Unified Extensible Firmware Interface

EFI in the boot sequence

The Unified Extensible Firmware Interface (UEFI)[1] is in the boot sequence before the operating system and after the firmware. UEFI replaces the legacy BIOS firmware interface found in all IBM computers.[2][3] Most UEFI implementations are backwards-compatible to the legacy BIOS. UEFI supports remote diagnostics and repairing of computers, even when there isn't an operating system.[4]

Intel made the Extensible Firmware Interface (EFI). Some of the EFI's usage and formats mimic those of Windows.[5][6] In 2005, EFI 1.10 (the final release) was deprecated.

History

Creation

The motivation for EFI came during early development of the first Intel–HP Itanium systems in the mid-1990s. Limitations had become too restrictive for the server platforms Itanium was looking for.[7] The effort to address these restrictions began in 1998 and was first called the Intel Boot Initiative.[8] It was renamed to Extensible Firmware Interface (EFI).[9][10]

In July 2005, Intel discontinued its development of the EFI specification at version 1.10, and gave it to the Unified EFI Forum, which has developed the specification as the Unified Extensible Firmware Interface (UEFI). The original EFI specification remains owned by Intel, which exclusively provides licenses for EFI-based products, but the UEFI specification is owned by the UEFI Forum.[7][11]

Versions

Version 2.0 of UEFI was released on 31 January 2006. It added cryptography and security.

Version 2.1 of UEFI was released on 7 January 2007. It added network authentication and the user interface architecture ('Human Interface Infrastructure' in UEFI).

The latest UEFI specification, version 2.9, was released in March 2021.[12]

Open source

The first open source UEFI implementation, Tiano, was released by Intel in 2004. Tiano has since then been succeded by EDK[13] and EDK2[14] and is now maintained by the TianoCore community.[15]

Advantages

UEFI firmware provides several technical advantages over a traditional BIOS system:[16]

  • Being able to boot a disk containing large partitions (over 2 TB) with a GUID Partition Table (GPT)[17][a][18]
  • Flexible pre-OS environment, including network capabilities, a GUI, and multi language support
  • 32-bit (for example IA-32) or 64-bit (for example x64) pre-OS environment
  • C language programming
  • Modular design
  • Backward and forward compatibility with the Legacy BIOS

Features

Services

Graphics Output Protocol (GOP) services
The Graphics Output Protocol (GOP) gives runtime services; see also Graphics features below. The operating system is allowed to write to the framebuffer provided by GOP during runtime mode.[19]
Variable services
UEFI variables provide a way to store data, in particular non-volatile data. Some UEFI variables are shared between platform firmware and operating systems. Variable namespaces are identified by GUIDs, and variables are key/value pairs. For example, UEFI variables can be used to keep crash messages in NVRAM after a crash for the operating system to get after a reboot.[20]
Time services
UEFI provides time services. Time services include support for someone's time zone and daylight saving fields, which allow the hardware's real-time clock to be set to local time or UTC.[21] On machines using a PC-AT real-time clock, by default the hardware clock still has to be set to local time for compatibility with BIOS-based Windows,[6] unless using recent versions and an entry in the Windows registry is set to indicate the use of UTC.

Applications

 
Interaction between the EFI boot manager and EFI drivers

Beyond loading an OS, UEFI can run UEFI applications, which stay as files on the EFI System Partition. They can be executed from the UEFI Shell, by the firmware's boot manager, or by other UEFI apps. UEFI apps can be developed and installed independently of the original equipment manufacturers (OEMs).

A type of UEFI application is an OS boot loader such as GRUB, rEFInd, Gummiboot, and Windows Boot Manager; which loads some OS files into memory and executes them. Also, an OS boot loader can provide a user interface to allow the selection of another UEFI application to run. Utilities like the UEFI Shell are also UEFI applications.

Protocols

EFI defines protocols as a set of software interfaces used for communication between two binary modules. All EFI drivers must provide services to others via protocols. The EFI Protocols are similar to the BIOS interrupt calls.

Graphics features

The EFI 1.0 specification defined a UGA (Universal Graphic Adapter) protocol as a way to support graphics features. UEFI did not include UGA and replaced it with GOP (Graphics Output Protocol).[22]

UEFI 2.1 defined a "Human Interface Infrastructure" (HII) to manage user input, localized strings, fonts, and forms (in the HTML sense). These enable original equipment manufacturers (OEMs) or independent BIOS vendors (IBVs) to design graphical interfaces for pre-boot configuration.

Most early UEFI firmware implementations were console-based. Today many UEFI firmware implementations are GUI-based.

Boot stages

SEC – Security Phase

This is the first stage of the UEFI boot but may have platform specific code. It is built as code written in assembly language for the specific architecture. It initializes temporary memory (often CPU cache as RAM) and serves as the system's software root of trust.

PEI – Pre-EFI Initialization

The second stage of UEFI contains of a dependency-aware dispatcher that loads and runs PEI modules (PEIMs) to handle hardware tasks such as main memory initialization and firmware recovery operations. It's also responsible for the discovery of the boot mode and handling many ACPI S0ix/ACPI S3 operations. In the case of ACPI S0ix/ACPI S3 resume, it is responsible for restoring many hardware registers to a pre-sleep state. PEI also uses CPU cache as RAM.

DXE – Driver Execution Environment

This stage are made of C modules and a dependency-aware dispatcher. With main memory now available, CPU, chipset, mainboard and boot devices are initialized in DXE and BDS.

BDS – Boot Device Select

BDS is a part of the DXE.[23][24] In this stage, boot devices are initialized, UEFI drivers or Option ROMs of PCI devices are executed according to system configuration, and boot options are processed.

TSL – Transient System Load

This is the stage between boot device selection and hand-off to the OS. At this point one may enter UEFI shell, or execute an UEFI application such as the OS boot loader.

RT – Runtime

The UEFI hands off to the operating system (OS) after ExitBootServices() is executed. A UEFI compatible OS is now responsible for exiting boot services triggering the firmware to unload all no longer needed code and data, leaving only runtime services code/data, e.g. SMM and ACPI.[25] A typical modern OS will prefer to use its own programs (such as kernel drivers) to control hardware devices.

When a legacy OS is used, CSM will handle this call making sure that the system is compatible with legacy BIOS expectations.

Criticism

Many digital rights activists have protested against UEFI. Some experts have blamed UEFI as an attempt to remove the ability of the user to control the computer.[26][27] It does not solve the BIOS's long-standing problems of requiring two different drivers—one for the firmware and one for the operating system—for most hardware.[28]

Open-source project TianoCore also provides UEFI interfaces.[29] TianoCore doesn't have the specialized drivers that initialize functions, which are instead provided by coreboot, of which TianoCore is one of many payload options. The development of coreboot requires cooperation from CPU manufacturers to provide the specifications needed to develop initialization drivers.

Secure Boot

 
Examples of custom Secure Boot public keys
 
MokManager, a part of Shim bootloader

In 2011, Microsoft announced that computers certified to run its Windows 8 operating system had to release with Microsoft's public key enrolled and Secure Boot enabled.[source?] Following the announcement, Microsoft was accused by critics and free software/open source advocates (including the Free Software Foundation) of trying to use the Secure Boot functionality of UEFI to prevent the installation of alternative operating systems such as Linux. Microsoft denied that the Secure Boot requirement was intended to serve as a form of lock-in. They also clarified its requirements by stating that 32-bit-based systems certified for Windows 8 must allow Secure Boot to enter custom mode or be disabled, but not on systems using the ARM architecture.[30][31] Windows 10 allows OEMs to decide whether or not Secure Boot can be changed by users of their 32-bit systems.[32]

