Unified Extensible Firmware Interface

history

The original PC BIOS appeared in 1981 with the first IBM PC . For some time now, despite many later extensions, it has no longer met the requirements of modern hardware and operating systems. In particular, it is not suitable for 64-bit, and hardware manufacturers (such as Intel or AMD) no longer seem to be able to carry out other temporary measures to compensate for this flaw.

The decisive factor behind the new development EFI was an initiative by Intel to find a replacement for the BIOS for use on the Itanium architecture ( Intel Architecture 64-Bit , IA-64 for short). In the 1998 founded Intel Boot Initiative (IBI) program , the idea was specified.

The actual successor to the BIOS is the Firmware Foundation Code , which is released under the conditions of the CPL ( Common Public License ) and implements the Extensible Firmware Interface.

Unified EFI (UEFI)

UEFI logo

The Unified EFI Forum was founded in 2005 to promote and develop EFI . In addition to Intel, AMD , Microsoft, Hewlett-Packard and many other PC and BIOS manufacturers are also involved, so that the interface now known as Unified EFI (UEFI) is no longer determined by Intel alone. EFI version 2.0 was released in January 2006.

Secure Boot

With the introduction of Windows 8 in 2012, the UEFI version 2.3.1 was increasingly introduced with a secure boot mechanism that restricts booting to previously signed bootloaders . This increases the security at system start, since it is made impossible for manufacturers of malware without suitable signatures to intervene in this process. This enables the secure start of an uninterrupted "chain of trust" from the hardware firmware to the user application. However, it does not prevent every link in the chain from loading “untrustworthy” software. For example, there is a boot loader signed by Microsoft called Shim , which can reload an uncertified GRUB and any other binaries via this.

Shim became necessary because many mainboard manufacturers only supply signatures for Microsoft products in their UEFI implementations and the installation of user-specific signatures on their hardware, e.g. B. for the installation of a Linux kernel, or at least not only possible with the UEFI on-board resources. Practically all current Linux distributions use Shim to start computers with the Secure Boot activated.

As researchers at Miter Corporation announced in mid-2014, the Intel reference implementation of UEFI also has a security vulnerability that allows malware to be infiltrated over and over again . A faulty update function is used for this, which leads to integer overflows and makes malicious code executable. Many use the Intel Reference Implementation code as the basis for their UEFI.

In 2016, a vulnerability in the Microsoft bootloader was also discovered that allowed the protection to be bypassed.

UEFI Security Response Team (USRT)

In 2017, the UEFI Security Response Team (USRT) was founded to act as an interface and contact person between IT security people, such as good hackers (so-called "white hats"), and companies using UEFI-based hardware produce. The aim is to facilitate and shorten the path that someone has to take to inform the industry about a security hole that they have found in UEFI, so that ultimately the industry can also react more quickly with security patches.

Implementations

Tianocore EDK2

With TianoCore EDK2, a reference implementation is available under the BSD license . This is based on a previous development by Intel .

The submarine

The UEFI API has been available in the Universal Boot Loader ( Das U-Boot ) since 2017. On the ARMv8 architecture, Linux distributions use the U-Boot UEFI implementation together with GNU GRUB for booting (e.g. SUSE Linux ). OpenBSD also uses the UEFI API to start from U-Boot.

Alternatives

Techniques and possibilities

Process of a system start with EFI

The EFI interface is intended to eliminate the disadvantages of the BIOS, which has been widespread since the 1980s, and to open up new possibilities. According to EFI specifications, these include:

Market penetration

The establishment of the Extensible Firmware Interface as a replacement for the BIOS initially failed in the PC sector due to resistance from computer and BIOS manufacturers. Only Apple used EFI exclusively from the entry into the x86 market with Intel-based Macs .

