Dell Bios Security Settings - compatibility with Fedora

I am pretty security/privacy conscious, but lack technical knowledge. Not a good combination I know only too well!

I was looking in the BIOS settings on my Dell 5420 laptop, and saw a lot of options under security. Is it best to avoid trying these in case of messing up Fedora?

Intel TME - sounds good, encrypt RAM to protect against physical/malware attacks. It’s off, wondering about turning on.

BIOS password - I see loads of passwords all disabled in my BIOS/Security area. Should I at least have a BIOS password, maybe some of the other ‘admin’ and ‘setup’ passwords? I could just use my drive encryption key (which I have to enter every boot anyway), and add some security. Sounds sensible to add security where it’s available, but thought I’d check first before I do something I regret!


My choice is to not use them since I seldom travel.

BIOS passwords are great, but are also a major burden.

If you do a lot of traveling the BIOS password is great security should the laptop get misplaced/stolen. If not traveling and the laptop is always at home then a password is probably not necessary.

The biggest problem is that if you ever lose the BIOS password then the laptop is likely toast. If you sell or give it away and you fail to remove the password or the new owner does not have your password the laptop is likely toast.

You certainly may use the password, but be aware of the risks.

Most have 2 passwords. One for booting and one for admin and they serve different purposes when set. The boot password must be used every time you power on or reboot. The admin password must be used when you wish to make any changes in the BIOS settings.


Thanks very much Jeff. I have no concerns about losing/forgetting password so I might give it a go.

I noticed more than 2 passwords in my BIOS, in fact I think it was 4, but definitely at least 3.

The last one was ‘BIOS password’, which I assume is only needed when entering the BIOS. The Admin one seemed for something else, it isn’t explained very well, and didn’t impress me that Dell has badly formed English in the BIOS!

I am a big fan of security and privacy. I recommend using the security features of what you have. For example, VPN solutions keep no logs so privacy is enhanced. I do not like it that others can poke around my stuff whether legally or illegally so I gladly endure loss of ease-of-use in favor of enhanced privacy/security. There are plenty of papers delving into why this is highly desirable and in many environments mandatory. Increased privacy is healthier to boot!

For UEFI access (why is it still called BIOS?) I just set the admin password as I am the only user. Dell has a master password that I disable before setting the admin password so Dell can no longer recover access in the event of a lost password. I also purchase Dell laptops with Intel ME disabled.

For secureboot I would like to delete the “trusted signers” Dell ships and only use what is under my control but I am not confident in what that does when it comes time to update firmware so I have not done it yet.

So, Intel Bootguard to test UEFI, secureboot to test shim, fedora signatures to test grub and kernels and no way to change this without the admin password. I am looking forward to the whole measured boot process being implemented.

Currently I am working out how to bootc with the ESP on an sdcard (and kernels/initrds also on the ESP) and internal storage LUKS encrypted with the detached headers on the sdcard as well. Way too much to explain here.
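A read-only way to see, from a running Fedora system, which of the protections discussed in this thread are actually in effect (Secure Boot, the kernel lockdown that accompanies it, and Intel TME). This is an added example, not part of any post in the thread; the function names and the `check-firmware.sh` file name are hypothetical, and the TME check assumes the kernel's `x86/tme:` boot messages.

```bash
# Added example: read-only checks, nothing on the system is changed.

# Standard UEFI SecureBoot variable; in efivarfs it is 4 attribute bytes + 1 data byte.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Prints enabled | disabled | unknown (legacy boot or efivarfs not readable).
secure_boot_state() {
    var="${1:-$SB_VAR}"
    [ -r "$var" ] || { echo unknown; return 0; }
    case "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' \n')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Prints the active kernel lockdown mode (the bracketed word), or unknown.
lockdown_mode() {
    file="${1:-/sys/kernel/security/lockdown}"
    [ -r "$file" ] || { echo unknown; return 0; }
    mode=$(sed -n 's/.*\[\(.*\)\].*/\1/p' "$file")
    echo "${mode:-unknown}"
}

# Reads kernel log text on stdin; prints activated | not-activated | unknown.
# Assumption: the kernel logs "x86/tme: ..." lines at boot.
tme_state() {
    case "$(cat)" in
        *"x86/tme: enabled by BIOS"*) echo activated ;;
        *"x86/tme: not enabled by BIOS"*) echo not-activated ;;
        *) echo unknown ;;
    esac
}

# Prints one line per protection; "unknown" means the source could not be read.
firmware_report() {
    echo "Secure Boot:     $(secure_boot_state)"
    echo "Kernel lockdown: $(lockdown_mode)"
    echo "Intel TME:       $(journalctl -k -b 2>/dev/null | tme_state)"
}

# Run as: bash check-firmware.sh report   (hypothetical file name)
if [ "${1:-}" = report ]; then firmware_report; fi
```

Reading the kernel log through `journalctl -k` may require root or membership of a group allowed to read the system journal; without it the TME line reports `unknown`.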

You can get a bit better understanding in Dell articles.

It is still the same identifying name and function as before UEFI was developed. Basic Input Output System (BIOS) is the bootstrap hardware startup software to cold start the system.


Historically, BIOS was the device drivers for MS-DOS and CP/M.

I was working at Intel when EFI ran on its first target platform: Merced. I remember how at the time EFI was billed as not being BIOS. When UEFI started showing up in x86 PCs it was also strongly distinguished as not being BIOS. Manufacturers like Dell loved UEFI and over time, it replaced all the MSDOS based manufacturing tools that relied on BIOS. UEFI in all respects is MUCH better than BIOS. But Dell today refers to UEFI as BIOS. They gave in to the pressure to misuse technical jargon from marketing wizards if I had my guess. I embrace technical evolution and refuse to rationalize away convenient misapplication of terms :-)