
Firmware Configuration

While setting up your computer to run as an always-on server without a display, there are some firmware-level configuration settings we should verify.

This process is different for single-board computers and traditional desktops. 

Single-Board Computers

The Raspberry Pi series of computers does not have a battery source to ensure that firmware settings are saved if the computer loses power.  This means that they do not use a conventional BIOS or EFI architecture.


Instead, these systems use a configuration file that is stored on the hard drive and read during the boot process to configure the system.  These settings are changed through the command line or a graphical user application.


Performance Options

Overlay file system, disable read-only.  GPU memory.

Interface Options

Enable SSH and VNC if desired.  Disable unneeded interfaces such as SPI, I2C, serial port, serial console, 1-Wire and remote GPIO.
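
To check that the interfaces listed above are really off, the boot configuration can be audited from a script. The following is an added example, not part of the original page; it assumes the configuration file is Raspberry Pi OS's config.txt and the kernel command line is cmdline.txt, and the function names and sample contents are constructed for illustration.

```python
import re

ON = {"on", "1", "yes", "true", "y"}
# dtparam names mapped to the interface labels used in the text above
DTPARAMS = {"spi": "SPI", "i2c": "I2C", "i2c_arm": "I2C"}

# Constructed sample contents, not taken from a real system
SAMPLE_CONFIG = """\
# constructed sample
dtparam=audio=on
dtparam=spi=on
dtparam=i2c_arm=off
#dtparam=i2s=on
enable_uart=1
[pi4]
dtoverlay=w1-gpio,gpiopin=4
[all]
dtparam=i2c_arm=on,i2c_arm_baudrate=100000
"""
SAMPLE_CMDLINE = "console=serial0,115200 console=tty1 root=/dev/mmcblk0p2 rootwait"

def audit_config(text):
    """Map each interface the file leaves enabled to the line that enables it."""
    state = {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#[":
            continue  # blanks, comments; [model] filters are skipped so every section is audited
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "dtparam":
            for item in value.split(","):  # several assignments may share one line
                name, sep, val = item.partition("=")
                label = DTPARAMS.get(name.strip())
                if label:  # a later assignment overrides an earlier one; a bare name is flagged
                    state[label] = no if (not sep or val.strip().lower() in ON) else None
        elif key == "enable_uart":
            state["serial port"] = no if value == "1" else None
        elif key == "dtoverlay" and value.split(",")[0].startswith("w1-gpio"):
            state["1-Wire"] = no  # loading the overlay enables the bus
    return {k: v for k, v in state.items() if v is not None}

def serial_console(cmdline):
    """Return kernel command-line console= entries that point at a UART."""
    return [t for t in cmdline.split() if re.match(r"console=(serial|ttyAMA|ttyS)\d", t)]

if __name__ == "__main__":
    for name, line_no in audit_config(SAMPLE_CONFIG).items():
        print(f"{name} still enabled (line {line_no})")
    print("serial console entries:", serial_console(SAMPLE_CMDLINE))
```

An empty result from both functions means none of these interfaces is enabled by the files checked; VNC and remote GPIO are services rather than boot settings and are not covered here.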

System Options

Change password.  Change hostname; this is used for mDNS, e.g. raspberrypi.local.  Power LED.  Wait for network connection.

Advanced Options

EFI & BIOS


Older PC systems use a BIOS – or Basic Input/Output System – to handle core functions before the computer has loaded an operating system.  The BIOS is used to configure fundamental computer settings that affect how hardware interacts with the operating system.  This architecture stores your settings on a small memory chip powered by a coin-cell battery.  Core computer features can be configured through a user-navigable interface.


Modern computer systems use UEFI – or the Unified Extensible Firmware Interface – to manage these settings through a graphical interface.  Some systems require enabling an advanced or administrator mode to access all firmware settings.

Numerous manufacturers use different BIOS and UEFI implementations for their computer systems.  There is no definitive standard for BIOS or EFI systems, which results in many different descriptive names for the same features.  While we try to cover the common names, you may need to do some personal research.

Some OEM systems, such as business-grade workstation PCs, have simplified firmware with minimal configurable options.  This computer should still operate as a server but may require additional configuration through the operating system to properly manage power and efficiency settings.

Disable Unused Hardware & Features

You can increase the overall security of a home server by disabling extraneous hardware as a proactive measure to decrease your attack surface.

Some common hardware components to disable are:

  • Serial and Parallel Ports
  • Audio Ports
  • Bluetooth
  • Thunderbolt
  • Wireless Internet
  • Trusted Platform Module

Bluetooth can be left on for connecting smart devices, but the protocol can be insecure.  Wireless internet is not reliable enough to be used as the main connection for a server and should be disabled if not in use.

Power-Saving Features   

We are running an always-on server, which means our power efficiency settings are important.  Turning off certain hardware when the computer is idle can increase its life expectancy, while turning off other hardware can decrease your server's stability.  These are settings to look out for:

Cool'n'Quiet or SpeedStep: Enable

Cool'n'Quiet (AMD) and SpeedStep (Intel) slow down the processor when idle to decrease overall power usage.

EIST: Enable

Enhanced Intel SpeedStep is an advanced mechanism for dynamically scaling the processor's speed and power consumption.

C-States: Enable, Auto or (C1, C3 and C6)

This feature allows the CPU to temporarily disable processor sections when they are not being used by the operating system. 

C1E: Enabled

This is an advanced power-saving state that temporarily decreases the processor speed when idle while allowing for rapid return to an active state.

ErP Mode and EuP Mode: Disable

This is a comprehensive power feature related to an EU directive that aims to decrease overall device power usage.  While useful for a standard computer, the setting can fundamentally alter system performance by disabling or underclocking hardware.

 

Boot Settings

Disable booting from all HDDs or controllers (except for the drives I'm actually booting off of).  Keyboard mouse halt, Secure Boot, fast boot.

Power Management

Disable schedules, disable power efficiency, Wake-on-LAN, restart after failure.

Storage Interface

AHCI vs SATA vs RAID.