edit: I was able to pass HSI L2.
I had to run sudo grubby --update-kernel=ALL --args="intel_iommu=on"
in addition to enabling execution prevention in the BIOS.
I’ll try to get as many HSI 3 checks passed, but they look kinda complicated and I’m unlikely to pass them all.