Linux Laptops? System76? Other options?

This is what I would do. Did some research with some other people on this:

1. Framework

Framework is bad with firmware updates. They are so bad, the 12th and 13th gen Intel computers have not gotten any updates since their release. 1, 2.

The AMD models get updates a bit more frequently, but IIRC they are still all vulnerable to LogoFAIL according to their forums.

They do not seem to take firmware security seriously and I’d recommend avoiding them.

2. StarLabs

No Boot Guard.

AMD Platform Secure Boot is the equivalent.

3. Purism

Circular logic. PureBoot cannot provide anti-tampering by design. They are trying to check whether the firmware has been tampered with by trusting the measurements given to the TPM by the firmware, which the firmware can always lie about.

No Boot Guard to talk about. Decrepit old hardware with no memory encryption. Overpriced.

On top of that, the CPU is unfused. (The eFuse is to prevent tampering.)

4. System76

HSI 0 on most models. Very concerning results on LVFS like BootGuard fuse not being blown. fwupdmgr security is not very reliable so take that with a grain of salt. However, exercise extreme caution with System76 because this does not look promising. They only just got Secure Boot very recently, some notes there about bricking if you have 10th gen or earlier.

5. Modern Dell Latitude/Precision

HSI 4

  • Secured-core
  • Regular firmware updates
  • vPro Enterprise models have Memory Encryption
  • Blows Fuses on security updates, preventing downgrade attacks
  • Minor issue of not measuring whether hyper-threading is enabled in the firmware or not. The Microphone toggle in the firmware doesn’t work. No deal breaker.

The HSI level is going to be shown in GNOME:

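Added example, not part of the original post: a simplified Python model of the Purism point above, where the firmware itself supplies the measurement that ends up in the TPM. The `Firmware` class, the byte strings and `FUSED_DIGEST` are constructed for illustration, and the fuse comparison is an assumed stand-in for a Boot Guard-style hardware check, not its real manifest format.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def pcr_extend(pcr: bytes, measured: bytes) -> bytes:
    """TPM extend operation: new PCR = SHA-256(old PCR || digest of measured data)."""
    return sha256(pcr + sha256(measured))

@dataclass
class Firmware:
    image: bytes                     # bytes actually stored in flash and executed
    reports: Optional[bytes] = None  # bytes it hashes into the TPM (None = its real image)

    def self_measurement(self) -> bytes:
        return self.image if self.reports is None else self.reports

def firmware_rooted_boot(fw: Firmware) -> bytes:
    """No hardware root of trust: the first code to run is the firmware in flash,
    so the value extended into the PCR is whatever that firmware chooses to send."""
    return pcr_extend(bytes(32), fw.self_measurement())

def hardware_rooted_boot(fw: Firmware, fused_digest: bytes) -> Optional[bytes]:
    """Simplified hardware root of trust: logic outside the flash hashes the real image
    and compares it with a digest held in fuses before any firmware code executes."""
    if not hmac.compare_digest(sha256(fw.image), fused_digest):
        return None                  # refuse to boot; the image never gets to run
    return pcr_extend(bytes(32), fw.image)

# Constructed sample images (not real firmware).
GOOD_IMAGE = b"vendor firmware build 1 (constructed sample)"
honest = Firmware(GOOD_IMAGE)
# Modified image that keeps a copy of the original bytes and measures those instead.
tampered = Firmware(b"modified firmware (constructed sample)", reports=GOOD_IMAGE)

EXPECTED_PCR = firmware_rooted_boot(honest)  # value a secret would be sealed to
FUSED_DIGEST = sha256(GOOD_IMAGE)            # provisioned once, cannot be rewritten

if __name__ == "__main__":
    print("firmware-rooted, honest  :", firmware_rooted_boot(honest) == EXPECTED_PCR)
    print("firmware-rooted, tampered:", firmware_rooted_boot(tampered) == EXPECTED_PCR)
    print("hardware-rooted, honest  :", hardware_rooted_boot(honest, FUSED_DIGEST) == EXPECTED_PCR)
    print("hardware-rooted, tampered:", hardware_rooted_boot(tampered, FUSED_DIGEST))
```

In the firmware-rooted case both images produce the same PCR value, so anything sealed to that value cannot tell them apart; only the check made outside the flash rejects the modified image.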