My interest in secure firmware began after adopting Qubes a few years ago. Only after discovering alternatives like Coreboot and Heads did I grasp how insecure conventional firmware really is. I still remember the Gigabyte motherboard firmware backdoor (Wired covered it here), which was the final call that showed me vendors don’t prioritize security.

One better alternative is Coreboot. It’s a (mostly) open-source firmware built on the philosophy of doing only the minimum and then handing off the rest: initialize hardware, transfer control to a payload, and keep resident services minimal. It shrinks the pre-OS attack surface and allows public review. Modern platforms still require some closed-source vendor binaries for hardware initialization (which is why it can’t be 100% open source), but the improvement over proprietary UEFI is substantial. Notably, Google’s Chrome OS devices (known for their strong security) ship with Coreboot. You can also buy Coreboot-preinstalled hardware from Novacustom, Protectli, System76, Nitrokey and others.

Heads is a Coreboot distribution that uses Linux as a payload for advanced security. It makes measured boot and user-controlled verification central: a minimal Linux environment in ROM measures each boot component into a TPM, provides tamper evidence, and supports sealing disk unlock keys to the expected measurements, so a modified component changes the measurement and the TPM refuses to release the key. Additionally, OTP/TOTP verification counters evil-maid physical attacks.
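To make the measure-seal-verify flow concrete, here is an added simulation (my own illustration, not Heads or Coreboot source code). It models a single TPM PCR as a SHA-256 hash chain, stands in for TPM sealing with an HMAC-bound wrapping key plus an integrity tag (a real TPM enforces the PCR policy in hardware, and the storage root key never leaves the chip), and shows the HOTP/TOTP code a user would compare against their phone. The boot-component contents, the `SRK` value and the TOTP seed are constructed placeholders.

```python
"""Simulated Heads-style measured boot: extend boot components into a PCR,
seal a secret to the expected PCR, unseal only when measurements match,
then derive the user-visible TOTP code from the unsealed secret.
Hypothetical illustration; not Heads or Coreboot code."""
import hashlib
import hmac
import struct
import time

# Constructed stand-ins for the stages a Heads ROM measures, in boot order.
BOOT_COMPONENTS = [
    ("coreboot-stages", b"constructed: coreboot romstage and ramstage"),
    ("heads-kernel", b"constructed: heads linux kernel image"),
    ("heads-initrd", b"constructed: heads initrd"),
]
# Constructed stand-in for the TPM storage root key (a real SRK never leaves the TPM).
SRK = b"constructed-storage-root-key"


def extend_pcr(pcr, component):
    """TPM-style extend: new_pcr = SHA-256(old_pcr || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components):
    """Extend every component, in order, into one simulated PCR (reset value is all zeros)."""
    pcr = bytes(32)
    for _name, blob in components:
        pcr = extend_pcr(pcr, blob)
    return pcr


def _policy_key(pcr, srk=SRK):
    """Wrapping key bound to a PCR value; models the TPM's PCR policy on a sealed object."""
    return hmac.new(srk, b"seal|" + pcr, hashlib.sha256).digest()


def seal(secret, expected_pcr):
    """Seal a 32-byte secret to expected_pcr: XOR-wrap it and append an HMAC tag."""
    assert len(secret) == 32, "simulation seals exactly 32 bytes"
    key = _policy_key(expected_pcr)
    ct = bytes(a ^ b for a, b in zip(secret, key))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct + tag


def unseal(blob, current_pcr):
    """Return the secret if current_pcr matches the sealing policy, otherwise None."""
    key = _policy_key(current_pcr)
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None  # measurements differ: refuse to release the secret
    return bytes(a ^ b for a, b in zip(ct, key))


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP (HMAC-SHA1, dynamic truncation); TOTP is HOTP over a time counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, now=None, step=30):
    """RFC 6238 TOTP with a 30-second step."""
    return hotp(secret, int((time.time() if now is None else now) // step))


def boot_check(components, sealed_secret, now=None):
    """Measure the boot, unseal, and return the TOTP code; None means the boot was altered."""
    secret = unseal(sealed_secret, measure_boot(components))
    return None if secret is None else totp(secret, now)


if __name__ == "__main__":
    totp_seed = hashlib.sha256(b"constructed-totp-seed").digest()
    sealed = seal(totp_seed, measure_boot(BOOT_COMPONENTS))
    print("untampered boot, code to compare with phone:", boot_check(BOOT_COMPONENTS, sealed))
    tampered = list(BOOT_COMPONENTS)
    tampered[1] = ("heads-kernel", b"constructed: modified kernel image")
    print("tampered boot:", boot_check(tampered, sealed))
```

The point of the tamper case is that nothing needs to be compared against a stored hash list: a changed kernel changes the PCR, the sealed secret simply does not come out, and the user sees no valid code. Running the block prints a six-digit code for the untampered boot and `None` for the modified one.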

I run both Heads and Coreboot on my devices. Heads is not for everyone, unlike Coreboot, which suits most users with minimal friction compared to standard UEFI. My biggest friction point with Heads is the sparse documentation, which made debugging and fixing things hard for me in the past.