We stand with Palestine ❤️ Free Palestine 🇵🇸

No to genocide in Gaza. No to the killing of civilians. No to targeting hospitals and schools. No to deception and double standards.

Ditch Proprietary BIOS/UEFI: Top 3 Open Source Boot Firmware

Today, it's widely known (at least within the security community) that proprietary firmware, such as BIOS and UEFI, often contains backdoors that compromise user privacy. I believe that hardware manufacturers intentionally integrate these backdoors into their closed-source firmware for obvious reasons. This presents a serious privacy issue, prompting the open-source community and privacy advocates to develop secure, open-source boot firmware. These alternatives prioritize user privacy and enhance hardware security. 

In this blog post, I highlight the top open-source boot firmware alternatives to proprietary firmware and showcase the best Linux hardware featuring these solutions.

This article is sponsored by TUXEDOComputers, a German company that produces Linux hardware, notebooks, computers, and more. Always and forever, all ideas and opinions on this website are wholly mine, as my values are not for sale. To learn more, read our Code of Ethics.{alertInfo}

{tocify} $title={Table of Contents}

The Boot Up Journey

The journey from pressing the power button to a fully functional computer involves a multi-stage process called booting. 

First, the firmware (BIOS or UEFI) on your motherboard acts like a hidden doctor, performing a series of diagnostic checks on the essential hardware components – ensuring everything is healthy.  

Once the hardware passes this checkup, the firmware takes center stage. It acts as an intermediary between the hardware and the operating system, ensuring they understand each other's language. 

During this stage, the firmware initializes basic system settings, configures hardware components, and locates a special program called the bootloader on your storage device. The boot loader then takes over, a small but crucial program with a specific task: to load the operating system kernel. 

Finally, after the kernel finishes loading, the operating system displays a login screen. This is your cue to enter your credentials and gain access. Upon successful login, the user interface loads, and background processes are initiated, allowing you to interact with the operating system and launch applications.

Open Source vs. Proprietary Boot Up

Here's where the difference comes in: traditionally, computers come with a proprietary BIOS/UEFI acting like a pre-programmed captain steering the ship (boot process). It gets the job done but offers limited control and visibility into its workings.

On the other hand, open-source boot firmware options function similarly, but with the code freely available for inspection and modification. This can potentially enhance security and offer more flexibility.

Top Open-Source Boot Firmware Alternatives

Now that you've learned how the boot process works on your computer, let's explore the top open-source alternatives for proprietary BIOS and UEFI firmware. We'll discuss their key features and benefits to help you decide if they're the right fit for your needs.

Coreboot

Coreboot Configuration Menu

Coreboot is a well-established open-source project that aims to replace proprietary BIOS/UEFI firmware with a fast, lightweight, and flexible alternative. This modular and customizable firmware focuses on minimal hardware initialization before handing control to a payload, such as:

  • SeaBIOS: An open-source legacy BIOS implementation.
  • TianoCore (EDK2): An open-source UEFI firmware implementation.
  • GRUB: A powerful bootloader capable of loading multiple operating systems.
  • Linux: Directly booting the Linux kernel.
  • U-Boot: A lightweight bootloader for embedded systems and some personal computers.

Coreboot offers fast boot times, broad compatibility across various motherboards (including laptops, desktops, and servers), and numerous security features like verified boot and memory clearing.

However, while coreboot supports many devices, not all hardware is compatible, and even on supported motherboards, not all features might function. 

Additionally, installing and configuring coreboot can be complex and may require technical expertise and a good understanding of firmware and hardware interaction.

Libreboot

Libreboot Menu

Libreboot is a derivative of coreboot but with a stricter focus on free and open-source software (FOSS). It removes all non-free components (also known as blobs) found in coreboot. This approach aims to eliminate potential security risks associated with proprietary code and achieve the most secure and transparent boot process possible.

Due to its strict FOSS focus, Libreboot supports a smaller range of motherboards compared to coreboot. It also officially supports fewer payloads, specifically GRUB and SeaBIOS.

Heads

Heads Options

Heads is a security-focused firmware that enhances coreboot with a tamper-evident, trustworthy boot process. It aims to provide better security through a combination of measured boot, remote attestation, and signed firmware updates.

Heads firmware offers robust physical hardening by leveraging advanced security measures to ensure the integrity of the main SPI (BIOS) firmware. It uses a hash code from the TPM (Trusted Platform Module) chip that can be verified through a multi-step process:

  • USB Security Key: A security key such as the Nitrokey 3A Mini is used to verify the hash code. If the firmware has been tampered with, the USB security key will signal an alert by blinking red.
  • Two-Factor Authentication (2FA) (optional): An additional layer of security can be added by using a 2FA Authenticator. If the firmware is compromised, the input will be rejected, preventing unauthorized access.

This combination of TPM-based verification, USB Security Devices, and optional 2FA ensures that the system's BIOS firmware remains secure and untampered, providing a high level of physical hardening against potential attacks.

All these privacy and security measures make Heads' hardware compatibility and customization options limited compared to using coreboot directly. 

Furthermore, it is worth noting that the custom coreboot distribution utilized in Heads still includes some closed-source components (Intel’s MRC and ME firmware), potentially raising concerns for some users.

Linux Hardware with Open-Source Firmware

This section highlights the companies leading the charge in integrating open-source firmware into their hardware offerings.

Disclosure: Please note that this article contains affiliate links and any sales made through such links will reward me a small commission – at no extra cost for you. These commissions help support the maintenance and growth of the blog, allowing me to continue providing quality content and resources.{alertWarning}

Purism

Image Credit: Purism

Purism is renowned for its commitment to privacy and security. They offer a range of products, including Librem 14the most secure laptop you can buy, Librem Mini (mini-PC), Librem 11 (tablet), Librem 5 (phone), Liberty Phone, and Librem Server. All Purism devices run PureBoot, a coreboot-based firmware combined with the Heads security layer.

NovaCustom

Image Credit: NovaCustom

NovaCustom provides customizable Linux laptops with Dasharo coreboot, an enhanced version of coreboot with added security and customization features. Their offerings include the V56 Series, V54 Series, and NV41 Series. NovaCustom also offers a Heads firmware variant as a paid subscription, currently available for the NV41 Series only.

NitroKey

Image Credit: NitroKey

NitroKey, renowned for its security-focused USB keys, offers a range of devices including the NitroPad series of laptops and the NitroPC desktops. The NitroPad series includes models like the V56 and V54 laptops, as well as the T430 and X230, based on the ThinkPad T430 and X230 respectively. Additionally, they offer the NitroPC Pro 2 desktop workstation. All these devices come preinstalled with coreboot and the Heads security firmware, ensuring a tamper-evident and secure boot process.

System76

Image Credit: System76

System76 offers a range of laptops, desktops, and servers designed to work seamlessly with Linux. Their devices, including the Lemur Pro, Oryx Pro, and Bonobo WS laptops, are equipped with System76 Open Firmware, which is based on coreboot.

Star Labs

Image Credit: Star Labs

Star Labs focuses on providing Linux laptops with open-source firmware. Their laptops, such as the StarFighter, run coreboot firmware and are compatible with various Linux distributions, including Ubuntu, Fedora, and Manjaro.

TUXEDOComputers

TUXEDOComputers is actively working on providing coreboot support for their devices. However, the development process is progressing slowly, and as of now, none of their computers offer coreboot as an option.

Unfortunately, all the computers mentioned so far (except for the StarFighter from Star Labs) feature only Intel processors and NVIDIA graphics, which are no longer the most optimal choices for Linux users.

AMD processors and GPUs have become increasingly powerful and energy-efficient, offering superior architecture and a robust commitment to open-source principles.

While AMD continues to innovate and support the open-source community, Intel and NVIDIA prioritize political and ideological investments over technological advancements. This shift has made AMD a more attractive option for those who value performance, efficiency, and open-source compatibility.

Are Open-Source Firmware Benefits Worth the Effort?

In conclusion, the open-source community is making significant strides in providing secure, privacy-focused firmware alternatives to traditional proprietary BIOS and UEFI. While adopting these solutions may come with some challenges, the benefits in terms of enhanced security and user control are well worth the effort.

🗨Which open-source firmware do you find most promising? Are you more likely to purchase hardware from a company that supports open-source firmware? Why or why not? Share your thoughts in the comments below! 

At Linux-Tech&More, I'm committed to providing you with an adsense-free (and automated ads-free) reading experience. I believe in delivering uninterrupted and user-focused content. If you enjoy my blog and would like to show your support, you can do so via

Your support makes a difference!{alertIdea}
Djalel Oukid

Science teacher, PhD student, Master degree in Microbial biotechnology , Microbiologist, designer, video editor, podcaster & blogger. linkedin portfolio github

2 Comments

Comments are welcomed and encouraged on this blog. Spam, abusive and off-topics comments will be deleted. Please read our Comments policy before commenting.

  1. what so you think about kicksecure and why was it not mentioned?

    ReplyDelete
    Replies
    1. Thanks for your question! Kicksecure is indeed a robust security-focused operating system that hardens Debian with various security measures. However, the article focuses specifically on open-source boot firmware like Coreboot, which replaces proprietary BIOS/UEFI to provide greater transparency and control at the firmware level. While Kicksecure is excellent for enhancing OS-level security, it operates at a different layer than the boot firmware itself, which is why it wasn't included in this particular discussion.

      That said, Kicksecure is definitely a great tool worth considering, and I may write a dedicated blog post about it in the future—stay tuned!

      Delete
Post a Comment
Previous Post Next Post
Blackview BV9900 Pro Thermal Camera Mobile Phone Helio P90 Octa Core 8GB+128GB IP68 Rugged Smartphone 48MP Quad Rear Camera