Coreboot is missing as alternate firmware option. #4

Open
zaolin opened this issue Aug 28, 2015 · 3 comments

Comments

@zaolin

zaolin commented Aug 28, 2015

Hi,

coreboot is an alternate firmware for different platforms. See www.coreboot.org.
It is also possible with coreboot to build a secure boot based on GRUB2. On Chromebooks you can use Chrome OS firmware, which is based on coreboot.
See https://chromium.googlesource.com/chromiumos/third_party/coreboot/ .
Google provides all firmware as open source; even the embedded controller firmware is open.
See https://chromium.googlesource.com/chromiumos/platform/ec/ .
I guess the Chromebooks are the most secure and open solution for firmware security...
Maybe this should be listed as an alternative option for running a safe Linux workstation.

For more information about the Chromebook boot process, take a look at:
https://www.chromium.org/chromium-os/chromiumos-design-docs/firmware-boot-and-recovery

Regards Zaolin

@mricon
Member

mricon commented Aug 31, 2015

I agree with you about Chromebooks, but unfortunately they are not suitable for sysadmin work unless you enable developer mode and thus nullify a lot of protections. :(

@zaolin
Author

zaolin commented Aug 31, 2015

You can easily rebuild your Chromebook's BIOS and EC firmware and reflash them with a different configuration, payloads and cryptographic keys. It's a lot of work, but that is how you can gain more security. You can also try to adapt some features of Chromium OS. Take a look at:

https://www.chromium.org/chromium-os/chromiumos-design-docs/system-hardening

for more impressions.

@unixbhaskar

@zaolin @mricon And it's certainly not child's play to reflash BIOS and EC. One has to have an understanding of what they are doing. One misstep and you brick the device.

I think a much better option would be "owning" your own device and platform. You should probably follow Greg's or James's blogs about it. Very descriptive and well written. So you can be sure what you have and what you run. YMMV
