diff --git a/system/machine/T400/boot-bios.nix b/system/machine/T400/boot-bios.nix
new file mode 100644
index 0000000..01fcc8c
--- /dev/null
+++ b/system/machine/T400/boot-bios.nix
@@ -0,0 +1,11 @@
+# Boot via legacy BIOS -- the stock Lenovo BIOS, or coreboot with the SeaBIOS
+# payload (both present a legacy BIOS interface). GRUB is installed to the MBR of
+# the boot disk. This is the default.
+{ ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    # Must point at the actual install disk -- adjust if it is not /dev/sda.
+    device = "/dev/sda";
+  };
+}
diff --git a/system/machine/T400/boot-coreboot-grub.nix b/system/machine/T400/boot-coreboot-grub.nix
new file mode 100644
index 0000000..ba5a6ab
--- /dev/null
+++ b/system/machine/T400/boot-coreboot-grub.nix
@@ -0,0 +1,13 @@
+# Boot via coreboot's GRUB payload (e.g. libreboot default). The GRUB in the
+# flash chip reads the grub.cfg that NixOS generates on disk, so GRUB here is
+# config-only -- it is NOT installed to any disk MBR (`device = "nodev"`).
+#
+# Your coreboot grub.cfg must locate and load the on-disk config, e.g. search
+# for and `configfile` /boot/grub/grub.cfg (or chainload the disk's GRUB).
+{ ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    device = "nodev";
+  };
+}
diff --git a/system/machine/T400/boot-coreboot-uefi.nix b/system/machine/T400/boot-coreboot-uefi.nix
new file mode 100644
index 0000000..2c65608
--- /dev/null
+++ b/system/machine/T400/boot-coreboot-uefi.nix
@@ -0,0 +1,17 @@
+# Boot via coreboot's Tianocore/edk2 (UEFI) payload. This turns the T400 into a
+# real UEFI machine, so use systemd-boot. Unlike Apple's firmware, coreboot's
+# UEFI honours EFI variable writes, so canTouchEfiVariables is on.
+#
+# Requires an EFI System Partition. It is declared here so it travels with this
+# boot mode; the generated hardware-configuration.nix should NOT also define
+# /boot. Label the ESP `ESP` at install, or replace with the generated UUID.
+{ ... }:
+{
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/ESP";
+    fsType = "vfat";
+  };
+}
diff --git a/system/machine/T400/configuration.nix b/system/machine/T400/configuration.nix
index b941349..2180ce9 100644
--- a/system/machine/T400/configuration.nix
+++ b/system/machine/T400/configuration.nix
@@ -5,15 +5,14 @@
 {
   imports = [
     ./hardware-configuration.nix
+    # Boot: import exactly ONE, matching the firmware currently flashed.
+    # Stock Lenovo BIOS and coreboot+SeaBIOS both use boot-bios.nix.
+    ./boot-bios.nix
+    # ./boot-coreboot-grub.nix # coreboot with the GRUB payload (config-only GRUB)
+    # ./boot-coreboot-uefi.nix # coreboot with the Tianocore/edk2 UEFI payload
+    #                          #   (systemd-boot; carries its own ESP mount)
   ];
 
-  # The T400 is legacy BIOS only (no UEFI), so boot via GRUB in BIOS mode.
-  # `device` must point at the actual install disk -- adjust if it is not /dev/sda.
-  boot.loader.grub = {
-    enable = true;
-    device = "/dev/sda";
-  };
-
   networking.hostName = "T400-NixOS";
 
   console.font = "Lat2-Terminus16";
@@ -32,12 +31,23 @@
   # lets swaylock authenticate via password.
   security.pam.services.swaylock = { };
 
-  # Intel Core 2 (Penryn) microcode + redistributable firmware for the Intel
-  # WiFi Link 5100/5300 iwlwifi blobs. The GMA 4500MHD works out of the box via
-  # i915/KMS, so no extra graphics config is needed.
+  # Intel Core 2 (Penryn) microcode + redistributable firmware. The latter also
+  # supplies the iwlwifi blobs (Intel WiFi Link 5100/5300) and the radeon
+  # firmware needed by the discrete GPU below.
   hardware.cpu.intel.updateMicrocode = true;
   hardware.enableRedistributableFirmware = true;
 
+  # This T400 has the optional discrete GPU fitted: an ATI Mobility Radeon HD
+  # 3470 (RV620), driven by the open `radeon` KMS driver. Load it in the initrd
+  # for early modesetting (clean Sway/Wayland start); firmware comes from
+  # enableRedistributableFirmware above.
+  #
+  # The T400 has switchable graphics (this discrete GPU + the Intel GMA
+  # 4500MHD). Select "Discrete" in the firmware's graphics setting so only the
+  # ATI is live; if you instead run "Integrated", the Intel i915 driver takes
+  # over with no extra config and `radeon` simply stays idle.
+  boot.initrd.kernelModules = [ "radeon" ];
+
   # See `man configuration.nix` / the stateVersion docs before changing.
   system.stateVersion = "26.05";
 }