Concerns

Other developers concerned about the issues of implementing support for Secure Boot on Linux systems in general. Former Red Hat developer Matthew Garrett noted that conditions in the GNU General Public License version 3 may prevent the use of the GNU GRand Unified Bootloader without a distribution's developer disclosing the private key (however, the Free Software Foundation has since clarified its position, assuring that the responsibility to make keys available was held by the hardware manufacturer),[33][34] and that it would also be difficult for advanced users to build custom kernels that could function with Secure Boot enabled without self-signing them.[31] Other developers suggested that signed builds of Linux with another key could be provided, but noted that it would be difficult to persuade OEMs to ship their computers with the required key alongside the Microsoft key.[3]

Other implementations

Several major Linux distributions have made different implementations for Secure Boot. Garrett himself made a minimal bootloader that allows the user to individually trust keys provided by Linux distributions.[35] Ubuntu 12.10 uses an older version of shim[which?] pre-configured for use with Canonical's own key that verifies only the bootloader and allows unsigned kernels to be loaded; developers believed that the practice of signing only the bootloader is more feasible, since a trusted kernel is effective at securing only the user space, and not the pre-boot state for which Secure Boot is designed to add protection. That also allows users to build their own kernels and use custom kernel modules as well, without the need to reconfigure the system.[34][36][37] Canonical also maintains its own private key to sign installations of Ubuntu pre-loaded on certified OEM computers that run the operating system, and also plans to enforce a Secure Boot requirement as well—requiring both a Canonical key and a Microsoft key (for compatibility reasons) to be included in their firmware. Fedora also uses shim,[which?] but requires that both the kernel and its modules be signed as well.[36]

Disputes

It has been disputed whether the operating system kernel and its modules must be signed as well; while the UEFI specifications do not require it, Microsoft has asserted that their contractual requirements do, and that it reserves the right to revoke any certificates used to sign code that can be used to compromise the security of the system.[37] In Windows, only the WHQL kernel driver is allowed if Secure Boot is enabled. In February 2013, another Red Hat developer attempted to submit a patch to the Linux kernel that would allow it to parse Microsoft's authenticode signing using a master X.509 key embedded in PE files signed by Microsoft. However, the proposal was criticized by Linux creator Linus Torvalds, who attacked Red Hat for supporting Microsoft's control over the Secure Boot infrastructure.[38]

On 26 March 2013, the Spanish free software development group Hispalinux filed a formal complaint with the European Commission.It said that Microsoft's Secure Boot requirements on OEM systems were "obstructive" and anti-competitive.[39]

Reports

At the Black Hat conference in August 2013, a group of security researchers presented a series of exploits in specific vendor implementations of UEFI that could be used to exploit Secure Boot.[40]

In August 2016 it was reported that two security researchers had found the "golden key" security key Microsoft uses in signing operating systems.[41] Technically, no key was exposed. However, an exploitable binary signed by the key was exposed. This allows any software to run as though it was genuinely signed by Microsoft and exposes the possibility of rootkit and bootkit attacks. This also makes patching the problem impossible, since any patch can be replaced (downgraded) by the (signed) exploitable binary. Microsoft responded in a statement that the vulnerability only exists in ARM architecture and Windows RT devices, and has released two patches; however, the patches do not (and cannot) remove the vulnerability, which would require key replacements in end user firmware to fix.[source?]

Support

Many Linux distributions support Secure Boot now, such as RHEL (RHEL 7 and later), CentOS (CentOS 7 and later[42]), Ubuntu, Fedora, Debian (Debian 10 and later[43]), OpenSUSE, and SUSE Linux.[44]

Firmware problems

The increased prominence of UEFI firmware in devices has also led to a number of technical problems blamed on their respective implementations.[45]

Following the release of Windows 8 in late 2012, it was discovered that certain Lenovo computer models with Secure Boot had firmware that was hardcoded to allow only executables named "Windows Boot Manager" or "Red Hat Enterprise Linux" to load, regardless of any other setting.[46] Other problems were encountered by several Toshiba laptop models with Secure Boot that were missing certain certificates required for its proper operation.[45]

