AMI Aptio V vs coreboot

What's the difference? Both AMI (American Megatrends Inc.) Aptio V and coreboot are both UEFI firmware. These exist to provide an interface between your Operating System and hardware, so the OS know's what devices there are and how to control them. UEFI was a direct replacement for BIOS and whilst UEFI has been standard for over a decade, it's commonly referred to as BIOS.

Since day one, we've used AMI Aptio V firmware for our laptops and now, we're making a second option available - coreboot. The reason why we're making both available instead of one is that there isn't a categorically answer to which one is "better". Which one is better for you, really depends on your priorities and how/what you use your laptop.

AMI is an industry-standard firmware, alongside Insyde and Pheonix. It offers many features, including a graphical interface that allows various settings to be changed such as performance modes and offering secure boot.

coreboot on the other hand is an open-source project, that has only been made available for a finite number of devices (the majority of these being Chromebooks). It offers a basic set of features and has no interface, apart from a simple boot menu.

So AMI is better? AMI is definately more capable but one of the major appeals of coreboot is that it's open-source, so all of the source code is public - you can find it here. This means that you can see everything inside it, and if you know how, make any change you like. It really suits Linux, as it uses the exact same licensing (GPLv2) as the Linux kernel.

Due to how lightweight coreboot is, it will offer better performance and lower power consumption. For example, the LabTop Mk IV combined with coreboot will offer approximately 8% more performance and around 20% longer battery life (with a record of 13 hours and 42 minutes for general use).

Is coreboot more secure? The jury is out on this one so it really depends on who you speak to. The main difference in security is the way that they update, as this is the primary method used in an attempt to compromise firmware.

Both receive updates via the LVFS but they differ in the plugin that they use. AMI uses EFI capsules, any EFI capsule can be sent to the firmware as an update but before they are installed, the firmware will check the signature to ensure that it is written by the vendor. If it's not, it's rejected. This is widely considered one of the most reliable and secure ways of delivering updates.

coreboot uses flashrom, which runs from the userspace (outside the kernel) and writes directly to the SPI (a small chip where the firmware is stored). Instead of verifying the update, it will allow anything using user id 0 (aka "sudo", "root" or "admin") to write to it. Whilst this may sound less secure, and arguably it is, if user id 0 is compromised, then the vast majority of security measures are null and void.

One advantage of being able to see the source code is that as the contents are public - there's no chance of anything being there that shouldn't, such as spyware or keyloggers. Whilst our development team have full access to the AMI source code, we aren't allowed to share this due to the licensing - so you just have to take our word for it that there is nothing bad inside!

Advantages of AMI:
* Graphical interface that allows settings to be changed
* Offers SecureBoot
* Uses EFI capsules to update

Advantages of coreboot:
* Incredibly lightweight which results in better performance and battery life
* Open-source

What do Star Labs recommend? If you don't use any of the customisable options in the AMI firmware, and security isn't your number one concern, we would recommend coreboot as the laptop will perform better. If you use the customisable options, these simply aren't available in coreboot so AMI is the only option.

If security is important to you, as there is no categorical answer, then the only person who can decide which is best for you is you.

Mar 24, 2021

Contact Us

Not finding what you're looking for? Contact Us Directly