Embedded

April 3, 2013

UEFI: Boot, Boon, or Bane?

Linux Lawsuit Shines Uncomfortable LIght on UEFI Standard

by Jim Turley

My learned colleague Bryon Moyer pointed out to me a recent news item regarding a lawsuit by a Linux user group that is suing Microsoft for anticompetitive practices.

Now before we start, let’s take a moment here to check our preconceptions at the door. If, after reading the words “Linux” and “Microsoft” you’ve already decided who’s the good guy in this lawsuit, then shame on you. Engineering is supposed to be a data-driven profession. An honest engineer wouldn’t draw conclusions based on zero evidence. If we were as quick to judge other individuals, it would be called prejudice or racism, and those are not admirable characteristics in an engineer.

Moving on, the suit alleges that laptops preloaded with Windows 8 come with a UEFI-compliant boot loader burned into ROM, and that the ROM prevents owners from nuking Windows and installing another operating system, specifically Linux. Microsoft, for its part, says UEFI is an open standard that has been around for years, and that laptops and desktop PCs have been using UEFI boot code with no problems. In essence, Microsoft is asking, why raise this issue now?

For background, UEFI is the “unified extensible firmware interface” standard that was formed by the mellifluously named UEFI Forum. It’s meant to be a next-generation replacement for the pseudo-standard BIOS found in PCs since the Mesozoic Era. There are 11 major companies behind UEFI, including the usual assortment of PC makers such as Dell, Lenovo, HP, Intel, AMD, Phoenix, American Megatrends – and Apple. That last member should give conspiracy theorists pause.

Although UEFI has its roots in Windows/x86/PC boot loaders, it’s specifically designed to be CPU independent and OS neutral. For example, there are ARM-based UEFI boot loaders.

UEFI also has a “secure boot” feature, which is where our lawsuit enters the picture. To thwart hacking, UEFI can optionally be configured to load only operating systems that have the appropriate digital signature. That doesn’t mean you can never change the OS or update drivers; it just means you have to digitally sign them first.

While security is a laudable goal, it runs counter to the Linux mindset of openness. If you’re tweaking your Linux configuration every few days (or hours), you can’t be bothered to apply for a new signature with each build. But without an approved signature, the UEFI boot ROM in your machine won’t boot your code. What’s a Linux user to do?

The more militant Linux users in the crowd proclaimed that UEFI was “Microsoft’s Secret Plan to Take Over the World.” The vast majority of PC users are completely unaware of it. The few people who fall in between those extremes see UEFI as useful technology with some unintended side effects.

The Spanish user group that filed the lawsuit alleges – with some justification – that the security features reflect an agreement between hardware makers and Microsoft, not the hardware maker and the customer, and that this violates various European Union treaties regarding competition.  

As the disinterested third party in this dispute, the European Commission says, “… on the basis of the information currently available to the Commission it appears that the OEMs can decide to give the end users the option to disable the UEFI secure boot.” In other words, we don’t see a problem. Regardless of its first-blush analysis, however, the European Commission is required to investigate the complaint further.

Having never loaded an OS image onto a UEFI-equipped machine, I can’t say with any certainty that it’s easy to disable the ROM’s security. But that’s the prevailing wisdom. If you don’t want the secure boot feature, don’t use it. Your boot ROM will then happily boot whatever you tell it to, which is what boot ROMs have been doing since time immemorial. And which hackers have exploited for almost as long. If booting only approved code is important to you, then you probably don’t want to be repaving your hard drive every few days anyway.

I’m sure there are clever ways around this conundrum, but I can’t think of any offhand. The typical Linux user will want to load exactly one Linux image, just as most Windows users don’t reinstall their operating system very often. But updates present a problem. Windows updates (which Windows 8 pushes automatically, whether you want them or not) come with a pre-approved digital signature. Linux updates may not do that, especially if you’re hand-tuning your own Linux. In those cases, we’re back to disabling UEFI’s secure-boot feature, and you’ve lost an important anti-hacking device. C’est la vie.

While I can sympathize with the Linux group’s dilemma, I don’t find their argument compelling. UEFI is not Microsoft’s technology (or at least, not entirely Microsoft’s), and it does seem to be serving a useful purpose. Although UEFI can refuse to load unrecognized code, it does so only if the user/programmer asks it to. Given that UEFI’s secure-boot feature is easily disabled, I don’t see a problem.

It’s easy to jump to the defense of a group of Spanish volunteers working on Linux, and just as easy to declare Microsoft Corporation the Great Satan. But neither reaction does our industry any good, nor does it do credit to one’s individual character. I’m willing to give Microsoft a pass on this one and wait until the parties deliver more information before making up my own mind.

Channels

Embedded.

 
    submit to reddit  

Comments:


Dick Selwood

Total Posts: 107
Joined: Dec 2009

Posted on April 04, 2013 at 4:18 AM

I am afraid that the sort of open mind that m'learned friend is displaying is not common amongst PC users, or programmers in general. As early as the 1960s it was said "If this were the middle ages, programmers would be burning other programmers at the stake for heresy." And things have got worse.

Perhaps there is an opportunity for a re-write of the "Life of Brian" sketch - "What have the Romans done for us", only with Microsoft replacing the Romans.

reinz

Total Posts: 1
Joined: Nov 2012

Posted on April 04, 2013 at 8:27 AM

The logic seems flawed, if I buy a UEFI secure boot protected hardware I would want to install OSen that _I_ approve of.

