BIOS security settings

Over the years, I've given people advice over some settings in their laptop's BIOS they might want to tweak for security purposes.

I believe that many consumer devices ship with the secure settings (though I have none to test myself), but I know that at least some companies request custom configuration. As a consequence, I will list settings that I suggest to modify to improve security, and figured I might as well publish this, also so that I remember everything myself when I get a new laptop.

Note that this overview is for the 2018 series of Lenovo ThinkPad BIOS. Your device might not have all these settings, or they might be located at different places in the menu.

Security -> Secure Boot -> Secure Boot

Unless you have specific reasons not to, set this to Enabled. It works out-of-the-box on various Linux distributions these days (among which Fedora, Red Hat Enterprise Linux and Ubuntu), and protects you against various flaws. If you require out-of-tree kernel modules (e.g. Nvidia drivers), those will be blocked from running, and I'll write a blog post on how to fix that.

Make sure as well that Platform Mode is in User Mode and Secure Boot Mode is Standard Mode. This means that Secure Boot is enforcing with the default keyset (you can enroll your own keys, but I'll document this in a later blog post). If any of these is different, you can reset them by selecting Restore Factory Keys.

Startup -> UEFI/Legacy Boot

This should be set to UEFI Only, but enabling Secure Boot will force it to this.

NOTE: If you change this after installation of your OS, you might need to reinstall or go through a complicated procedure to switch from legacy boot to UEFI. Do this before install or reinstall.

Config -> ThunderBolt 3 -> Security Level

You definitely want to set this to Secure connect or DisplayPort and USB3 only (though in the latter case, you lose functionality). ThunderBolt 3 is basically PCIe over a wire. PCIe devices can get direct access to your memory. The Secure Connect mechanism makes sure that when you connect a new ThunderBolt device (e.g. a dock), your OS will request permission to authorize the device, and then exchange a cryptographic key. On further connections, the device will need to prove that it is actually the same (i.e. not spoofing a previously-approved serial number) by responding to a security challenge.

Note: this means that docking stations or other devices only work after the device has booted far enough to load the crypto database in Linux, which happens after LUKS passphrase prompts (for now, this is being fixed I believe).

Config -> Intel AMT -> Intel AMT Control

You will probably want to set this one to Disabled, unless you're working for an employer that uses the Intel AMT features. They allow remote control of your device, and if your employer (or you) don't use it, disabling it might (maybe?) protect you from some of the vulnerabilities found in it.

Security -> Password -> Supervisor password

I would suggest to configure a Supervisor password, because this has implications with the further settings.

Security -> Password -> Lock UEFI BIOS Settings

Enabling this requires entering the supervisor password to change BIOS settings, and thus deters/protects against people trying to revert the settings you're currently tweaking.

Security -> Security Chip -> Security Chip

Setting this to Enabled allows you to use the TPM built-in to your device. You might have options between Firmware TPM and Discrete TPM, either one should enable a TPM. I might at some point write more about how to use the TPM.

Security -> UEFI BIOS Update Option -> Secure RollBack Prevention

Setting this to Enabled will protect against someone downgrading the BIOS on your device. If for some reason you need to, you can always disable it again.

Security -> Memory Protection -> Execution Prevention

Setting this to Enabled allows the OS to protect against some attacks by making memory non-executable.

Security -> Internal Device Access -> {Bottom Cover, Internal Storage} Tamper Detection

Setting these options to Enabled means that if the system detects tampering with the bottom cover or internal storage (e.g. opening it up), the next boot requires entering the Supervisor password (you set this one up, right?) before continuing booting. This would mean you get informed if someone tampered with the enclosure of your device.

Security -> Anti-Theft > * -> Current setting

Unless you or your employer is actively using one of the supported anti-theft solutions in your BIOS, I would strongly suggest to set these to Disabled. Some of these have somewhat ugly mechanisms to restore control even after a reinstall of the device, and they won't actually do anything unless you enroll in their service and configure them (which requires running Windows).

Startup -> Boot Order Lock

While this option might improve security of your system somewhat, I would strongly suggest to keep this to Disabled because of the confusion this might cause. If this is set to Enabled, a Linux installation will work fine, but be unable to persistently record itself to the boot order. This means that the install finishes succesfully, but on reboot ... There's no boot entry ...

Instead, I would suggest to change the Boot Order to disable all entries except for your primary OS after installation, and then protect the OS bootloader (a future blog post will describe how to protect your system after the BIOS).

Conclusion

I hope that this list was useful to at least some people. If you know of any settings that I've forgotten, or any other remarks, feel free to comment or drop me an email.

Infra Hackfest