I think this deserves a specific thread @moderators on which a list of existing coreboot flashing services should be promoted? There should be no distinction to be made between coreboot flashing services and Heads flashing services, even less since Basic boot mode (referred to above) exists. Heads can be flashed without binding it to any USB security dongle or provisioning any secret. Therefore an end user could just reflash internally upon reception of the hardware, without trusting the firmware, and go from there.
Now things are a bit out of context, unfortunately, since the post has been moved to a new thread.
If Heads is flashed by a third party, you trust that third party, until you reflash yourself internally, having verified the hash of the firmware yourself, and then remotely attesting the trusted firmware integrity feature, enabling anti-interdiction and remote attestation for in-transit tampering detection.
Basic mode permits, for the first time, having Heads flashed as a service, just like people flash libreboot or skulls, which are coreboot distributions, without any of Heads' security features enabled. This means no need to buy and couple an OpenPGP smartcard to be provisioned by the third party, and no OS preinstallation necessity: it just permits a third party to do the first external flash, which might be complicated for some, even more so depending on the hardware in question, where those SPI chips are not so easy to access.
Basic mode's goal is exactly that: not enforcing any security mechanism. It could permit a third party to address your first comment on the other thread: the initial burden of externally flashing the hardware, and then permitting you to internally flash your hardware to a firmware image whose integrity you verified yourself. You would still have to trust that third party to a certain extent; after all, that human will have access to the hardware insides.
When you buy a laptop flashed with Heads from online sellers, those normally provide physical seals and pictures of them, QR code sharing, and coupling of a Nitrokey Pro/Librem Key/Nitrokey Storage for HOTP firmware integrity attestation, which the third party also preinstalls on an OS for which /boot content is signed and verified by the public key fused into ROM, bound to the private key on the OpenPGP smartcard of the USB security dongle. It is recommended to re-own the security components of the hardware upon reception of the hardware anyway. For paranoids, it is also recommended to internally flash/upgrade the firmware at that point, so that the LUKS encryption key is yours only (reencrypting the installation) and to generate new subkeys on your OpenPGP smartcard, so they are yours only as well. The short version of this is: the goal of Heads coming pre-provisioned is in-transit tampering detection. If you reflash and re-own those components at reception of the hardware (recommended), then the risk is that the hardware might have had implants inserted. It is always better to have a person flash in front of you (or to flash yourself) to guarantee that nothing has been tampered with in the hardware itself. But if those are impossible for you, having the firmware flashed by a third party might be a viable option.
What I'm basically saying here is that since Basic mode's arrival in Heads, laptops could be flashed with Heads as a service without those bundled additional services, which could be beneficial or not for you.
But Heads is just that: a firmware image you can either build yourself or download and verify prior to flashing, after which security mechanisms are to be put in place for you to be able to attest and verify the state of your firmware on succeeding reboots. And maximized images are exactly that: full SPI images that will overwrite the whole content of what is booted from, replacing ME and everything else in SPI flash with a fresh copy, which on next boot will be sealed in the TPM, after which you will be alerted of changes.
Ideally you do all of that yourself, but just like for Skulls, libreboot and coreboot: the first external flash is problematic for some, and that service is offered also by some to ease access to coreboot firmware ecosystem.
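The HOTP attestation flow the post refers to (a secret sealed in the TPM against the firmware measurement, a one-time code checked by the USB dongle on every boot), as an added toy model in Python that is not Heads' own code: the SealedSecret, Dongle and Firmware classes, the look-ahead window, the counter handling and the sample image bytes are constructed stand-ins for the real TPM, Nitrokey/Librem Key and ROM.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def measure(image: bytes) -> bytes:
    return hashlib.sha256(image).digest()  # stand-in for the PCR measurement of the firmware

class SealedSecret:
    """Toy TPM seal: the secret unseals only when the live measurement equals the sealed one."""
    def __init__(self, secret: bytes, measurement: bytes):
        self._secret, self._measurement = secret, measurement
    def unseal(self, measurement: bytes):
        return self._secret if hmac.compare_digest(measurement, self._measurement) else None

class Dongle:
    """Toy dongle: shared HOTP secret, its own counter, small look-ahead window, no replay."""
    def __init__(self, secret: bytes, window: int = 3):
        self.secret, self.counter, self.window = secret, 0, window
    def verify(self, code: str) -> bool:
        for step in range(self.window):
            if hmac.compare_digest(hotp(self.secret, self.counter + step), code):
                self.counter += step + 1  # move past the accepted code so it cannot be replayed
                return True
        return False

class Firmware:
    """Firmware side of boot: unseal the HOTP secret with the live measurement, emit a code."""
    def __init__(self, sealed: SealedSecret):
        self.sealed, self.counter = sealed, 0
    def attest(self, dongle: Dongle, image: bytes) -> bool:
        secret = self.sealed.unseal(measure(image))
        if secret is None:
            return False  # TPM refuses to unseal: firmware no longer matches what was sealed
        self.counter += 1
        return dongle.verify(hotp(secret, self.counter - 1))

def demo() -> tuple:
    """Constructed scenario: two clean boots pass, a boot from a modified image fails."""
    secret = b"12345678901234567890"  # constructed shared secret (the RFC 4226 test key)
    good = b"constructed stand-in for the flashed Heads image"
    fw, dongle = Firmware(SealedSecret(secret, measure(good))), Dongle(secret)
    return fw.attest(dongle, good), fw.attest(dongle, good), fw.attest(dongle, good + b"!")
```

The third boot fails before any code is sent: a changed image changes the measurement, the TPM will not unseal, and the dongle never sees a valid code, which is the "alerted of changes" behaviour described above.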
Here is what I found:
Various servers, workstations, and laptops
€49 - €199
Selected hardware models
Contact for a quote
EU and US
Various laptops, phones, and other devices
Varies depending on the device
I’m not aware of North American coreboot flashers, but it would be interesting to compile such a list. Would you be willing to take the task of modifying your now OP with such a compiled list, with sources provided in this thread?
@catacombs Fablabs are amazing for their dedication to free knowledge sharing and their ability to assist in doing those things, and might be able to do/help with the initial external flashing of the device while you are present.
Here is a non-exhaustive list of fablabs which would benefit from being extended and called/emailed to see if they can help doing this with physical presence, with sources to extend it with some manual effort, including the entry for Texas:
Email: email@example.com, Phone: +34 963 877 069, Address: Camino de Vera s/n, Edificio 8G, Acceso J, 46022 Valencia, Spain
Fab Lab Oulu
Email: firstname.lastname@example.org, Phone: +358 294 482 200, Address: Erkki Koiso-Kanttilan katu 3, Linnanmaa Campus, University of Oulu, Finland
Fab Lab San Diego
Email: email@example.com, Phone: +1 619-200-3256, Address: San Diego Central Library @ Joan Λ Irwin Jacobs Common, Innovation Center (8th Floor), 330 Park Blvd., San Diego CA 92101
Fab Lab Baltimore
Email: firstname.lastname@example.org, Phone: +1 443-840-4466, Address: Community College of Baltimore County Catonsville Campus - Engineering Building Room E-100A, 800 South Rolling Road Baltimore MD 21228
Fab Lab El Paso
Email: email@example.com, Phone: +1 915-209-2656, Address: 601 N. Oregon St. Suite #2 El Paso TX 79901
Fab Lab NOLA
Email: firstname.lastname@example.org, Phone: +1 504-671-5012, Address: Delgado Community College City Park Campus - Building One Room W-101A New Orleans LA 70119
Fab Lab Houston
Email: email@example.com, Phone: +1 713-842-3669, Address: BakerRipley East Aldine Campus - Fab Lab Houston Room A-102 Houston TX 77039
Fab Lab Barcelona
Email: firstname.lastname@example.org, Phone: +34 933 209 637, Address: Pujades 102 baixos Poble Nou Barcelona Spain
That information was automatically generated based on old sources it seems.
Note that fablabs are “regulated” terminology and the official source for registered fablabs is at https://www.fablabs.io as opposed to MakerSpaces, which should also be investigated. You can ask them if they have SOIC8/SOIC16 clips (depending on the models to flash) and ch341a 1.6+ programmers, and/or bring your own (and even donate some if you can; buying those in bulk is not much more expensive than buying one over alibaba or ebay).
It seems that Fab Lab Houston | FabLabs is more up to date than the information I automatically generated through a bing creative chat. Here is an updated generated list focused on fablabs having CNC printers and known to have an electronics focus:
I will not maintain those lists! Just showing that they are accessible and that fablabs/makerspaces should be visited more often. If unaware of coreboot (possible but improbable) they should be trained once on it and then knowledge will trickle down and propagate as it should.
I have to say that I’m in love with Bing (web search) on top of GPT4 in creative mode. There is no reason not to have a qube connected to a vpn (bing doesn’t love tor without a bridge relay, otherwise connectivity issues/captcha) and use this service as long as it is detached from your own real identity, and I would not go back to working without that kind of co-pilot on my work/coding related research tasks. This post is not about bing, so please do not continue in that direction here. But that service is unbelievably useful to get around problems without known solutions and use creative ways to solve them.