I was helping a friend replacing the battery and thermal paste on his System 76 laptop. Never own one before but I notice it runs a special BIOS version, Coreboot. It turns out there are Coreboot and Lireboot. .These help to boot really fast though.
Anyway, I notice there are no password BIOS lock like on Lenovo. How would this protect against someone plug a USB in and just wipe my drive? On Lenovo you can set a supervisor / boot passwords, and you can remove USB drives from the boot list.
sigh To actually answer your question:
Coreboot itself is just init firmware that contains a payload, such as Seabios, GRUB or Tianocore.
Those can have passwords (or also not, Seabios can’t, as far as I’m aware).
There’s a Libreboot site on how to lock down GRUB.
Basically, you have to flash your own config by adding your password hash and replacing the one in the ROM with e.g. cbfstool. It may sound scarier than it is.
Besides having less features than many proprietary BIOSes, I prefer the flexibility of having your own config to play around with. You can also create custom entries to boot fully encrypted RAIDs and such stuff.
(I sighed because many answers were about BIOS passwords not being effective anyway, which, to me, is dog shit, because of course you do not want somebody random to be able to just boot a USB from your device and screw up your system. And no, it does not reset itself when you take out the CMOS battery.)