DELL-Cares (Moderator)
October 10th, 2021 02:00
We tried reaching you on a private message asking for the Service Tag number to ascertain the warranty but did not receive a response. Please feel free to reply to the private message whenever you are available.
jphughan
October 10th, 2021 05:00
@_jeffd_ On all the Dell systems I’ve used for years now, if you uncheck the checkbox next to any options in the BIOS Setup boot list that you don’t want available and then set an admin password, you’ll need to provide the admin password to select those options in the F12 menu. Do you not have checkboxes next to the boot options?
_jeffd_
October 12th, 2021 07:00
@jphughan It's really odd. What you describe does indeed hold true so long as the device (Latitude E5540 in this case) has the boot mode set to LEGACY -- uncheck a 'Boot Sequence' entry in setup with an admin password set and it will show in the F12 menu with an asterisk/require a password. I too am accustomed to this behaviour, having supported Dells for many years. It even applies to any bootable UEFI devices detected (e.g. bootable USB flash drive, onboard NIC with the UEFI network stack/PXE enabled, etc.) -- they too will be marked with an asterisk/require a password. So long as the boot mode = LEGACY.
As soon as I reconfigure the device to the desired state with the boot mode = UEFI and Secure Boot = Enabled (requires Legacy Option ROMs = Disabled), the F12 boot menu is now wide open. Admin password is still set, but no asterisk/password required -- I can UEFI boot from any available device. And in this mode, the check boxes in setup re: boot devices only show while the undesired device is connected, so I can't blanket-disable, say, all USB or CD-ROM devices out of the gates.
jphughan
October 12th, 2021 08:00
@_jeffd_ Interesting find. Thinking back myself now, I guess I never tried the "admin password boot menu lockdown" method on a system that was configured for UEFI booting. As to why that isn't possible on a UEFI system, it might be because the options presented in the F12 menu are those that are defined in the BIOS Setup (which would require an admin password to modify anyway) and then any boot options discovered based on the presence of a bootloader file at \EFI\Boot\Bootx64.efi on a partition readable by the UEFI firmware. So whereas the Legacy boot mode has a "Boot from USB" option, that doesn't exist in the same way for UEFI. That's not to say that it couldn't -- I imagine it would be possible to say "Hide or lock down any discovered options that reside on USB-attached media" -- but perhaps Dell simply hasn't done that. I remember discovering years ago that Dell systems did not support setting HDD passwords on M.2 NVMe SSDs, even though M.2 SATA was fine. Other systems were capable of doing that, but for whatever reason, Dell systems didn't have that capability. (Not sure if that's changed.)
In terms of whether to use Legacy and a locked down boot menu or UEFI and Secure Boot, that's a difficult choice because those security measures are designed to protect against completely different threat models, so they're not interchangeable, nor is one "better" than the other. But sooner or later you'll be forced to use UEFI anyway. Starting with the Latitude xx90 models, for example, Legacy boot is only available when booting from external devices. Booting from internal storage can only be done in UEFI mode. And Intel announced in 2017 that their CPUs would drop support for Legacy boot in 2020, although I don't know if that actually happened.
_jeffd_
October 12th, 2021 09:00
@jphughan Yeah, it's definitely an interesting one. I've seen oddities before, but typically on older devices with early CSM implementations of UEFI. For what it's worth, the Latitude E5450 seems to behave the same as the E5540. Newer models like the xx90 are fine as they offer the 'UEFI Boot Path Security' option in setup that can be set to 'Always, Except Internal HDD', which will require a password for any other bootable device that's detected. So, UEFI is a non-issue on newer stuff. I suppose I'll have to decide how I want to handle these two Latitude models...
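As an added illustration (not code from the thread, from Dell, or from either poster), the Python model below encodes the three F12 lockdown regimes the posts describe: Legacy mode with an admin password, UEFI mode on the E5540/E5450 where no lockdown option exists, and UEFI mode on the xx90 with 'UEFI Boot Path Security' set to 'Always, Except Internal HDD'. The class names, device labels and sample inventory are constructed; the point is to compute, for a given fleet configuration, which external boot paths remain reachable from the F12 menu without the admin password.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence
# Constructed model of the F12 behaviour reported in the thread; class names,
# device labels and the sample inventory are illustrative, not Dell's.

@dataclass(frozen=True)
class Firmware:
    boot_mode: str                  # "LEGACY" or "UEFI"
    admin_password: bool            # BIOS admin password set in Setup
    disabled_entries: frozenset     # 'Boot Sequence' entries unchecked in Setup
    uefi_boot_path_security: Optional[str] = None  # None: option absent (E5540/E5450)

@dataclass(frozen=True)
class BootCandidate:
    name: str
    internal: bool                  # internal HDD/SSD vs. USB, optical, PXE
    fallback_loader: bool = True    # \EFI\Boot\Bootx64.efi readable by the firmware

def f12_menu(fw: Firmware, candidates: Sequence[BootCandidate]) -> Dict[str, bool]:
    """Map each F12 menu entry to whether selecting it needs the admin password."""
    menu = {}
    for c in candidates:
        # UEFI firmware only offers Setup-defined entries and media with the fallback loader
        if fw.boot_mode == "UEFI" and not c.fallback_loader:
            continue
        if not fw.admin_password:
            locked = False            # nothing to prompt for
        elif fw.boot_mode == "LEGACY":
            # Unchecked entries and any detected external device show the asterisk
            locked = c.name in fw.disabled_entries or not c.internal
        elif fw.uefi_boot_path_security is None:
            locked = False            # E5540/E5450: UEFI menu is wide open
        elif fw.uefi_boot_path_security == "Always, Except Internal HDD":
            locked = not c.internal   # xx90 behaviour
        else:
            raise ValueError(f"unmodelled setting: {fw.uefi_boot_path_security!r}")
        menu[c.name] = locked
    return menu

def unprotected_external(fw: Firmware, candidates: Sequence[BootCandidate]) -> List[str]:
    """External boot paths usable from the F12 menu without the admin password."""
    menu = f12_menu(fw, candidates)
    return sorted(c.name for c in candidates if c.name in menu and not menu[c.name] and not c.internal)

# Constructed sample inventory and the three configurations discussed above
INVENTORY = (BootCandidate("Internal HDD", internal=True),
             BootCandidate("USB Storage Device", internal=False),
             BootCandidate("Onboard NIC (PXE)", internal=False))
E5540_LEGACY = Firmware("LEGACY", True, frozenset({"USB Storage Device"}))
E5540_UEFI = Firmware("UEFI", True, frozenset())
XX90_UEFI = Firmware("UEFI", True, frozenset(), "Always, Except Internal HDD")
```

Running `unprotected_external` over the three configurations reproduces the thread's finding: the E5540 in UEFI mode leaves both external paths open, while the Legacy lockdown and the xx90 option leave none.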