BIOS/UEFI Settings
Overview
FortrOS nodes boot from UEFI firmware. The BIOS settings determine whether the hardware can run FortrOS at all (TPM, UEFI mode), how well it runs (virtualization, power management), and what attack surface exists (Secure Boot, AMT, PXE). This page covers every relevant setting category with FortrOS-specific recommendations.
The examples use Dell terminology (common in the target hardware range). Other vendors use different names for the same settings -- the concepts are universal.
Boot Configuration
UEFI vs Legacy (CSM)
Set to: UEFI only. FortrOS uses UEFI boot exclusively. The preboot UKI is an EFI application on the ESP. Legacy/CSM mode cannot load it.
If the BIOS offers "UEFI with CSM fallback," disable CSM entirely. Legacy option ROMs are an unnecessary attack surface and can interfere with Secure Boot.
Boot Order
Set to: disk only. The preboot UKI lives on the ESP. Once installed, every normal boot goes straight to disk. PXE is not in the boot sequence.
For initial provisioning, the admin triggers PXE manually (F12 on Dell, or equivalent boot menu key). After the preboot writes itself to ESP, the node never PXE boots again.
Why not PXE first? Every boot would query the network before trying disk. This adds latency (DHCP timeout on disconnected networks) and an attack surface (rogue PXE server could serve a malicious image). Disk- first is faster and safer.
Fastboot / POST Behavior
Set to: Thorough. Thorough POST probes all hardware, which is what FortrOS's hardware probe and disk-probe services expect. Quick/minimal POST may skip device enumeration and cause disks or NICs to not appear at boot.
Trusted Platform Module (TPM)
TPM Version
Required: TPM 2.0. FortrOS uses TPM 2.0 for:
- Storing preboot_secret (NV index, 64 bytes)
- Storing preboot Ed25519 signing key (NV index, 32 bytes)
- Future: PCR-sealed LUKS unlock (measured boot)
- Future: remote attestation
TPM 1.2 is not supported (different API, no SHA-256, limited NV storage). Most hardware from 2016+ has TPM 2.0. Intel vPro always includes it.
TPM Settings
Enable: TPM device, attestation, key storage, SHA-256.
Do not clear unless reprovisioning the node for a different org. Clearing the TPM destroys preboot_secret -- the node loses its identity and must re-enroll.
Platform Trust Technology (PTT) vs Discrete TPM
Intel PTT is a firmware TPM (fTPM) built into the CPU. It works for FortrOS but is less isolated than a discrete TPM chip. If the hardware has a discrete TPM, prefer it. If only PTT is available, it's acceptable.
PPI Bypass Options
Leave unchecked. Physical Presence Interface (PPI) requires someone to physically press a key during boot to authorize TPM operations (clear, enable, disable). Bypass options remove this requirement, allowing software to modify TPM state without physical presence. Keep PPI enabled as defense-in-depth.
Virtualization
VT-x (Intel Virtualization Technology)
Enable. Required for KVM. FortrOS nodes are VM hosts -- every workload runs in a cloud-hypervisor VM. Without VT-x, no VMs can start.
VT-d (Directed I/O / IOMMU)
Enable. Required for VFIO device passthrough (GPU, NVMe, USB controllers passed directly to VMs). Also used by cloud-hypervisor for DMA protection. Even if not passing through devices today, enable it -- there's no performance cost and it's needed for future workloads.
Intel TXT (Trusted Execution Technology)
Enable if available. TXT provides a measured launch environment for the boot chain. FortrOS can use it for remote attestation (proving to the org that the node booted the expected code). Not required for basic operation but valuable for high-security deployments.
SGX (Software Guard Extensions)
Leave as software controlled. SGX provides hardware enclaves for sensitive computation. FortrOS doesn't use SGX currently but may in the future for key management or confidential computing. Software-controlled means the OS can enable it if needed.
Storage
SATA Operation Mode
Set to: AHCI. AHCI gives direct access to drives with standard kernel drivers. The alternative (RAID On / Intel RST) interposes a proprietary RAID controller that requires vendor drivers and prevents Linux from seeing individual drives.
FortrOS handles redundancy at the org level (erasure coding across nodes), not at the hardware RAID level. AHCI is the clean path.
SMART Reporting
Enable. SMART data is used by disk-probe to monitor drive health and predict failures. The maintainer reports SMART status to the org for proactive shard migration before a drive dies.
NVMe Configuration
No special BIOS settings needed. NVMe drives appear as PCIe devices and are detected automatically by the kernel. Ensure the NVMe is visible in the BIOS device list -- if it's not, check for a BIOS update.
Network
PXE / Network Boot
Available but not in boot order. PXE should be enabled in the BIOS so the admin can trigger it manually (F12 boot menu) for initial provisioning. But it should NOT be in the automatic boot sequence.
On Dell: enable PXE under Network settings, but set boot order to disk only. The boot menu (F12) still offers PXE as a one-time option.
Wake on LAN (WoL)
Enable (LAN). WoL allows the org to power on nodes remotely via magic packet. Useful for:
- Waking hibernated nodes for maintenance
- Power management (shut down idle nodes, wake on demand)
- Disaster recovery (wake nodes after power outage)
Set to LAN only (not WLAN -- WiFi WoL is unreliable and wastes power).
