A colleague and I attended the Spring 2014 UEFI Plugfest in Seattle earlier this month. It was well worth attending as we had the opportunity to test and have one on one conversations with: Microsoft, Intel, the PC OEMs including HP, Lenovo, Dell, and of course the BIOS companies AMI, Insyde, and Phoenix. It was my second year in a row attending, and the third for my colleague, so we are now getting to see how things develop and change over time.
Before I describe what we learned let me recap exactly what UEFI is. According to Wikipedia UEFI is:
a specification that defines a software interface between an operating system and platform firmware. UEFI is meant to replace the Basic Input/Output System (BIOS) firmware interface, present in all IBM PC-compatible personal computers. In practice, most UEFI images provide legacy support for BIOS services.
The UEFI specification defines a new model for the interface between personal-computer operating systems and platform firmware. The interface consists of data tables that contain platform-related information, plus boot and runtime service calls that are available to the operating system and its loader. Together, these provide a standard environment for booting an operating system and running pre-boot applications.
This “standard environment” for pre-boot applications is the promise of UEFI that intrigues me.
UEFI is important to Full Disk Encryption (FDE) because a Pre-boot Authentication application (PBA) should run before the OS is booted in order to unlock the drive. Historically, at the time your computer powers on, Windows 7 BIOS code, which is built right into the device, reads the OS off the disk, loads it into memory and then runs it. Since WinMagic’s FDE software encrypts the OS, we have a Linux based PBA called Boot logon that runs before Windows 7 is loaded. Therefore, we can decrypt it as it is loaded into memory. We developed a native UEFI PBA for Windows 8.x, since Windows 8 computers started shipping in native UEFI boot mode.
In continuing with the Plugfest, here are a few impressions and things we picked up:
- Legacy support for BIOS services is not going away anytime soon because Windows 7 is going to be around for a long while yet
- Security is a major consideration for UEFI. Phoenix did a presentation on “UEFI Firmware Security Best Practices” http://www.uefi.org/sites/default/files/resources/2014_UEFI_Plugfest_06_Phoenix.pdf
To me the key observation is that “Firmware is software, and is therefore vulnerable to the same threats that typically target software”.
- Secure Boot is a lead security feature of UEFI. (With Secure Boot enabled only trusted / signed applications can run in the UEFI environment.)
- Almost all new UEFI implementations will leverage the EFI Developer Kit II (EDK2). This seems like a good thing to me because once a new feature or bug fix makes its way into EDK2 then all implementations will benefit.
- NIST, the US National Institute Of Standards And Technology has a draft out on BIOS Integrity Measurement Guidelines. Also a good thing.
Last year my colleague brought along a UEFI test application he wrote that we ran against the UEFI implementations of the PC OEMs and BIOS companies. The tests focused on BootOrder and DriverOrder and not all implementations passed our tests. This year we reran those tests and detected some good progress from last year. Our tests were also expanded and more sophisticated this year. We ran 8 separate tests on about 10 systems of the various OEMs and BIOS companies. Only one test passed on all systems and another test passed on only one system, but most tests passed on most systems. From this I conclude that the UEFI implementations are maturing, but there are still several years ahead of us to ironout the wrinkles of this new unified approach before the full promise of UEFI is met.