What's the difference? AMI (American Megatrends Inc.) Aptio V and coreboot are both firmware. They exist to provide an interface between your operating system and hardware so the OS knows what devices there are and how to control them.
There are two main parts of that firmware, the bootloader and the payload. The bootloader initialises the hardware, and the payload provides a UEFI platform. UEFI was a direct replacement for BIOS, and whilst UEFI has been standard for over a decade, it's commonly referred to as BIOS.
Both coreboot and AMI use EDK II as a payload; AMI's version is about 10 years old and highly modified. coreboot uses a standard but bleeding-edge version.
Since day one, we've used AMI Aptio V firmware for our laptops, and now, we're making a second option available - coreboot. We're making both available because there isn't a definite answer to which one is "better". Which one is better for you depends on your priorities and how you use your laptop.
AMI is an industry-standard firmware, alongside Insyde and Phoenix. It offers many features, including a graphical interface that allows various settings to be changed.
coreboot, on the other hand, is an open-source project that has only been made available for a finite number of devices (the majority of these being Chromebooks). The version of EDK II it uses has no dedicated interface apart from a simple boot menu. Configurable options can be changed using our coreboot configurator program, which is available for Linux. You can find all the details of this here.
So which is better? AMI is more capable, but one of coreboot's significant appeals is that it's open-source, so all of the source code is public - you can find it here. It means you can see everything inside it; if you know how, you can change anything you like. It suits Linux, as it uses the same licensing (GPLv2) as the Linux kernel.
Due to how lightweight coreboot is, it will offer better performance and lower power consumption. For example, the LabTop Mk IV combined with coreboot will deliver approximately 8% more performance and around 20% longer battery life (with a record of 13 hours and 42 minutes for general use).
Is coreboot more secure? The jury is out on this one; it depends on who you speak to and how it's configured. From now on, we'll be talking about the version of coreboot that we build, as, for example, Google's configuration is very different. The main difference in security is the way that they update, as the update mechanism is the primary route used in attempts to compromise firmware.
Both receive updates via the LVFS but differ in the plugin they use. AMI uses EFI capsules: you can send any EFI capsule to the firmware as an update, but before it is installed, the firmware will check the signature to ensure that it was written by the vendor. If it wasn't, it will be rejected. This is widely considered one of the most reliable and secure ways of delivering updates.
coreboot uses flashrom, which runs from userspace (outside the kernel) and writes directly to the SPI flash (a small chip where the firmware is stored). Instead of verifying the update, it will allow anything using user id 0 (aka "sudo", "root" or "admin") to write to it. Whilst this may sound less secure, and arguably it is, if user id 0 is compromised, then the vast majority of security measures are null and void.
One advantage of seeing the source code is that, as the contents are public, there's no chance of anything being there that shouldn't be, such as spyware or keyloggers. Whilst our development team have full access to the AMI source code, we aren't allowed to share this due to the licensing - so you have to take our word for it that there is nothing terrible inside!
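To check which of the two update paths described above a given machine is on, the added example below (not Star Labs' or fwupd's own code) classifies devices from `fwupdmgr get-devices --json` output by the plugin that handles them. The JSON keys, the `uefi_capsule` plugin name and the `signed-payload`/`unsigned-payload` flags are assumed from recent fwupd releases, and the sample data is constructed.

```python
import json
import sys

# Constructed sample shaped like `fwupdmgr get-devices --json` output.
# Names and flags are illustrative; a real machine reports only one of the
# two system-firmware entries, both appear here to show each update path.
SAMPLE = json.dumps({"Devices": [
    {"Name": "System Firmware", "Plugin": "uefi_capsule",
     "Flags": ["internal", "updatable", "needs-reboot", "signed-payload"]},
    {"Name": "System Firmware", "Plugin": "flashrom",
     "Flags": ["internal", "updatable", "needs-reboot"]},
    {"Name": "NVMe SSD", "Plugin": "nvme", "Flags": ["internal", "updatable"]},
]})

# What gates a firmware write on each update path, as described in the article.
GATES = {
    "uefi_capsule": "firmware checks the capsule signature before installing",
    "flashrom": "no firmware-side check; any uid 0 process can write the SPI chip",
}


def payload_state(flags):
    """Map fwupd's payload flags (assumed names) to signed/unsigned/unknown."""
    if "signed-payload" in flags:
        return "signed"
    if "unsigned-payload" in flags:
        return "unsigned"
    return "unknown"


def classify(devices_json):
    """Return (name, plugin, gate, payload) for each system-firmware update path."""
    rows = []
    for dev in json.loads(devices_json).get("Devices", []):
        plugin = dev.get("Plugin", "")
        if plugin in GATES:  # skip devices handled by unrelated plugins
            rows.append((dev.get("Name", "?"), plugin, GATES[plugin],
                         payload_state(dev.get("Flags", []))))
    return rows


if __name__ == "__main__":
    # Pipe real fwupdmgr output in, or run without a pipe to use the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, plugin, gate, payload in classify(text):
        print(f"{name}: plugin={plugin}, payload={payload}\n  gate: {gate}")
```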
Advantages of AMI:
* Graphical interface that allows all settings to be changed
* Uses EFI capsules to update
Advantages of coreboot:
* Incredibly lightweight, which results in better performance and battery life
* coreboot-configurator allows all settings to be changed
What do Star Labs recommend? If security isn't your number one concern, we recommend coreboot as the laptop will perform better.
If security is imperative, as there is no definite answer, then you are the only person who can decide which is best for you.