In December 2024, Libreboot released support for the ThinkPad T480 - a modern laptop that can now run open source firmware with Intel ME disabled. For years, the choice was old hardware or proprietary BIOS. That gap is finally closing. [1]
Your computer's BIOS (now usually UEFI) is the first code that runs when you power on. It initializes hardware, loads your operating system, and sits between your software and silicon. It's also proprietary, unauditable, and has complete system access. Every security measure you implement - disk encryption, secure boot, hardened OS - runs on top of firmware you can't inspect.
Coreboot and Libreboot change this. They're open source firmware replacements that let you see exactly what code runs on your machine from the moment you press power.
What These Projects Do
Coreboot
Coreboot is the foundation. It's an open source project that performs minimal hardware initialization before handing off to a "payload" - usually a bootloader like GRUB, SeaBIOS, or TianoCore. Think of it as a clean, auditable replacement for proprietary BIOS. [2]
Coreboot itself doesn't guarantee blob-free operation. On modern Intel systems, you still need binary blobs - closed-source components like Intel FSP (Firmware Support Package) - for full functionality. Coreboot accepts these trade-offs for wider hardware compatibility.
Key features:
- Fast boot times: Sub-second initialization vs 30+ seconds for proprietary BIOS
- Open source: Core code is auditable and modifiable
- Wide hardware support: Modern motherboards, laptops, Chromebooks, servers
- Flexible payloads: Boot Linux, Windows, or other operating systems
- Active development: Major companies (Google, Facebook, System76) contribute
Libreboot
Libreboot is Coreboot with a philosophy. It's a distribution that removes proprietary components wherever possible and refuses to include systems that require blobs for basic functionality. The result is truly free firmware - at the cost of hardware compatibility. [3]
Libreboot's December 2024 release (20241206) added ThinkPad T480/T480s support - the first modern laptop with Intel ME disabled via Libreboot. This was possible because of the "deguard" technique for ME v11, which puts the ME in a state where unsigned code can run, effectively neutering it. [1]
Key differences from Coreboot:
- No binary blobs: Refuses proprietary components where alternatives exist
- Pre-built ROMs: Ready-to-flash images for supported hardware
- Simpler installation: Designed for non-technical users
- Intel ME disabled: Neutralizes ME by default using me_cleaner
- Limited hardware: Only supports systems that work blob-free or near-blob-free
Supported Hardware
Libreboot-Supported Systems
Libreboot focuses on systems that can run free. Current support includes: [3]
Laptops:
- ThinkPad T480 / T480s (new in 2024 - modern hardware!)
- ThinkPad X200 / X200s / X200 Tablet
- ThinkPad T400 / T400s / T500 / W500 / R500
- ThinkPad X60 / X60s / X60 Tablet
- ThinkPad T60 / T60p
- Various ARM Chromebooks
- Apple MacBook 1,1 / 2,1
Desktops/Servers:
- ASUS KGPE-D16 (dual Opteron server board)
- ASUS KCMA-D8 (single Opteron)
- Gigabyte GA-G41M-ES2L
- Intel D510MO / D410PT
- Dell OptiPlex 3050 Micro
Coreboot-Supported Systems
Coreboot supports far more hardware because it accepts blobs: [2]
- Chromebooks: Nearly all run Coreboot (Google requirement)
- System76 laptops: Ship with Coreboot and open EC firmware
- Purism Librem laptops: Coreboot with ME disabled
- NovaCustom/Dasharo: Modern laptops with Coreboot
- Many server motherboards: Supermicro, various AMD EPYC boards
What Gets Disabled
Intel Management Engine
Libreboot includes me_cleaner, which removes 90-92% of Intel ME firmware. The ME still runs during early boot (Intel made it impossible to fully disable), but its network stack, AMT, and most runtime functionality are stripped out. [4]
On the T480/T480s specifically, the "deguard" technique puts ME in an even more neutered state where unsigned code can run - essentially breaking the ME's security model so thoroughly it can't function as intended.
Proprietary BIOS Features
Replacing proprietary firmware eliminates:
- Manufacturer backdoors (intended or accidental)
- Computrace and similar theft "recovery" rootkits
- BIOS-level telemetry and phone-home behavior
- Firmware-based DRM and restrictions
- Unsigned or poorly signed code execution
Installation Overview
Flashing firmware carries real risk. A failed flash can brick your device. The process varies by hardware, but the general flow: [5]
External Flashing (Safest)
For first-time installation on many systems:
- Open the device to access the SPI flash chip
- Connect a programmer (Raspberry Pi, CH341A, Bus Pirate)
- Read and backup the existing firmware
- Write the Libreboot/Coreboot ROM
- Verify the write succeeded
- Reassemble and boot
External flashing bypasses software protections but requires hardware access and soldering skills (or at minimum, SOIC clip connections).