In January 2013, a bug surrounding the UEFI implementation on some Samsung laptops went public, which caused them to be bricked after installing Linux in UEFI mode. While potential conflicts with a kernel module designed to access system features on Samsung laptops were initially blamed (also prompting kernel maintainers to disable the module on UEFI systems as a safety measure), Matthew Garrett discovered that the bug was actually triggered by storing too many UEFI variables to memory, and that the bug could also be triggered under Windows under certain conditions. In conclusion, he determined that the offending kernel module had caused kernel message dumps to be written to the firmware, triggering the bug.[20][47][48]

Unified Extensible Firmware Interface Media

Notes

  1. Large disk support and features such as Advanced Configuration and Power Interface (ACPI) and System Management BIOS (SMBIOS) were subsequently implemented in BIOS-based systems.

References

  1. Pronounced as an acronym or as /ˈɪf/.
  2. Kinney, Michael (1 September 2000). "Solving BIOS Boot Issues with EFI" (PDF). pp. 47–50. Archived from the original (PDF) on 23 January 2007. Retrieved 14 September 2010.
  3. 3.0 3.1 MS denies secure boot will exclude Linux. The Register. 23 September 2011. https://www.theregister.co.uk/2011/09/23/ms_denies_uefi_lock_in/. Retrieved 24 September 2011. 
  4. "The 30-year-long Reign of BIOS is Over: Why UEFI W... - Input Output". HP.com. Archived from the original on 26 June 2013. Retrieved 6 March 2012.
  5. IBM PC Real Time Clock should run in UT. Cl.cam.ac.uk. Retrieved on 30 October 2013.
  6. 6.0 6.1 Garrett, Matthew (19 January 2012). "EFI and Linux: The Future Is Here, and It's Awful". linux.conf.au 2012. Archived from the original on 13 November 2021. Retrieved 2 April 2012.
  7. 7.0 7.1 Emulex UEFI Implementation Delivers Industry-leading Features for IBM Systems. Emulex. http://www.emulex.com/artifacts/757d23e7-8acb-41a7-872a-afb733ab0688/elx_tb_all_uefi_ibm.pdf. Retrieved 14 September 2010. 
  8. Extensible Firmware Interface (EFI) and Unified EFI (UEFI), Intel, archived from the original on 5 January 2010
  9. Wei, Dong (2006), "foreword", Beyond BIOS, Intel Press, ISBN 978-0-9743649-0-2
  10. "1.10 Specification overview", Extensible Firmware Interface, Intel
  11. About, Unified EFI Forum, Q: What is the relationship between EFI and UEFI? A: The UEFI specification is based on the EFI 1.10 specification published by Intel with corrections and changes managed by the Unified EFI Forum. Intel still holds the copyright on the EFI 1.10 specification, but has contributed it to the Forum so that the Forum can evolve it. There will be no future versions of the EFI specification, but customers who license it can still use it under the terms of their license from Intel. The license to the Unified EFI Specification comes from the Forum, not from Intel
  12. "Unified Extensible Firmware Interface (UEFI) Specification Version 2.9" (PDF). www.uefi.org. March 2021. Retrieved 23 May 2021.
  13. "GitHub - tianocore/Edk: Git mirror of EDK". GitHub. 19 March 2019.
  14. "GitHub - tianocore/Tianocore.github.io: Tianocore website". GitHub. 8 August 2019.
  15. "What is TianoCore?".
  16. "UEFI and Windows". Microsoft. 15 September 2009. Retrieved 14 September 2010.
  17. "Installation". 3.4 BIOS installation. GNU GRUB. Retrieved 25 September 2013.
  18. "Non-boot disks can use a GPT partition table even with no UEFI bios".
