This atlas ranks a specific set of laptops, desktops, mini PCs, firewall appliances, and tablets through a single uncompromising lens: maximize owner control of the boot chain and minimize hidden co-processors and opaque firmware surfaces.
Vendor reliability is not treated as “vibes.” Where there is concrete evidence of sustained non-delivery or severe customer harm, it is linked inline and used to reduce the VR score.
Each device receives a score of 0–100 on every criterion. The composite score is a weighted sum of the criterion scores. The weights are intentionally front-loaded toward boot-chain sovereignty and firmware attack surface.

| Criterion | Weight | Definition (what it measures) |
|---|---|---|
| FF | 30% | Firmware & silicon freedom: owner control over boot chain, transparency, and ability to audit/modify. Includes explicit ME/PSP/BMC class impacts and EC openness where relevant. |
| HO | 10% | Hardware openness & repairability: open docs/schematics where available, standard parts, modular access, and reward for open microcontroller firmware (keyboard/system controller). |
| VA | 10% | Vendor alignment: Linux-first posture, coreboot/Libreboot investment, anti-telemetry ethos. Example anchors: Purism coreboot project, System76 open firmware position. |
| VR | 10% | Vendor reliability & availability: delivery behavior, support responsiveness, realistic obtainability. Explicit penalties when evidenced (e.g., Technoethical report; Purism Trustpilot aggregation). |
| SEC | 20% | Security & attack surface: ME/PSP/BMC presence, radio/GPU blobs, and measured-boot integrity (HEADS, TPM-based measured boot, tamper evidence). Measured-boot anchor: Dasharo measured boot. |
| PL | 10% | Performance & longevity: useful life for serious work (VMs, compilation, nodes), plus the realistic OS support horizon (especially hardened / compartmentalized OS). |
| SR | 10% | Stack role & irreplaceability: how structurally important and non-redundant the device is in a sovereign stack. Architecture diversity is rewarded when it meaningfully reduces dependence on hostile silicon. |

Most of the ranking spread is explained by where a device falls in this taxonomy. This is the core axis because it’s the irreducible reality under modern hardware.

| Class | Meaning | Representative examples in this set |
|---|---|---|
| Class 0 | No Intel ME / no AMD PSP; owner-controllable modern architecture or pre-ME x86. | Raptor POWER9 systems (Talos II, Blackbird), GNU Boot / Libreboot era ThinkPads (X200), KGPE-D16 based systems (D16 Workstation). |
| Class 1 | ME present but heavily lobotomized; Boot Guard defeated (Libreboot “deguard” class). | Minifree Libreboot T480 (product) and installation technique (Libreboot T480 install). |
| Class 2 | ME present and constrained (HAP/Soft disable); open firmware improves transparency but cannot erase silicon realities. | Dasharo laptops (NovaCustom models), Nitrokey laptops (NitroPad V54), Protectli Dasharo devices (VP46xx releases), System76 Open Firmware (repo). |
| Class 3 | ME/PSP present and effectively unmanaged; typical UEFI ecosystem. | Conventional laptops without open firmware; within this set, the closest example is a standard-UEFI Linux OEM profile like the ThinkPenguin T4 (product). |

Measured boot is treated as a material security primitive (tamper evidence), but certification status is tracked separately.
Example: the NitroPC Pro 2 Qubes page explicitly states only the “Dasharo TianoCore UEFI without measured boot” option is certified, while “HEADS with measured boot” is not certified: NitroPC Pro 2 Qubes certification details.
The measured-boot concept is anchored to a concrete implementation surface in the Dasharo ecosystem: Dasharo measured boot documentation.
Composite values are approximate (“≈”) by design: the ordering and tier assignment are the stable artifact. Each device name links to its primary product page. Where relevant, secondary links (docs/certification/reliability evidence) appear inside the verdict text.