In February 2008 the first "normal" x86 mainboard (P35 Neo3 from MSI ), which is based on the P35 chipset from Intel, should appear with EFI. However, it never appeared. However, MSI planned the market launch of EFI for P45 boards in July 2008. Contrary to what this news suggested, MSI did not plan the release of a mainboard with an EFI installation from the factory, but has an EFI as public for the mainboards mentioned there Beta, i.e. test version released. In 2009, various manufacturers committed to (U) EFI (including Insyde , Intel and Phoenix ). The reasons for this are the x86_64 compatibility and the reduced loading time of the respective system. At the end of 2010, manufacturer Asus delivered the first motherboards for Socket 1155 with EFI.

EFI is mainly funded by Intel and - with some restrictions - also by Microsoft . Intel's Itanium systems ran exclusively with EFI from the start, and Apple started using EFI with Intel chips in 2006 . Windows versions for IA ‑ 64 servers with EFI have been around since Windows 2000 . Windows Vista (x64) has supported UEFI 2.0 since SP1, as does Windows Server 2008 (same development basis as Vista with SP1), but not the older EFI standard 1.3, which has been used in Intel Macs so far.

Operating systems

With most operating systems, a 64-bit kernel can only use 64-bit drivers, including (U) EFI drivers, and a 32-bit kernel can only use drivers that are also 32-bit. This often means that only a 32-bit operating system can be started from 32-bit (U) EFI firmware and only a 64-bit operating system can be started from 64-bit (U) EFI firmware ( e.g. with Microsoft Windows and most Linux distributions). Nevertheless, a 32/64 bit (U) EFI does not in principle prevent the start of a 64/32 bit operating system; For example, the bootloader of the popular Linux distribution Fedora can start a 64-bit Linux on a system with only 32-bit UEFI.

Itanium (IA-64)

The Itanium architecture from Intel and HP, also known by the abbreviation IA-64 (" Intel Architecture 64-Bit"), was the first computer architecture on which EFI was used as firmware. Operating systems that run on Itanium computers therefore support at least the part that is used to load the operating system itself. This includes the IA-64 versions of FreeBSD , HP-UX , Linux , NetBSD , OpenVMS and Windows ( Windows 2000 to Server 2008 R2 ).

x86 (IA-32)

The x86 processor was retronymously referred to by Intel with IA-32, which stands for " Intel Architecture 32-Bit". However, this was the processor architecture to the x64 - instruction set in 2003 also for 64-bit architecture.

Windows

For end users, Windows (U) supports EFI primarily in the 64-bit versions from Windows Vista with integrated Service Pack 1 or Windows Server 2008; some Windows 32-bit versions also support UEFI 32-bit.

For the Windows 7 successor Windows 8 , EFI 2.x is recommended. Systems with system disks larger than 2 terabytes and systems with an ARM processor require EFI.

All Windows versions prior to Vista for the x86 architecture only work on (U) EFI mainboards if a BIOS Compatibility Layer (CSM) is present. This is z. B. provided by Macintosh computers with Intel processors, but is also part of most current UEFI on PC mainboards.

Linux

EFI is also supported by Linux . As of version 2.6.25, the stable branch of the Linux kernel also offers support for EFI for the x86 architecture.

HP has been developing the elilo boot loader since the first Itanium systems appeared . This was initially only designed for IA-64 (Itanium), but was then ported to IA-32 (x86) and x86-64 (x64). GRUB 2 also supports EFI PCs.

Fedora supports EFI as of version 17 in the installation and sets up the system accordingly in order to be able to work with EFI. Debian supports EFI from version 7.0 Wheezy with its own boot loader. The Fedora boot loader can still install and start a 64-bit Linux on a 64-bit capable system with only 32-bit UEFI, which most other Linux distributions cannot do.

macOS (Mac OS X)

The Apple Macintosh computers with macOS (originally called “Mac OS X” and from 2012 to 2016 “OS X”), which were presented in January 2006 and all subsequent ones , based on Intel processors, use EFI as firmware. This makes them - together with some media center PCs such as the Gateway 610 from 2003 - the first EFI-based mass market computers. The exclusive use of the EFI without the optional BIOS compatibility layer CSM initially prevented Windows XP from booting on Intel-based Macintosh computers. Soon, however, a BIOS emulation was implemented by the xom project , which enabled Windows to be started.

