Recommended BIOS setting for Intel platform

Hello,

I guess it could be a noob question but I’m indeed not very knowledgeable here and I haven’t seen any doc on that.

Bear with me.
I know that there are requirements listed on the Sculpt OS page, those are simple, but my question is more about recommendations on all the fancy words I see in my BIOS.

I have these set already on my PC, no worries, not a sloppy reader here.

  • VT-d enabled
  • VT-x enabled (aka Intel (VMX) Virtualization, aka Intel Virtualization Technology)
  • Boot from USB enabled
  • UEFI boot enabled
  • UEFI secure boot disabled

And since we are talking about a secure OS, I’d like to have some recommendations for the following settings in my BIOS (probably common to all Intels) for both the Nova and HW kernels.
In particular from stability and security view point for Sculpt OS.

Of course each BIOS has its own layout and it’s impossible to have a common map for all, but there’s a number of features that are kinda a mystery in terms of security and reliability.

TPM Device Selection (aka Trusted Computing).
What is safer: to disable or enable it? What is better for stability?
Sometimes it has an additional setting for ME Operation Mode (that’s kinda a backdoor from Intel, right?)

APM (Advanced Power Management)
Looks like directly connected with the sleep/standby features. I wonder if this is relevant to the Sculpt OS?

  • CEC Ready
  • Energy Star Ready
  • ErP Ready

ASPM (Active State Power Management)
These are confusingly spread over different submenus and for different subsystems (PCH - PCI Express, SA - PCI Express) and include these options (not sure all are connected to it though)

  • Native ASPM (aka PCI Express Native Power Management?)
  • DMI Link ASPM Control
  • PCH DMI ASPM
  • ASPM
  • L1 Substates
  • PCI Express Clock Gating
  • PEG - ASPM

CPU Configurations
These I believe are very important and have a direct impact on the system security, stability and performance

  • Software Guard Extensions (SGX)
  • Tcc Offset Time Window
  • Hardware Prefetcher
  • Adjacent Cache Line Prefetch
  • Hyper-Threading (I heard it’s safer to disable it to avoid side-channel attacks?)
  • MonitorMWait

CPU Power
These I believe are very important and have a direct impact on the system stability and performance

  • Intel(R) SpeedStep™
  • Intel(R) Speed Shift Technology
  • Intel(R) Turbo Boost Max Technology 3.0
    • Runtime SMM Polling
    • Turbo Mode
  • CPU C-States
  • Dual Tau Boost
  • CFG Lock

PCH Storage
This I believe is specific to the storage devices and I wonder if these are relevant to or supported by Sculpt OS? And how do they affect the stability/performance?

  • Aggressive LPM Support
  • SATA Hot Plug

Overall I feel it would be really helpful to have kinda a cheat sheet for BIOS settings with their relevance for Sculpt OS (Nova and HW) and recommendations for each feature.

I spent a couple of hours trying to figure that out with AI agents, but it looks like practical security/stability info is so scarce and scattered that they can’t give reliable suggestions.
And when trying to apply it to Sculpt OS they just hallucinate without making much sense.

1 Like

One thing I may have missed: Is the system actually booting at present?

If it works I would probably not worry too much. I generally feel there is no harm in having most optional features set to default (usually on) even though the OS probably won’t use them. Secure boot I think will prevent the computer from booting anything that’s not the installed Windows, so you probably want that last box in the first list checked.

My systems?
Yeah they are booting and run ok.

My question is more on the security side here + stability tips.
If an app may break free by exploiting one of those features without the Ring 0 access level, then all the Genode isolation measures are useless.

E.g. I heard about side channel attacks that exploit physics and HT vulnerabilities on a lower level than OS controls.
Same, I heard about the Intel ME device that is de facto a PC inside a PC, invisible to the OS, with its own network stack and sometimes even with a web server on board :exploding_head:

Maybe it’s more on the tin-foil-hat side, but still it would be useful to know how to prepare a solid hardware foundation for Sculpt OS. So it will actually be the biggest security improvement possible rather than a shiny metal door on cardboard walls with plastic hinges :sweat_smile:

I tend to put a lot of these things in the category of stuff that you will really have to be handling other people’s confidential data, or otherwise be a particularly high-value target for espionage, before having to worry about.

The other thought that occurred to me, and probably most important, is simply to ensure your firmware (BIOS) is the latest version.