Unified Extensible Firmware Interface
The Unified Extensible Firmware Interface (short UEFI , English for Unified Extensible Firmware Interface ) is a published by Intel in 1998 interface definition for computer firmware for the Intel at the same time a reference implementation imagined. UEFI has established itself as the successor to the BIOS and as such forms the central interface between the platform firmware and the operating system .
Originally, Intel was for the 64-bit - Itanium architecture developed firmware as Extensible Firmware Interface , short EFI referred. EFI came up with the x86 architecture around the same time as the instruction set extension x64 , with which the then 32-bit x86 architecture IA-32 also became a 64-bit architecture. However, EFI was initially only implemented as 32-bit firmware. a. with Intel Macs from Apple , which from 2006 onwards used EFI version 1.10 as firmware. From EFI version 2.0 there is officially a 64-bit implementation on x86.
In order to remain compatible with existing software on x86 systems , a BIOS compatibility layer is integrated with the English Compatibility Support Module , or CSM for short, with which UEFI remains fully backwards compatible with the BIOS. Since around 2010, UEFI has been gradually replacing the BIOS, which is therefore also referred to as legacy (German: heritage / legacy). However, since 2020 the CSM, the BIOS compatibility mode, has been omitted by individual manufacturers.
Because UEFI has replaced the previous firmware - the BIOS - on the IBM PC and compatible computers , UEFI is also often referred to as UEFI BIOS and its firmware setup is (still) often referred to as BIOS setup.
Essential features of UEFI are the use of the GUID partition table , which remains partially compatible with the master boot record used by the BIOS , frame buffer- based graphics support, network functionality and, since UEFI version 2.3.1, Secure Boot , a function that enables booting on previously signed bootloader limited and so malware or other unwanted programs to prevent it from starting.
In contrast to the old BIOS system, UEFI contains interfaces and data tables with platform information as well as boot and runtime services that are available to the operating system loader and, consequently, the operating system. The UEFI firmware offers various technical advantages over the BIOS system:
- UEFI is independent of the type of CPU and different types of systems, including ARM architecture and x64 , can be booted with it.
- Large hard drives over 2 TB with a GUID partition table (GPT) introduced as part of UEFI can be used.
- All data and programs for UEFI are kept in the form of conventional files in their own partition, which must be in the VFAT format . In contrast to the BIOS, no data, such as that of the operating system loader, is kept in certain fixed and unchangeable memory areas such as the Master Boot Record (MBR).
- Network capable. In contrast to the older BIOS standard Preboot Execution Environment (PXE), which requires the appropriate drivers in the BIOS of the network card, UEFI is network-compatible and, based on the procedure as with PXE, allows booting directly via the network.
- Generally modular, expandable design in the structures. For example, it is possible to call up a UEFI shell similar to the Unix shell during the boot process.
- The permanent storage of certain data, for example the boot sequence of different media, takes place in NVRAM according to procedures that are specified in the UEFI standard.
The original PC BIOS appeared in 1981 with the first IBM PC . For some time now, despite many later extensions, it has no longer met the requirements of modern hardware and operating systems. In particular, it is not suitable for 64-bit, and hardware manufacturers (such as Intel or AMD) no longer seem to be able to carry out other temporary measures to compensate for this flaw.
The decisive factor behind the new development EFI was an initiative by Intel to find a replacement for the BIOS for use on the Itanium architecture ( Intel Architecture 64-Bit , IA-64 for short). In the 1998 founded Intel Boot Initiative (IBI) program , the idea was specified.
The actual successor to the BIOS is the Firmware Foundation Code , which is released under the conditions of the CPL ( Common Public License ) and implements the Extensible Firmware Interface.
Unified EFI (UEFI)
The Unified EFI Forum was founded in 2005 to promote and develop EFI . In addition to Intel, AMD , Microsoft, Hewlett-Packard and many other PC and BIOS manufacturers are also involved, so that the interface now known as Unified EFI (UEFI) is no longer determined by Intel alone. EFI version 2.0 was released in January 2006.
With the introduction of Windows 8 in 2012, the UEFI version 2.3.1 was increasingly introduced with a secure boot mechanism that restricts booting to previously signed bootloaders . This increases the security at system start, since it is made impossible for manufacturers of malware without suitable signatures to intervene in this process. This enables the secure start of an uninterrupted "chain of trust" from the hardware firmware to the user application. However, it does not prevent every link in the chain from loading “untrustworthy” software. For example, there is a boot loader signed by Microsoft called Shim , which can reload an uncertified GRUB and any other binaries via this.