What I miss in the article an explanation of why it is OK that Microsoft can sign OSen that will pass UEFI security but I (having bought and paid the UEFI rom) cannot...

walkerjian

Total Posts: 5
Joined: Oct 2010

Posted on April 07, 2013 at 6:12 PM

why not talk about the real issue... where national security and the war on terror have become synonymous with corporations making money at all costs...

the fact is that i literally cannot get a secure os - i either have to toe the party line with all its bloaty backdoors and plausible deniability, or i have to disable a key security feature - and leave myself open to rootkits... and the rest

if i go cloud then i can revel in the fact that any unique ip will be directly handed over to the 'right sorta people', with templated and scripted provenance ready for the patent trolls...

i have tested this, in a sucker punchy way...

ironic that those mouthiest about 'freedom' are the ones doing their level best to destroy it... and for no more lofty motivation than greed.

Jim Turley

Total Posts: 79
Joined: Dec 2009

Posted on April 09, 2013 at 1:07 PM

> What I miss in the article an explanation of why it is OK that Microsoft can sign OSen that will pass UEFI security...

My understanding is that anyone can create an OS, sign it, and UEFI will boot it.

Microsoft already does this, obviously. But there's nothing to prevent any other OS vendor from doing it, too. In fact, they should do it. But the nature of Linux is such that there's nobody around to do that signing. Who's going to guarantee that an open-source operating system hasn't been tampered with?

Jim Turley

Total Posts: 79
Joined: Dec 2009

Posted on April 09, 2013 at 1:09 PM

> ...where national security and the war on terror have become synonymous with corporations making money at all costs...

You've completely lost me. Perhaps you're thinking of another article, or another site. Or your tinfoil hat has come loose?

NicholasLee

Total Posts: 8
Joined: Dec 2010

Posted on April 09, 2013 at 3:56 PM

Dear Jim,
Good article, but if you had done a little more research you would have spotted the actual basis for the complaint.

Quote: "OEMs can decide to give the end users the option to disable the UEFI secure boot"

Note the use of the word 'CAN' rather than 'MUST', as it is very significant.

However, if an OEM is getting lots of money from Microsoft in an OEM OS-pre-loading deal then they will be highly inclined to decide NOT to give end-user access to disabling the secure-boot.

i.e. Microsoft can then say it is "not our fault", whilst simultaneously locking the platform to Windows.
It's quite a clever business strategy once you spot what they have done.

Because Microsoft specify the secure boot system, but only use indirect financial pressures to get the OEMs to lock it for them, they hope to circumvent the anti-competition laws.

Anyway Jim, thanks for the heads-up as I will now be sure to carefully check the specification of the next PC kit I buy to make sure it is not secretly locked to a single OS vendor.

Regards,
Nicholas Lee

ReAl

Total Posts: 4
Joined: Oct 2011

Posted on April 09, 2013 at 11:40 PM

Jim,
> My understanding is that anyone can create an OS,
> sign it, and UEFI will boot it.

But how?

"Anyone" MUST sign an self-made OS _before_ he install it on his PC.
But "anyone" can't sign not-ready-yet OS.
So, "anyone" even can't do compile-install-test cycle for new OS.

Except (agree with NicholasLee) "OEM MUST give the ned users the option to disable the UEFI secure boot"

Otherwise, Microsoft CAN decide that Win*** will refuse installation on PC with disablable secure boot — sure, worrying about the safety of user, not for own commercial interests...

Deus

Total Posts: 1
Joined: Apr 2013

Posted on April 10, 2013 at 2:43 AM

Or try to boot from your self created CD/DVD/USB tools drive to fix a broken or infected system.

Allready had one in not allowing to boot anything else.
Even after changing necessary bios/windows settings.
Wouldn't even boot without or from another HDD.

So, I should create a "SIGNED" CD/DVD/USB boot tool or offline virus scanner?

Ok, and how do I sign it?
And next week I want to update it with some newer versions of software.
Do I have to sign it again then?

Wait, some are still dos based.
Can I boot these to on an UEFI system?

walkerjian

Total Posts: 5
Joined: Oct 2010

Posted on April 12, 2013 at 6:44 PM

To Jim Turley

> ...where national security and the war on terror have become synonymous with corporations making money at all costs...

You've completely lost me. Perhaps you're thinking of another article, or another site. Or your tinfoil hat has come loose?


I tend to bind my tinfoil hat quite tight these days - and shame on you, because in EE journal you should know why. I have been known to wrap a mobile or a credit card in same. To act as a Faraday Cage y'know. Of course this is silly isn't it. NFR chips don't get hacked. And mobile phones either... And that emotive eeg headset on my desk is just a toy...
You should do an article on why tinfoil hats have never been more necessary...

Amazing how the 'fight against malware' means MS takes planned obsolescence and 'creative destruction' to commanding new heights. Plainly stated - MS - and apple and others directly benefit from malware not the least from coercing people to 'upgrade'. UEFI boot will lock out rootkits (betcha it doesn't really) and also lock out the unholy unsigned spawns of shaitan - the FOSS anti-capitalist devils...

Funny that.

Amazing how the 'fight against terror' has created the greatest machine for tyranny the world has ever seen. And just think - all that juicy original IP that gets sieved out from all around the world by the surveillance corporations is just discarded isn't it? No new patents for the corps from that 'eh - that just wouldn't be ... nice ... would it?

Meh... I think you knew exactly what I meant...

mewilson777

Total Posts: 1
Joined: May 2014

Posted on May 08, 2014 at 11:56 AM

This is not OS specific issue. Any OS can be signed and booted to in a secure environment, but may not be convenient.

My concern is in the future will it be required to boot to a secure OS? Will it become onerous to meet the requirements to be able to sign a boot loader?
You must be logged in to leave a reply. Login »
  • Feature Articles RSS
  • Comment on this article
  • Print this article

Login Required

In order to view this resource, you must log in to our site. Please sign in now.

If you don't already have an acount with us, registering is free and quick. Register now.

Sign In    Register