From 810301908dc27bfcd3e553a8493ad32d5781ac37 Mon Sep 17 00:00:00 2001
From: SysAdmin
Date: Sat, 25 Apr 2026 03:41:49 +0100
Subject: [PATCH] docs(hardware): capture Coreboot SKU shortlist for Phase 1.13 hardware pilot
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Three viable vendors today for a UK-based hardened-laptop reseller program:
Star Labs (UK), NovaCustom (NL), System76 (US).

Recommended 3-SKU lineup:
- Tier 1 / Lite: Star Labs StarBook Horizon (Alder Lake-N, ME disabled, ~£1,140) — UK domestic, no Heads option
- Tier 2 / Pro: NovaCustom V54 (Meteor Lake, Dasharo + factory Heads, ~£1,210) — flagship; B2B reseller programme + custom engraving
- Tier 3 / Workstation: NovaCustom V56 (Meteor Lake + optional dGPU, ~£1,250+) — Qubes-certified, dual NVMe, 96 GB RAM ceiling

Key findings:
- Framework not yet shipping factory Coreboot for non-Chromebook (AMD openSIL port still in development per Phoronix Mar 2026); revisit Q4 2026
- Purism Librem 14 ruled out — old CPU, supply unreliable
- AMD PSP cannot be cleanly disabled in shipping firmware in 2026 — Intel with neutered ME wins for the hardened tier; revisit when Star Labs StarFighter AMD or Framework AMD Coreboot ports stabilise (~2027)
- NovaCustom is the strongest single partner: Clevo B2B reseller programme, factory-flashed Heads option, free UPS to UK, custom-logo engraving available

Operational cautions documented: Meteor Lake S0ix suspend caveat with ME disabled (default to hibernate-only), EC firmware not 100% open anywhere (don't market as "fully libre"), Dasharo firmware ships quarterly so re-verify before each procurement batch.

Snapshot dated 2026-04-25; all source URLs cited for human verification.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 docs/hardware-skus.md | 128 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 128 insertions(+)
 create mode 100644 docs/hardware-skus.md
diff --git a/docs/hardware-skus.md b/docs/hardware-skus.md new file mode 100644 index 0000000..82afe1d --- /dev/null +++ b/docs/hardware-skus.md 
@@ -0,0 +1,128 @@ +# Hardware SKU Recommendations — Coreboot Laptops + +> **Snapshot date**: 2026-04-25. Coreboot/Dasharo firmware ships quarterly; vendor stock and policy change. **Re-verify before each procurement batch.** + +This document captures the SilverMetal Linux hardware-bundle SKU shortlist for the Phase 1.13 pilot batch (10 preflashed Coreboot-supported laptops) and the recurring SilverMetal hardware product line. + +## Conclusions + +For a UK-based reseller program shipping a hardened Debian/Kicksecure variant in 2026: + +- **Three viable vendors today**: Star Labs (UK), NovaCustom (NL), System76 (US) +- **Framework is not yet shipping factory Coreboot** for non-Chromebook models — AMD openSIL port for Framework 16 is in active development as of Q1 2026 but not shippable. Re-evaluate Q4 2026 +- **Purism Librem 14 ruled out** — Comet Lake CPU is 5+ years old in 2026, supply unreliable, vendor financial stability questioned. Could remain a special-order "maximum-libre" option for specific customer requests +- **Intel + neutered ME beats AMD** for the hardened tier today — AMD PSP cannot be cleanly disabled in shipping firmware. 
Re-evaluate when Star Labs StarFighter AMD or Framework AMD Coreboot ports stabilise (~2027) +- **NovaCustom is the strongest partner overall** — explicit Clevo B2B reseller program, factory-flashed Heads option, UPS to UK without import friction, custom-logo engraving and blank-keyboard options + +## Recommended 3-SKU Lineup + +### Tier 1 — SilverMetal Lite (Budget) +**Star Labs StarBook Horizon 13.4"** — ~£1,140 + +- Intel Alder Lake-N i3-N305 (8C/8T, 7W TDP — fanless-class) +- 32 GB LPDDR5 (soldered), 1× M.2 NVMe up to 2TB +- 13.4" 2520×1680 90Hz 3:2 display +- Factory Star Labs Coreboot, **Intel ME disabled (HAP)**, partly-open EC firmware +- TPM 2.0 (dTPM/PTT) +- UK company → same-day domestic shipping, no customs friction +- **No Heads option** — must implement Secure Boot + measured-boot without Heads tamper-evidence (sign our own keys; enrol PK/KEK/db; bind LUKS to PCR 0/2/7) + +**Position as**: "travel / secondary device / journalist road-warrior" SKU. + +### Tier 2 — SilverMetal Pro (Mainstream) +**NovaCustom V54 14"** with Dasharo coreboot+Heads — ~€1,420 / ~£1,210 + +- Intel Core Ultra 5/7 125H/155H (Meteor Lake) +- Up to 96 GB DDR5 SODIMM, 2× M.2 PCIe 4.0 NVMe up to 4TB each +- 14" 1920×1200 or 2880×1800 16:10 +- Factory Dasharo Coreboot, **factory-flashed Heads option** (we don't have to flash Heads ourselves) +- Dasharo fork of System76 open EC firmware +- ME optional disable in BIOS (HAP) — *with documented S0ix/suspend caveat* +- Hardware TPM 2.0 — works with our Secure Boot + LUKS PCR-bind plan +- NovaCustom Clevo B2B reseller program: custom-logo engraving, blank-keyboard option +- Free UPS shipping to UK + +**This is the flagship SKU.** + +### Tier 3 — SilverMetal Workstation (Premium) +**NovaCustom V56 16"** with optional RTX 4060/4070 dGPU — ~€1,460+ / ~£1,250+ + +- Same firmware story as V54 (Dasharo + factory-flashed Heads) +- Intel Core Ultra 7 155H + optional discrete GPU +- 16" display, dual NVMe + 96 GB RAM ceiling +- Qubes-certified — 
useful narrative for power users / journalists +- Optional dGPU opens a "local-LLM workstation" angle (relevant to SilverLABS self-hosted-AI positioning) +- Default config should be **iGPU-only** for maximum-libre buyer; offer dGPU as explicit upgrade with disclosure (proprietary GPU firmware in trust story) + +## Comparison Matrix + +| Criterion | Star Labs Horizon | NovaCustom V54 | NovaCustom V56 | System76 Lemur Pro | Purism Librem 14 | +|---|---|---|---|---|---| +| **Coreboot** | Factory (Star Labs distro) | Factory (Dasharo) | Factory (Dasharo) | Factory (firmware-open) | Factory (PureBoot) | +| **Heads option** | No (EDK2 only) | **Yes — factory-flashed** | **Yes — factory-flashed** | No | Yes (PureBoot = Heads) | +| **EC firmware** | Partly open | Open (Dasharo fork of S76 EC) | Open (same) | Open (System76 EC) | Proprietary blob | +| **Intel ME** | Disabled (HAP) | Optional disable (HAP, S0ix caveat) | Same as V54 | Disabled (RPL+ confirmed; MTL inherits) | Disabled + neutered (HAP + me_cleaner) | +| **CPU** | Alder Lake-N i3-N305 (7W) | Core Ultra 125H/155H (Meteor Lake) | Core Ultra 155H + opt. 
RTX dGPU | Core Ultra 125U/155U | i7-10710U (Comet Lake, 2020) | +| **RAM** | 32 GB LPDDR5 (soldered) | 96 GB DDR5 SODIMM | 96 GB DDR5 SODIMM | 56 GB DDR5 | 64 GB DDR4 | +| **Storage** | 1× NVMe (≤2TB) | 2× NVMe PCIe 4.0 (≤4TB each) | 2× NVMe PCIe 4.0 | 1× NVMe (≤8TB) | 2× NVMe | +| **Display** | 13.4" 2520×1680 90Hz 3:2 | 14" up to 2880×1800 16:10 | 16" up to 2880×1800 16:10 | 14" 1920×1200 16:10 | 14" 1920×1080 | +| **TPM 2.0** | Yes (dTPM/PTT) | Yes (Intel PTT/fTPM + hw TPM available) | Yes | Yes (PTT/fTPM) | Yes (dTPM) | +| **Approx price** | £1,140 / $1,058 | €1,420 / ~£1,210 | €1,460+ / ~£1,250+ | $1,399+ / ~£1,200 + VAT | $1,399+ but supply poor | +| **UK shipping** | UK domestic | Free UPS, no import friction | Free UPS, no import friction | US → UK + ~20% VAT/duty | US → UK, slow | +| **B2B / reseller program** | Contact sales (no published) | **Yes — Clevo reseller; logo engraving; blank keyboards** | Same (V54/V56 share programme) | "No local resellers" (per S76) | None published | +| **Custom OS preinstall** | Yes | Yes (Qubes preinstall offered, BYO-distro normal) | Yes | Yes | Yes | +| **Currently shipping** | Yes (announced 2026-01-06) | Yes | Yes | Yes (Meteor Lake refresh) | Yes but constrained | + +## Vendors Considered and Ruled Out + +- **Framework 13 / 16** — AMD openSIL Coreboot port still in development as of March 2026 (per Phoronix, 9elements). Re-evaluate Q4 2026 +- **Purism Librem 14** — old CPU, supply unreliable; keep as niche maximum-libre special-order +- **Tuxedo** — Coreboot effort started, stalled; not factory-shipping in 2026 +- **MNT Reform** — ARM, niche, unsuitable for mainstream Linux laptop program +- **ThinkPad enthusiast targets (X230, T440p, T480, etc.)** — cannot be sourced reliably at scale; no warranty path; EOL CPUs lack AES-NI/AVX features needed for full-disk-encryption performance + +## AMD vs. Intel for the Hardened Tier (2026) + +**Intel with neutered ME wins** — for now. Reasons: + +1. 
AMD PSP cannot be cleanly disabled in shipping firmware. No `me_cleaner`/HAP-bit equivalent exists for AMD +2. Coreboot + openSIL on AMD is a research effort, not production +3. Every shipping factory-Coreboot laptop with a credible ME-disable story today is Intel + +Re-evaluate when Star Labs StarFighter AMD or Framework AMD Coreboot ports stabilise (likely 2027). + +## Operational Cautions + +1. **Meteor Lake suspend with ME disabled**: NovaCustom explicitly notes S3/S0ix suspend limitations when ME is disabled. **Test on our Kicksecure base.** Default our SilverMetal image to **hibernate-only** for the privacy SKU and document the trade-off in customer materials +2. **EC firmware is not 100% open anywhere**: All recommended SKUs have either a partly-open or System76-derived EC. **Don't market "fully libre"** — market "hardened, transparent, ME-neutralised" +3. **Heads + LUKS PCR-bind**: Works on NovaCustom V54/V56 with the factory Heads option. Star Labs Horizon does *not* offer Heads — Tier 1 needs Secure Boot + measured-boot without Heads tamper-evidence (our own keys + PCR 0/2/7 binding) +4. **NovaCustom = Clevo reseller**: They sell Clevo chassis with Dasharo flashed on top. **Long-term firmware support depends on Dasharo continuing to fund the variant.** Check Dasharo release notes for V54/V56 quarterly to track active maintenance +5. **UK import for System76/Purism (if ever needed as fallback)**: Expect ~20% VAT + handling on top of headline USD price. NovaCustom and Star Labs avoid this +6. **Custom branding**: NovaCustom advertises laser-engraving the lid and blank-keyboard customisation — we can ship a literal "SilverMetal" engraved chassis without OEM negotiations. Star Labs has no equivalent published programme — engraving would be in-house +7. 
**Verify before each batch**: Re-fetch NovaCustom V54/V56 BIOS-disable-ME documentation and Dasharo Heads release notes immediately before each procurement order — Dasharo firmware versions change quarterly + +## Sources + +- [NovaCustom V54 Series](https://novacustom.com/product/v54-series/) +- [NovaCustom V56 Series](https://novacustom.com/product/v56-series/) +- [NovaCustom Dasharo coreboot overview](https://novacustom.com/dasharo-coreboot/) +- [NovaCustom Clevo reseller / B2B page](https://novacustom.com/clevo-reseller-europe/) +- [NovaCustom custom logo / engraving](https://novacustom.com/laptop-with-custom-logo/) +- [Qubes OS — NovaCustom V54/V56 with Heads (May 2025)](https://www.qubes-os.org/news/2025/05/20/qubes-certified-novacustom-v54-v56-now-available-with-heads/) +- [Dasharo Universe — NovaCustom overview](https://docs.dasharo.com/unified/novacustom/overview/) +- [Dasharo Universe — V560TU release notes](https://docs.dasharo.com/variants/novacustom_v560tu/releases/) +- [Phoronix — NovaCustom V54/V56 announcement](https://www.phoronix.com/news/NovaCustom-V54-V56-Laptops) +- [Star Labs StarBook Horizon (UK / GBP)](https://starlabs.systems/pages/starbook-horizon) +- [Star Labs StarBook Horizon specifications](https://us.starlabs.systems/pages/starbook-horizon-specification) +- [9to5Linux — StarBook Horizon launch (Jan 2026)](https://9to5linux.com/starbook-horizon-linux-laptop-now-on-sale-with-32gb-ram-wi-fi-6e-and-coreboot) +- [System76 Lemur Pro](https://system76.com/laptops/lemur-pro) +- [System76 Open Firmware models](https://support.system76.com/articles/open-firmware-systems/) +- [Phoronix — System76 disabling Intel ME on Raptor Lake](https://www.phoronix.com/news/System76-Disable-ME-RPL) +- [Phoronix — Framework 16 Coreboot + AMD openSIL port (Mar 2026)](https://www.phoronix.com/news/Framework-16-Coreboot-openSIL) +- [Framework community thread — Coreboot status](https://community.frame.work/t/responded-coreboot-on-the-framework-laptop/791/540) +- 
[Purism Librem 14](https://puri.sm/products/librem-14/) +- [Purism — Deep dive into Intel ME disablement (HAP)](https://puri.sm/posts/deep-dive-into-intel-me-disablement/) +- [Nitrokey Heads release v2.6.1 (V54/V56/NV41)](https://github.com/Nitrokey/heads/releases/tag/v2.6.1) +- [TUXEDO — Coreboot status FAQ](https://www.tuxedocomputers.com/en/Infos/Help-Support/Frequently-asked-questions/Coreboot-on-TUXEDO-Computers-devices.tuxedo) +- [coreboot.org distributions list](https://doc.coreboot.org/distributions.html) +- [me_cleaner HAP / AltMeDisable wiki](https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit)
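Review bot: The TPM entries conflict with the ME-disable entries in the Tier 1 bullets and the Comparison Matrix: "TPM 2.0 (dTPM/PTT)", "Intel PTT/fTPM + hw TPM available" and "PTT/fTPM" sit next to "Disabled (HAP)", but Intel PTT is a firmware TPM that runs inside the ME, so a SKU shipped with ME disabled can only support the "bind LUKS to PCR 0/2/7" plan if a discrete TPM is fitted. Please state per SKU whether a dTPM is present and usable with HAP set, and remove PTT from any row where ME-disabled is the shipped configuration. Related to the same plan: Tier 2 says the TPM "works with our Secure Boot + LUKS PCR-bind plan" while also shipping factory Heads, and the matrix contrasts Heads with "EDK2 only", so the document should say which boot-trust scheme each tier actually uses. The snapshot note says firmware ships quarterly and PCR 0 covers firmware measurements, so Operational Cautions item 3 needs a line on re-sealing the LUKS binding after each firmware update. Two smaller factual checks: the Star Labs price "£1,140 / $1,058" has the USD figure below the GBP figure, which suggests different configurations or tax bases and should be labelled; and the ThinkPad bullet's "EOL CPUs lack AES-NI/AVX" does not hold for the T480 listed there, whose 8th-generation Core CPUs have both, so the sourcing and warranty reasons should carry that exclusion on their own.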