USB Boot Password

Just got my Framework earlier today and loving it so far. Before I used this device, I used a ThinkPad and had it configured to have a BIOS password. When the BIOS password was set, it would also require the BIOS password to boot to a USB device with the one-time boot override key. The Framework does not work this way. Would it be possible to implement this in a future firmware update? I think it would be fantastic for security as it prevents people from simply inserting a USB stick to take your files. For now I can simply disable USB boots when I’m not installing an OS, it just seems like a convenient option.

Tangentially related, how do I download firmware updates? I haven’t been able to find it on the Framework website.


We currently have a beta release 3.03 available for testing: Public Beta Test: 11th Gen BIOS v3.03 + Driver Bundle 2021_08_31

@A_Moose I don’t disagree about the convenience, but there’s a better way to protect your files: encrypt your drive. That way, nobody can access your files by removing the SSD. BitLocker for Windows, LUKS for Linux, just to name a couple of examples. The performance cost is extremely small, and some SSDs have hardware-based encryption.


@Jacob_Padgett I’m actually looking into that right now after noticing Windows 11 automatically encrypts the system partition with BitLocker! I generally run a dual boot system so I’m currently looking for ways to get LUKS and BitLocker to play nice with each other, ideally with both automatically decrypting at boot time. It’s a bit outside of the purpose of this thread, but I may make a new thread if I have any valuable information to add on the subject.


I also find that the one-time boot override menu should be covered by the BIOS admin password. All other devices I have owned implemented it this way.
Even if my drive is fully encrypted, I still would like to prevent others booting software from external drives without knowledge of the password…

I also think USB boot should be covered by the BIOS password. This is not really a security feature, but a thief deterrence feature. In this way, if my laptop is stolen, it is effectively a brick, as they cannot install another OS on my disk, change the disk (chassis intrusion detection), and cannot enter my OS.

I understand that thief deterrence is generally not useful unless widely implemented, but at least I can annoy anyone who attempts to steal my laptop.

Well, how do you reset a BIOS password? Oh, you take off the battery and backup buffer battery and eventually apply a shunt to 2 special pins for that purpose.

If someone has access to your laptop physically, all BIOS passwords are useless.
You can only really protect your data if you encrypt the filesystems and keep the key on a separate device. And for encrypting, use open-source software, not software backed by huge corporations … (applies to BitLocker, or in-disk encryption + PWD protection). In the end, if a security issue surfaces and the device is too old, they couldn’t care less.

PS: also, never use biometrics. The password, they have to beat it out of you. The biometric, just use your face or finger.