 12" 1280x800 LCD, i5-540M CPU, 4G RAM) is starting to get some support.



    The current flashing procedure will scare a lot of folk away though. Hopefully someone can figure out how to work around the bootblock lock so disassembly is no longer required. Further down the wiki page suggests some progress has been made in this direction already.



  • curaga
    replied
    The e350m1 is a 2011 mobo and fairly well supported.



  • GreatEmerald
    replied
    Originally posted by mark45 View Post
    In layman's terms, can Coreboot be used on new (year 2008+) motherboards?

    If not, because it lacks support (to be developed) or because it's impossible?
    I think the answer to the first question is "maybe". Nobody really knows until it's tested, and nobody really wants to test because there's a fair chance of bricking the hardware. And I think the answer to the second question is "it depends", as some boards have certain features that make it hard to flash them with Coreboot (but not all of them).

