The sad and depressing part is that along the way we lost all possibilities of running coreboot or libreboot as an open alternative.
The only real option is to buy a used laptop from before the T44x generation (if you really want it secure)... or newer machines that come with other perks like soldered-on batteries that destroy the mainboard along with them when they eventually leak.
I am not sure what the consumer rights protection agencies on the planet are doing, but seemingly they've been asleep at the wheel for way too long now.
> (Tinfoil hat) (...) I think part of the reason MS is enforcing TPM2.0 and now this SBAT update is that there is widespread rootkit level malware and they are trying to stay ahead of the curve.
The only vendors that seem to do something against it are, to some extent, System76, Frame.Work, Purism and maybe Starlabs. But the huge majority of devices are under the absolute control of Microsoft's signing process now. So I would argue that this isn't a tinfoil conspiracy, but a strategic decision that MS made to re-grab their lost power on x86 systems.
Framework comes with Intel ME enabled, not able to be disabled, and barely updates their firmware. For example, they left LogoFAIL unpatched for a year.
As I said, the better option would be a pre-Haswell era CPU so that you can flash libreboot on it and don't have to worry so much about intel-ucode, but that would also imply a laptop more than 10 years old.
I just wish there were more free and open options.
The RISC-V meme of the Hackers movie from the 90s is now so old that it's never gonna happen anyway. Those CPUs are nice and all, but you're even better off using a Pentium CPU performance-wise, and that's a 20-year-old CPU.
> Those CPUs are nice and all, but you're even better off using a Pentium CPU performance-wise, and that's a 20-year-old CPU.
This is out-of-date information. Currently purchasable RISC-V CPUs (in e.g. Milk-V Jupiter) are already at the level of Intel Core 2, with the important difference that Jupiter has 8 of them, whereas the top Core 2 chips were only quad-core.
Cores expected to ship in early 2025 on 16-core Milk-V Oasis are at the level of Intel Haswell or AMD Zen 1.
Akeana, Tenstorrent, SiFive and Ventana have IP available for licensing whose performance is similar to or above Apple M1.
There isn't much of a performance gap left to close.