  19. "What is efifb? — The Linux Kernel documentation". www.kernel.org. Retrieved 24 November 2020.
  20. 20.0 20.1 "Samsung UEFI bug: Notebook bricked from Windows". The H. Retrieved 27 February 2013.
  21. UEFI specification, section 7.3
  22. "Intel Embedded Graphics Drivers FAQ: BIOS and firmware". Intel. Retrieved 19 May 2014.
  23. "PI Boot Flow · tianocore/Tianocore.github.io Wiki". GitHub.
  24. "Engineering Services" (PDF).
  25. "The Unified Extensible Firmware Interface (UEFI) — The Linux Kernel documentation". www.kernel.org. Archived from the original on 25 October 2020. Retrieved 7 November 2020.
  26. "Interview: Ronald G Minnich". Fosdem. 6 February 2007. Retrieved 14 September 2010.
  27. Doctorow, Cory (27 December 2011), The Coming War on General Purpose Computation, retrieved 25 September 2013
  28. "coreboot (aka LinuxBIOS): The Free/Open-Source x86 Firmware". YouTube. 31 October 2008. Retrieved 14 September 2010.
  29. "Welcome", TianoCore, SourceForge, archived from the original on 23 April 2012
  30. "Windows 8 Secure Boot: The Controversy Continues". PC World. Retrieved 9 September 2012.
  31. 31.0 31.1 "Is Microsoft Blocking Linux Booting on ARM Hardware?". Computerworld UK. Retrieved 6 March 2012.
  32. "Windows 10 to make the Secure Boot alt-OS lock out a reality". Ars Technica. 20 March 2015. Retrieved 21 March 2015.
  33. "Free Software Foundation recommendations for free operating system distributions considering Secure Boot — Free Software Foundation — working together for free software". Free Software Foundation. Retrieved 18 March 2020.
  34. 34.0 34.1 "Ubuntu will use GRUB 2 for its Secure Boot implementation". The H Online. Retrieved 28 October 2012.
  35. "Shimming your way to Linux on Windows 8 PCs". ZDNet. Retrieved 26 February 2013.
  36. 36.0 36.1 "Ubuntu details its UEFI Secure Boot plans". Linux Weekly News. Retrieved 11 September 2012.
  37. 37.0 37.1 "No Microsoft certificate support in Linux kernel says Torvalds". The H. Retrieved 26 February 2013.
  38. "Linus Torvalds: I will not change Linux to "deep-throat Microsoft"". Ars Technica. 26 February 2013. Retrieved 26 February 2013.
  39. Exclusive: Open software group files complaint against Microsoft to EU. Reuters. 26 March 2013. https://www.reuters.com/article/us-microsoft-eu-idUSBRE92P0E120130326. Retrieved 26 March 2013. 
  40. "Researchers demo exploits that bypass Windows 8 Secure Boot". IT World. Retrieved 5 August 2013.
  41. MENDELSOHN, Tom (12 August 2016). Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open [Updated]. Ars Technica. http://arstechnica.co.uk/security/2016/08/microsoft-secure-boot-firmware-snafu-leaks-golden-key/. Retrieved 12 August 2016. 
  42. "HowTos/UEFI - CentOS Wiki". wiki.centos.org. Retrieved 10 November 2020.
  43. "SecureBoot - Debian Wiki". wiki.debian.org. Retrieved 10 November 2020.
  44. "SUSE Linux Enterprise Server 15 SP1: Chapter 13. UEFI (Unified Extensible Firmware Interface) (Administration Guide)". documentation.suse.com. Retrieved 10 November 2020.
  45. 45.0 45.1 "Linux on Windows 8 PCs: Some progress, but still a nuisance". ZDNet. Retrieved 26 February 2013.
  46. "Lenovo UEFI Only Wants To Boot Windows, RHEL". Phoronix. Retrieved 26 February 2013.
  47. "Linux acquitted in Samsung laptop UEFI deaths". Bit-tech. Retrieved 26 February 2013.
  48. "Booting Linux using UEFI can brick Samsung laptops". The H. Retrieved 26 February 2013.

Further reading

Other websites