The NSA just published a Cybersecurity Technical Report: UEFI Secure Boot Customization
Secure Boot is a boot integrity feature that is part of the Unified Extensible Firmware Interface (UEFI) industry standard. Most modern computer systems are delivered to customers with a standard Secure Boot policy installed. This document provides a comprehensive guide for customizing a Secure Boot policy to meet several use cases.
Recommendations for system administrators and infrastructure owners:

- Machines running legacy BIOS or Compatibility Support Module (CSM) should be migrated to UEFI native mode.
- Secure Boot should be enabled on all endpoints and configured to audit firmware modules, expansion devices, and bootable OS images (sometimes referred to as Thorough Mode).
- Secure Boot should be customized, if necessary, to meet the needs of organizations and their supporting hardware and software.
- Firmware should be secured using a set of administrator passwords appropriate for a device's capabilities and use case.
- Firmware should be updated regularly and treated as importantly as operating system and application updates.
- A Trusted Platform Module (TPM) should be leveraged to check the integrity of firmware and the Secure Boot configuration.
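Customizing Secure Boot means editing the db/dbx variables, and auditing the result means reading them back. The following Python is an added example, not code from the NSA report: it parses the UEFI EFI_SIGNATURE_LIST format those variables use and checks whether an image hash is revoked. The owner GUID, hashes and X.509 bytes in the sample are constructed placeholders.

```python
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIGLIST_HDR = 28  # EFI_GUID + SignatureListSize + SignatureHeaderSize + SignatureSize

def parse_signature_lists(blob):
    """Return [(type_guid, owner_guid, signature_bytes)] for every entry in a db/dbx blob.

    On Linux read the variable from efivarfs (e.g. dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
    under /sys/firmware/efi/efivars) and strip its leading 4-byte attribute word first.
    """
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # EFI GUIDs use mixed-endian layout
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < SIGLIST_HDR or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + SIGLIST_HDR + hdr_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA: 16-byte owner GUID + data
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, bytes(blob[pos + 16:pos + sig_size])))
            pos += sig_size
        off = end
    return entries

def build_signature_list(sig_type, owner, signatures):
    """Build one EFI_SIGNATURE_LIST of equal-sized entries (used here only to construct sample data)."""
    body = b"".join(owner.bytes_le + s for s in signatures)
    header = sig_type.bytes_le + struct.pack("<III", SIGLIST_HDR + len(body), 0, 16 + len(signatures[0]))
    return header + body

def is_hash_revoked(dbx_blob, image_sha256):
    """True if a boot image's SHA-256 is listed in dbx, so the firmware will refuse to load it."""
    return any(t == EFI_CERT_SHA256_GUID and sig == image_sha256
               for t, _, sig in parse_signature_lists(dbx_blob))

# Constructed sample: a dbx with two made-up image hashes under a placeholder owner GUID,
# concatenated with a dummy X.509 list, as a customized variable commonly is.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # placeholder organisation GUID
REVOKED = bytes(range(32))  # stands in for a revoked image's SHA-256
SAMPLE_DBX = (build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [REVOKED, bytes(32)])
              + build_signature_list(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82dummy-der"]))
```

Comparing the parsed owner GUIDs and certificates against the organization's intended policy is the practical check that a customized Secure Boot configuration was actually applied.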