Internal Flashing (Some Systems)
Some systems allow flashing from a running OS:
- Download appropriate ROM for your exact hardware
- Disable write protections (may require removing a screw or setting a jumper)
- Use flashrom to write the new firmware
- Reboot and hope
The T480 specifically supports internal flashing after initial setup, making updates easier.
Pre-Flashed Hardware
The easiest option: buy hardware with Libreboot already installed. [6]
- Minifree: Sells Libreboot T480, X200, T400 laptops
- Vikings: Libreboot servers and workstations
- Technoethical: Various Libreboot laptops
- System76: Coreboot laptops (not Libreboot, but open)
- Purism: Librem laptops with Coreboot and ME disabled
Trade-offs
What You Gain
- Transparency: Every line of boot code is auditable
- Intel ME disabled: Major attack surface removed
- Fast boot: Seconds instead of minutes
- No manufacturer backdoors: Code you control
- Future updates: You control when and what gets updated
What You Lose
- Hardware choices: Limited to supported systems
- Some features: Suspend/resume may be flaky on some hardware
- Easy updates: No automatic firmware updates from manufacturer
- Warranty: Flashing firmware voids most warranties
- Boot Guard: Systems with Boot Guard enabled cannot run Coreboot
The Boot Guard Problem
Intel Boot Guard is a "security" feature that cryptographically locks firmware to keys burned into the CPU at manufacture. If your laptop manufacturer enabled Boot Guard (most modern systems), you physically cannot replace the BIOS - the CPU will refuse to boot. [4]
The T480 support is significant specifically because those laptops don't have Boot Guard enabled, making them one of the newest Intel systems where Libreboot is possible.
Is This Worth It?
Running open firmware is not a casual undertaking. The question is whether your threat model justifies the effort.
Consider Open Firmware If:
- You're a high-value target (journalist, activist, researcher)
- You work with sensitive information requiring verifiable trust
- You fundamentally object to running unauditable code
- You want to learn low-level system security
- You're building infrastructure where firmware trust matters
Probably Not Worth It If:
- You need specific modern hardware features
- You're not comfortable with potential bricking
- Your threat model doesn't include firmware-level attacks
- You need manufacturer support and warranty coverage
- You just want a secure computer (GrapheneOS on a Pixel might be more practical)
Getting Started
If you want to try open firmware:
- Start with supported hardware: Buy a T480 or older ThinkPad specifically for this project
- Read the documentation: Libreboot's installation guides are thorough
- Join the community: IRC, mailing lists, and forums can help with issues
- Practice on disposable hardware: Don't flash your primary machine first
- Or buy pre-flashed: Minifree and others sell ready-to-use systems
The Bigger Picture
Coreboot and Libreboot represent what computing could look like if we demanded transparency. Every system could boot with auditable code. Every firmware update could be verified. No manufacturer would have hidden access to your machine.
Instead, we have Intel ME, AMD PSP, Boot Guard, and layers of proprietary code running before your operating system loads. Open firmware isn't just a technical project - it's a demonstration that alternatives exist. The hardware industry chose opacity. That doesn't mean we have to accept it.
Related Articles
- Open Source Laptops - Framework, System76, Purism compared with firmware details
- Open Source Hardware Guide - Complete guide to open hardware across all categories
- Intel Management Engine Deep Dive - What ME does and why it matters
- The Black Boxes in Your Devices - All the firmware you can't audit
- UEFI and Secure Boot - The trusted boot chain and its problems
- Linux Privacy Hardening - Securing the OS that runs on open firmware
- Open Source Phones - Librem 5, PinePhone, and postmarketOS options
References
- Libreboot. "Libreboot 20241206 released! ThinkPad T480 added." December 2024. libreboot.org
- Wikipedia. "Coreboot." wikipedia.org
- Libreboot. "Software and hardware freedom status." libreboot.org
- Libreboot. "Install Libreboot on ThinkPad T480." libreboot.org
- Libreboot. "Installation Documentation." libreboot.org
- Minifree. "Libreboot T480 Laptop." minifree.org