Windows PC with UEFI, or Chromebook with custom firmware, are these secure?

I’m really curious to know which is more reasonable, using custom firmware for Chromebook, or using a Windows PC with UEFI? Especially in comparison to default Chromebook ChromeOS with verified boot?

Also acknowledging that installing an alternative OS, or something like ChromiumOS, would need to disable developer mode, to make it similar to default ChromeOS. I’m not sure if ChromiumOS forks keep verified boot the same.

It seems like going the Chromebook route is more likely to get better support too, like getting the right Linux kernel modules for it. Some Windows PCs don’t have a Linux equivalent kernel module to their Windows driver.

Also Chromebooks do have a long AUE support time, but when flashing custom UEFI firmware maybe this security is not the same anymore?

With the Windows PC route, you can sort of use custom keys on the firmware at least. But with UEFI flashed on Coreboot on a Chromebook, there doesn’t seem to be an actual way to put a custom key to load bootloaders.

Also the obvious, Chromebooks have a security chip called “Titan C” or “Discrete H1” or just TPM, like modern Windows PCs have. But I don’t know if ChromiumOS forks fully utilize this secure enclave/TPM?

This makes me wonder why Android devices have somewhat better developer support with custom ROMs, but Chromebook isn’t at that same level I guess.


Without a firmware signing to ensure boot, or not let people have easy access like VT2 terminal, thus getting root access, I want to prevent these things because it makes it easier for people to acquire data on my device without my permission, and they can tamper with the system files without the system detecting it (if it doesn’t have verified boot), it makes me uneasy.

At the same time, I really do want to customize ChromiumOS, there are some things I do not like with basic stock ChromeOS.

Well, when you install a Linux OS, as you know, you may encrypt your data and there are some tools which are supposed to be able to encrypt a partition even later and without erasing its content (never tried them, though). In Windows you have BitLocker, which comes in handy.

Apart from that, an unencrypted Linux installation is not secure, I dare say by design. And that applies to any kind of known OS as far as I know.

I mean that, if a partition that stores sensitive data is unencrypted, should you lose your device, with minimal effort your data might be accessed by anyone.

So, if you encrypt your data, I suppose you’ll get a very acceptable level of security anyway.

On the other side, any kind of protection against unverified code at boot, be it based on TPM or on any other kind of verification chip, is something that requires you to trust MS, Google, Apple etc… Even the UEFI signature that most Linux distros sport, if I am not wrong, just means that Microsoft trusts the maintainers of those distros.

Even using someone’s software just like MrChromebox’s coreboot is safe only if you can read and understand the code itself or if you trust someone else who can read it.

So security is just a matter of trust in a sense. Just like many things in life, btw.

I am now using GNU Linux on a Chromebook, so my opinion is not biased by myself being a ChromeOS user only, but I definitely think that Chromebooks are by design the most secure devices ever, though they are somehow limited, especially for Crostini being sandboxed and not having access to bare metal. But Chromebooks would be the best devices for 95% users imho, since most jobs just require a web browser nowadays. Maybe not for most people here though, but it’s unfair when some people say that Chromebooks are for young people and oldies and for computer illiterates. It just depends on your needs.

Btw, slightly off topic, I mostly use GNU Linux but I bought a Morphius with Ryzen 5 and 16 Gigs RAM in mint condition for only 199 Euros and I wanted to stay with ChromeOS but battery life in ChromeOS, for that AMD CPU, is not good and spans from 7 to 8 hours at most. It was something unexpected because ChromeOS usually excels in battery life, but with Fedora Cinnamon I get 11 hours or more (mostly office usage). Otherwise I would still be enjoying ChromeOS which I like very much, since I own further devices with GNU Linux that can help when ChromeOS is not enough.

I also have to admit that, in order to get a much better user experience on my device with GNU Linux in comparison to ChromeOS, it took 10 or more hours of tinkering, while with ChromeOS I just had to sign in, install Crostini and replace it with a previous backup.

Too long, sorry.