Vaseline

  1. Can you explain the limitations of the HC4 when using it as a desktop replacement? I mostly just work/edit on WordPress and other CMS-based websites, watch YouTube videos / Amazon Prime and from time to time do basic image editing like changing image dimensions / file format or adding some text. Might the HC4 suit my needs?
  2. As long as any kind of flash memory is involved in the booting process and the flash memory is writable without an external programmer - I consider this setup unsafe. If any software can be loaded in front of the OS without my knowledge... (Thought process transferred to desktop computers: Who is checking his UEFI on a regular basis? All kinds of malicious software might get loaded - see https://security.stackexchange.com/questions/196746/how-can-you-reset-a-uefi-completely-in-case-of-a-firmware-infection https://www.bleepingcomputer.com/news/security/hp-patches-16-uefi-firmware-bugs-allowing-stealthy-malware-infections/ https://cooltechzone.com/news/windows-uefi-bootkit-might-be-infected-by-finspy-malware). It's only a matter of time before criminals catch up with really good hackers or state authorities and abuse hardware security flaws on a large scale imho. So while the chance of getting exploited on an SBC might be even smaller nowadays - I still want to keep my working environment as safe as possible. In fact I really wonder why only a few people around the world seem to care about their online safety - computers have become part of our lives and most of the hardware and software isn't safe by design. A serial programmable interface itself is fine. I just want a SoC/SBC that has no additional flash memory installed. Regarding the Pinebook Pro: This might be an option for me "to overlook" the insecurity introduced by the built-in SPI flash memory. But there is other firmware that can be altered through software-level access (which to my humble knowledge is a security risk). Isn't there any system that really is safe by design? I'm not talking about total safety. If you are a high-value target, drug kingpin and law enforcement agencies or state authorities are after you, they might just break into your flat or house silently and tamper with your hardware / bug your place whatsoever.
I just want to be safe from even the most experienced online crooks that might use any remote code execution exploit, privilege escalation, flash firmware / memory from the OS level and install their rootkit. Why is this attack vector open and why does nobody seem to care?
  3. I would love to use Armbian. I just mentioned that another OS would be okay as well if Armbian has any limitations regarding my goal of a write-protected setup. A regular encrypted volume doesn't solve my problem. I'm looking for a write-protected setup like a live distro - no write access to the Linux partition and no internal flash memory within the SBC. Does the Odroid C4 need any write access to the SD card after initial setup? If not, I might just install a live distro on the SD card and set the PERM_WRITE_PROTECT flag.
  4. What about setting the PERM_WRITE_PROTECT flag on the SD card after firmware, config files and the Linux live distribution are stored on the card's memory? - This could do the trick. https://forums.raspberrypi.com/viewtopic.php?p=1447783 a) Will a SoC like the Odroid C4 be able to load the firmware from a read-only / write-protected SD card? b) Will the device be able to boot a Linux live distro afterwards?
  5. Thank you very much for your precious time! You are right, the live distro and missing EEPROM/flash memory is mandatory because I have to handle a lot of passwords on my business machine that I type in by hand. Any keylogger or rootkit would result in having to change about a thousand passwords (which is a pain in the *** - I had to do this once). So I was thinking of a device that is loading the firmware and OS from a storage medium (SD card or USB stick / USB SSD). After installing firmware, setting up hardware and a live distro, I want to make the storage write-protected by using an adapter with h/w write-protect (as described here sdlocker or hardware write-protection sum up). When certain updates are needed I have to create a new live distro, copy it to the storage medium and h/w write-protect it afterwards. Just like a DVD live Linux works. However... I would need to be able to boot from USB this way. Any idea on how to achieve a real h/w write-protect when using eMMC as storage medium? Isn't there any SoC device that might suit my needs? No internal flash memory and USB boot capability? @NicoD Or does anyone know of a method to make an SD card write-protected by hardware without rerouting through USB? Imho the Odroid C4 could suit my needs well but it doesn't boot from USB. As far as I know it doesn't have EEPROM/flash memory and loads everything from attached storage media. And it should be powerful enough for 720p playback within the browser - Am I right? But how could I achieve real hardware write protection on this one? PS. I'm not tied to Armbian. I might as well use another Linux distro if necessary and I will have a look at the recommended videos from NicoD now.
  6. I wonder what the best desktop replacement might be. I'm in need of a stable and secure desktop replacement that is energy saving and capable of doing office work, browsing the web and even playing back videos from YouTube and Prime Video. 4K isn't necessary but I want at least 720p or 1080 fullscreen. If possible: No internal SPI / EEPROM / flash memory. I want the firmware to be loaded from a USB storage / SD card that gets hardware write-protected after the first setup. Like a live distro from DVD so that there is no risk of getting infected by rootkit / bad firmware ever. Most current-gen SoCs offer built-in flash memory. Older ones like Rock64, Pi3 and even the newer Odroid C4 don't seem to have built-in flash memory. Which might suit my needs. The Odroid C4 has been my favorite choice but a lot of people complained about several bugs and poor OS support in general - David L wrote: "It's now Jan 2021 and it's a shame that with this excellent hardware the OS situation is still very poor with many issues such as freezing regularly, black/frozen screens if the monitor goes into standby mode while you are away, and many more. There are manual fixes for some of them, but the level of OS support shouldn't still be this poor and left to users to identify fixes. It was the same with the U3 and (less so with the) C2, and unless HK provide more OS support, they will find people moving to other platforms (no matter how good their h/w is!)." Amazon Prime playback compatibility isn't necessary. Fullscreen YouTube 720p playback capability is mandatory. Being able to use a live distro is mandatory. I'm really looking forward to your suggestions. Best regards
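
As an added example (not part of the posts above and not code from Armbian or Hardkernel): a check that a card actually reports the PERM_WRITE_PROTECT flag raised in the posts, by decoding the 128-bit CSD register that Linux exposes in sysfs. The device name `mmcblk0` and the two sample CSD strings are assumptions constructed for illustration.

```python
# Added example: decode the write-protect bits of an SD/eMMC CSD register
# as exposed by Linux at /sys/block/<dev>/device/csd (32 hex digits).
import sys
from pathlib import Path

# Bit positions within the 128-bit CSD register.
COPY_BIT = 14
PERM_WRITE_PROTECT_BIT = 13
TMP_WRITE_PROTECT_BIT = 12

# Constructed sample values (not read from a real card): the same CSD
# with the permanent write-protect bit clear and set.
SAMPLE_UNPROTECTED = "400e00325b59000076b27f800a404013"
SAMPLE_PROTECTED = "400e00325b59000076b27f800a406013"


def parse_csd_protection(csd_hex: str) -> dict:
    """Return the CSD structure field and protection flags from 32 hex digits."""
    csd_hex = csd_hex.strip().lower()
    if len(csd_hex) != 32 or any(c not in "0123456789abcdef" for c in csd_hex):
        raise ValueError("expected 32 hex digits (128-bit CSD)")
    csd = int(csd_hex, 16)
    return {
        "csd_structure": (csd >> 126) & 0x3,  # bits 127:126
        "copy": bool((csd >> COPY_BIT) & 1),
        "perm_write_protect": bool((csd >> PERM_WRITE_PROTECT_BIT) & 1),
        "tmp_write_protect": bool((csd >> TMP_WRITE_PROTECT_BIT) & 1),
    }


def verdict(flags: dict) -> str:
    """Summarise which write protection, if any, the card reports."""
    if flags["perm_write_protect"]:
        return "permanent"
    if flags["tmp_write_protect"]:
        return "temporary"
    return "none"


def read_csd(device: str = "mmcblk0") -> str:
    # Assumed default device name; pass the card under test instead.
    return Path(f"/sys/block/{device}/device/csd").read_text()


if __name__ == "__main__":
    dev = sys.argv[1] if len(sys.argv) > 1 else "mmcblk0"
    flags = parse_csd_protection(read_csd(dev))
    print(dev, flags, "write protection:", verdict(flags))
```

A `temporary` result can be cleared again by software, so only `permanent` corresponds to the one-way setup described in the posts; in both cases the bit is reported and enforced by the card's own controller.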