FDE and Custom Keys Secure Boot on Fedora Questions - FW 13 Intel Core Ultra

Hello,

I recently purchased a brand new Framework Laptop 13 with the Intel® Core™ Ultra Series 1. I haven’t even turned it on yet. It is DIY, so I have my own hard drive and RAM in it. I know that I want to use Fedora as the operating system, but I would also like to increase its security and usability in the following ways:

  1. Full Disk Encryption (with single password sign-in by bypassing additional passphrase prompt using the TPM2 Method)
  2. UEFI secure boot with a custom key (including removing the Microsoft keys)
  3. Add Snapshot and Rollback Support

I located these two guides, which in theory together should allow me to do what I am looking for:

Questions:

  1. Should I set up the secure boot with custom keys before or after setting up FDE?
  2. Is there anything I need to check on / know about before I would remove the Microsoft keys to make sure I don’t brick my computer? Is there any functionality that I may lose by removing them? (I will not be using Microsoft software on the computer)
  3. Is there a benefit or disadvantage to the GNOME vs KDE desktop environment? (I have read plenty that describes the GNOME desktop as more simple and KDE as more customizable. I really just don’t know what this means from a practical standpoint.)
    A. Are there any features or security concerns I need to know about related to either of these?
    B. If I went with GNOME, are there any changes I need to make to the above UEFI secure boot guide, as that is written for KDE?
  4. Are there any changes I need to make to the steps from the above guides to make this work?
  5. Is there a way to back up the BIOS before I make any changes, just in case? Is that even a thing?

My background:
I have basically no Linux experience. I have always been the family / resident “tech guy” but mostly I just know how to web search, navigate computers, and troubleshoot with trial and error. I have very, very basic coding knowledge (mostly searching for pre-typed code for what I need and dropping it in a website). I currently don’t have a working computer to test anything on a Linux VM. I am not convinced it would help much, as the BIOS and hardware will be different on the Framework anyways.

I did look at other guides and posts on here, but they seemed to not fully apply or be missing parts related to my questions (AMD vs Intel, no details on potential issues with custom keys in this setup, etc.).
I’m sorry if any of these are stupid noob questions, but any help would be greatly appreciated.

I don’t really bother with secure boot on my laptops (usually just keep it disabled, especially when installing Linux distros). I use an Arch-based distro and they say secure boot is an absolute pain to set up, so I just leave it disabled. I do not know much about secure boot and have yet to install Linux on my FW (have plans to but just got the storage while my FL16 was at the repair center).

I can comment though that GNOME vs KDE is just a matter of personal preference and usually quite polarized as they have quite different layouts and design philosophies. I personally prefer KDE, but you can try either of them and just stick to the one you like. There isn’t too big of a difference in security between these DEs.

On some versions of Insyde BIOSes, they have a BIOS Backflash feature that you can enable which restores the BIOS to a version that is not corrupted. You can also change all the settings back to the default in the exit menu of the BIOS. I can’t say what will happen to the secure boot keys though.