| # | Device | Tier | Composite | Role tags | Core verdict (with inline links) |
|---|---|---|---|---|---|
| 1 | Raptor Talos II Secure Workstation | S Tier | ≈96 | POWER9, hypernode, owner-controlled | Apex modern platform: fully owner-controlled firmware domain; no ME/PSP trap. OpenBMC adds a real but open management surface. Availability anchored by Raptor’s production listing: status. |
| 2 | Raptor Talos II Desktop Development System | S Tier | ≈96 | POWER9, dev/workstation, anchor | Same sovereign advantages as Talos II core platform, packaged for development workflows. Platform overview: Talos II. |
| 3 | Raptor Blackbird Secure Desktop | S Tier | ≈94 | POWER9, desktop anchor, µATX | Compact owner-controlled desktop base. Same freedom profile as the Blackbird platform page: Blackbird mainboard. |
| 4 | MNT Reform | S Tier | ≈92 | open hardware, laptop, field-capable | Most open laptop architecture in the set (open hardware + deep documentation). Product anchor: shop page. |
| 5 | MNT Pocket Reform | S Tier | ≈91 | open hardware, field terminal, portable | Pocket-scale open hardware laptop. Stack role is unusually high because a truthful portable node is rare: shop page. |
| 6 | Minifree Libreboot 3050 Micro | S Tier | ≈90 | x86 node, Libreboot, compact workstation | Modern-ish desktop node with Libreboot preinstalled: product. Still not ME-free, but heavily constrained for owner control. |
| 7 | Minifree Libreboot T480 | S Tier | ≈90 | x86 laptop, Libreboot, daily driver | Modern portability with “deguard” class owner-control. Technique anchor: Libreboot T480 install doc. |
| 8 | Technoethical D16 Workstation | A Tier | ≈90 | ME-less x86, GNU Boot, server/workstation | Hardware purity is extreme (KGPE-D16 + GNU Boot), but VR is heavily penalized due to sustained non-delivery evidence: report. For GNU Boot KGPE-D16 background: GNU Boot KGPE-D16. |
| 9 | NitroPC Pro 2 | A Tier | ≈89 | Dasharo, desktop node, Qubes-certified | High-PL workstation node with Dasharo coreboot. Compatibility anchor: Qubes certification (note the measured-boot certification nuance stated there). |
| 10 | NitroPad V56 | A Tier | ≈89 | Dasharo, HEADS option, secure laptop | Modern laptop with measured-boot emphasis. Qubes compatibility anchor: Qubes certification. |
| 11 | NitroPad V54 | A Tier | ≈89 | Dasharo, secure laptop, modern | Similar security posture to V56, slightly different tradeoffs. Availability nuance for V54/V56 variants: Nitrokey announcement. |
| 12 | NitroPad T480s | A Tier | ≈89 | HEADS, measured boot, refurb ThinkPad | Measured-boot oriented entry platform; announcement: NitroPad T480/T480s launch. |
| 13 | NitroPad T480 | A Tier | ≈89 | HEADS, measured boot, refurb ThinkPad | Same measured-boot posture as T480s, typically with better thermals/upgrade feel. |
| 14 | NitroPad X230 | A Tier | ≈88 | classic, measured boot, field laptop | Older but unusually strong tamper-evidence profile. Widely used in secure-laptop workflows; product anchor above. |
| 15 | ThinkPenguin Penguin Mega (Coreboot) | A Tier | ≈88 | desktop, coreboot, Dasharo-supported | Strong desktop node with coreboot option; ME “disabled” posture is still class-2 reality. Product page states Dasharo support and ME-disabled option. |
| 16 | Technoethical T500 | A Tier | ≈88 | ME-less x86, GNU Boot, reference laptop | Purity is exceptional; VR penalty applies due to evidenced non-delivery risk: report. FSF RYF certification context: FSF announcement. |
