I noticed this recommendation of a Nix tool.
Its not my specialism and Im only providing it for stimulation or as a
conversation starter.
```
All the necessary components (coreboot, kernel, busybox-based initramfs
with cryptsetup/lvm2) are stored entirely in the bootloader flash chip.
This leaves no writable unencrypted media in the boot process when the
flash chip's write protect pin is shorted.
Ownerboot extends coreboot with a new normal/fallback mechanism. The
flash chip holds two complete copies of the bootloader; only a single
page (the bootblock) is shared between them. Each image can be flashed
and write-protected indepedently of the other. The fallback image can be
selected by /dev/watchdog, nvramtool, or physical input (front-panel
button on servers, stylus eject on laptops).
Because ownerboot is written in nix, it can ensure that these builds are
deterministic. Ownerboot contains no binaries, and instantiates nixpkgs
with config.allowNonSource=false; if you disable nix's binary
substituter you are assured that all the software in your bootloader
will be built from source on your local machine, all the way back to the
compiler which compiles your compiler.
```
https://sr.ht/~amjoseph/ownerboot/
--
Jonathan McHugh
indieterminacy@libre.brussels