After a few months, Apple upgraded the “BIOS Layer” (CSM) with a firmware update and until mid-October 2007 offered a free solution called “ Boot Camp ”, which made it possible to have Mac OS X and Windows XP on two partitions of the same To install the computer and to switch back and forth between the operating system by restarting ( booting ) (“dual boot solution”). Since the release of Mac OS X Leopard (10.5, 2007), Boot Camp has been preinstalled on all Intel Macs by default. The beta version of Boot Camp, which also ran on Mac OS X Tiger (10.4, 2005), can no longer be officially run.

With EFi-X , upgradable firmware for PCs was released in summer 2008, with which the installation of OS X from an unmodified, commercially available original DVD on selected hardware from other manufacturers is made possible, which is mainly made up of a combination of gigabyte motherboards with certain Nvidia - and ATI graphics cards. The EFi-X firmware is housed on a USB dongle, which is plugged into an internal USB slot on the motherboard. When the system is started, an EFI emulation and a "multiboot manager" are loaded, which can be used to start OS X as well as Windows XP, Vista or Linux.

Meanwhile, there is also the bootloader Chameleon with which the macOS - kernel can be loaded directly, or Clover , which is a Macintosh -EFI completely software-emulated.

There is also Ozmosis firmware, which is a platform driver for macOS. A dual BIOS like on Gigabyte mainboards is recommended, since there the risk of " bricking " is minimized. macOS can be started directly from such a PC.

criticism

EFI has been criticized for adding more complexity to the system without offering significant advantages and for making complete replacement with an open source BIOS such as OpenBIOS and coreboot impossible. It does not solve one of the longstanding problems with the BIOS - namely, that most hardware requires two different drivers. It is not clear why it would be useful to have two completely different operating systems running at the same time, which basically do the same tasks, or why a new operating system would have to be written from scratch.

According to a developer at coreboot, EFI is considered a potential security risk in security-critical environments - such as banks - because the implemented network stack would theoretically allow data to be sent to any address unnoticed by the operating system. The own network stack for TCP / IP, which runs "below" the operating system directly and independently on the motherboard, enables the system to be manipulated, infected or monitored without being able to control or restrict it from the operating system side. EFI could also be used for DRM purposes, for example to monitor the I / O data stream for digital watermarks. For these reasons, some users advocate an open source system such as coreboot (formerly LinuxBIOS ).

Web links

Commons : Extensible Firmware Interface  - collection of pictures, videos and audio files

• Website of the UEFI Forum (English)

• Open Firmware (IEEE-1275 Standard) Website of the Open Firmware Working Group (English)
• Article WinTotal: UEFI - the BIOS successor: Basics and assistance
• UEFI Secure Boot and alternative operating systems (ADMIN magazine)

