Skip to content
Mainframe

B2C — Data Protection & Linux

Coreboot Laptop Flash

Open-source firmware in place of proprietary BIOS — Coreboot, optionally with Heads for measured boot, on a supported laptop. More control, less black-box code between you and Linux.

The BIOS / UEFI is the layer that runs even before the bootloader — and on most laptops it is a fully proprietary chunk of code with sweeping access to your hardware. Coreboot is the open-source alternative: a minimalist firmware framework that does only what’s needed to launch the bootloader, and stays auditable while doing it.

What’s included

  • Compatibility check of your device (or recommendation of a suitable model)
  • Hardware flash of the SPI chip via CH341A programmer and Pomona clip — we open the device, save the original BIOS dump as recovery, and flash Coreboot
  • Choice of payload by use case: SeaBIOS (classic, lean), EDK2 / Tianocore (UEFI-compatible), or GRUB payload
  • Optional: Heads as the payload — measured boot with TPM, GPG-signed kernel verification, USB smartcard authentication (worth it for journalists, activists, security researchers)
  • Optional: me_cleaner to neuter Intel Management Engine (works on Sandy through Haswell generation)
  • Linux installation and hardening after the flash
  • Recovery documentation and original backup so the factory BIOS can be restored

Who it’s for

Individuals who want to free their firmware layer from proprietary code — whether for sovereignty reasons, because you need an attestable boot chain, or because you’d rather not have Intel ME running under your own OS.

Realistically flashable devices

  • Classic ThinkPads: T420 / T430 / T440p / T440s / T450 / T460 / T480, X220 / X230 / X240 / X250 / X260, T520 / T530, W520 / W530 — the most solid platform for retrofit flashing
  • System76 (Galago Pro, Lemur Pro, Darter Pro, etc.): ships with System76 Open Firmware (Coreboot-based) from the factory
  • Star Labs (StarBook, StarLite): Coreboot stock, no flashing needed
  • NovaCustom (V54, V56): Dasharo / Coreboot from the factory
  • Framework Laptop 13 / 16: Dasharo Coreboot image available
  • Purism Librem 14: PureBoot (Coreboot + Heads) from the factory

What’s not included

No hardware resale — you bring the device, or we help you source one. Modern consumer Intel with active Boot Guard (Lenovo since ~2014, Dell, HP) cannot be flashed without hardware modification — if your target device isn’t on the list above, we’ll honestly decline rather than promise something.

Realistic expectations

Coreboot is not magic. On modern Intel platforms a residual binary blob (FSP, microcode) is still required — but the attack surface and the auditable portion shift significantly in your favour. Hardware flashing carries residual risk: we create a fully saved BIOS dump before every flash, so if anything goes wrong the original state can almost always be restored.

Book a consultation ← Back to overview