
A Quick Guide to Coreboot
What is Coreboot and is it absolutely essential to have for a private and secure laptop / desktop running Linux?
We are sometimes asked re: our Ghost Laptop offerings if they are running Coreboot, as people have heard someone, somewhere, mention that it’s “preferred”.
The short answer to this question re: our current Ghost Laptop offering is, “No, our Ghost Laptops do not offer Coreboot.”
…but what is Coreboot and what does it actually do?
Coreboot is a free and open-source firmware replacement for the proprietary BIOS (Basic Input/Output System) or UEFI (Unified Extensible Firmware Interface) found in most computers. It is designed to initialize the bare hardware, load a payload (such as an operating system or a boot loader), and provide a minimal Trusted Computing Base (TCB) to reduce the attack surface.
Simple translation = Coreboot is a relatively new open source alternative to the widely used and adopted proprietary firmware system (what allows the hardware to speak to the operating system and other hardware components) that’s been deployed in the vast majority of laptops, desktops and servers for decades.
We are definitely fans of Coreboot and want to see it offered on many more options available in the marketplace.
Our opinion at this time, however, is that unless you’re a super-spook or a high-value target for government or private interests, the value gained from using Coreboot vs the existing proprietary BIOS or UEFI system just isn’t worth the added expense… yet.
This is primarily because:
- The limited # of devices that support Coreboot currently is a major problem because the laptops and desktops that do support Coreboot are extremely expensive right now. Close to 2-3x more expensive in most cases.
- Most people can’t explain what exactly Coreboot is protecting them against. Coreboot vs BIOS/UEFI as firmware is a far more complicated topic than many make it out to be. “It’s safer because it’s open source” doesn’t really cover it. As a result, there is a lot of oversimplification and misinformation about what the major security benefits of Coreboot are, and about what access a 3rd party can actually gain via the existing proprietary options, assuming they have the technical capabilities and time to attempt to crack a computer via the firmware layer… which only a select few individuals/organizations in the world have the capabilities to accomplish.
- Coreboot solves for a digital security problem set that the vast majority of consumers aren’t even facing… or will likely ever face.
The average consumer’s primary concern right now should be removing Apple, Microsoft and Google from the operating system layer of their devices. Leveraging an affordable device that is running a more user-friendly version of Linux is a huge step in the right direction and should be a priority.
The next major concern is learning how to then be more careful about what applications you install and run on your device. The browser you use (hopefully Brave) is a big piece of this equation.
The last major issue is related to how and what you use to access the internet. Again, your browser is also a big piece of this equation.
The 3 topics mentioned above cover 99% of the major issues we face as a society from BigTech harvesting and stealing our information all day, every day.
Note, the firmware used on your device is not on this list.
Worrying about your firmware, for the majority of consumers just starting their digital privacy journey, is like wanting to learn black belt techniques to take down an enemy when you haven’t even mastered your initial basic moves!
“But What About All Those BIOS/UEFI Vulnerabilities?”
We occasionally hear from well-meaning folks who share articles about BIOS/UEFI security vulnerabilities, suggesting that without Coreboot, laptops running Linux have “major security issues.”
Let’s address this head-on with technical accuracy and practical reality.
The Vulnerabilities They’re Talking About
Yes, BIOS/UEFI vulnerabilities have been discovered over the years. Here are some of the most commonly cited:
LogoFAIL (2023) – A firmware exploit that rewrites boot logos to bypass Secure Boot. Sounds scary, right? Context matters: Only affects systems where boot logos can be freely modified. Dell and Apple systems with protected logos were never vulnerable. Patched by all major vendors. Requires physical access or existing system compromise to exploit.
Lenovo UEFI Issues (2015-2024) – Multiple vulnerabilities including the notorious “SecureBackDoor” drivers and Lenovo Service Engine. All have been patched. The LSE “rootkit” was discontinued in 2015, and all subsequent UEFI vulnerabilities have had firmware updates released.
ASUS DriverHub Vulnerabilities (CVE-2025-3462/3463) – Remote code execution flaws discovered April 2025. Patched May 2025. No evidence of exploitation in the wild. Only affects motherboards with DriverHub installed, which can be disabled.
HP BIOS Vulnerabilities (2022) – 16 high-severity UEFI firmware vulnerabilities. All patched in 2022. HP continues regular security updates.
Dell BIOSConnect & HTTPS Boot (CVE-2021-21571 series) – Chain of vulnerabilities allowing MitM attacks during BIOS updates. All patched by June 2021. Required network compromise + physical presence + specific features enabled to exploit.
Windows EFI/UEFI Secure Boot Bypasses (CVE-2024-37982, CVE-2024-7344) – Various Secure Boot bypass vulnerabilities. All patched between October 2024 and January 2025. All require elevated admin/root privileges to exploit.
What People Are Missing
When someone shares these links claiming you need Coreboot to be secure, they’re missing three critical technical realities:
1. These Are All Patched, Known Issues
Every single vulnerability listed above has been addressed by vendors through firmware updates. This is the security ecosystem working as intended:
- Researchers discover vulnerabilities
- Vendors develop and release patches
- Users update their firmware
- The vulnerability is neutralized
This process happens with all computing platforms, including Coreboot systems. Finding and patching vulnerabilities doesn’t mean a platform is fundamentally insecure—it means the security process is functioning.
2. Exploitation Prerequisites Are Significant
Nearly all of these vulnerabilities require one or more of:
- Physical access to the device – The attacker needs to physically touch your machine
- Existing admin/root-level compromise – They already have full system access (game over regardless of firmware)
- Multiple conditions simultaneously – Compromised network + physical presence + specific features enabled + user interaction
If an attacker already has admin privileges on your system, they don’t need a firmware exploit. They already own your machine.
3. Threat Model Mismatch
Here’s the honest truth about firmware-level attacks:
Who can execute firmware-level exploits:
- Nation-state intelligence agencies
- Advanced persistent threat (APT) groups with significant resources
- Perhaps a handful of sophisticated cybercriminal organizations
What it requires:
- Sophisticated technical capabilities possessed by fewer than 100 organizations globally
- Significant time investment (weeks to months)
- Substantial financial resources
- Specific targeting of high-value individuals
Who should be concerned about firmware-level attacks:
- Government officials handling classified information
- CEOs of major corporations
- High-net-worth individuals targeted by nation-states
- Activists/journalists in hostile countries
- Defense contractors
Who should NOT make this their primary concern:
- The 99.9% of consumers just trying to protect their privacy from Big Tech
- Small business owners
- Remote workers
- Students
- Families wanting digital privacy
The Real Threats You Actually Face
For the vast majority of people, the daily threats are:
1. Operating System Level Surveillance
- Windows telemetry sending your data to Microsoft
- macOS harvesting your information for Apple
- ChromeOS feeding everything to Google
- Solution: Switch to Linux ✓
2. Application-Level Compromises
- Malicious apps with excessive permissions
- Browser extensions stealing data
- Cloud services scanning your files
- Solution: Careful app selection, use Brave browser ✓
3. Network-Level Surveillance
- ISP tracking every site you visit
- Unencrypted connections exposing your data
- Public WiFi interception
- Solution: VPN, HTTPS everywhere, network awareness ✓
Notice something? Firmware vulnerabilities aren’t on this list.
What Our Ghost Laptops Actually Solve
Without Coreboot, our Ghost Laptops with ZorinOS provide:
✅ Eliminated Big Tech OS surveillance – No Windows, macOS, or ChromeOS data harvesting
✅ Linux security model – Dramatically smaller attack surface
✅ Regular firmware updates available – Addresses all known UEFI vulnerabilities
✅ Secure Boot capability – When properly configured, validates boot chain integrity
✅ Strong baseline security – Built on proven Linux security architecture
✅ Affordable price point – 1/3 the cost of Coreboot systems with similar specs
As discussed at length within our post, Is Going Ghost and Digital Privacy a Myth?, if someone has the means and motive they will be able to hack and crack into your digital life regardless of how many barriers you put up.
Hence, for the majority of consumers, we believe purchasing a device running Coreboot is NOT essential.
It’s a nice-to-have that would throw up additional barriers to a nefarious actor trying to crack into your device, HOWEVER, if someone is at the stage where they are attempting to hack into your device via the firmware layer, you have MUCH bigger issues on your hands, as you’re now dealing with someone who is very determined and will likely find another way to gain access to your digital life.
Our Position on Coreboot
We remain fans of Coreboot and want to see it succeed. If you’re a:
- Government contractor handling classified data
- Journalist working in hostile environments
- Executive targeted by nation-state actors
- Privacy advocate who can afford the 2-3x premium
Then yes, absolutely consider Coreboot systems. That extra layer of firmware security may be appropriate for your threat model.
For everyone else: Focus on the threats you actually face. Get off Windows/macOS/ChromeOS. Learn good browsing habits. Be careful what apps you install. Use a VPN. Keep your firmware updated.
That’s what actually protects you.
The Bottom Line
Sharing lists of patched BIOS/UEFI vulnerabilities to argue against Linux laptops without Coreboot fundamentally misunderstands:
- The current state of those vulnerabilities (patched)
- The realistic threat landscape (OS and app-level threats)
- The practical exploitation requirements (nation-state resources)
- The cost-benefit analysis for actual users (2-3x price for theoretical protection)
Security isn’t about implementing every possible protection against every theoretical threat. It’s about appropriate controls for realistic threats based on your actual threat model.
For 99% of people, that means escaping Big Tech surveillance, using good security practices, and keeping systems updated—not spending triple the money to protect against firmware attacks that require nation-state capabilities to execute.
Still concerned about firmware security?
Keep your BIOS/UEFI firmware updated, enable Secure Boot, practice good physical security, and run Linux. That addresses the vast majority of actual risk without the premium price tag and extremely limited hardware choices.
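To check two of those recommendations on a running Linux machine, the script below is an added example (not from the original post or the vendor) that reads the Secure Boot state from the `SecureBoot` EFI variable and estimates firmware age from the DMI `bios_date` field. The function names and the optional ROOT path prefix are assumptions made here so the checks can be run against sample data.

```shell
#!/bin/sh
# Added example: Secure Boot state and firmware age from standard Linux sysfs paths.
# The optional ROOT prefix argument is an assumption made here so the functions
# can be pointed at constructed sample data instead of the live /sys tree.
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032c8c"  # EFI global-variable GUID

is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# secure_boot_state [ROOT] -> enabled | disabled | legacy-bios | unknown
secure_boot_state() {
    efi="${1:-}/sys/firmware/efi"
    [ -d "$efi" ] || { echo "legacy-bios"; return; }   # not booted via UEFI
    var="$efi/efivars/$SB_VAR"
    [ -r "$var" ] || { echo "unknown"; return; }
    # efivarfs layout: 4 attribute bytes, then the data (one byte for SecureBoot)
    val=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' \n')
    case "$val" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# firmware_age_months [ROOT] [YYYY-MM] -> whole months since DMI bios_date (MM/DD/YYYY)
firmware_age_months() {
    f="${1:-}/sys/class/dmi/id/bios_date"
    [ -r "$f" ] || { echo "unknown"; return; }
    IFS=/ read -r m d y < "$f" || true
    is_num "$m" && is_num "$y" || { echo "unknown"; return; }
    today="${2:-$(date -u +%Y-%m)}"
    ty=${today%-*}; tm=${today#*-}
    # strip a leading zero so "08" is not parsed as an invalid octal number
    echo $(( (ty - y) * 12 + ${tm#0} - ${m#0} ))
}

report() {
    ver=$(cat "${1:-}/sys/class/dmi/id/bios_version" 2>/dev/null) || ver="unknown"
    echo "Secure Boot:           $(secure_boot_state "${1:-}")"
    echo "Firmware version:      $ver"
    echo "Firmware age (months): $(firmware_age_months "${1:-}")"
}

report "${1:-}"
```

A firmware age of a year or more is a prompt to check the vendor's support page; on hardware supported by fwupd, `fwupdmgr get-updates` lists pending firmware updates.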
This opinion doesn’t help us sell more expensive devices that use Coreboot, but it is what it is.
Of course if you have an informed opinion on this topic, I’d love to hear it!