Individual evidence

1. ^ Christoph Pfisterer: A Brief History of Apple and EFI. December 29, 2008, accessed March 14, 2020 . 
2. ↑ Christof Windeck: Farewell to the PC BIOS. In: Heise online . June 3, 2011 . Retrieved March 14, 2020.
3. ↑ Christof Windeck: Intel: UEFI-BIOS will lose BIOS compatibility in 2020. In: Heise online . 15th November 2017 . Retrieved March 14, 2020.
4. ↑ UEFI - Unified Extensible Firmware Interface. In: Elektronik-Kompendium.de. Retrieved March 14, 2020 : “(Section: BIOS and UEFI) The terms UEFI firmware and BIOS are often used interchangeably. Although a motherboard has UEFI firmware, one still speaks of the BIOS setup if one wants to change settings. " 
5. ↑ Installation . In: 3.4 BIOS installation . GNU GRUB . Retrieved September 25, 2013.
6. ↑ http://www.chip.de/news/Intel-will-BIOS-Nach Nahrungsmittel-als-Open-Source- freigeben_13728343.html
7. ↑ BIOS Extreme Privilege Escalation ( Memento from December 22, 2014 in the Internet Archive )
8. ↑ http://winfuture.de/news,93558.html
9. ↑ https://www.heise.de/security/meldung/Kardinal Fehler-Microsoft-setzt-aus-Versehen-Secure-Boot-schachmatt- 3291946.html
10. ↑ UEFI-BIOS gets a team of security experts
11. ↑ What is TianoCore . Retrieved September 12, 2018.
12. ^ Marrying U-Boot UEFI and GRUB . Retrieved September 12, 2018.
13. ↑ UEFI on Top of U-Boot . Retrieved September 12, 2018.
14. ↑ Installing OpenBSD 6.3 on Raspberry 3 . Retrieved September 12, 2018.
15. ↑ http://www.intel.com/technology/framework/overview4.htm
16. ↑ https://www.computerbase.de/2008-01/msi-beerdigt-das-bios-mit-dem-p35-neo3/
17. ↑ ComputerBase: MSI brings EFI to P45 boards in July
18. ↑ What is UEFI BIOS ( Memento from August 15, 2009 in the Internet Archive )
19. ↑ Intel Developer Forum: Notebook firmware boots less than 1 second heise.de, September 29, 2009
20. ↑ Asus LGA1155 motherboard preview . bit-tech.net. November 16, 2010. Retrieved March 28, 2011.
21. ↑ Windows Vista Service Pack 1 is ready heise.de, on February 4th, 2008
22. ↑ http://www.microsoft.com/whdc/system/platform/firmware/UEFI_Windows.mspx
23. ↑ Farewell to the PC BIOS - Report to the C't , June 3, 2011
24. ↑ https://shop.heise.de/katalog/neuer-untätze
25. ↑ https://shop.heise.de/katalog/maskierte-ablosung
26. ↑ heise open: Kernel 2.6.25 now also supports the designated BIOS successor EFI on the x86 architecture
27. ↑ Fedora x64 on 32-bit UEFI: C't No. 23/2018 p.144
28. ↑ Liane M. Dubowy: Linux Mint 19.2 published: A lot of fine-tuning and a faster desktop. In: Heise online . August 1, 2019 . Retrieved March 12, 2020 .; Quote: “The ISO image is available for both 32 and 64-bit x86 systems. Only the latter boots with UEFI. ".
29. ↑ http://developer.apple.com/documentation/MacOSX/Conceptual/universal_binary/universal_binary_diffs/chapter_3_section_10.html ( Memento from January 3, 2009 in the Internet Archive )
30. ↑ http://www.efi-x.com/index.php?option=com_content&view=article&id=23&language=english efi-x.com product info
31. ↑ Chameleon
32. ↑ Clover EFI bootloader
33. ↑ ^{a b} http://kerneltrap.org/node/6884 ( Memento of October 8, 2006 in the Internet Archive )
34. ↑ Interview: Ronald G Minnich
35. ↑ ^{a b} https://www.youtube.com/watch?v=X72LgcMpM9k
36. ↑ https://www.youtube.com/watch?v=QsW88Efgmlk&feature=related
37. ↑ http://blog.thesilentnumber.me/2009/01/efi-hidden-threat-to-computing-freedom.html ( Memento from January 10, 2015 in the Internet Archive )
38. ↑ c't: Firmware Damage , 6/2013
39. ↑ heise.de: Faulty UEFI firmware: Linux kills Thinkpads , February 5, 2014
40. ↑ superuser.com: UEFI-Implementation-Issue (can lead to a hard-brick) - ASUS Zenbook UX303LA-R4342H (English), October 5, 2015