So what I'm hearing you say is that there's likely no more risk to a aliexpress mini pc like Topton than there is in any other connected computing device, be it a PC from Dell, HP, the netgear switches I have, the standard homeowner wifi router, down to the IoT devices....correct?
If so this is why I bought the Topton in the first place - coreboot seems like a nice to have, but in the grand scheme of things it's no more of a security risk than any of these other things - not like I know where/how those firmwares are from and they certainly aren't open source.
Yep, because even if you get something with the sticker of some well-known brand on it, it's still going to have plenty of moments along the way where malicious behaviour could be introduced. Even if HP builds their firmware in Houston, there is nothing stopping someone from adding a firmware module after the fact. The only thing that would prevent that (in the case of HP) would be adding signatures for each release in the EC they use for SureStart, but ironically, coreboot and me_cleaner research has shown that SureStart tends to either only look for header integrity, or can be easily disabled by blanking its own SPI flash.
There are some other (non-technical) factors, mainly because a big name brand in the western world has a reputation to uphold:
- This can greatly influence the level of quality assurance, integrity checks and contractual rules made with companies like Foxconn, Quanta and Compal
- The level of support is very different, since customer satisfaction might influence future purchases
- The laws are different and can affect companies directly, but if you want to sue a company in China, good luck getting anything out of that
All off this still doesn't guarantee much since you'd have to lock down a supply chain end-to-end, and for almost nobody that is simply not worth the 100x price increase. And even for those who do go for that, it still can go wrong (i.e. military contracts where parts turn out to be straight from China but it was specified and paid for to be 100% US domestic). It also sometimes goes wrong even if it's just for consumer gear; i.e. some flash vendor getting infected with malware which caused an entire run of consumer devices to come pre-loaded with some sort of virus (I think that was iPods and it only happened when connected to a PC in disk mode).
On the flip side there is the problem for the manufacturer: doing the extra work to load up some malware modules in the firmware, the logistics to make sure the right malware goes to the right target (or get the target data out of a 100% infected device pool which is even harder) or the problem of doing that for multiple revisions, multiple models and multiple products... it's almost never worth it unless you are a military target. It's much easier to just preload some infected OS, and that's why that is what happens far more often. And as such, I would recommend never using a pre-installed OS. That also includes pre-installed windows on laptops for example, since those windows images have gotten infected every now and then causing entire ranges of devices to be delivered with malware.
Considering manufacturers seem to have enough trouble on their hands setting the correct power envelope on devices, I doubt malicious DXEs in the firmware is the first problem we have.
There is something else, and that is also what
@Patriot mentioned: coreboot gives you a way forward and that goes for many hardware vendors. This is a bit of a bonus as well since coreboot can be made to 'do less' which means there isn't much to be gained from different versions, and at the same time the stuff that it does do you can update all day long since as long as your device is in-tree it will be built on every release to test for breakage. Security-wise, having less 'value added' nonsense in the firmware is a positive thing considering it makes the attack surface smaller.
As for how trustworthy devices are: I'd say that a server manufacturer in the retail world would be getting the most damage from shipping malware in their devices, on a shared 1st place with companies like Google, Microsoft and Apple. Then the next step down is any consumer electronics mass producer like HP (not HPE) and Dell's consumer line, Asus etc. But considering they load up the desktop OS they ship with so much malware by default (i.e. touchpad drivers that log every keystroke for some reason, or compromised CAs in the root store so they MITM all your web traffic), they are pretty much on the same level as a pre-installed aliexpress firewall special. Just wipe it if it comes with any software and then run your own stuff. And if someone is able to add "install coreboot" to that list for more devices, that's better for everyone. Keep in mind that ironically the ability to install coreboot also means that someone else with access to your device can also install coreboot, but a compromised version, and you'd never find out. (unless we add PKI in the mix and do rom dumps periodically - root of trust is hard!)