The very best option right now (and dirt cheap, ~$200 new) is to get an Asus C201P / Flip Chromebook. It uses a Rockchip ARM CPU, and if you disable 3D acceleration (which is slow anyway) and use an external wireless antenna, you don't have any closed firmware in your computer. Not even CPU microcode firmware.
This is unique. Of course, it's a machine targeted by Libreboot:
I guess that if you install GuixSD, given all binary packages can be verified against the source, and there are some decent sandboxing facilities, you can get pretty great security.
At the moment GuixSD doesn't yet work on ARM. Not much is missing and you can use Guix as a package manager on top of some other variant of the GNU system, but GuixSD on ARM is not quite ready yet. Give it a couple more weeks.
Don't take my comment to mean that Purism is evil, just that you aren't getting some ironclad security guarantee. This explains the "controversy" better than I can (http://www.pcworld.com/article/2960524/laptop-computers/why-...). Purism is certainly a step up from Lenovo, which was shipping computers with rootkits installed.
If you wear a tinfoil hat then you're going to be better off with a libreboot laptop, but you have to accept that you will never use a computer made after 2008.
I think that the niche that a Purism laptop fills isn't worth the price premium. A laptop from a main vendor plus a security conscious OS install (full disk encryption, two factor authentication) is fine for me.
So just to be 100% clear, and for the edification of everyone (myself included):
It is literally safe to assume that every single device is 100% compromised and the 5eyes can, if they wish, monitor every single thing you do, based on these issues, correct?
But then, you also have to think that every service that you use, outside of your own 100% controlled purview (i.e. literally any cloud service) is also summarily compromised to the point that you cannot say that one is completely secure...
That's a rather strong way of putting it, but yes, you should assume that every device you use can be penetrated by a sufficiently advanced and motivated actor. You should also be comfortable with the fact that state level actors have been recording information so that they can reach into your past should you ever become a problem with them. In that mindset, you have to create a security environment such that the truly advanced actors aren't motivated enough to bother with you. At the same time, don't leave your front door wide open so that any teenager can walk in and steal your TV.
I'm personally not worried about the 5eyes (but anti-gov activists should be). I'm worried about the smart kid who can use metasploit to take the banking info off my laptop in the middle of the night without me knowing it. A Purism laptop doesn't protect me from the smart teenager any more than an HP does. Full disk encryption and a Yubikey probably do, along with a decent firewall. Using cloud services where I encrypt my data before uploading is better than one where I transmit unencrypted (or where the cloud service controls the key).
A company willing to drop several thousand dollars on a Talos II might be worried about corporate espionage, so they might be willing to pay for a verifiable BIOS.
The NSA has to worry about thousands of hackers from dozens of countries around the world, so they are willing to pay for custom silicon.
Of course, you also need to consider physical security, which is like this: https://xkcd.com/538/
The lazy part of me thinks that using a POWER based system as my desktop for internet related activities provides one of the best protections from shitty, buggy software. No one's exploit is going to include POWER based shellcode to go along with their vulnerability. My browser might crash, but that x86 shellcode isn't going to do shit.
You can buy somewhat older hardware with Libreboot from various outlets including Minifree.org, tehnoetic.com, Zerocat.de, and Vikings.net. They all offer x86 hardware that works without blobs and without ME.
(Of course they don't solve the problem of firmware on disk controllers or network chips, but there is no such project yet.)
Also, this is a laptop, so a different class from server/desktop models, so it may not be fair to even compare them?