Question: What can be done to secure an older HP workstation against firmware based malware?

Notes:

1) Secure Boot doesn’t protect against the UEFI LoJax rootkit.
2) Secure Boot is a feature that is found in the UEFI setup utility but not the BIOS setup - see attached image.
3) Security community recommends keeping UEFI firmware up-to-date and, if possible, have a processor with a hardware root of trust.
4) Intel processors have Intel Boot Guard (from the Haswell family of Intel processors onwards) introduced in 2013.
5) The exploited vulnerability affects only older chipsets, make sure that critical systems have modern chipsets with the Platform Controller Hub (introduced with Intel Series 5 chipsets in 2008).

In summary, Boot Guard is a hardware-based technology designed to prevent malware and other unauthorized software from replacing or tampering with the low-level UEFI firmware. If the UEFI firmware isn’t signed by the OEM—that is, created by the OEM—the computer will halt and refuse to boot. That’s why you can’t modify the UEFI firmware or change it to something else. Systems targeted by LoJax usually also showed signs of these three examples of Sednit malware:
 SedUploader, a first-stage backdoor
 XAgent, Sednit’s flagship backdoor
 Xtunnel, a network proxy tool that can relay any kind of network traffic between a C&C server on the Internet and an endpoint computer inside a local network

HP Setup