Building the ultimate freedom/privacy machine (Maxxed out, modded & hardened ThinkPad T480)

I recently purchased a ThinkPad x230 with a goal in mind: flashing Libreboot to it and making it the most secure / privacy-focused machine possible.

Then, I realized I needed a SOIC8/SOP8 flashing clip to quite literally clip onto the physical chip which contained the Lenovo BIOS firmware, and I ended up being super lucky because an electronic store in my area had one in store, so I didn’t have to order it online.

I drive back home, super hyped, flash the default Libreboot payload to the 2 chips on my x230 motherboard, I boot, everything is working. At that point, the setup was already great, I had a single LUKS encrypted partition (yes, no boot partition, because GRUB is literally inside the chip which contained the BIOS, and bios-level GRUB can also decrypt LUKS containers). Over the course of the next few days, I hardened the laptop further, made my own initramfs payload, stripped down my kernel, hardened it, full LTO, etc. I was running Gentoo with dwm and pretty much the whole suckless.org software suite.

And then I think to myself - the CPU on the x230 is simply not good enough for my work, I need something better, more modern, yet something I can libreboot. So I went ahead and did my research, found out that it is possible to libreboot the ThinkPad T480. Currently, it is the “best” ThinkPad which can be librebooted. ( https://libreboot.org/docs/install/t480.html )

“The Lenovo ThinkPad T Series represent the company’s flagship, “workhorse” business laptop line, designed for durability, high performance, and reliability.”

Perfect for me, plus the T480 was released in 2018, much better than using a 2012 laptop in 2026.

I call my friend who owns a buy/sell/repair computer store, and luckily, he has a T480 in stock, I snatch one for a good price, head home, and same story as the x230, except I did things a little differently this time. I started by installing Debian 13 (Trixie), and then I look into customizing Libreboot and find out you can literally make the primary payload GRUB instead of SeaBIOS, and better yet, you can modify GRUB!

So here’s my setup:

On boot, the first thing you see on the screen is “Welcome to GRUB!”, and then instantly a prompt to decrypt my LUKS container. Once it is decrypted, only then is the GRUB option menu shown, with an option for Debian, and one for SeaBIOS. In the case GRUB can’t detect my LUKS container, it will default to the SeaBIOS payload instead of asking for my LUKS passphrase.

I personally think this is the coolest thing ever. Unencrypted boot partition always bothered me in modern setups, and this build literally makes the entire SSD inside the T480 an impossible-to-audit brick of noise.

Here are the specs on this bad boy:

1920x1080 display
Intel i5-8250u (I ordered an i7-8650u motherboard, it should arrive fairly soon) → 4 cores, 8 threads
64 GB DDR4 RAM (snatched 2x32GB sticks from a guy who was selling them at around 50% below market price)
256 GB NVMe M.2 SSD
24Wh Internal Battery
72Wh External Battery

I also ordered a better heatsink (dual heat pipe mod) and PTM7950 to ensure I always get good temperatures.

Additionally, I ordered an Atheros qcnfa222 wireless card, which (from my research) is considered the best wireless card that runs an open source driver (ath9k) without binary blobs.

The idea with this setup is to make a machine which will work just fine 10 years from now, and to reduce the attack surface as much as possible - physically/hardware speaking.

One might say “why didn’t you just buy a Framework laptop or one of those open source machines lol”, and my answer to this question is simple. ThinkPads are known for their reliability, robustness and durability. Hell, they are even MIL-SPEC tested. I am not saying Framework laptops or other open source laptop brands are not reliable or durable, I am simply saying ThinkPads have been heavily battle tested. Plus they have a nipple.

It’s kind of like the AES-256 vs ChaCha20 debate: ChaCha20 is a fantastic cipher, but AES-256 has been battle-tested to hell and back across every environment imaginable. I’ll take the proven workhorse.

If anyone’s interested in a setup like this or wants one built, feel free to reach out.

If the community shows interest, I’ll write a detailed guide on Servury.com to make your own, and I’ll try to outline all possible quirks and optimizations, like undervolting, LTO, custom initramfs, kernel hardening, etc.

I’m also looking into Heads firmware to try to make the evil maid attack / “evil actor flashes an evil libreboot version onto your laptop” attack.

Images: https://ibb.co/album/4whFqc

Reddit Post: Reddit - The heart of the internet

5 Likes
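The boot flow the post describes (GRUB in flash opens the LUKS container, otherwise falls through to SeaBIOS), written out as a GRUB config for Libreboot's GRUB payload. This is an added example, not the poster's actual grub.cfg; the two UUIDs, the `/vmlinuz` and `/initrd.img` symlinks living inside the encrypted root (no separate /boot), the `cryptroot` mapper name and the `/seabios.elf` CBFS name are assumed placeholders.

```grub
# Constructed example of the described boot flow; NOT the poster's real grub.cfg.
# Assumptions (placeholders): the LUKS UUID, the root-fs UUID, Debian's
# /vmlinuz and /initrd.img symlinks living inside the encrypted root
# (no separate /boot), and SeaBIOS stored in CBFS as /seabios.elf.
set timeout=10
set luks_uuid=11111111-2222-3333-4444-555555555555   # placeholder, use yours

# cryptomount -u only asks for a passphrase if a LUKS header with that UUID
# is found; if the container is absent it fails without prompting, which is
# what makes the fallback below work. (cryptomount -a would try every volume.)
if cryptomount -u $luks_uuid; then
    # The opened container appears as a plain (cryptoN) device; locate the
    # filesystem inside it and make Debian the default entry.
    search --no-floppy --fs-uuid --set=root 66666666-7777-8888-9999-000000000000
    set default=0
else
    # No LUKS container detected: go straight to SeaBIOS.
    set default=1
    set timeout=2
fi

menuentry 'Debian' {
    # The initramfs has to open the container a second time (via crypttab),
    # unless a keyfile bundled inside the initrd is used to avoid a re-prompt.
    # "cryptroot" is the assumed crypttab mapper name.
    linux  /vmlinuz root=/dev/mapper/cryptroot ro
    initrd /initrd.img
}

menuentry 'SeaBIOS' {
    set root='(cbfsdisk)'
    chainloader /seabios.elf
}
```

Check with `cryptsetup luksDump` that the container's key derivation (PBKDF2 vs Argon2) is one your Libreboot GRUB build supports; otherwise `cryptomount` finds the header but cannot unlock it, and the fallback never triggers because detection succeeded.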

Thanks for sharing! It does make for an interesting read. I tried this once: GitHub - max-baz/arch-secure-boot: UEFI Secure Boot for Arch Linux + btrfs snapshot recovery but I failed to make it work. Concerning the hardware: I get that Lenovo seems to offer fine hardware for a reasonable price, but wasn’t this also the company that included zero day exploits along with it? At least I believe that had been reported about ten years ago, but I tend to hold a grudge. :woman_shrugging:

2 Likes

The i7-8650U only supports up to 32 GB of DDR4 RAM @ 2400 MHz.

No, I have a maxed out T480; it supports 64 GB. I use it for testing Secureblue and QubesOS.

1 Like

Are you able to use secure boot and TPM2.0?

1 Like

I have also thought about flashing Libreboot on my T480 but I decided against it. If a Coreboot + TianoCore port comes out I’ll probably do it on my testing laptop for fun.

1 Like

Okay, does it support any other higher RAM configurations (2 x 48 GB or 2 x 64 GB)? How exactly can it support over 32 GB to begin with?

64 GB is the max. Gen 8 CPUs were the first to support 64 GB. It says 32 GB because 32 GB sticks didn’t exist when the T480 was released. :slight_smile:

1 Like