Linux Foundation Workstation Hardening
Linux Foundations guide on Workstation Hardening
UEFI boot mode is used (not legacy BIOS) (ESSENTIAL)
Password is required to enter UEFI configuration (ESSENTIAL)
SecureBoot is enabled (ESSENTIAL)
UEFI-level password is required to boot the system (NICE)
Good Freaking lord! And I would wager that they need to be different passwords, 8-16 characters using the following
That makes my brain hurt.
Of course UEFI comes with its own risks, as we have recently seen, so it is more imperative that you trust your hardware maker when using UEFI. Not that trusting them wasn't always essential, but their toolkits for being naughty have expanded.