Shim became necessary because many mainboard manufacturers only supply signatures for Microsoft products in their UEFI implementations and the installation of user-specific signatures on their hardware, e.g. B. for the installation of a Linux kernel, or at least not only possible with the UEFI on-board resources. Practically all current Linux distributions use Shim to start computers with the Secure Boot activated.
As researchers at Miter Corporation announced in mid-2014, the Intel reference implementation of UEFI also has a security vulnerability that allows malware to be infiltrated over and over again . A faulty update function is used for this, which leads to integer overflows and makes malicious code executable. Many use the Intel Reference Implementation code as the basis for their UEFI.
In 2016, a vulnerability in the Microsoft bootloader was also discovered that allowed the protection to be bypassed.
UEFI Security Response Team (USRT)
In 2017, the UEFI Security Response Team (USRT) was founded to act as an interface and contact person between IT security people, such as good hackers (so-called "white hats"), and companies using UEFI-based hardware produce. The aim is to facilitate and shorten the path that someone has to take to inform the industry about a security hole that they have found in UEFI, so that ultimately the industry can also react more quickly with security patches.
The UEFI API has been available in the Universal Boot Loader ( Das U-Boot ) since 2017. On the ARMv8 architecture, Linux distributions use the U-Boot UEFI implementation together with GNU GRUB for booting (e.g. SUSE Linux ). OpenBSD also uses the UEFI API to start from U-Boot.
The platform- and processor-independent Forth -based industry standard Open Firmware (IEEE-1275) was specified for PowerPC and SPARC computers in 1994 for Unix workstations and servers . Significant technical advantages of Intel's in-house development EFI compared to Open Firmware, apart from the significantly increased execution speed (comparison between Mac with Open Firmware and Mac with EFI of the same year), are not known.
Another alternative is the coreboot firmware (formerly LinuxBIOS ) , which is under the GPL license . Coreboot is a minimal system that only initializes the hardware to such an extent that another program (a so-called payload ) can be called, such as a Linux kernel, a bootloader such as GRUB , Open Firmware or various others.
Techniques and possibilities
The EFI interface is intended to eliminate the disadvantages of the BIOS, which has been widespread since the 1980s, and to open up new possibilities. According to EFI specifications, these include:
- Easy expandability (e.g. for digital rights management )
- Embedded network module (for remote maintenance)
- Preboot Execution Environment (universal network boot system)
- Support for high-resolution graphics cards at the start of the computer
- optionally a BIOS emulation through the "Compatibility Support Module" (CSM) to ensure compatibility with existing operating systems that do not support UEFI and require a BIOS
- a shell via which, for example, EFI applications (* .efi) can be called
- Drivers can be integrated into the EFI as a module so that they no longer have to be loaded by the operating system. As with Open Firmware , system-independent drivers are possible.
- The system can operate in a sandbox mode, with network and storage management running on the firmware instead of the operating system.
- The EFI offers a selection option for the operating systems installed on the system and starts them; This means that boot loaders (upstream of the operating systems) are superfluous.
- With the GUID Partition Table (GPT) it introduces a more flexible successor for partition tables based on the master boot record . The GPT is necessary to be able to boot from a hard disk > 2 TB or to create and manage partitions > 2 TB.
The establishment of the Extensible Firmware Interface as a replacement for the BIOS initially failed in the PC sector due to resistance from computer and BIOS manufacturers. Only Apple used EFI exclusively from the entry into the x86 market with Intel-based Macs .
In February 2008 the first "normal" x86 mainboard (P35 Neo3 from MSI ), which is based on the P35 chipset from Intel, should appear with EFI. However, it never appeared. However, MSI planned the market launch of EFI for P45 boards in July 2008. Contrary to what this news suggested, MSI did not plan the release of a mainboard with an EFI installation from the factory, but has an EFI as public for the mainboards mentioned there Beta, i.e. test version released. In 2009, various manufacturers committed to (U) EFI (including Insyde , Intel and Phoenix ). The reasons for this are the x86_64 compatibility and the reduced loading time of the respective system. At the end of 2010, manufacturer Asus delivered the first motherboards for Socket 1155 with EFI.
EFI is mainly funded by Intel and - with some restrictions - also by Microsoft . Intel's Itanium systems ran exclusively with EFI from the start, and Apple started using EFI with Intel chips in 2006 . Windows versions for IA ‑ 64 servers with EFI have been around since Windows 2000 . Windows Vista (x64) has supported UEFI 2.0 since SP1, as does Windows Server 2008 (same development basis as Vista with SP1), but not the older EFI standard 1.3, which has been used in Intel Macs so far.
