" UEFI and BIOS are low-level software that starts when you boot your PC before booting your operating system, but UEFI is a more modern solution, supporting larger hard drives, faster boot times, more security features, and—conveniently—graphics and mouse cursors.
The UEFI/BIOS loads when your computer starts up, and the BIOS is responsible for waking up your computer’s hardware components, ensures they’re functioning properly, and then runs the bootloader that boots Windows or whatever other operating system you have installed.
You can configure various settings in the BIOS setup screen. Settings like your computer’s hardware configuration, system time, and boot order are located here.
The BIOS goes through a POST, or Power-On Self Test, before booting your operating system. It checks to ensure your hardware configuration is valid and working properly."
Thanks for this. I had a generally good idea about this, but despite seeing the word for many years, never actually knew what POST stood for before this comment. I'm not even sure I knew that it was an acronym...
UEFI needs ~complete access to the machine so it can initialize hardware devices and pass control to the OS (which also has ~complete control of the hardware). How do you think sandboxing it would work, practically?
We've past this point with Intel ME, AMD's counterpart, and UEFI being an embedded OS which can run arbitrary binaries with free pass to everything on the system, almost ~10 years ago.
The processors and the platform is so complex now, even with a secure UEFI, there are many points into the system both with add-on cards and your Ethernet port and bowels of the platform which has many controllers with Ring -1 (and deeper) access, where Ring 0 is the OS kernel level access.
Yeah I really don't understand why this crap needs to be so capable.
You can already do all sorts of tricks with net booting, any HTTP stack needs can be deferred to run in the OS.
I worked extensively with UEFI in a past job and every implementation I could find had large bugs of some kind. It is fine at booting the system but managing it is a nightmare, and it seems like UEFI prompt is designed to be as obtuse as possible. And I didn't even know it could do HTTP calls!
Has anyone implemented audio output on a modern x64 machine under UEFI, e.g. using the typical Realtek on-board audio? If so, I'd like to get a GUI with a screen reader working under UEFI sometime, both for the challenge of getting into bare-metal programming, and because as far as I know, nobody has made a PC boot process and firmware setup UI (what we used to call BIOS setup) accessible to blind people.
It would be very interesting project, because UEFI also puts emphasis on unified UI stack - yes, you can do stupid bling setup interface still, but there's somewhat unified UI toolkit available + standardised ways to create configuration options for devices.
This way, a screenreader could hook into the UI toolkit and provide a good interface.
Now imagine a whole working set of software, and some encrypted storage, running in UEFI, while the "real OS" with some games and office apps is only loaded to plausibly deny the real use.
A few thoughts: yes, UEFI is a large attack surface. Secure Boot mitigates a lot of that - if it's turned on, the vast majority of UEFI functionality is only accessible to signed binaries. If you're running untrustworthy code in your boot environment then it's already in a position to just overwrite the firmware, there's no memory protection here. But UEFI doesn't entirely go away after the OS boots, there's some number of runtime services left that the OS depends on. http://blog.frizk.net/2017/01/attacking-uefi-and-linux.html is a demonstration that if you're able to modify those then you can compromise the OS. There's also, of course, all the code in SMM which can just do whatever and may have been audited but possibly hasn't been.
But honestly overall BIOS was a bigger concern than UEFI. It's easy to forget, but a lot of the BIOS hooks are still available at runtime - https://github.com/mqudsi/lrmi is an interface that lets you call them from Linux. It's reasonable to worry about the attack surface exposed by UEFI runtime services, but BIOS software interrupts are frankly even weirder. The reason we largely didn't worry about them is that you normally have to be root to call them, which is also the case for UEFI runtime services and most SMM interfaces. And SMM definitely predates UEFI, so getting away from UEFI complexity wouldn't save us there.
And there's been plenty of meaningful security work done in the UEFI space lately. There's support for proper IOMMU setup so that you can boot off Thunderbolt without any Thunderbolt device just being able to DMA all over your firmware. The NX bit is supported. There's support for stack canaries. There are best practices for SMM behaviour. https://uefi.org/sites/default/files/resources/UEFI%20Firmwa... covers a bunch of this.
If we were designing firmware for maximum security then I don't think anyone would argue we'd come up with UEFI. That doesn't mean that we should be nostalgic about BIOS, which was a smaller attack surface but provided no meaningful security.
UEFI made it quite simpler by making it so that network cards only have to bring a driver in OPROM instead of whole stack as before, and this allowed important improvements into boot process (like HTTPS instead of TFTP)
> TIL: It's possible for UEFI code to access the internet.
