Secure one-time boot menu (F12) by BIOS supervisor password

I set a BIOS supervisor password, then rebooted, pressed F12 and was able to boot from any device without being asked for the BIOS password.

I think this is not very secure, because someone can boot from their own USB flash drive and do something bad with my hardware (like changing boot images). Of course, an attacker can always extract the SSD and do dangerous things on their own machine, but that requires more time. It is always safer to have an extra line of defense.

Also, the BIOS on many other laptops requires the BIOS password in its one-time boot manager. I think that is what most people expect.

The BIOS password protects against BIOS configuration manipulation, not system access.

You did not configure everything. Go to the boot options and restrict booting to only the internal hard drive (the one with the OS). Disable all other boot options. Then other boot devices won’t be tried.
But this won’t prevent someone from extracting the disk and accessing it through other means.

You want to really secure the data on your laptop, use full disk encryption and as an open-source guy working in security since in IT, don’t use any built-in encryption (disks etc.) and nothing backed by a company (BitLocker etc.). Whatever is backed by a corporation has, from experience and IMHO, a backdoor or weakness that can be exploited (if not now, in the future).

2 Likes
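One way to check the advice above from a running Linux system, as an added example that is not part of the original thread: the script parses `efibootmgr -v` output and reports boot entries that are still enabled and point at USB, optical or network media. It assumes a UEFI system with `efibootmgr` installed; the sample output is constructed, and whether a given firmware's F12 menu honours these entries is firmware-specific.

```python
import re
import sys

# Constructed sample of `efibootmgr -v` output; not taken from the thread.
SAMPLE = "\n".join([
    "BootCurrent: 0001",
    "BootOrder: 0001,0003,0002",
    "Boot0001* debian\tHD(1,GPT,00000000-0000-0000-0000-000000000001,0x800,0x100000)/File(\\EFI\\debian\\shimx64.efi)",
    "Boot0002  USB HDD\tPciRoot(0x0)/Pci(0x14,0x0)/USB(2,0)",
    "Boot0003* Network Boot\tPciRoot(0x0)/Pci(0x1c,0x0)/MAC(001122334455,0)/IPv4(0.0.0.0)",
])

# "Boot" + 4 hex digits, "*" if active, label, then (with -v) a tab and the device path.
ENTRY = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*| ) ([^\t]*)(?:\t(.*))?$")
# Device-path nodes that indicate removable or network boot sources.
EXTERNAL = re.compile(r"\b(USB|MAC|IPv4|IPv6|CDROM|Uri)\(")


def audit(text):
    """Classify each boot entry; return a list of dicts in output order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # BootCurrent, BootOrder, Timeout and similar lines
        num, flag, label, path = m.groups()
        entries.append({
            "entry": num,
            "label": label.strip(),
            "active": flag == "*",
            "external": bool(EXTERNAL.search(path or "")),
        })
    return entries


def violations(entries):
    """Entries that are still enabled and point at USB/optical/network media."""
    return [e["entry"] for e in entries if e["active"] and e["external"]]


if __name__ == "__main__":
    # Read real output from a pipe, or fall back to the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    found = audit(data)
    for e in found:
        state = "ACTIVE" if e["active"] else "off"
        kind = "external" if e["external"] else "internal/other"
        print(f"Boot{e['entry']} {state:6} {kind:14} {e['label']}")
    sys.exit(1 if violations(found) else 0)
```

To run it against a real machine, pipe `efibootmgr -v` into the script; a non-zero exit status means at least one external entry is still enabled.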

> The BIOS password protects against BIOS configuration manipulation

For me changing boot items is a “BIOS configuration manipulation”.

> Disable all other boot options.

Disabling USB boot helps, thanks.

> You want to really secure the data on your laptop, use full disk encryption

/boot can’t be encrypted, if you are talking about LUKS2 encryption (but of course I have it).

Actually, that is a configured boot-device. If you have enabled the possibility to boot from USB disk, then it is configured and an enabled boot device :)

1 Like