Not interested in a religious war.
The problem is in a model - school of thought - perspective, whatever.
First of all, for what purpose did you procure the laptop - CAD/CAM, coding, building, storage, etc.?
I have just ordered the latest and largest laptop from Lenovo - it comes with fingerprint security and is also supposed to be able to scan your eyes before granting access to the valuable stuff on the PC.
IBM and Lenovo design and quality control are as different as Earth and Mars.
I assume that you procured a ThinkPad Workstation 16" with an AMD CPU and NVIDIA Quadro, or similar.
Did you decide to procure a Lenovo product yourself, or were you advised to? In either case, you shouldn't procure from them.
Use DELL and HPE equipment if you're serious about your business.
It's coming directly from China to me. I assume there are no authorities or anyone else who can tamper with the PC before I receive it. Therefore, one should be able to assume that this piece of hardware is untouched!
That logic doesn't account for the hardware being compromised by the manufacturer itself.
Without a defined threat model - primarily identified actors and their capabilities, assuming that there is a threat array - I can only say that if that laptop is coming to you or an affiliated person, it may be tampered with during transport and customs procedures.
Protection against strangers, hackers and others who would use a 5-minute window to access the laptop while I'm away.
What strangers - which hackers - what others? Your sentences imply that you're an HVT carrying confidential information. Hence, you're either a target of industrial espionage or a conventional one.
Why would you carry confidential information with you in any form?
What would you do first? Windows 11 is a must for me; unfortunately, I'm not a techie and can't install Linux or anything like that.
Why is Microsoft Windows 11 a requirement for you - due to lack of knowledge of Linux, or because of assumed software support that is lacking on Linux?
My plan is, of course, to set up a VeraCrypt-protected drive and activate both fingerprint and eye scan. Additionally, I'll be using NOD32 for antivirus and firewall protection.
If you carry protected information with you on a laptop's storage, then it's against OPSEC and CI/INFOSEC.
But, in this business, adaptability is key. If you are going to expose yourself to a risk, then that laptop should have at least two properties:
1. It can't boot without high-assurance encryption keys.
2. An encrypted remote storage and backup exist.
For the first property, Linux with a UEFI bootstrap and an encrypted /boot volume would be required. As for the second, colocated 1U/2U servers with RAID 5/6 or 6+0 should be established for remote storage and backup purposes via rsync and your own VPN.
Biometric authentication may be used as a comfort measure, but with an expiry period - up to 30 minutes - after which strong authentication methods must be used.
Whatever Linux distribution is used, it's essentially the same. For the GUI, GNOME should be used. And no, Ubuntu isn't spyware.
For Microsoft Windows software, an isolated VM instance may be used with GPU pass-through.
- For performance reasons, use HDD-level encryption (your NVMe drive will most likely support the OPAL standard); if you're paranoid or have a solid reason, use VeraCrypt instead or (better) on top (for a special partition with hyper-sensitive stuff, or a file-based container).
OPAL SEDs are nominally good. But their firmware may be a problem: on our internal network used for IPMI management we detected traffic apparently related to a certain vendor. Luckily, we don't use them for production servers.
Considering that you're mobile, you should have a WWAN active as well as a firewall - iptables with prerouting rules, or nftables.
AV should be used only if you have exchanges with external parties through mail or mobile storage.
Apple and Microsoft products should not be used for any serious matters.
If you need assistance with set-up, send a DM and I will gladly help you - free of charge, I don't need revenue from OCT - or delegate the task to our knowledgeable technician.
But you should really consider not using Lenovo products.
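Added example, not posted by anyone in this thread: a default-deny nftables ruleset of the kind the "WWAN plus firewall with prerouting rules" advice above calls for, written for a mobile laptop whose only trusted path is its own VPN tunnel. Interface names (wwan0, wlan0, wg0 as a WireGuard tunnel), the VPN endpoint address 203.0.113.10 (a TEST-NET-3 placeholder) and UDP port 51820 are assumptions; substitute your own. Load it with `nft -f laptop.nft` and check the result with `nft list ruleset`.

```nft
#!/usr/sbin/nft -f
# Added example (assumptions: wwan0/wlan0 are the untrusted uplinks, wg0 is the
# laptop's own VPN tunnel, 203.0.113.10:51820/udp is the VPN endpoint).

flush ruleset

define uplinks  = { "wwan0", "wlan0" }
define vpn_if   = "wg0"
define vpn_ep   = 203.0.113.10
define vpn_port = 51820

table inet laptop {
    # Source addresses that can never legitimately arrive on an uplink.
    # RFC1918 space is deliberately NOT listed: hotel/airport Wi-Fi gateways
    # and their DHCP servers live there and would be cut off.
    set bogons4 {
        type ipv4_addr
        flags interval
        elements = { 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 }
    }

    # Prerouting: drop obviously spoofed packets from the uplinks before any
    # routing decision. (Conntrack has not run yet at raw priority, so
    # ct-state checks belong in the input chain, not here.)
    chain pre {
        type filter hook prerouting priority raw; policy accept;
        iifname $uplinks ip saddr @bogons4 counter drop
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state invalid counter drop
        ct state established,related accept
        # IPv6 neighbour discovery and router advertisements are needed for
        # the uplink to work at all; everything else on the uplinks is dropped.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # Nothing listens on the raw uplinks; ping and sshd only via the tunnel.
        iifname $vpn_if icmp type echo-request limit rate 5/second accept
        iifname $vpn_if tcp dport 22 accept
        counter drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        ct state established,related accept
        # Bootstrap traffic that must leave on the raw uplinks: DHCP/DHCPv6
        # to get an address, then the VPN handshake itself. No DNS here: the
        # endpoint is configured by IP, and name resolution happens over wg0.
        oifname $uplinks udp sport 68 udp dport 67 accept
        oifname $uplinks udp sport 546 udp dport 547 accept
        oifname $uplinks ip daddr $vpn_ep udp dport $vpn_port accept
        # Everything else leaves only through the tunnel.
        oifname $vpn_if accept
        counter drop
    }
}
```

The output policy is the part that matters when the laptop joins an untrusted network: with `policy drop` and only the DHCP and VPN-handshake rules on the uplinks, a tunnel that fails to come up means no traffic at all rather than traffic silently going out in the clear. The `counter` statements make that visible in `nft list ruleset` when something is being blocked.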