With most operating systems, a 64-bit kernel can only use 64-bit drivers, including (U) EFI drivers, and a 32-bit kernel can only use drivers that are also 32-bit. This often means that only a 32-bit operating system can be started from 32-bit (U) EFI firmware and only a 64-bit operating system can be started from 64-bit (U) EFI firmware ( e.g. with Microsoft Windows and most Linux distributions). Nevertheless, a 32/64 bit (U) EFI does not in principle prevent the start of a 64/32 bit operating system; For example, the bootloader of the popular Linux distribution Fedora can start a 64-bit Linux on a system with only 32-bit UEFI.
The Itanium architecture from Intel and HP, also known by the abbreviation IA-64 (" Intel Architecture 64-Bit"), was the first computer architecture on which EFI was used as firmware. Operating systems that run on Itanium computers therefore support at least the part that is used to load the operating system itself. This includes the IA-64 versions of FreeBSD , HP-UX , Linux , NetBSD , OpenVMS and Windows ( Windows 2000 to Server 2008 R2 ).
The x86 processor was retronymously referred to by Intel with IA-32, which stands for " Intel Architecture 32-Bit". However, this was the processor architecture to the x64 - instruction set in 2003 also for 64-bit architecture.
For end users, Windows (U) supports EFI primarily in the 64-bit versions from Windows Vista with integrated Service Pack 1 or Windows Server 2008; some Windows 32-bit versions also support UEFI 32-bit.
All Windows versions prior to Vista for the x86 architecture only work on (U) EFI mainboards if a BIOS Compatibility Layer (CSM) is present. This is z. B. provided by Macintosh computers with Intel processors, but is also part of most current UEFI on PC mainboards.
EFI is also supported by Linux . As of version 2.6.25, the stable branch of the Linux kernel also offers support for EFI for the x86 architecture.
HP has been developing the elilo boot loader since the first Itanium systems appeared . This was initially only designed for IA-64 (Itanium), but was then ported to IA-32 (x86) and x86-64 (x64). GRUB 2 also supports EFI PCs.
Fedora supports EFI as of version 17 in the installation and sets up the system accordingly in order to be able to work with EFI. Debian supports EFI from version 7.0 Wheezy with its own boot loader. The Fedora boot loader can still install and start a 64-bit Linux on a 64-bit capable system with only 32-bit UEFI, which most other Linux distributions cannot do.
macOS (Mac OS X)
The Apple Macintosh computers with macOS (originally called “Mac OS X” and from 2012 to 2016 “OS X”), which were presented in January 2006 and all subsequent ones , based on Intel processors, use EFI as firmware. This makes them - together with some media center PCs such as the Gateway 610 from 2003 - the first EFI-based mass market computers. The exclusive use of the EFI without the optional BIOS compatibility layer CSM initially prevented Windows XP from booting on Intel-based Macintosh computers. Soon, however, a BIOS emulation was implemented by the xom project , which enabled Windows to be started.
After a few months, Apple upgraded the “BIOS Layer” (CSM) with a firmware update and until mid-October 2007 offered a free solution called “ Boot Camp ”, which made it possible to have Mac OS X and Windows XP on two partitions of the same To install the computer and to switch back and forth between the operating system by restarting ( booting ) (“dual boot solution”). Since the release of Mac OS X Leopard (10.5, 2007), Boot Camp has been preinstalled on all Intel Macs by default. The beta version of Boot Camp, which also ran on Mac OS X Tiger (10.4, 2005), can no longer be officially run.
With EFi-X , upgradable firmware for PCs was released in summer 2008, with which the installation of OS X from an unmodified, commercially available original DVD on selected hardware from other manufacturers is made possible, which is mainly made up of a combination of gigabyte motherboards with certain Nvidia - and ATI graphics cards. The EFi-X firmware is housed on a USB dongle, which is plugged into an internal USB slot on the motherboard. When the system is started, an EFI emulation and a "multiboot manager" are loaded, which can be used to start OS X as well as Windows XP, Vista or Linux.
There is also Ozmosis firmware, which is a platform driver for macOS. A dual BIOS like on Gigabyte mainboards is recommended, since there the risk of " bricking " is minimized. macOS can be started directly from such a PC.
EFI has been criticized for adding more complexity to the system without offering significant advantages and for making complete replacement with an open source BIOS such as OpenBIOS and coreboot impossible. It does not solve one of the longstanding problems with the BIOS - namely, that most hardware requires two different drivers. It is not clear why it would be useful to have two completely different operating systems running at the same time, which basically do the same tasks, or why a new operating system would have to be written from scratch.
