RYF is clear that any software that can be updated using the CPU must be free software. Our (Purism’s) interpretation is that it does not force a requirement that firmware cannot be upgraded out-of-band from the CPU, or external to regular software updates.
We designed the Librem 5 based on RYF requirements, believe we comply fully, and are in the process of getting certification. In addition to that requirement, we also believe a user should have freedom over their hardware similar to Freedom 0 (that one should be able to use free software for any purpose). As applied to hardware, this means that we do not institute any kind of write-lock or burnt fuses that would prevent the owner of the hardware from reflashing it with whatever firmware (new or otherwise) they choose.
This is significant because burning fuses on firmware is sometimes used as a security control, so attackers can’t overwrite it with malicious software. Yet it is also often used as a control to prevent legitimate users from “rooting” their devices and installing third-party firmware or software of their choice. In fact, I’d argue many companies are using the security control more as marketing cover when the real reason behind burnt fuses is to give the vendor tighter control over the hardware at the expense of user freedom.
Beyond that, preventing out-of-band reflashing of firmware would also prevent us from offering a free software alternative to the proprietary firmware to be reflashed later on if we were able to develop it in the future. This isn’t far-fetched either, as we have done exactly this with coreboot and PureBoot firmware on our laptops.