Chromebook (without ChromeOS) + Coreboot (MrChromebox Full ROM) + GNU/Linux = affordable open firmware laptop?

All Chromebooks already come with Coreboot out of the box. There is of course some proprietary Google stuff but custom Coreboot firmware is available on MrChromebox.tech that gets rid of at least some of it, completely uninstalls ChromeOS and allows you to install GNU/Linux directly as on any other PC.
For ASUS Chromebook C201 from 2017 there is even Libreboot available.

Now one just needs to upgrade the SSD, if possible, as Chromebooks sometimes have just a 16 GB SSD. A simpler option is to buy a 128 GB SD card.

Chromebooks seem to be an overlooked, easy and rather cheap way to get a Coreboot GNU/Linux laptop. However, do some Chromebook-specific privacy risks remain even after you get rid of ChromeOS and replace the original firmware?

References

Here I just list quotes with links for things that I have mentioned above.
As a new user I am limited to two links per post, so the rest of the links are written as preformatted text.

Coreboot documentation

All ChromeOS devices (Chromebooks, Chromeboxes, Chromebit, etc) released from 2012 onward use coreboot for their main system firmware. Additionally, starting with the 2013 Chromebook Pixel, the firmware running on the Embedded Controller (EC - a small microcontroller which provides functions like battery management, keyboard support, and sensor interfacing) is open source as well.
https://doc.coreboot.org/distributions.html#chromeos-devices

MrChromebox provides upstream coreboot firmware images for the vast majority of x86-based Chromebooks and Chromeboxes, using Tianocore as the payload to provide a modern UEFI bootloader.
https://doc.coreboot.org/distributions.html#mrchromebox

MrChromebox.tech

The firmware used by ChromeOS devices is built around several open-source projects, and consists (mainly) of a hardware init component (coreboot) and one or more payloads (depthcharge for Verified Boot and ChromeOS, SeaBIOS for Legacy Boot Mode) which are subsequently executed. The firmware resides on an SPI flash chip and uses the layout shown below. The shaded sections at the bottom are read-only, which is enforced by the firmware write-protect screw on the main board (sometimes with a sticker as well on some newer models). When we talk about updating the firmware on ChromeOS devices, we’re referring to … the entire firmware image (often referred to as a “full ROM”).

(UEFI) Full ROM

  • A complete firmware image which includes updated/customized versions of the hardware init component (coreboot) and UEFI boot payload (Tianocore); Chromeboxes have the option of a Legacy Boot (SeaBIOS) firmware also, since some specialized Linux distros that run on them are not yet UEFI compatible (e.g., roon)
  • Removes the developer mode boot (white “OS verification is OFF”) screen
  • Completely removes the ability to run ChromeOS (and ChromeOS Recovery Mode), creating a small risk of bricking your device
  • Offers the best support for booting all OSes besides ChromeOS
  • Adds full hardware support for virtualization (vmx / VT-x)
  • Fixes many bugs and/or idiosyncrasies associated with the stock firmware
  • UEFI firmware contains updated EC firmware as well, which brings additional fixes on most Chromebooks (mainly keyboard related)
  • Requires installation of a UEFI-compatible OS after flashing
  • Essentially turns your ChromeOS device into a “regular” PC / laptop

The (UEFI) Full ROM firmware is the best option for all users who no longer need/want to run ChromeOS (i.e., want to run Linux/Windows exclusively), and who don’t mind opening their device to disable the firmware write-protect.
https://mrchromebox.tech/#firmware

Standalone Linux
On many Intel-based Chromebooks, you can simply boot a Linux ISO via the stock firmware’s Legacy Boot mode and install like you would on any other PC. When installing Linux via ISO in conjunction with the stock firmware + Legacy Boot Mode, there are sometimes issues booting the install media due to bootloader conflicts (e.g., Syslinux) or setting the graphics mode (GRUB/Ubuntu 16.10) or broken sleep/suspend due to the TPM (all CR50 devices). Because of this, most devices will benefit from running the latest UEFI Full ROM firmware, which should be flashed prior to OS install when running Linux and not dual booting w/ChromeOS.
https://mrchromebox.tech/#alt_os

(MrChromebox’s) coreboot, SeaBIOS, Tianocore, and EC firmware repositories, along with the source for the scripts on this site, are also available on github:
https://github.com/MrChromebox/coreboot
https://github.com/MrChromebox/SeaBIOS
https://github.com/MrChromebox/edk2
https://github.com/MrChromebox/scripts
These repos contain not only the source used to build the current firmware releases, but also the build scripts and configurations used as well. The only components not included are the various binary “blobs” which are not redistributable; if you want to build your own firmware, you have to extract these blobs from your existing factory firmware (there are instructions for doing so on chromium.org; these are written for Haswell devices but apply more broadly).
https://mrchromebox.tech/#firmware