According to a developer at coreboot, EFI is considered a potential security risk in security-critical environments - such as banks - because the implemented network stack would theoretically allow data to be sent to any address unnoticed by the operating system. The own network stack for TCP / IP, which runs "below" the operating system directly and independently on the motherboard, enables the system to be manipulated, infected or monitored without being able to control or restrict it from the operating system side. EFI could also be used for DRM purposes, for example to monitor the I / O data stream for digital watermarks. For these reasons, some users advocate an open source system such as coreboot (formerly LinuxBIOS ).
Faulty implementations of UEFI have caused irreparable damage to systems at several manufacturers. In June 2013, Samsung notebooks were frozen during the boot process with Linux as soon as the operating system had write access to the UEFI firmware. This blocked the mainboard inextricably . The same problem occurred with Lenovo devices in early 2014 and Asus devices in late 2015 .
- Website of the UEFI Forum (English)
- Open Firmware (IEEE-1275 Standard) Website of the Open Firmware Working Group (English)
- Article WinTotal: UEFI - the BIOS successor: Basics and assistance
- UEFI Secure Boot and alternative operating systems (ADMIN magazine)
- Christoph Pfisterer: A Brief History of Apple and EFI. December 29, 2008, accessed March 14, 2020 .
- Christof Windeck: Farewell to the PC BIOS. In: Heise online . June 3, 2011 . Retrieved March 14, 2020.
- Christof Windeck: Intel: UEFI-BIOS will lose BIOS compatibility in 2020. In: Heise online . 15th November 2017 . Retrieved March 14, 2020.
- UEFI - Unified Extensible Firmware Interface. In: Elektronik-Kompendium.de. Retrieved March 14, 2020 : “(Section: BIOS and UEFI) The terms UEFI firmware and BIOS are often used interchangeably. Although a motherboard has UEFI firmware, one still speaks of the BIOS setup if one wants to change settings. "
- Installation . In: 3.4 BIOS installation . GNU GRUB . Retrieved September 25, 2013.
- http://www.chip.de/news/Intel-will-BIOS-Nach freigeben_13728343.html
- BIOS Extreme Privilege Escalation ( Memento from December 22, 2014 in the Internet Archive )
- https://www.heise.de/security/meldung/Kardinal 3291946.html
- UEFI-BIOS gets a team of security experts
- What is TianoCore . Retrieved September 12, 2018.
- Marrying U-Boot UEFI and GRUB . Retrieved September 12, 2018.
- UEFI on Top of U-Boot . Retrieved September 12, 2018.
- Installing OpenBSD 6.3 on Raspberry 3 . Retrieved September 12, 2018.
- ComputerBase: MSI brings EFI to P45 boards in July
- What is UEFI BIOS ( Memento from August 15, 2009 in the Internet Archive )
- Intel Developer Forum: Notebook firmware boots less than 1 second heise.de, September 29, 2009
- Asus LGA1155 motherboard preview . bit-tech.net. November 16, 2010. Retrieved March 28, 2011.
- Windows Vista Service Pack 1 is ready heise.de, on February 4th, 2008
- Farewell to the PC BIOS - Report to the C't , June 3, 2011
- heise open: Kernel 2.6.25 now also supports the designated BIOS successor EFI on the x86 architecture
- Fedora x64 on 32-bit UEFI: C't No. 23/2018 p.144
- Liane M. Dubowy: Linux Mint 19.2 published: A lot of fine-tuning and a faster desktop. In: Heise online . August 1, 2019 . Retrieved March 12, 2020 .; Quote: “The ISO image is available for both 32 and 64-bit x86 systems. Only the latter boots with UEFI. ".
- http://developer.apple.com/documentation/MacOSX/Conceptual/universal_binary/universal_binary_diffs/chapter_3_section_10.html ( Memento from January 3, 2009 in the Internet Archive )
- http://www.efi-x.com/index.php?option=com_content&view=article&id=23&language=english efi-x.com product info
- Clover EFI bootloader
- http://kerneltrap.org/node/6884 ( Memento of October 8, 2006 in the Internet Archive )
- Interview: Ronald G Minnich
- http://blog.thesilentnumber.me/2009/01/efi-hidden-threat-to-computing-freedom.html ( Memento from January 10, 2015 in the Internet Archive )
- c't: Firmware Damage , 6/2013
- heise.de: Faulty UEFI firmware: Linux kills Thinkpads , February 5, 2014
- superuser.com: UEFI-Implementation-Issue (can lead to a hard-brick) - ASUS Zenbook UX303LA-R4342H (English), October 5, 2015