What to do after buying a Coreboot laptop?

Hello, please let me ask this here because I don’t know where to ask. I just was wondering, if you buy a laptop that was Corebooted by a third party, how do you know it was not tampered with?
There are sellers on eBay with reasonable prices that sell them. There are other sellers of known businesses but they are so expensive that it does not make much sense to me.

If you buy a Thinkpad with Core/Libreboot on it, could you do something to guarantee everything is okay? The thing is, since these people are highly skilled hackers, it may end up being less safe than buying a regular laptop from some regular user. But the thing is, if I want an open source BIOS, I cannot change a lightbulb so I definitely need to buy it ready to run, but how do you trust it was not tampered with?
I’m interested in x series Thinkpad, the T ones are too big.

Please let me know.

1 Like

If you are really concerned then maybe https://puri.sm or https://NovaCustom.com are your best option depending on which side of the Atlantic Ocean you are on.

Jacob Appelbaum suggested doing an x-ray on laptop boards, pooling results, and then using computer vision to find discrepancies looking for things like those found in NSA’s tailored access operations stuff. See “ANT catalogue” on Wikipedia.

The tricky thing with eBay is the unlawful spying community will know the eBay account is you and they control the physical mail.

You really do have to comb through the board looking for something about 1/4 the size of a grain of rice. Yeah it requires work and mental bandwidth that isn’t cheap if you have a life. But if you have a life then you have something worth protecting. When I’m not doing this kind of shit I’m at some outdoor music festival approaching milfs twice my age who look like they need my attention.

Ideally, the UEFI or in this case Linuxbios (former name of Coreboot) would be read by the machine off of an SD card instead of the stupidly cumbersome “BIOS chip” so one could get a sha512 sum of whatever is on that SD card with trivial effort.

4 Likes

Thanks for input. I’m in Europe so NovaCustom looks good, however I don’t get it. What laptops are they using? It lets you pick customized parts, and I noticed you can choose 2 48GB DDR5 slots for RAM which is insane. It also says "14th-gen Intel Meteor Lake CPU,"
How come they can have Coreboot on such modern hardware? From what I have read, the downside of Coreboot was that you needed to use an older laptop. Up until recently, the x230 was the most advanced Corebootable laptop, then recently they discovered something to do it on the T480. So here I’m looking at some $1500 laptop with advanced hardware. How?
I already knew about Purism, so same question, I don’t understand.
These laptops are fancy as hell anyway, I would prefer some cheap Thinkpad, but there’s the problem I said of some random person Corebooting it and having to trust them.
I have read something about doing a dump of the SPI and then you compare the hash with the Coreboot release and if it’s the same then basically it’s safe to trust because it’s the real BIOS installed… of course if you are mega paranoid and think the hardware itself has been modified then that is I think too much realistically, especially changing the circuitry and so on in a non noticeable way.
What is your opinion on other Europe based shops like Vikings? They sell some x230’s. I just would need to understand justifying spending $1500+ on this when some old laptop gets the job done. Also they talk about “Dasharo coreboot”. Does this mean that they install a custom Coreboot BIOS? Doesn’t this add even more layer of complexity and trust? I assume everything they do is open source. I would need to understand more what is going on with all this.

1 Like

You have more to choose from. Here is the full list from the coreboot website: Coreboot for endusers

Consumer platforms

The easiest way to get coreboot is to purchase a system with coreboot pre-installed. You can get coreboot pre-installed on many systems out there.

  • Google Chrome OS devices are the biggest deployment of devices which ship with coreboot. Additionally, the now-discontinued OnHub and Pixel C tablet run coreboot as well.
  • Minifree Ltd sells laptops and desktop computers with Libreboot pre-installed, along with Debian Linux, other distro or your choice of BSD. The owner of Minifree Ltd also founded Libreboot and uses profits to fund Libreboot development.
  • NovaCustom sells configurable laptops with Dasharo coreboot based firmware on board, maintained by 3mdeb. NovaCustom offers full GNU/Linux and Windows compatibility. NovaCustom ensures security updates via fwupd for five years and the firmware is equipped with important security features such as measured boot, verified boot, TPM integration and UEFI Secure Boot.
  • Protectli is dedicated to providing reliable, cost-effective, and secure computer equipment with coreboot-based firmware tailored for their hardware. It comes with the Dasharo firmware, maintained by 3mdeb. Protectli hardware has verified support for many popular operating systems such as Linux distributions, FreeBSD, and Windows. Support includes Debian, Ubuntu, OPNsense, pfSense, ProxMox VE, VMware ESXi, Windows 10 and 11, and many more.
  • Purism manufactures security focused laptops designed chip by chip to work with free/libre and open source software. Purism laptops are the only independently-made, brand new, high-performance laptops on the market specifically meant to pair recent technologies with coreboot and a neutralized Intel Management Engine.
  • Star Labs offers a range of laptops designed and built specifically for Linux that are available with coreboot firmware. They use Tianocore as the payload and include an NVRAM option to disable the Intel Management Engine.
  • System76 manufactures Linux laptops, desktops, and servers. Some models are sold with System76 Open Firmware, an open source distribution of firmware coreboot, EDK2, and System76 firmware applications.
  • Technoethical sells hardware with the Libreboot distribution of coreboot installed. They are based in EU and US and they ship worldwide.
  • Nitrokey is a self-financed and independent company from Berlin, which, in addition to the open-source Nitrokeys manufactured in Germany, also refurbishes notebooks with the Dasharo coreboot distribution and ships them worldwide.

4 Likes

You can also send in a compatible laptop you buy from a regular user and have Dasharo flash it to coreboot for 105 euro.

PS. I’m not sure if I’m allowed to post this link here please notify me if I need to take it down.

1 Like

Dasharo Coreboot refers to a customized distribution of Coreboot. Just like Linux, which has different flavors or distributions (e.g., Ubuntu, Fedora), Coreboot can also be tailored for specific needs or hardware through custom builds.

Coreboot Distributions / Community Images

coreboot is a source-only distribution, and as such requires building an image from source for your specific board**/device.

Alternatively, the coreboot community provides many binary distributions which are ready to flash on to your system:

  • Canoeboot: an easy to use blob-free coreboot distribution based on Libreboot, provides GRUB/U-Boot/SeaBIOS payloads on supported x86/amd64 and ARM64 mainboards.
  • Dasharo: open-source based firmware distribution focusing on clean and simple code, long-term maintenance, transparent validation, privacy-respecting implementation, liberty for the owners, and trustworthiness for all.
  • Heads: a coreboot distribution with advanced security features using Linux as a payload.
  • Libreboot: an easy to use free/opensource coreboot distribution with an emphasis on removing binary blobs while supporting much newer hardware, providing GRUB/SeaBIOS/U-Boot payloads on supported x86/amd64 and ARM64 mainboards.
  • MrChromebox: custom coreboot firmware and utilities for your Chromebook/Chromebox.
  • Skulls: easy to install, easy to use coreboot images for Thinkpad laptops.
  • System76 Open Firmware: an open source distribution of firmware utilizing coreboot, EDK2, and System76 firmware applications.

** A board refers to the motherboard, a crucial component of a computer that serves as the main circuit board. It connects all the other parts of the computer and allows them to communicate with each other.

2 Likes

So coreboot has been updated to all these modern CPUs?
I remember researching this open source BIOS topic some years ago and like I said, people were stuck with old Thinkpads basically.
So anyway, could someone explain step by step, if you buy a corebooted Thinkpad, how to verify that the BIOS is a real coreboot install and not something modified? I think this should be enough in 99% of cases. I’m not doing anything fancy, I just want a reasonable privacy. I have looked at alternatives and they are too expensive imo. I mean Heads (if I understand how that works), Nitrokey etc, it sounds great, but that makes price to like 1600, and what are the odds some evil maid modifies the hardware in a way that is unnoticeable while I’m away, compromising the laptop (which has full disk encryption and the disk is portable so it isn’t even there) and modifies the BIOS, and so and so on? I don’t think so. So for peace of mind, if I could at least verify with a checksum that the BIOS remains the same, then that should be it. At the hardware level, I’m not seeing a realistic attack surface. And the Nitrokey thing is if anything giving me a bit of anxiety thinking what happens if I lose this device which from what I’m reading you cannot even do backups. So like I said I think I will stay with regular FDE, have coreboot installed, and learn how to verify the integrity of the BIOS files so I can see if it’s as it should be after for example, crossing a border or something like that.

1 Like

It depends on your threat model.

2 Likes

Threat model is, basically do not have an OS that spies on me: Solved with Linux
Do not have a BIOS that has its own OS and does dodgy shit: Solved with Coreboot
Do not have the guy that installs Coreboot for you installing something else: This is where I need your help there

So could someone explain how do I check my Coreboot is legit?

I have consulted with duck.ai and after several prompts I’ve got this guide, could someone confirm this is accurate? Obviously I don’t trust AI but I think it can be a quick way to get a tailored Google search without being in Google and if someone could confirm this is useful I may give it a go, it looks like it may be a fun afternoon.

Beginner-friendly step-by-step: read your X230 SPI flash with CH341A + SOIC8 clip

Tools to buy (buy these exact types)

CH341A USB SPI programmer board with a 3.3V selection (USB-A).
SOIC8 (8‑pin) test clip with cable.
6–8 female-to-female jumper wires (if clip cable isn’t already terminated).
Small Phillips screwdriver set (PH0/PH00) and plastic pry tool.
Kapton tape (optional), small container for screws.
A Linux PC (or a Linux live USB) to run commands.

Safety first

Fully power off laptop, unplug AC, remove external battery. If X230 has internal battery, remove or disconnect it before working on the board.
Work on a clean, non‑carpeted surface. Discharge static by touching a grounded metal object.

Overview (what you’ll do)

Open X230 to expose mainboard and find the SPI chip.
Attach SOIC8 clip to the flash chip (no soldering).
Wire the clip to CH341A (3.3V).
Use flashrom on Linux to read the chip, repeat reads, and verify hashes.

Step 1 — open the laptop and find the SPI chip

Power off, unplug charger, remove the external battery.
Remove the screws securing the bottom cover and keyboard (use a guide or search “X230 disassembly” images if unsure). Keep screws organized.
Carefully lift keyboard/palmrest to expose the motherboard. Use a plastic pry tool for tabs.
Locate the SPI flash chip: a small rectangular 8‑pin chip (SOIC‑8). It usually has markings like “Winbond 25Q64” or similar and a tiny dot/notch marking pin 1. Note the chip label and take a photo for reference.

Step 2 — identify pin‑1 and orient the clip

Find the chip’s pin‑1 marker (small dot or notch). Imagine the chip with that marker top-left: pins count 1→4 down the left side, 5→8 up the right side.
On the SOIC8 clip, find its pin‑1 marker (usually a colored wire or dot on the clip). Align clip marker with chip pin‑1.

Step 3 — attach SOIC8 clip

Open the clip, align, and gently press down until all 8 contacts seat on the chip. Use a magnifier if available.
Visually confirm alignment. If the clip slides or loses contact, use a small piece of Kapton tape to hold it.

Step 4 — wire the clip to the CH341A
Standard SOIC8 pin functions (chip view: pin‑1 marker top-left):

Pin 1 = CS (/CS)
Pin 2 = DO (MISO)
Pin 3 = WP
Pin 4 = GND
Pin 5 = DI (MOSI)
Pin 6 = CLK (SCK)
Pin 7 = HOLD
Pin 8 = VCC (3.3V)

CH341A typical pin labels: VCC (3.3V), GND, CLK, MISO (DO), MOSI (DI), CS. Confirm your board labels in photos before wiring.

Make these connections (double-check before powering):

Clip pin8 (VCC) → CH341A 3.3V (important: set CH341A to 3.3V)
Clip pin4 (GND) → CH341A GND
Clip pin6 (CLK) → CH341A CLK (SCK)
Clip pin2 (DO / MISO) → CH341A MISO (sometimes labeled DO)
Clip pin5 (DI / MOSI) → CH341A MOSI (sometimes labeled DI)
Clip pin1 (CS) → CH341A CS
Clip pins 3 (WP) and 7 (HOLD) → tie to VCC (clip pin8) if you can, otherwise leave unconnected for reading (connecting prevents write protection).

Step 5 — prepare your Linux machine

On a Linux PC (Ubuntu/Debian preferred), install flashrom and tools:
    sudo apt update
    # hexdump is not a package of its own; on current Debian/Ubuntu it ships in bsdextrautils
    sudo apt install -y flashrom pv bsdextrautils coreutils
Plug CH341A into the Linux PC USB port. No extra drivers usually needed for flashrom.

Step 6 — read the flash

Ensure clip is attached and wiring checked. Ensure CH341A is set to 3.3V.
Run this command to read (use sudo):
    sudo flashrom -p ch341a_spi -r x230-dump.bin
If flashrom detects the chip it will print the chip model and read progress. If it errors, check wiring, alignment, and voltage. Common errors: "unable to identify chip" (misalignment) or "ID error" (wrong wiring).

Step 7 — repeat and verify

Read 2 more times:
    sudo flashrom -p ch341a_spi -r x230-dump-2.bin
    sudo flashrom -p ch341a_spi -r x230-dump-3.bin
Compute SHA‑256 hashes:
    sha256sum x230-dump.bin x230-dump-2.bin x230-dump-3.bin
All three hashes must match exactly. If they differ, the clip contact is intermittent — reseat clip and repeat until you get identical dumps.

Step 8 — inspect the dump (basic checks)

Identify chip/firmware quickly:
    strings x230-dump.bin | grep -i coreboot || true
    strings x230-dump.bin | grep -i seabios || true
    file x230-dump.bin
Get a hex summary and save a copy:
    hexdump -C x230-dump.bin | head -n 40 > dump-hexdump.txt
Save the dump and its sha256sum as your verified copy:
    sha256sum x230-dump.bin > x230-dump.sha256

Step 9 — compare to known-good or reflash

If you have a coreboot build from the seller, compare hashes:
    sha256sum seller-image.rom x230-dump.bin
If you want to reflash with a build you control, do that only after you’ve read and backed up the original. Reflashing is more advanced; ask for instructions when ready.

Step 10 — finish up

Power off CH341A, remove clip, reassemble laptop, reconnect internal battery (if disconnected), reinstall keyboard and screws.
Boot laptop and confirm everything works.

Troubleshooting quick guide

flashrom reports “unable to find programmer”: install correct flashrom or run as root.
flashrom cannot identify chip: check clip alignment and wiring.
Reads are inconsistent (hashes differ): bad contact — reseat clip, try Kapton tape, or desolder chip and use an adapter if comfortable.

If you get stuck at any step, tell me:

What error flashrom prints (copy/paste), and
A clear photo of the motherboard showing the chip and the clip attached (I’ll point out pin‑1 and wiring fixes).

When ready, buy the CH341A + SOIC8 clip kit, do the hardware steps, then run the commands above and paste the flashrom output here if you need help interpreting it.

So it looks like you need to plug that thing in there on the SPI. I’m not sure if what we want is on the top or bottom. Here are some useful pictures where I saw this:

I thought this would be easier, just running some command that would give you a hash and you compare it with the coreboot released or something like that, but looks like I’m going to need to spend a while studying how to proceed.

1 Like
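
Steps 7 to 9 of the guide pasted above come down to two checks: repeated reads must be byte-identical, and the dump is then compared with a reference image. The following is an added example, not part of the thread or of any coreboot tooling; it goes one step beyond a whole-file hash by reporting where a dump differs from the reference, since a flash chip can also hold data written after flashing. The region layout, region names and sample bytes are constructed for illustration, and the reference image is assumed to be one you already trust.

```python
"""Check repeated SPI flash reads, then locate differences against a reference image."""
import hashlib
import sys

BLOCK = 4096  # compare in 4 KiB blocks, a common SPI NOR erase-sector size


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def reads_consistent(dumps):
    """True only if at least two non-empty reads were taken and all are identical."""
    if len(dumps) < 2 or not dumps[0]:
        return False
    return len({sha256_hex(d) for d in dumps}) == 1


def differing_ranges(dump, reference, block=BLOCK):
    """Merged, block-aligned [start, end) ranges in which the two images differ."""
    if len(dump) != len(reference):
        raise ValueError("size mismatch: %d vs %d bytes" % (len(dump), len(reference)))
    ranges = []
    for off in range(0, len(dump), block):
        if dump[off:off + block] != reference[off:off + block]:
            end = min(off + block, len(dump))
            if ranges and ranges[-1][1] == off:
                ranges[-1] = (ranges[-1][0], end)  # extend the previous range
            else:
                ranges.append((off, end))
    return ranges


def classify(ranges, layout, mutable):
    """Split ranges into (expected, unexpected) given a region layout.

    layout maps region name -> (start, end); mutable is the set of region
    names that may legitimately change after flashing.
    """
    expected, unexpected = [], []
    for start, end in ranges:
        names = sorted(n for n, (s, e) in layout.items() if start < e and s < end)
        ok = bool(names) and all(n in mutable for n in names)
        (expected if ok else unexpected).append((start, end, names))
    return expected, unexpected


def build_sample():
    """Constructed 64 KiB images; layout, names and contents are hypothetical."""
    layout = {"DESCRIPTOR": (0x0000, 0x1000),
              "RW_CACHE": (0x1000, 0x3000),
              "CODE": (0x3000, 0x10000)}
    reference = bytearray(b"\xff" * 0x10000)
    reference[0x3000:0x3010] = b"constructed-code"
    dump = bytearray(reference)
    dump[0x1800:0x1804] = b"\x01\x02\x03\x04"  # data written after flashing
    tampered = bytearray(dump)
    tampered[0x8000] ^= 0x01                   # a single flipped bit in CODE
    return layout, bytes(reference), bytes(dump), bytes(tampered)


if __name__ == "__main__":
    if len(sys.argv) >= 4:  # usage: script.py read1.bin read2.bin [...] reference.rom
        images = [open(p, "rb").read() for p in sys.argv[1:]]
        dumps, reference = images[:-1], images[-1]
        print("reads consistent:", reads_consistent(dumps))
        for start, end in differing_ranges(dumps[0], reference):
            print("differs: 0x%06x-0x%06x" % (start, end))
    else:
        layout, reference, dump, tampered = build_sample()
        for label, image in (("clean", dump), ("tampered", tampered)):
            exp, unexp = classify(differing_ranges(image, reference), layout, {"RW_CACHE"})
            print(label, "expected:", exp, "unexpected:", unexp)
```

A difference that falls outside the regions you listed as mutable is the signal to investigate; the check is only as trustworthy as the reference image and the machine used to take the reads.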

I can’t help you with this, but I would love to know too! I think you should ask this on the coreboot community forum

1 Like

Noooooo!!! Don’t use AI advice for this!! You’ll probably end up breaking your machine. Most AI’s haven’t been properly trained on Qubes, Coreboot and such… it’s too niche.

Also there are two ways to flash:
Some devices allow internal software flashing (which should be easier) and some devices require external flashing - with the flash adapter. Which is harder to do I guess. All this information is available on the Coreboot website link I provided above.

Of course the best way is compiling Qubes yourself and flashing your device yourself. But being a noob this will bring you a bucket of stress and insecurity and it’s super time consuming (you’ll be going down a rabbit hole - trust me on this). In the end it’s not just your computer, it’s also your network; your router, firewall that can pull info from your device and send it out.

My advice would be to buy a cheap machine and send it out to Dasharo or buy a secondhand Google chrome device running on Coreboot already and then look for another device and learn to flash yourself - giving you some extra breath. If I’m correct you need two computers to flash. Causing the eternal loop; “do you trust machine number 1 to flash machine number 2”?

1 Like

You may need to ask this question on the Coreboot community forum

2 Likes

Odds are the instructions from Purism will work for other Coreboot-supported devices:

Just change the last command to sudo ./cbmem -c | egrep -i coreboot instead.

5 Likes

How do these steps verify it? It seems like it just outputs that it is running.

1 Like

I have tried Slack but does not work in Tor, other links also don’t work. I’m not sure how the mailing list one works but nobody seems to reply to noobs, it’s just devs or people reporting bugs, see

https://mail.coreboot.org/archives/list/coreboot@coreboot.org/thread/RJHMSYQZGVL63KNKND75AMJJCLQWFIPY/

I was not able to find any nice place to ask those coreboot things except this forum. I was thinking about the Purism board but seems pretty inactive.

1 Like

I’m pretty much in the same boat as you are. I did a lot of reading - hence all the links - but I haven’t yet flashed any device due to a lack of “noob friendly” tutorials. Everything I read seems to be missing some part of information that I need. Information that is obvious to more advanced users but not to me. There is only one YouTube tutorial for the Thinkpad that I would trust to follow. But no tutorial for any of my devices. Maybe we should get that exact Thinkpad and all our problems will be solved :relieved:

Yes, the Qubes forum seems to be more friendly and helpful for noobs like us. Pretty great of all those people here helping us out like @FranklyFlawless and @solene, @rustybird, @unman and even newcomers like @villa and all of you who I’m not mentioning. :sparkling_heart: Thanks for being here :blush:

4 Likes

There is no such procedure, I’m afraid.
If you can’t do the modification yourself, then you have to trust someone to do it for you.

If you ask me, I would say it’s easier to actually make the modification yourself, than reliably verify what others ‘prepared’ for you.

And the next step in this path is to build your own OS binaries, right? :slight_smile:
If not, you still rely on and 100% trust all the OS package maintainers…

4 Likes

This in fact actually saved you - and lots of other beginners - from bricking your device.

The ‘brave newbies’ might follow some AI hallucinations, and will inevitably brick their device - but that’s just part of the learning curve. That’s how the experienced ones actually learned - and mastered - these things… And if you don’t want to pay this ‘price’, you must trust - and pay - the experienced ones. The choice is yours :wink:

So the ‘old-fashioned’ way to learn these: get some old, cheap learning device. And try to reflash them yourself, based on the available guides. You might fail, but at the same time will learn… :slight_smile:

3 Likes

@Zrubi I hear you; first break it and then fix it. But using an AI is like heading for disaster - you’ll break it for sure. And it will cost you an extra week more on additional unnecessary information getting you off track. At least using a human made tutorial you still have some chance of doing it right. But yes, I agree…

@epicnoob So how about it? Are you ready to deepdive with me and perhaps other forum noobs willing to go for it together? We buy the cheapest possible machine and start a fun sub Qubes group on flashing those devices? :zap: :star_struck:

1 Like

Well if someone has a guide for the x220 or the x230 I may try doing it myself. I’m looking at some videos and the problem is, they don’t zoom in enough to see where to plug the cables thing into the chips, so I cannot see what they are doing. I have done things like disassembling laptop to apply thermal paste, I can update a BIOS, install Debian (I really use Debian… sorry guys, but I’m here just to ask about Coreboot, I have no idea how Qubes works) and that’s about it. Is it such an obscure impossible thing to learn for a non engineer? I guess I can learn this but the fear of bricking a nice Thinkpad is always there, that is why I would need a mega noob friendly guide ideally on video so I know what I’m doing.

And yes, I was not going to do anything that an AI said, that is why I asked here first, to correct anything the AI said. I was just trying to build a step by step guide, then correct whatever is wrong, but like I said ideally I want a video and see how it’s done.

I’m compiling videos to check them out, here is what I was able to find:

HOWTO Install Coreboot on a Lenovo X220
https://inv.nadeko.net/watch?v=HQtjXgNLl7k

Installing Coreboot on a Thinkpad X220
https://inv.nadeko.net/watch?v=hERguULT7Vo

Installing Coreboot on a Thinkpad X220
https://inv.nadeko.net/watch?v=kJRgBlXRy5I

How to coreboot your X220 (seabios + vgabios & me cleaner)
https://inv.nadeko.net/watch?v=ExQKOtZhLBM

Heads Firmware Install Guide for the Thinkpad X230
https://inv.nadeko.net/watch?v=Av1Em0eVU-g

Installing Coreboot On An X230 Laptop

This is not the laptop I like but may be useful because its recorded in HD:

Make Your ThinkPad Great Again [T440p with Coreboot]
https://inv.nadeko.net/watch?v=TUxqcM8CPgk

Btw there seems to be a way to do this without disassembling the hardware… what about this?

Installing coreboot(skulls) with only software, 1vyrain!
https://inv.nadeko.net/watch?v=UpQAyO_eRc4

I’m not even sure about all these things like Skulls, Heads, 1vyrain, etc.

Written guides I’ve found:

x230

https://wiki.chucknemeth.com/laptop/lenovo-x230/flash-lenovo-x230-coreboot
https://daurtech.org/index.php/resources/coreboot-x230-using-skulls/
https://famicoman.com/2020/07/30/corebooting-the-thinkpad-x230-with-skulls/

x220

https://stoisavljevic.com/articles/coreboot
https://www.flatline.dev/posts/0x05/

https://karlcordes.com/coreboot-x220/

Also the big problem is some of these guides may be outdated because some are many years old so who knows. If someone could confirm which ones are still accurate with modern Coreboot versions it would be great.

Also I have seen some people use a programmer and others use a raspberry pi, what is better? In here they say the CH341A is to be avoided:

Also, they say here you can reflash to the stock BIOS in case you brick it:

Be absolutely certain you back up the stock BIOS. As long as you have that, it doesn’t matter if you brick it with coreboot since you can just reflash the original.
https://www.reddit.com/r/thinkpad/comments/s80wso/comment/htdf60c/

1 Like