Yeah, you are getting misled big time.
> They do have incidental benefits by making code more auditable, making it possible for people to do in-house builds instead of trusting a separate build server

This only means something if the following are true:
- The firmware design and implementation are actually secure to begin with
- People actually read the code, check the code changes every update, and apply them in a timely manner.
Let’s see how it works out in reality…
> Insisting that the user gets to control the root of trust
This is the problem. Where is the root of trust with Pureboot/Heads? It doesn’t exist. Refer to this link: https://forum.qubes-os.org/t/how-exactly-is-heads-pureboot-secure/23092
Nothing is stopping an attacker from flashing malicious firmware that will just lie about the measurements to the TPM. In a normal laptop, Boot Guard will stop malicious firmware from being flashed, but this means that you need to trust the laptop vendor and they control the root of trust.
If you really want the user to control the root of trust, you will need to somehow provide them with a way to enroll their key into the PCH with an eFuse… That way, they can have BootGuard with their own key. This is not what Purism is doing though. Oh, and BootGuard is proprietary Intel technology, so I doubt their FSF ideology even allows for it.
> they developed the firmware required for the Librem Key (reskinned NitroKey) to authenticate the laptop in a way that the user can manage and set up boot drive authentication specifically so that the user controls which PGP keys are trusted.

This does not work even conceptually because of the reason I mentioned above. But even if we were to ignore that - an attacker with access to both the key and the laptop will be able to fool you anyways. They will just replace the GPG key on the key and sign their malicious firmware with that key. You need to fall back to TOTP or something and not actually use the PGP key.
> a distributor can ship laptops configured to trust the distributor’s keys and tell customers not to replace them - but the technology would still let me choose whether or not to trust that distributor and change that decision at any arbitrary point in the future

No, because the keys are not supposed to be replaceable - that will defeat the whole security model. After a key is enrolled, an eFuse should be blown, and it should be impossible to change the key from that point on.
> Free software is not synonymous with security/privacy but they are related and as far as I can tell Purism does a better job of adhering to both than most companies
They do a much worse job than Dell and Lenovo with proprietary firmware
This is not to mention the stupid RYF certification mandates that they do not ship any proprietary firmware updates in their OS, and they even go out of their way to select stupid things like ancient Wifi cards with no firmware updates.
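The root-of-trust argument in the post (a key hash fused into the PCH that the boot ROM checks before trusting anything in mutable flash, and that cannot be re-enrolled once blown) can be made concrete with a small model. The following Go program is an added illustration, not code from the post, from Purism, from Heads, or from Intel; `Fuses`, `BootROMVerify` and the image layout are simplified stand-ins for a Boot Guard style design, and Ed25519 is used only because it is in Go's standard library. It shows why verification means nothing before a key is anchored, why an attacker cannot just ship a new public key together with a signature made by that key, and why the enrolled key must be one-time-programmable.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Fuses models a one-time-programmable register in the PCH holding the hash of
// the owner's verified-boot public key (hypothetical simplification of Boot Guard).
type Fuses struct {
	keyHash [32]byte
	blown   bool
}

// Enroll burns the hash of the owner's public key. It succeeds exactly once;
// a later call is refused, which is the property the post insists on.
func (f *Fuses) Enroll(pub ed25519.PublicKey) error {
	if f.blown {
		return errors.New("eFuse already blown: root-of-trust key cannot be changed")
	}
	f.keyHash = sha256.Sum256(pub)
	f.blown = true
	return nil
}

// Image is a firmware image as it would sit in SPI flash: the body, the public
// key the image claims it was signed with, and a signature over the body.
type Image struct {
	Body []byte
	Pub  ed25519.PublicKey
	Sig  []byte
}

// Sign produces an image signed by priv and carrying priv's public key.
func Sign(priv ed25519.PrivateKey, body []byte) Image {
	return Image{
		Body: body,
		Pub:  priv.Public().(ed25519.PublicKey),
		Sig:  ed25519.Sign(priv, body),
	}
}

// BootROMVerify is the immutable first stage. The key embedded in the image is
// accepted only if its hash matches the fuses; only then is the signature checked.
// Without a fused key there is nothing to anchor the chain, so it refuses to run.
func BootROMVerify(f *Fuses, img Image) error {
	if !f.blown {
		return errors.New("no key enrolled: nothing anchors the chain")
	}
	if sha256.Sum256(img.Pub) != f.keyHash {
		return errors.New("embedded key does not match fused hash")
	}
	if !ed25519.Verify(img.Pub, img.Body, img.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Scenario collects the outcomes of the four cases the post discusses.
type Scenario struct {
	UnanchoredAccepted bool // verify before any key is fused
	GenuineAccepted    bool // owner-signed image after enrollment
	SwappedKeyAccepted bool // image signed by another key, carrying that key
	ReenrollRefused    bool // second Enroll call is rejected
}

// RunScenario exercises the model with two freshly generated key pairs.
func RunScenario() (Scenario, error) {
	ownerPub, ownerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	otherPub, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	var pch Fuses
	var s Scenario
	// Constructed sample payloads standing in for firmware bodies.
	s.UnanchoredAccepted = BootROMVerify(&pch, Sign(ownerPriv, []byte("owner firmware v1"))) == nil
	if err := pch.Enroll(ownerPub); err != nil {
		return Scenario{}, err
	}
	s.GenuineAccepted = BootROMVerify(&pch, Sign(ownerPriv, []byte("owner firmware v1"))) == nil
	// A valid signature under a different key, shipped with that key, is still rejected.
	s.SwappedKeyAccepted = BootROMVerify(&pch, Sign(otherPriv, []byte("replacement firmware"))) == nil
	s.ReenrollRefused = pch.Enroll(otherPub) != nil
	return s, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", s)
}
```

The swapped-key case is the one that matters for the PGP argument: a verifier that trusts whatever key it finds in mutable storage accepts any consistent key-plus-signature pair, whereas a verifier bound to a fused hash accepts only images signed by the key that was enrolled. The unanchored case is the "where is the root of trust?" question in executable form.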