Ownership Is a Firmware Problem

I am not a car guy - I know a little bit about cars, and have a limited understanding of what people are doing when they install mods to their cars, but I have never delved into this arcane trade myself. I would like to one day. I saw an interesting video a couple of months ago where someone applied the Unix philosophy, that code should do one job and do it well, to his personal life. This resulted in him having two cars, the reliable workhorse and the perpetual project car. If I am ever blessed enough to have my own home and the capital to buy such a perpetual project car, I would like to do this also.

In spite of my lack of knowledge though, I do know what a governor is. For those not in the know, a governor is a bit of hardware in a car that limits the speed it can go - and thus is born a deeper issue. I bought the car, so I theoretically own the car; I should be able to use my machine to its full capability regardless of what the manufacturer deems fit. It raises some important questions on the nature of ownership, and echoes the sentiment “if buying isn’t owning, then piracy is not theft”.

This post is not about cars, it is about a philosophical quagmire modern tech is in where the items that we buy are not ours, and my ill-advised mission to try and take back some semblance of control.

The Firmware Problem

To the uninitiated, when you use your computer, it is made up of a BIOS which loads in hardware, an init system which loads a kernel, and the kernel helps to load in the operating system. There is a certain amount of black magic at play that culminated in this process which I will not attempt to explain here, but at its core that is it. A beautifully sometimes-messy achievement of modern hardware and software engineering that allows you to surf the modern day internet to look at everything from ISIS beheading videos to cats being scared of pickles. If your machine is from before 2008, it is very likely that is all there is to it, but sadly this is not the case for machines spawned past this time-based lodestone.

The Intel Management Engine is an autonomous subsystem that has been burned into virtually every Intel processor chipset past that point. Often confused with Intel AMT, it is the case that AMT runs atop ME and is not a distinct system. AMT can also be unprovisioned by owners at will, but there is no official documented process to disable ME. It primarily consists of proprietary firmware running on a separate microprocessor, and as long as the chipset or SoC is supplied with power, it continues to run. The official reasoning behind its existence is that it aids in the performance of Intel devices, and provides better control in enterprise environments. Its exact workings are largely undocumented, and its code is obfuscated using confidential Huffman tables stored directly in hardware, such that even the firmware does not contain the information necessary to decode its contents. This subsystem has effectively Ring -3 (yes, there is access more scary than Ring 0) access to the underlying system, with the capability to see storage, the input of peripheral devices such as keyboards and mice, and network traffic, plus a whole host of other capabilities people like me pay top dollar for from sites like HAK5 to emulate. This is not just native to Intel - AMD and other manufacturers all support their own versions of this.

This is where it goes from being fact-based to opinion-based, so please bear that in mind going forward. I am not in the market of beating around the bush, so I will call this what it is - it behaves like something we would call a rootkit if it appeared after purchase. In my opinion it is a hardware-level rootkit, installed on the assembly line without the informed consent of the end user. Under a zero trust worldview, source credibility does not grant architectural exemption - regardless of whether Intel ME was spawned under the purview of a widely trusted hardware vendor or a vilified state-level threat, I treat it the same. Any software on my system that has the capability to perform malicious actions, whose pros and cons of being on my system I have not personally weighed up, and which I am unable to remove, is malware to me.

Thus spawns a larger issue which many ignore when it comes to this emotionally loaded subject. Your computer is an incredibly customizable thing when you know how to do it. Even something as hardwired in as an init system is dictated by consumer choice, due to the existence of distributions like Gentoo and Artix Linux. Your laptop is truly yours with relative ease - except for the firmware. This is not about Intel ME; this is about the laptop’s firmware being something which can be updated and tweaked as long as you have the correct signing keys, whereas the moment I want to flash third-party firmware onto my legally owned device I suddenly need to buy an SPI clip and pray I don’t brick my motherboard. Intel ME is a symptom of a wider problem. If I cannot flash a new firmware onto my device, is it even mine?

Chromebooks, Coreboot, Cannibalism

Working in IT, I have the distinct displeasure of working with devices running ChromeOS - most of these devices are lightweight machines that act essentially as thin clients whose entire job is to load up web based applications. Most of my run-ins at my job are with Google Meet hardware, but it comes from the same DNA as Chromebooks and is essentially the same high-consumption slop that will only find a future in a landfill within five to ten years. With my love of taking old and decrepit hardware and breathing new life into it, I felt a moral duty to save the Chromebook I now call Spider from this dusty fate. It will be a cold day in hell before I use ChromeOS, however, so if I was going to do this I was installing Nix on it.

Several years prior I had a girlfriend who had a Chromebook she was using for her maths degree, and she asked me to try and help her get Ubuntu installed so she could use RStudio. I did some research into it and saw it was possible, but before I had a chance to actually do it she bought a new laptop. Setting this aside, with the EOL Google Meet hardware at my job, I have had colleagues install IGEL OS onto them. I knew this was possible; what I did not know was how absolutely cursed the process of doing this is.

Flashing a Chromebook isn’t difficult in the way installing Linux on a normal laptop is difficult — it’s difficult in the way prying open something that was never meant to be opened is difficult. ChromeOS devices are built around verified boot and vendor-controlled firmware, so even after enabling developer mode you’re still boxed in. To actually replace the firmware you often have to physically open the machine, disable hardware write protection, and negotiate with firmware regions and rollback protections that clearly weren’t designed with user sovereignty in mind. Mine involved opening up the device and removing a screw to disable write protection - yes, a physical screw.

I do need to clarify something here: I understand the need for an OS as locked down as this. Chromebooks are not meant to be sold to individual users; they usually exist in fleet dynamics in education and corporate environments. As someone who works with and supports devices like this, having the peace of mind that users cannot easily fuck with their device is something I wish was as prevalent in Dells as it is in Chromebooks. A BIOS password is not enough, I want a gilded cage that says in the most corporate way possible “fuck off, this is not your machine”. My contention is around the fact that these devices can be sold on, and if they are not usable in the second-hand market they will just become e-waste.

An interesting caveat of this process, however, is that due to the locked down nature of the firmware, in many cases you need to outright replace it. Nine times out of ten this will be with Coreboot. Coreboot replaces the vendor’s BIOS/UEFI with something leaner and far more transparent about what it is actually doing. Its job is deliberately minimal: initialise the hardware, set the stage, and then hand control off to a payload like SeaBIOS or Tianocore, which in turn boots your operating system. You are not just installing Nix or Ubuntu at that point; you are rewriting the machine’s brain. It does not magically purge every proprietary component from the silicon, and it does not turn a Chromebook into a libre utopia overnight, but it fundamentally shifts who gets to decide how the device wakes up and what it trusts.

So I turned it on and it just worked. I know you probably want some dramatic drawn out sequence of “I sat there staring at the black screen waiting for any sign of life, and as the fans creaked to life and the rabbit appeared on screen I felt vindicated in this mission”. No, it turned on, I pulled my Nix config and it just worked. Well… Kind of. Chromebooks work great with ChromeOS, and that is because the hardware, firmware, and software are designed to work in harmony. The moment you start fucking with it the system becomes a lot less stable. As an example, right now I can use VS Code, do git commits, use my homelab apps… But opening KeePassXC is painful, YouTube barely functions, and any conversation with ChatGPT longer than a few messages is just rage inducing.

Cannibalism?

I, like many in the Linux sphere, have a certain predisposition for the classic ThinkPads. I have been the proud owner of an X230 for some time, which I bought for the express purpose of Corebooting. I have just never done it. The reasons behind this are similar to the reasons I have not put GrapheneOS on my Pixel, despite the fact I bought that phone for the express purpose of doing so - there is a lot of work that needs to happen prior to the act itself.

With the Pixel I needed to get a replacement for Google Photos, set up a way to sync my contacts, cross all my I’s and dot all my T’s. With the X230, I need to research how to actually install Coreboot (or Libreboot) on it. The latter sounds a lot simpler as a lot less practical work needs to go into it, but I assure you it is not. This is the sort of thing where once you have done it once it is incredibly simple, but as a first timer it is nerve-racking. I am effectively going to be removing my motherboard, putting an SPI clip onto one of the chips and programming it using a CH341A, all of which come with their own caveats. Most of all the CH341A, which Libreboot themselves say you shouldn’t use, whereas every single tutorial I have seen seems to use one. Further to that, there is the additional argument of whether I Coreboot or Libreboot, which is an emotionally loaded topic unto itself. Setting all of this aside, I know me - Corebooting it will not be enough and I will soon follow the entire xyte.ch build process. But here is the rub… I like using a Corebooted laptop. I find myself between a rock and a hard place of not being able to stand using this Chromebook, and not wanting to rush this X230 build.

The thing no one wants to talk about

The thing no one quite wants to acknowledge in this space is that the ThinkPads the Linux community romanticise so… they are old. This is so much more the case for devices that are compatible with Coreboot and Libreboot, and even more so for the devices where you want to straight up remove Intel ME rather than just neutering it. Just as flashing left me a laptop that was functional but wanting for more, the argument can be made that swapping it out for an X230 solves the pain points, but it is still not a fully functional workstation. In the near future this site is going to be hosted on Tor as well as I2P, and I am going to be running some intensive loads on my graphics card to try and get a domain name that is somewhat readable. This would not in a million years be possible on an X230, much less a Chromebook.

I have kept a close eye on Framework laptops since they were announced, and an even closer eye on their community thread requesting Coreboot support. The Framework laptop is everything the leftover ThinkPad market is, just modern. Easily upgradeable, easily repairable, easily modded. I have said for an exceptionally long time that once they support an open-source BIOS/UEFI I will buy one, turn my main PC into an AI/rendering server, and run the laptop as my day-to-day. This horizon seems deceptively far away, however, with constant stalls, much to the dismay of the community. But then I ask the question: if Framework shipped a laptop tomorrow with perfect Coreboot/Libreboot support, would I be happy?

I have two 3D printers

  • A BambuLab P1P
  • An Ender 3

I started out with the Ender 3 as many people do, but bought my P1P when my Ender was just too slow and breaking too often to be a workhorse. I did not get rid of my Ender 3 though, and it became a perpetual project printer. When that guy I mentioned at the start of the post bought two cars, one for projects and one for reliability, it dawned on me I was already doing this with my printers. So how does this apply to the current line of thinking? Framework laptops are sleek, nice and reliable; but taking a beaten up X230, drilling through the chassis for more ventilation, flashing a new BIOS on, frankensteining on an external Wi-Fi antenna - these are things it is not. I am okay with having a workhorse laptop and a perpetual project laptop. Despite all my complaints about my Chromebook I am still writing this post on it, and despite all my complaints about my X230 I will still eventually Coreboot it. It was never about digital self-sovereignty or Intel ME or ownership; it is about your tech reflecting who you are as a person, something not a lot of us can actually articulate. I do not want comfort, I want mine.


Verify this post

This page is published as a PGP clearsigned document. You can verify it like this:

gpg --keyserver hkps://keys.openpgp.org --recv-keys CA98D5946FA3A374BA7E2D8FB254FBF3F060B796
curl -fsSL 'https://eddiequinn.xyz/sigs/posts/2026/feb/ownership-is-a-firmware-problem.txt' | gpg --verify
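As an added example (not part of the original post or its tooling), the same verification as a POSIX shell script that also pins the result to the fingerprint published above: on its own, gpg --verify reports a good signature for any key in your keyring, so checking gpg's VALIDSIG status line against the expected fingerprint is what ties the signature to this author. The status line parser is this example's own, not something gpg ships.

```shell
#!/bin/sh
# Added example, not from the original post: verify the clearsigned post and
# pin the result to the fingerprint the post publishes. "gpg --verify" alone
# exits 0 for a good signature from ANY key in the keyring, so the fingerprint
# comparison below is the check that matters.
EXPECTED_FPR="CA98D5946FA3A374BA7E2D8FB254FBF3F060B796"
POST_SIG_URL="https://eddiequinn.xyz/sigs/posts/2026/feb/ownership-is-a-firmware-problem.txt"

# Read "gpg --status-fd" lines from stdin; return 0 only if a VALIDSIG line
# names the expected fingerprint as the signing key or as the primary key,
# and return 1 on any bad, unverifiable, expired or revoked signature.
# VALIDSIG fields: fpr, sig-date, sig-timestamp, expire-timestamp,
# sig-version, reserved, pubkey-algo, hash-algo, sig-class, primary-key-fpr.
status_has_validsig() {
    expected="$1"
    found=1
    while IFS=' ' read -r prefix keyword fpr rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            VALIDSIG)
                primary="${rest##* }"   # last field: primary key fingerprint
                if [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    found=0
                fi
                ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                return 1
                ;;
        esac
    done
    return "$found"
}

# Fetch the key by fingerprint (as the post does), then verify the signed copy
# with gpg's machine-readable status routed to stdout for the check above.
verify_post() {
    gpg --keyserver hkps://keys.openpgp.org --recv-keys "$EXPECTED_FPR" >/dev/null 2>&1 || return 1
    curl -fsSL "$POST_SIG_URL" \
        | gpg --status-fd 1 --verify 2>/dev/null \
        | status_has_validsig "$EXPECTED_FPR"
}
```

Run verify_post and check its exit status; a good signature from a different key, or an expired or revoked one, fails the check rather than passing as "Good signature".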

whoami

Systems should be predictable. People rarely are.


2026-02-21