Quite surprising to see lots of tech-oriented users here finally discovering UEFI having access to the internet after years of even the basics like "Internet Recovery" being used on Apple Macs or even sysadmins using netbooting on diskless systems.
There is always a IP/Net stack section in the UEFI menu on nearly every modern PC which gives you this hint, but it isn't useful for the 95% of users, except for sysadmins, recovery, security and even malware writers.
> What could possibly go wrong?
Indeed. A lot can go wrong. I bet someone will do a Wordle clone in UEFI next.
Exploitable via network, no user interaction and no special privileges required. Scores 9.8 on a scale of 10 for severity from NIST. That's what happens when this stuff is done in such a highly privileged environment - simple bugs become security nightmares.
Secure boot and signed firmware won't save you, and in fact it could make things worse since it means even well-informed and capable users won't be able to fix it on their own. They're utterly helpless until their vendor fixes it and publishes an update.
If this allows me to use “latest tweets” chronological view as default instead of the brain dead “home” view I’m totally setting up a laptop with this. The official twitter clients are more atrocious each day (spaces? Home by default? 95% promoted tweets in my timeline? List suggestions I don’t care about?)
/s
Gather around children. Let me tell you a story from long long time ago.
Two one eyed giants, Intel and Microsoft got together and decided that they should be in control of your machine, not the other half giants, like AMI, Award,Phoenix, DTK, and even a full giant but nobody cared about her, IBM.
So they convinced everyone there was no space on the BIOS any more, and they had to shift much of the code outside onto a boot device, usually an HDD. 'Think about all the speed and ability to update quickly' they said to the peasants, and the local magistrates in the form of media gobbled it up, and continue to spread this news. There were some peasants that freaked out, pointed out the problem, but quickly were shouted down and jeered at by the crowd. 'We want faster! Stop spreading misinformation.'
And, the two giant indeed forced the development of EFI then UEFI. There is nothing Unified about it. But, guess what? That was not good enough either, because some peasants figured it out how to manipulate the UEFI, and the two giant didn't like that. So they went back to the half giants and discussed what to do.
And, lo they came up with an brand new idea! What if we put all this information into a chip, and make it hard to read! We will call it, BIOS! For good measure, for peasants that want more power, we will even throw in another one, and we will call it Baseboard Management Controller, but we will let you call that all kinds of different names! To make it even more entertaining, in larger cities where peasants are promoted to the rank of "enterprise", some host board adapters will also run OSes themselves for the fun of it.
And this is how we got to today. When your computer runs, the BIOS with a full OS can be running, next to it, the BMC with a full OS could be running, on top of the BIOS you can have UEFI running, the HBA OSes running, and finally your very safe and secure OS running.
/story
I have taken artistic liberty (like UEFI most often runs on the same CPU,while BMC & HBA run on their own, and such), but the gist is true.
An enterprise class host can be running many fully functional OSes, potentially with full network stack. This is why "zero trust" network implementation is so important.
Ya'll ain't seen nothing yet. For a time the leading UEFI vendor, Phoenix Technologies, had a web browser in their UEFI BIOS. Some photos from WinHEC 2005 can be seen here: https://www.anandtech.com/show/1670/8
tl;dr version: UEFI can download software from the internet, copy it to the Windows partition, edit the registry, and even add desktop icons and IE bookmarks. Phoenix sought to productize this.
If you've ever seen a Windows PC where you just couldn't get rid of certain pieces of software or icons, it may have been eBetween at work. This is effectively the same thing as the persistent malware attacks described in numerous security blogs. Phoenix has since rebranded their UEFI codebase to (irony alert!) SecureCore.
It's not really a good option, however SMM mode could be (you'd need to figure how to do network calls, though). The only thing changed by UEFI in this case is unified interface to register SMM components (You can have UEFI system with no SMM).
Why would you want qemu running in UEFI, rather than have qemu booted from UEFI? (more specifically run qemu on xen booted from UEFI, I think is what you'd want).
[+] [-] ctxc|4 years ago|reply
" UEFI and BIOS are low-level software that starts when you boot your PC before booting your operating system, but UEFI is a more modern solution, supporting larger hard drives, faster boot times, more security features, and—conveniently—graphics and mouse cursors.
The UEFI/BIOS loads when your computer starts up, and the BIOS is responsible for waking up your computer’s hardware components, ensures they’re functioning properly, and then runs the bootloader that boots Windows or whatever other operating system you have installed.
