Securing BIOS

Before doing anything else, ensure the BIOS is secured with a password so that unwanted technical individuals cannot do something nasty, such as changing the first-boot order or tampering with the hardware system configuration (e.g. clock, I/O, etc.). This section guides you through securing the BIOS.

Identified Threats

A number of threats have been identified that securing the BIOS defends against.

(T-01) - BIOS Cross-Bootloading

Although Linux allows cross-bootloading, securing the Debian OS while leaving the bootloader configuration exposed is a no-go. An attacker can easily change the bootloader to cross-boot your system and attack your operating system right at the BIOS and bootloader level.

Action Required

Here are some things you can do to secure against the mentioned threats. However, keep in mind that tools are readily available to extract confidential information from the BIOS. Hence, you must not rely solely on these actions to counter the issue.

Set BIOS Master Password

Setting a master password at the BIOS level makes it harder for attackers to change hardware-level system configuration, including the boot medium and boot order.

Identify Boot Medium and Disable Unused Boot Options

Boot options should be configured properly. Depending on the BIOS, disable unused boot options such as USB, SD and eMMC whenever possible; some BIOSes offer such options.
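
The check below is an added example, not part of the original guide. It assumes a Debian system that boots through UEFI firmware with `efibootmgr` installed (the guide itself says only "BIOS"), reads `efibootmgr -v` output, and reports boot entries for USB, SD, eMMC or network devices that are still active or sit first in the boot order. The function name `audit_boot_entries` and the sample output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit UEFI boot entries for removable/network boot options.
# Reads `efibootmgr -v` output on stdin, prints one line per finding,
# returns 1 if anything was found and 0 if the boot list is clean.

# Constructed sample in the shape of `efibootmgr -v` output (not from a real host).
SAMPLE_EFIBOOTMGR='BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0002,0000,0003
Boot0000* debian HD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\EFI\debian\shimx64.efi)
Boot0002* UEFI: USB Stick PciRoot(0x0)/Pci(0x14,0x0)/USB(2,0)
Boot0003  UEFI: PXE IPv4 PciRoot(0x0)/Pci(0x1f,0x6)/MAC(aabbccddeeff,0)/IPv4(0.0.0.0)
Boot0004* SD Card PciRoot(0x0)/Pci(0x1c,0x0)/SD(0)'

audit_boot_entries() {
    awk '
    BEGIN { bad = 0 }
    # Remember which entry the firmware tries first.
    /^BootOrder:/ { split($2, order, ","); first = order[1]; next }
    # Entry lines look like "Boot0002* label device-path"; "*" marks an active entry.
    /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
        id = substr($0, 5, 4)
        active = (substr($0, 9, 1) == "*")
        kind = ""
        # Classify by the UEFI device-path node that names the medium.
        if      ($0 ~ "[/ \t]USB\\(")  kind = "USB"
        else if ($0 ~ "[/ \t]SD\\(")   kind = "SD"
        else if ($0 ~ "[/ \t]eMMC\\(") kind = "eMMC"
        else if ($0 ~ "[/ \t]MAC\\(")  kind = "network"
        kinds[id] = kind
        if (active && kind != "") {
            print "ACTIVE " kind " entry: Boot" id
            bad = 1
        }
    }
    END {
        # A removable or network device at the head of BootOrder boots before the disk.
        if (first != "" && kinds[first] != "") {
            print "FIRST in BootOrder is " kinds[first] ": Boot" first
            bad = 1
        }
        exit bad
    }'
}

# Offline demo on the constructed sample: ./script.sh --demo
# Live use: efibootmgr -v | audit_boot_entries
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_EFIBOOTMGR" | audit_boot_entries || true
fi
```

Findings from this check show which options still need to be disabled in the firmware setup screen; the firmware password is what keeps the entries from being re-enabled there.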

That's all for securing BIOS.