| 17 | Technoethical T400s | A Tier | ≈88 | ME-less x86, GNU Boot, thin classic | Same purity story as T500; VR penalty anchored to the same evidence link above. |
| 18 | Technoethical X200s | A Tier | ≈88 | ME-less x86, GNU Boot, ultra portable | Ultraportable sovereign reference machine. Vendor reliability penalty applies (linked above). |
| 19 | Technoethical T400 | A Tier | ≈88 | ME-less x86, GNU Boot, workhorse classic | High-trust firmware posture; lower PL due to age; vendor reliability penalty applies (linked above). |
| 20 | Technoethical X200 | A Tier | ≈88 | ME-less x86, GNU Boot, canonical Libreboot-class | Canonical ME-less laptop reference. FSF “recommended systems” includes this line: FSF hardware list. |
| 21 | Technoethical X301 | A Tier | ≈88 | ME-less x86, GNU Boot, thin classic | Thin ME-less ThinkPad class. Vendor reliability penalty applies (linked above). |
| 22 | Technoethical X200 Tablet (X200T) | A Tier | ≈87 | ME-less x86, GNU Boot, convertible | Convertible form factor; rare in a ME-less class. FSF RYF batch explicitly lists the X200T: FSF list. |
| 23 | Purism Librem 14 | A Tier | ≈87 | coreboot, kill switches, privacy laptop | Strong alignment and security posture; VR is discounted due to sustained negative customer reports in aggregation: Purism reviews. Pureboot/coreboot anchor: Purism coreboot project. |
| 24 | NovaCustom V56 | B Tier | ≈86 | Dasharo, modern laptop, class-2 ME | Dasharo coreboot base with ME constrained. Dasharo model list: overview. |
| 25 | NovaCustom NS70 | B Tier | ≈86 | Dasharo, 17", workhorse laptop | Large-screen modern laptop with Dasharo coreboot posture; strong PL for mobile work. |
| 26 | NovaCustom V54 | B Tier | ≈85 | Dasharo, 14", Qubes-certified | Strong practical daily-driver sovereign laptop. Qubes compatibility anchor: V54 certified configs. |
| 27 | NovaCustom NS51 | B Tier | ≈85 | Dasharo, 15.6", modern | Solid modern laptop footprint; coreboot base; class-2 ME reality remains. |
| 28 | NovaCustom NV41 | B Tier | ≈85 | Dasharo, Qubes-certified, HEADS option exists | Qubes certification and HEADS availability are explicitly tracked: NV41 with Heads certified. |
| 29 | Star Labs StarBook Horizon | B Tier | ≈85 | coreboot, Linux-first, modern laptop | Strong Linux-first vendor posture with coreboot emphasis. Product family overview: Horizon details. |
| 30 | Star Labs StarFighter | B Tier | ≈85 | coreboot, performance, mobile workstation | Performance-oriented Linux laptop; firmware openness is meaningful but still sits inside modern x86 constraints. |
| 31 | Star Labs StarBook | B Tier | ≈84 | coreboot, measured boot (vendor claims), daily laptop | Product line highlights measured boot and LVFS updates: StarBook details. |
| 32 | Star Labs StarLite | B Tier | ≈84 | coreboot, tablet/laptop hybrid, portable | Lightweight mobile form factor; reduced PL relative to larger laptops. Product anchor: StarLite details. |
| 33 | Star Labs Byte | B Tier | ≈83 | mini PC, coreboot, small node | Compact Linux-first mini node; useful for small services and light homelab roles. |
| 34 | NitroPC 2 | B Tier | ≈84 | mini PC, Dasharo, node | Solid mini-node with Dasharo posture; lower PL than NitroPC Pro 2 but strong value density. |
| 35 | Purism Librem Mini | B Tier | ≈83 | mini PC, PureBoot (coreboot+Heads), tamper-evidence | Strong firmware security posture advertised via PureBoot (coreboot + Heads): product, coreboot project. VR discounted via aggregated customer reports: reviews. |