You can configure various settings in the BIOS setup screen. Settings like your computer’s hardware configuration, system time, and boot order are located here.
The BIOS goes through a POST, or Power-On Self Test, before booting your operating system. It checks to ensure your hardware configuration is valid and working properly."
Source: https://www.howtogeek.com/56958/htg-explains-how-uefi-will-r...
[+] [-] silisili|4 years ago|reply
[+] [-] diego_sandoval|4 years ago|reply
[+] [-] shrimp_emoji|4 years ago|reply
[deleted]
[+] [-] jotm|4 years ago|reply
Having been the go to guy for fixing anything remotely computer related, I got sick of it and I just wish everyone could fix their own stuff :D
[+] [-] lizardactivist|4 years ago|reply
Call me crazy, but security means doing only what is necessary and no more, in particular in this early part of starting up a computer system.
[+] [-] ______-_-______|4 years ago|reply
[+] [-] khaledh|4 years ago|reply
[+] [-] bayindirh|4 years ago|reply
The processors and the platform is so complex now, even with a secure UEFI, there are many points into the system both with add-on cards and your Ethernet port and bowels of the platform which has many controllers with Ring -1 (and deeper) access, where Ring 0 is the OS kernel level access.
[+] [-] tomc1985|4 years ago|reply
You can already do all sorts of tricks with net booting, any HTTP stack needs can be deferred to run in the OS.
I worked extensively with UEFI in a past job and every implementation I could find had large bugs of some kind. It is fine at booting the system but managing it is a nightmare, and it seems like UEFI prompt is designed to be as obtuse as possible. And I didn't even know it could do HTTP calls!
[+] [-] sva_|4 years ago|reply
https://github.com/Cacodemon345/uefidoom/
[+] [-] bonzini|4 years ago|reply
A friend of mine ported QEMU in order to run x86 boot ROMs on ARM systems.
[+] [-] MaceOutWindu|4 years ago|reply
[+] [-] mwcampbell|4 years ago|reply
[+] [-] poisonborz|4 years ago|reply
[+] [-] p_l|4 years ago|reply
This way, a screenreader could hook into the UI toolkit and provide a good interface.
[+] [-] nine_k|4 years ago|reply
[+] [-] mjg59|4 years ago|reply
But honestly overall BIOS was a bigger concern than UEFI. It's easy to forget, but a lot of the BIOS hooks are still available at runtime - https://github.com/mqudsi/lrmi is an interface that lets you call them from Linux. It's reasonable to worry about the attack surface exposed by UEFI runtime services, but BIOS software interrupts are frankly even weirder. The reason we largely didn't worry about them is that you normally have to be root to call them, which is also the case for UEFI runtime services and most SMM interfaces. And SMM definitely predates UEFI, so getting away from UEFI complexity wouldn't save us there.
And there's been plenty of meaningful security work done in the UEFI space lately. There's support for proper IOMMU setup so that you can boot off Thunderbolt without any Thunderbolt device just being able to DMA all over your firmware. The NX bit is supported. There's support for stack canaries. There are best practices for SMM behaviour. https://uefi.org/sites/default/files/resources/UEFI%20Firmwa... covers a bunch of this.
If we were designing firmware for maximum security then I don't think anyone would argue we'd come up with UEFI. That doesn't mean that we should be nostalgic about BIOS, which was a smaller attack surface but provided no meaningful security.
[+] [-] secondcoming|4 years ago|reply
[+] [-] p_l|4 years ago|reply
UEFI made it quite simpler by making it so that network cards only have to bring a driver in OPROM instead of whole stack as before, and this allowed important improvements into boot process (like HTTPS instead of TFTP)
[+] [-] rvz|4 years ago|reply
Quite surprising to see lots of tech-oriented users here finally discovering UEFI having access to the internet after years of even the basics like "Internet Recovery" being used on Apple Macs or even sysadmins using netbooting on diskless systems.
There is always a IP/Net stack section in the UEFI menu on nearly every modern PC which gives you this hint, but it isn't useful for the 95% of users, except for sysadmins, recovery, security and even malware writers.
> What could possibly go wrong?
Indeed. A lot can go wrong. I bet someone will do a Wordle clone in UEFI next.
[+] [-] base20|4 years ago|reply
Exploitable via network, no user interaction and no special privileges required. Scores 9.8 on a scale of 10 for severity from NIST. That's what happens when this stuff is done in such a highly privileged environment - simple bugs become security nightmares.
