Ultimately, you need to build your own CPU (and everything else) from discrete components (assuming the universe is not a malicious simulation, of course) and bootstrap on it by writing your first assembler in machine code (you ought to come up with everything from scratch; any existing designs might have subtle deliberate vulnerabilities). The actual question is at which point you’re willing to risk a compromised supply chain, i.e. how far does your, quite warranted, paranoia go.
That’s what RISC V is for.
And yes, there exist FLOSS BIOSes.
Yes and no. Buying a RiscV CPU has the same issues as buying an arm or x86_64 one, and building one from discrete components (which is absolutely feasible; there are multiple people who have done it) still means you might recreate some subtle and deliberate flaw in the spec (how sure are you there is none? That is the whole question). And trusting a FLOSS BIOS over a proprietary one is just accepting a different trust level/anchor. My whole point was that ultimately you cannot perfectly trust anything you haven’t designed and built yourself (and even that depends on this reality not being a malicious simulation; I am being serious), so you’ll need to consciously decide what trade-offs, if any, you’re willing to make.