Wireless (WLAN/Bluetooth)
Leave enabled unless the deployment is air-gapped. FortrOS doesn't use WiFi for the overlay network (WireGuard runs over ethernet) but WiFi may be needed for:
- Client VMs that need WiFi (passthrough via VFIO)
- Fallback internet connectivity
- Portable nodes (laptops)
Bluetooth is rarely needed for servers. Disable if reducing attack surface matters more than peripheral support.
Power Management
AC Recovery
Set to: Power On (for servers/always-on nodes) or Last State (for nodes that should respect the admin's power decision). Power Off means the node stays off after a power outage -- the admin must manually power it on or use WoL.
For homelab: Last State is usually best. For datacenter: Power On ensures nodes recover automatically.
SpeedStep / Speed Shift / Turbo Boost / C-States
Leave enabled (all). These are CPU power management features that reduce power consumption at idle and boost performance under load. FortrOS benefits from all of them:
- SpeedStep/Speed Shift: dynamic frequency scaling
- Turbo Boost: above-base-frequency bursts for short workloads
- C-States: deep CPU sleep states during idle
There is no performance benefit to disabling them for a VM host workload.
Deep Sleep (S4/S5)
Leave enabled. Allows the hardware to enter deep power-off states. FortrOS's hibernate flow uses S5 (power off) after writing the hibernate image. Without deep sleep, the node draws standby power unnecessarily.
USB Wake
Leave enabled. Allows keyboard/mouse to wake the node from sleep. Useful for desktop/kiosk deployments where a user needs to wake the machine by pressing a key.
Security
Secure Boot
Disable for initial setup. Enable once signing chain is established.
Secure Boot verifies that the bootloader (our preboot UKI) is signed by a trusted key. For initial bring-up, disable it so we can boot unsigned images. Once the org's signing key is enrolled in the UEFI key database, re-enable Secure Boot.
When re-enabling:
- Do not clear existing keys (Microsoft/Dell). Firmware drivers (NVMe, GOP, network) are signed with these keys. Clearing them can prevent the firmware from loading its own drivers.
- Add the org's signing key to DB (append, not replace)
- Sign the preboot UKI with the org key
- High-security orgs that want full key sovereignty: see Pending Design Topics#Secure Boot Key Management
Secure Boot Mode
Dell shows "Deployed Mode" (normal) vs "Audit Mode" (logs violations but doesn't enforce) vs "Setup Mode" (allows key enrollment without auth).
For initial setup: Secure Boot OFF is sufficient. For enrollment later: put into Setup Mode temporarily to add org key.
Admin/BIOS Password
Per-org decision. FortrOS doesn't dictate BIOS passwords. Options:
- No password (homelab, physical access is trusted)
- Per-node password (managed by admin, stored in org secrets)
- Derived password (deterministic from org + node identity)
A dead org with derived BIOS passwords means locked hardware. Consider this tradeoff carefully.
SMM Security Mitigation
Leave disabled for now. System Management Mode (SMM) mitigation hardens against SMM-based attacks (firmware rootkits). It can cause compatibility issues with some hardware. Enable later once the node is stable.
Absolute (Computrace/LoJack)
Awareness only. Absolute is Dell's theft tracking firmware agent. It persists in the BIOS and can survive OS reinstalls. It's not harmful to FortrOS but it is a pre-installed firmware agent that phones home. For high-security deployments, disable it. For homelab, ignore it.
Intel AMT / vPro
Management Engine (ME)
Intel AMT provides out-of-band management: remote power on/off, remote console (KVM over IP), hardware inventory -- all independent of the OS. FortrOS can use AMT for:
- Remote power management (wake/sleep/reboot nodes)
- Console access when the OS is unresponsive
- Hardware health monitoring
MEBx Password
The Management Engine BIOS Extension has its own password, separate from
the BIOS admin password. Default on Dell is often admin. If accessible:
change it immediately. AMT with default credentials is a remote backdoor.
If the MEBx password is unknown (previous owner, locked), skip AMT configuration for now. AMT is valuable but not on the critical path.
AMT Provisioning
AMT can be provisioned from:
- MEBx (manual, during boot)
- OS-based provisioning (if "USB Provision" or OS provisioning is enabled)
- Remote configuration server
For FortrOS: leave AMT enabled in BIOS but don't configure it until the org's out-of-band management strategy is defined. The "restrict MEBx Access" option prevents AMT configuration from the OS, which is a good security default once AMT is set up.
Recommended Settings Summary
| Setting | Value | Why |
|---|---|---|
| Boot mode | UEFI only | FortrOS requires UEFI |
| Boot order | Disk only | PXE via F12 when needed |
| Fastboot | Thorough | Full hardware probe |
| TPM 2.0 | Enabled | Identity storage |
| VT-x | Enabled | KVM host |
| VT-d | Enabled | VFIO passthrough |
| SATA mode | AHCI | Direct drive access |
| SMART | Enabled | Health monitoring |
| PXE | Available, not in boot order | Manual provisioning |
| WoL | LAN | Remote power management |
| Secure Boot | OFF (for now) | Enable after signing chain |
| AC Recovery | Last State or Power On | Per deployment |
| AMT | Enabled, unconfigured | Future use |
Links
- 01 Power and Firmware -- Boot chain overview
- TPM -- TPM usage in FortrOS
- UEFI -- ESP and firmware interaction
- Out-of-Band Management -- AMT/IPMI for remote management
- Pending Design Topics -- Secure Boot key management for sovereign orgs