For comparison, Heartbleed scored a 7.5: https://nvd.nist.gov/vuln/detail/CVE-2014-0160
Secure boot and signed firmware won't save you, and in fact it could make things worse since it means even well-informed and capable users won't be able to fix it on their own. They're utterly helpless until their vendor fixes it and publishes an update.
[+] [-] selfhoster11|4 years ago|reply
[+] [-] dheera|4 years ago|reply
[+] [-] nih0|4 years ago|reply
[+] [-] loloquwowndueo|4 years ago|reply
[+] [-] jeromegv|4 years ago|reply
[+] [-] unknown|4 years ago|reply
[deleted]
[+] [-] antifa|4 years ago|reply
[+] [-] WaitWaitWha|4 years ago|reply
Two one eyed giants, Intel and Microsoft got together and decided that they should be in control of your machine, not the other half giants, like AMI, Award,Phoenix, DTK, and even a full giant but nobody cared about her, IBM.
So they convinced everyone there was no space on the BIOS any more, and they had to shift much of the code outside onto a boot device, usually an HDD. 'Think about all the speed and ability to update quickly' they said to the peasants, and the local magistrates in the form of media gobbled it up, and continue to spread this news. There were some peasants that freaked out, pointed out the problem, but quickly were shouted down and jeered at by the crowd. 'We want faster! Stop spreading misinformation.'
And, the two giant indeed forced the development of EFI then UEFI. There is nothing Unified about it. But, guess what? That was not good enough either, because some peasants figured it out how to manipulate the UEFI, and the two giant didn't like that. So they went back to the half giants and discussed what to do.
And, lo they came up with an brand new idea! What if we put all this information into a chip, and make it hard to read! We will call it, BIOS! For good measure, for peasants that want more power, we will even throw in another one, and we will call it Baseboard Management Controller, but we will let you call that all kinds of different names! To make it even more entertaining, in larger cities where peasants are promoted to the rank of "enterprise", some host board adapters will also run OSes themselves for the fun of it.
And this is how we got to today. When your computer runs, the BIOS with a full OS can be running, next to it, the BMC with a full OS could be running, on top of the BIOS you can have UEFI running, the HBA OSes running, and finally your very safe and secure OS running.
/story
I have taken artistic liberty (like UEFI most often runs on the same CPU,while BMC & HBA run on their own, and such), but the gist is true.
An enterprise class host can be running many fully functional OSes, potentially with full network stack. This is why "zero trust" network implementation is so important.
[+] [-] Sophira|4 years ago|reply
That's the one running on the Intel Management Engine, right? Or at least Intel would like to believe that's the case.
Jokes aside, I may be missing something. The BIOS came way before UEFI did. What am I missing here?
[+] [-] _HMCB_|4 years ago|reply
[+] [-] BitLit|4 years ago|reply
[+] [-] rageandchaos|4 years ago|reply
[+] [-] pabs3|4 years ago|reply
This is potentially not the best idea in the world...
[+] [-] base20|4 years ago|reply
This was part of their "eBetween" UEFI BIOS that enabled them to show ads during boot-up (seriously) and also install software to Windows with what they called "Virtual Bundling Technology": https://indexarticles.com/business/business-wire/phoenix-tec... and https://www.cnet.com/tech/tech-industry/phoenix-jumps-on-web...
tl;dr version: UEFI can download software from the internet, copy it to the Windows partition, edit the registry, and even add desktop icons and IE bookmarks. Phoenix sought to productize this.
If you've ever seen a Windows PC where you just couldn't get rid of certain pieces of software or icons, it may have been eBetween at work. This is effectively the same thing as the persistent malware attacks described in numerous security blogs. Phoenix has since rebranded their UEFI codebase to (irony alert!) SecureCore.
[+] [-] eatonphil|4 years ago|reply
[+] [-] stjohnswarts|4 years ago|reply
Also this might be helpful: https://pete.akeo.ie/2015/01/easily-create-uefi-applications...
and if you choose edk2: https://www.tianocore.org/
[+] [-] aesh2Xa1|4 years ago|reply
There are several pages here under the UEFI tag. There are also some application guides and a few polished bootloader documents.
[+] [-] KSPAtlas|4 years ago|reply
[+] [-] hackettma|4 years ago|reply
[+] [-] p_l|4 years ago|reply
[+] [-] belkarx|4 years ago|reply
[+] [-] amelius|4 years ago|reply
[+] [-] masklinn|4 years ago|reply
[+] [-] ranger_danger|4 years ago|reply
[+] [-] stjohnswarts|4 years ago|reply