Interesting

I don't know which side of the fence to come down on here. Either you have the hardware to keep the system secure or you risk compromise. I suspect that somebody will come up with an open source solution but I really have to wonder if CoreBoot is really that important.

It's actually quite simple, use the third option: Boot Guard also has a "measured boot" mode in which the chipset sends a hash of the bootblock to the TPM before running it. The hash is stored in a register that isn't writable by the CPU.
That way, if you want to ensure integrity, you can "seal" a secret in the TPM against that hash, and the TPM will only hand it out if that register contains the right value.

If someone else want to take over the machine, they can simply overwrite the bootblock (and everything else in flash), but it won't go unnoticed.

Unfortunately there's hardly an incentive for Intel to promote that mode more, or for the hardware vendors to use it.

Who says we must choose between using "hardware to keep the system secure" and risking compromise? Isn't this the same bogus justification given by peddlers of DRM technology? I suspect this is going to get worse before it gets better, with more and more anti-consumer locked down hardware, forced on us in the name of "security".

I guess I will stick to my X220 now for a very very long time. No big problem anyway because I would only buy refurbished 1-2 year old modells anyway and because every successor of the x220 sucks really bad for different reasons the x260 + 1-2 years till it gets cheap refurbished are 3 years anyway at least. just to be clear what I think what I hate about the successors.

X230 no big difference except not so good keyboard its also a ok version
x240 no mouse buttons and only 1 ram slot max 8gb ram
x250 1 ram slot 8gb ram max.

and because I am no heavy mobile user I gain from the successors anyway nothing, and ahh ok a better gpu doesnt give me anything too. so this releases are just bad for me anyway. basicly expensive backsteps.

I would maybe like bigger resolution but the mobile keyboards even from lenovo are not good enough to work longer times anyway so fuck it, I put it onto the docking station anyway.

hope they release some time soon a version of libreboot coreboot is nice but only libreboot is the real deal.

Indeed. Why the hell can't I choose how much is my system exposed to security risks?

Boot Guard is a kick in the balls I didn't expect from Intel. Not even allowing us to opt out is really, really evil. Apple scale evil.

So, basically, Intel thinks it is okay to feed us with their UEFI blobs malware and then mumble something about "guards". Sure, jail needs some guards. The only prob is that it is user who is being guarded and Intel's crap is going to SHOOT user on doing "wrong things". And it is Intel who defines what is "wrong" to do. And escaping their jail obviously one of things which are "wrong".

Congrats, Intel. You're now #1 malware manufacturer in the world.

"Because they already decided. And they decided not to trust YOU".

Maybe someone forgot, but these who are going to give up essential liberty to obtain little temporary safety, deserve neither liberty nor safety. And that's how "trusted" computing treachery ends...

So once you hear about "trusted" computing, you can be pretty sure it is all about locking YOU outside of "your" system to prevent you from being able to control your hardware. In fact you can't even consider yourself owner since someone else decides how you're going to use that crap.

I wish Lenovo (or some company) would decide to officially support Coreboot.

I wish Google would make a successor to the Chromebook Pixel.
They should make a laptop that is what Nexus is to phones and tablets.

Does Intel Boot Guard hamper NSA?

LOL I reported this days ago in another coreboot thread and nobody cared.