| 36 | System76 Lemur Pro | B Tier | ≈82 | System76 Open Firmware, ultraportable, daily laptop | Strong VA/VR and open firmware posture; model support list: Open Firmware systems. |
| 37 | System76 Darter Pro | B Tier | ≈82 | System76 Open Firmware, portable, modern | Similar to Lemur in openness posture; slightly different ergonomics and performance envelope. |
| 38 | System76 Gazelle | B Tier | ≈81 | dGPU surface, performance laptop, Linux OEM | Higher PL, but dGPU blob surface reduces SEC compared to iGPU-focused machines. |
| 39 | System76 Meerkat | B Tier | ≈80 | mini server, node, Linux OEM | Practical small node and mini-server. Strong vendor reliability; firmware openness depends on generation/support. |
| 40 | System76 Oryx Pro | C Tier | ≈79 | high PL, dGPU blobs, mobile workstation | Performance is excellent; sovereignty is limited by GPU blob stack and broader firmware complexity. |
| 41 | System76 Adder WS | C Tier | ≈79 | workstation, dGPU blobs, max PL | A “need maximum laptop PL” device; sovereignty loss is the dGPU + complex firmware surface. |
| 42 | System76 Serval WS | C Tier | ≈79 | desktop replacement, dGPU blobs, 2.5GbE | Extreme PL in a laptop shell; sovereignty compromised by the same high-performance GPU + firmware realities. |
| 43 | System76 Bonobo WS | C Tier | ≈79 | maximum PL, dGPU blobs, research/sims | The PL ceiling device in this list, but it sits far from a minimal, auditable compute base. |
| 44 | NovaCustom NUC Box 155H | C Tier | ≈81 | Dasharo, mini PC, node | Compact node with Dasharo posture. Dasharo model support shows NUC Box 155H: Dasharo overview. |
| 45 | Protectli Vault VP4630 | C Tier | ≈80 | router/firewall, Dasharo option, fanless | Excellent router/firewall form factor. Dasharo release notes for VP46xx: releases. |
| 46 | Protectli Vault VP4650 | C Tier | ≈80 | router/firewall, Dasharo option, fanless | Same role as VP4630 with higher CPU headroom; still class-2 ME reality. |
| 47 | Protectli Vault VP4670 | C Tier | ≈80 | router/firewall, Dasharo option, fanless | Top of this Vault line; best PL of the trio for virtualization-heavy edge roles. |
| 48 | Dell OptiPlex 7010 SFF (Dasharo) | C Tier | ≈78 | refurb node, coreboot retrofit, budget | Strong use of reclaimed corporate hardware with open firmware. Dasharo platform overview: docs. |
| 49 | ThinkPenguin Penguin T4 | D Tier | ≈75 | UEFI-class, Linux OEM, compromised | Usable Linux laptop, but stuck in the standard modern ME/UEFI class and not competitive with coreboot/Libreboot nodes. |
| 50 | PineNote | D Tier | ≈73 | e-ink, ARM dev, edge | Valuable edge artifact, not a core node. Official device page: PineNote. |
| 51 | PineTab2 | D Tier | ≈72 | ARM tablet, dev, edge | Dev-tablet role; official device page: PineTab2. |
| 52 | PineTab-V | D Tier | ≈72 | RISC-V tablet, experimental, edge | Architecturally interesting; still an edge platform. Official device page: PineTab-V. |
| 53 | CutiePi Tablet | D Tier | ≈68 | Raspberry Pi, tablet, tinker | Raspberry Pi tablet form factor; good for experimentation, but not sovereign-grade infrastructure: project. |

Tiers are not “quality awards.” They represent structural sovereignty capacity under the scoring model.
The top rank is reserved for platforms that combine: Class 0 co-processor reality + modern performance + practical availability. That is why Raptor POWER9 dominates the ceiling.
The ranking compresses into four structural blocks: