Now things are a bit out of context, unfortunately, since the post has been moved to a new thread.
Recontextualizing:
Note on recent changes under Heads:
- Purism/Heads are now feature-similar, thanks to the massive upstreaming effort and collaboration that happened recently with Purism:
- Restricted boot mode: Introducing PureBoot Restricted Boot – Purism
- Basic boot mode: Introducing PureBoot Basic – Purism
If Heads is flashed by a third party, you trust that third party until you reflash yourself internally, having verified the hash of the firmware yourself, and then rely on the trusted firmware integrity feature for remote attestation, enabling anti-interdiction and in-transit tampering detection.
Basic mode permits, for the first time, having Heads flashed as a service, just like people flash libreboot or skulls (which are coreboot distributions), without enabling any of Heads' security features. This means no need to buy and couple an OpenPGP smartcard to be provisioned by a third party, and no OS preinstallation necessity: it just permits a third party to do the first external flash, which might be complicated for some, even more so depending on the hardware in question, where those SPI chips are not so easy to access.
Basic mode's goal is exactly that: not enforcing any security mechanism. It could permit a third party to address your first comment on the other thread, the initial burden of externally flashing the hardware, and then permit you to internally flash your hardware to a firmware image whose integrity you verified yourself. You would still have to trust that third party to a certain extent; after all, that human will have access to the hardware's insides.
When you buy a laptop flashed with Heads from online sellers, those normally provide physical seals and pictures of them, QR code sharing, and the coupling of a Nitrokey Pro/Librem Key/Nitrokey Storage for HOTP firmware integrity attestation. The third party also preinstalls an OS for which the /boot content is signed and verified by the public key fused into ROM, bound to the private key on the OpenPGP smartcard of the USB security dongle. It is recommended to re-own the security components of the hardware upon reception anyway. For paranoids, it is also recommended to internally flash/upgrade the firmware at that point, so that the LUKS encryption key is yours only (re-encrypting the installation), and to generate new subkeys on your OpenPGP smartcard, so they are yours only as well. The short version of this is: the goal of Heads coming pre-provisioned is in-transit tampering detection. If you reflash and re-own those components at reception of the hardware (recommended), then the remaining risk is that the hardware might have had implants inserted. It is always better to have a person flash in front of you (or to flash yourself) to guarantee that nothing has been tampered with in the hardware itself. But if those are impossible for you, having the firmware flashed by a third party might be a viable option.
What I'm basically saying here is that since Basic mode's arrival under Heads, laptops can be flashed with Heads as a service without those bundled additional services, which may or may not be beneficial for you.
But Heads is just that: a firmware image you can either build yourself or download and verify prior to flashing, after which security mechanisms are to be put in place for you to be able to attest and verify the state of your firmware on succeeding reboots. And maximized images are exactly that: full SPI images that will overwrite the whole content of what is booted from, replacing ME and everything else in SPI flash with a fresh copy, which on next boot will be sealed in the TPM, after which you will be alerted of changes.
Ideally you do all of that yourself, but just as for Skulls, libreboot and coreboot: the first external flash is problematic for some, and that service is also offered by some to ease access to the coreboot firmware ecosystem.
Here is what I found:
| Company | Location | Hardware | Price |
|---|---|---|---|
| Minifree | UK | Various laptops | £99 |
| Vikings | Germany | Various servers, workstations, and laptops | €49 - €199 |
| 3mdeb | Poland | Selected hardware models | Contact for a quote |
| Technoethical | EU and US | Various laptops, phones, and other devices | Varies depending on the device |
I'm not aware of North American coreboot flashers, but it would be interesting to compile such a list. Would you be willing to take on the task of modifying your now-OP with such a compiled list, with sources provided in this thread?