Upgrading SSD

If you know about a better resource on replacing SSDs and adding other extra memory to Chromebooks, please let me know.

https://www.androidcentral.com/how-upgrade-ssd-your-acer-c720-chromebook
https://www.omgchrome.com/chromebooks-can-upgraded/

Other open firmware laptops

I am well aware of many other options for laptops with free/open source hardware init (a.k.a. BIOS).

On x86 architectures there are the Intel Core (2) Duo ThinkPads from the years 2006-2008 that can be used with Libreboot. Some System76 laptops come with Coreboot and other open firmware. Purism’s Librems come with the PureBoot blend of Coreboot.

For ARM architecture there is MNT Reform and PINEBOOK Pro which both come with Uboot.

Here I just want to explore the less discussed option of Chromebooks as open firmware laptops, so that I am aware of all the options that are available.

  • Libreboot ThinkPads https://libreboot.org/docs/hardware/#list-of-supported-hardware
  • System76 Coreboot https://github.com/system76/firmware-open
  • Purism’s PureBoot https://docs.puri.sm/PureBoot.html
  • MNT Reform Uboot https://source.mntmn.com/MNT/reform-boundary-uboot
  • PINEBOOK Pro Uboot https://wiki.pine64.org/index.php/Pinebook_Pro#Bootable_Storage

As I understand it, a Chromebook is only a Chromebook because of its OS and possibly the firmware (which seems to be required to boot into ChromeOS). As MrChromebox.tech says about the custom firmware:

Essentially turns your ChromeOS device into a “regular” PC / laptop

Once you take that away, all you are left with is the hardware provided by the manufacturer, which may or may not have its own set of potential security vulnerabilities. However, without the stock firmware and ChromeOS completely removed and replaced by another GNU/Linux distribution, I don’t see what’s left from the original computer (aside from said hardware).

Yeah, that is exactly the point. You will be left with just hardware that definitely works with Coreboot.

By Chromebook-specific risk, I meant something like the H1 CR50 chip.
Sophos presents it as just a chip for two-factor authentication:

Google has discovered a serious flaw in a Chromebook security feature which allows owners to press their device’s power button to initiate U2F two-factor authentication (2FA).

Known as the ‘built-in security key’, the experimental feature was first enabled for Google PixelBooks last summer. Since then, it has quietly been embedded on numerous Chromebooks that have the necessary H1 CR50 chip inside them, including many made by Dell, HP, Acer, Samsung, Asus and Lenovo. A full list of affected devices is available on Google’s website.

On the other hand, one rather obscure looking website called Loper OS has compared it to Intel Management Engine and said H1 CR50 chip is:

per the vendor’s published source – able to rewrite all firmware, under the control of an external debug snake, or other, yet-undiscovered triggers; start and stop the CPU; master the I2C bus, on which, among other things, are to be found the sound card’s microphone; upgrade its own firmware; and other interesting things that may or may not align with the machine owner’s wishes at a particular moment

the machine owner cannot simply remove or cut the traces to the Cr50: it has been placed in control of power supply bringup; the valuable debug interface; and other essentials.

Even after a complete firmware change, the H1 CR50 chip naturally remains on the Chromebook. Does anyone have more info on it?

Just to add more context to why I am asking specifically about Chromebooks:

If somebody wishes to have a laptop with free/open source firmware, they can either use ThinkPads from 2007 or pay at least $1,000 for Purism’s Librem, System76 or MNT Reform. This leaves only the PINEBOOK Pro at $200 in the affordable new hardware category.

Chromebooks might bring more variety into the affordable new hardware with free/open source “BIOS” category.

Sounds scary. I had never heard of this chip before, but it boils down to trusting the hardware you use. Knowing about this, it’s interesting to see things like GrapheneOS, regarded as highly secure, which runs on Google-designed hardware exclusively. Not that I don’t like Graphene or I’m claiming it’s flawed or anything of that sort, just pointing that out.

About the topic, maybe it’s best to ask in the GalliumOS subreddit for support or more info on the topic. Maybe the custom firmware on offer patches this somehow.

From that Sophos article it seems there are a lot of devices that have no longer been supported officially for a while now. You can probably get one of the pre-H1 CR50 ones very cheaply from someone online?