Preventing USB boot with Coreboot on Librem 14

Hi, I got the new Librem 14 and it seems like a nice device. But on my old system I protected my system from cold boot attacks and other shenanigans by protecting the BIOS with a password and disabling all boot devices besides the main disk in the BIOS.

This does not seem to be possible anymore or is there an option?

To me it is puzzling that the Librem 14 has a bigger attack surface because of this than my previous ThinkPad.

Of course I can, or maybe should, use the evil maid USB stick or maybe the Librem Key, but this is much more effort/complicated (I use Qubes OS, not sure if the Librem Key works with this, and I already got a Yubikey) than simply preventing others from booting from their rescue systems so they have to open the chassis and move the SSD to another system to manipulate it.
ThinkPads even had a tamper detection so I could have seen if somebody removed the chassis unless they were super professional and somehow prevented the alarm from going off.

So is there any option to prevent the boot from other devices with the Librem 14?
What do you do to prevent attacks like these?

Thanks in advance.

Build firmware from scratch and add the functionality that you want?

You can use TPM to defend your boot process: