What to do after buying a Coreboot laptop?

Damn, so in practice what sort of exploits could this older hardware without the microcode updates be exposed to?
I thought that newer hardware introduced more problems than it solves.

In your opinion, what is the best ready-to-buy laptop that is as cheap as possible? (Like I say, I only need to edit text files, accounting, spreadsheets, documents and so on.) So these fancy $1500+ ones are overkill, but if I buy some used ThinkPad now I'm risking that too, so I'm not sure.

1 Like

Yeah, did you see this bit here that said:

Do not buy CH341A!

[link]

NOR flashes on libreboot systems run on 3.3V DC or 1.8V DC, and this includes data lines. CH341A can have 5V logic levels on data lines, which can damage your SPI flash and also the southbridge that it’s connected to, plus anything else that it’s connected to.

These ch341a programmers are unfortunately very popular. DO NOT use it unless you have fixed the issue. You CAN fix it so that the data lines are 3.3v, if you follow the notes here:

CH341A Serial Memory Programmer Power Supply Fix - Page 1

In practice, most people will not fix their ch341a and instead just risk it, so no documentation will be provided for ch341a on this website. It is best to discourage use of that device.

Not covered on that eevblog page: the WP/HOLD pins (pins 3 and 7) must be held high via pull-up resistors, but on CH341A dongles, they are directly connected to 3.3V DC (continuity with pin 8). It is advisable to cut these two connections, to the WP and HOLD pins, and jump the cuts using pull-up resistors instead. A value between 1k to 10k (ohms) should be fine.

In the event of a surge, like for example you connect the clip wrongly and cause a short circuit between two pins, lack of pull-up resistors on WP/HOLD could cause a direct short between VCC/ground, which would cause a lot of heat build up and possibly fire (and definitely damaged circuitry). On SOIC8, pin 3 is WP and 4 is GND, so a direct 3.3v connection there is quite hazardous for that reason; all the more reason to use a pull-up resistor.

The motherboard that you want to flash (if using e.g. pomona clip) will probably have pull-up resistors on it already for WP/HOLD, so simply cutting WP/HOLD on the CH341A would also be acceptable. The pull-up resistors that you place (in such a mod) on the CH341A are only useful if you also want to flash chips in the ZIF socket. If pull-up resistors exist both on e.g. the laptop motherboard and on the CH341A, it just means the equivalent series resistance will be of the two resistors (on each line) in parallel. If we assume that a laptop is likely to have a resistor size of ~3.3k for pull-ups, then a value of ~5.6k ohms on the CH341A side seems reasonable.

Alternatively, you might work around the voltage issue by using an adapter with logic-level converter, making sure to have matching vcc going into the flash. Use of a logic level converter would be quite flexible, in this scenario, and you could use it to set many voltages such as 1.8v or 3.3v.

In case it’s not clear:

Please do not buy the ch341a! It is incorrectly engineered for the purpose of ROM flashing on systems with 3.3v SPI (which is most coreboot systems). DO NOT USE IT! This issue still isn’t fixed by the manufacturer, and it doesn’t look like they will ever fix it.

If you see someone talking about CH341A, please direct them to this page and tell them why the CH341A is bad.
Libreboot – Read/write 25XX NOR flash via SPI protocol

Maybe with a Raspberry Pi it would have worked. Will you try again?

About the 1vyrain method, so this method does not require hardware modification and is just running some commands?

What is the difference between this and the more complex method that involves flashing the SPIs?

1 Like

I read a lot about the whole CH341A scare but didn’t really care. Some people say it’s dangerous, some say it doesn’t really even matter.

After I bricked my X230, I got lucky & bought a maxed out Nitropad X230 for $200 w/ HEADS, so I have no reason to try flashing anything again.

In terms of the differences between 1vyrain & flashing the SPI chips:

  • 1vyrain lets you soft-disable Intel ME (Soft Temporary Disable Mode = the BIOS is only asking, not forcing, Intel ME to disable itself on the next boot), but you stay stuck with the original BIOS
  • SPI flashing lets you cripple Intel ME from ever starting, and you can flash something like HEADS, which is generally more secure (but more complicated to set up).

2 Likes

Wow, how did you find it for such a good price, and also how do you verify everything is legit? I still don't get the difference between Coreboot Heads, Coreboot Skulls, etc. in a way that is easy to understand.

1 Like

You can always get lucky if you spend some time just checking marketplaces every day. I also managed to buy a brand new System76 Darter Pro 8 for $400 because I was always on the lookout for System76 laptops.

For everything that was said against ChatGPT in this thread, it should at least be able to give you a better understanding of the differences between Heads vs. Skulls etc. in simpler terms.

1 Like

Isn't the difference that Heads is anti-evil-maid and more secure than Coreboot? Evil maid = Rubber Ducky physical attack. It's been a while since I read the docs, but that's somewhere in the back of my mind. At the least Heads is more secure than Coreboot from what I read.

I asked Lumo: Coreboot and Heads are related but serve different roles in the boot‑firmware stack.

Coreboot

  • What it is: An open‑source project that replaces the proprietary BIOS/UEFI firmware found in most PCs.
  • Primary job: Perform the low‑level hardware initialization (CPU, memory, chipset, peripherals) and then hand control over to a payload.
  • Payload model: Coreboot itself does not dictate what runs after initialization – you choose a payload such as SeaBIOS, Tianocore (UEFI), LinuxBoot, or a custom one.
  • Design goals: Speed, flexibility, and a minimal trusted code base. It aims to expose the hardware early so that the operating system can take over quickly.

Heads

  • What it is: A security‑focused payload that runs on top of Coreboot.
  • Key features:
    • Measured boot – hashes of the firmware, kernel, and initramfs are stored in a TPM, allowing later verification that the system started from a known state.
    • Tamper‑evidence – if any component changes, the TPM measurements will differ, alerting the user that the machine may have been compromised.
    • Anti‑Evil‑Maid protection – the user can verify the integrity of the boot process (often via a visual indicator or a signed hash displayed on screen) before entering a password, making it harder for an attacker to silently replace firmware or the OS.
    • Secure console – optional encrypted console output and input, protecting credentials from keyloggers.
  • Relationship to Coreboot: Heads depends on Coreboot for the hardware‑initialisation layer; it does not replace Coreboot but rather extends it with these security mechanisms.

In short

| Aspect | Coreboot | Heads |
| --- | --- | --- |
| Role | Low‑level firmware framework | Security‑oriented payload |
| Function | Initialize hardware, launch payload | Measure, verify, and protect the boot chain |
| Anti‑Evil‑Maid | Not provided out‑of‑the‑box | Yes – via TPM‑based measurements and user verification |
| Typical use | Faster, open BIOS for any OS | High‑security environments where boot integrity matters |

So, Heads is indeed anti‑Evil‑Maid, but it’s more than just that: it adds a suite of measured‑boot protections built on top of Coreboot’s lightweight firmware foundation. If you need a plain, fast open firmware, you’d use Coreboot alone; if you also require strong boot‑integrity guarantees, you’d pair Coreboot with the Heads payload.

Only a human can confirm this :smile:

2 Likes

QSB-107 is the only recent one I know of. I believe everything else is already covered by Xen and Qubes, as @Insurgo stated earlier.

NitroPad X230:

Note the highlighted warning banner at the top of the documentation:

The StarBook is also priced in a similar tier:

4 Likes

Is the extra price justified for an x230?
Also, what happens if you lose the Nitrokey?

1 Like

The value proposition is a turnkey solution and ongoing customer service with established vendors in exchange for trust. At this point, you should be able to assess and make an informed decision by weighing the benefits and drawbacks of each of your available options.

Assuming everything is configured in a similar manner to PureBoot, Heads will inform the user that the HOTP/TOTP secret cannot be unsealed. The user is then able to boot an operating system regardless of whether a Nitrokey or other compatible USB security token is available by the user explicitly choosing to ignore the firmware tampering warning and forcing bootup, or other countermeasures as deemed necessary, including an OEM factory reset option with any other compatible USB security token.

4 Likes

Found this course that explains things from scratch, pretty useful so far

2 Likes

I thought it would lock you out from booting.
So what happens if you make changes yourself? Then the Nitrokey would say something has changed. I guess it is easy to learn and update the Nitrokey to tell it that this is the new OK setting.
And what does it detect? Changes in the boot partition for instance, but is it also able to know if someone opens the laptop case?
What other alternatives could you use for this that aren't the Nitrokey? In case this company disappeared or something, I would like to plan ahead, have an alternative and be able to set it up myself. I think this idea is great if it works well, but I would need to know alternatives in terms of being able to have backups of this key without depending on the Nitrokey that they send you.

1 Like

If you buy a laptop that comes with Libreboot pre-installed, could someone explain whether you can update to a newer Libreboot version, or even to Coreboot, at any moment without having to re-do the whole SPI flashing thing (I mean without having to open the laptop)?

I assume once it's flashed with Libreboot or Coreboot you are free to install any free firmware you want by just having the desired firmware and then following a number of steps in the Linux terminal, and you are set. If so then I may just do this.

1 Like

Heads will notify the user that the files in the boot partition have changed and prompt the user to sign the running BIOS by inserting the USB security token in order to produce another PCR measurement. Depending on your configuration, it may also prompt you to generate new hashes for files from the primary partition containing your operating system.

No, Heads does not address physical tampering, but an external flashing of Heads will be detected by the preconfigured USB security token since the HOTP/TOTP will no longer match afterwards.

The only complete alternative is the Purism Librem Key (v2), which is based on the Nitrokey Pro 2, but that has its own unaddressed issues:

It will depend on vendor support, but generally there is a script or tool to facilitate boot firmware reflashes. Here are example instructions from Star Labs:

4 Likes
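The measured-boot and HOTP/TOTP behaviour described in the Lumo summary earlier and in the reply above, as an added simulation that is not Heads', Nitrokey's or any TPM's code: a PCR-style hash chain over constructed firmware components, a secret sealed to that PCR value, and an RFC 4226 HOTP comparison against the token. The component names, seed and the XOR-plus-HMAC seal construction are assumptions; a real TPM's seal/unseal and Heads' TOTP handling differ in detail.

```python
import hashlib
import hmac
import struct
# Constructed stand-ins for the components Heads measures at boot.
FIRMWARE_GOOD = {"coreboot.rom": b"constructed coreboot image v1",
                 "vmlinuz": b"constructed kernel image", "initrd.cpio": b"constructed initramfs"}
# Constructed shared secret: provisioned both into the sealed blob and onto the USB token.
SECRET = hashlib.sha256(b"constructed hotp seed").digest()

def measure(components):
    """Simulated TPM PCR: start at zero, extend with SHA-256(prev || sha256(component))."""
    pcr = b"\x00" * 32
    for name in sorted(components):
        pcr = hashlib.sha256(pcr + hashlib.sha256(components[name]).digest()).digest()
    return pcr

def seal(secret, pcr):
    """Simulated TPM seal (assumption): key derived from the PCR value, secret XORed and authenticated."""
    key = hashlib.sha256(b"seal-key" + pcr).digest()
    ciphertext = bytes(s ^ k for s, k in zip(secret, key))
    return ciphertext, hmac.new(key, secret, hashlib.sha256).digest()

def unseal(blob, pcr):
    """Return the secret only if the current PCR equals the one it was sealed to, else None."""
    ciphertext, tag = blob
    key = hashlib.sha256(b"seal-key" + pcr).digest()
    secret = bytes(c ^ k for c, k in zip(ciphertext, key))
    if not hmac.compare_digest(hmac.new(key, secret, hashlib.sha256).digest(), tag):
        return None  # a real TPM refuses here: PCR policy not satisfied
    return secret

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP, computed independently by the firmware and by the USB token."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def boot_check(components, blob, token_secret, counter):
    """What the user sees: unseal under the current PCR, then compare the code with the token's."""
    secret = unseal(blob, measure(components))
    if secret is None:
        return "TAMPER: secret cannot be unsealed", None
    code = hotp(secret, counter)
    return ("OK" if code == hotp(token_secret, counter) else "TAMPER: HOTP mismatch"), code

if __name__ == "__main__":
    blob = seal(SECRET, measure(FIRMWARE_GOOD))
    print(boot_check(FIRMWARE_GOOD, blob, SECRET, 1))
    print(boot_check({**FIRMWARE_GOOD, "coreboot.rom": b"constructed modified image"}, blob, SECRET, 1))
```

Re-sealing after an intentional change (the "sign the running BIOS" step in the reply) is just `seal(SECRET, measure(new_components))`, which is why a legitimate update and an external reflash look identical until the owner re-seals with the token present.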

Nice! Thanks for the share, this is definitely going to be on my “learning new skills” wishlist :star2:

1 Like