This is where a completely different bios is likely better suited and not depending on software AEM but instead Hardware AEM with a librem key + heads bios which wipes out all the nasty stuff that stock bios come with such as Intel Management Engine, which is considered a backdoor and most manufacturers have confidential agreements with NSA / CIA / Mi6 and the like to deliver laptops with IME disabled. See here: Dell Special catalog for DOD, NSA, CIA
And see here about the easiest way to get into heads and hardware AEM, just by using the right hardware: Anti Evil Maid and Lenovo x230
You can pick up a barebones x230 with no ram, no hd for under $150 if you shop around on ebay and clist. Then just buy 16gb ram and the hd you need. Plus get a librem or nitrokey, they are the same, just different branding.
If you decide to go the x230 route, feel free to post in the x230 thread to get help with your journey.