Give EFI a chance!


Many of us will soon upgrade our PCs to Windows 7, Microsoft's latest operating system available for 32-bit and 64-bit hardware. Although this version will deliver state-of-the-art performance in many areas, most of its installations will still be made upon one of the last true dinosaurs (no, I'm not talking about the A20 gate of contemporary PC architecture, but the Basic Input Output System, more commonly known as BIOS).

BIOS has been around for over 25 years, initialising the hardware and providing early boot I/O functionality in the form of video, disk and keyboard access as well as some other low-level functions.

Without BIOS no operating system could even start on a PC, as its startup code would never be called.

However, BIOS really does look its age: It starts out in a 16-bit memory model, divides memory into 640 KB of conventional and some gigs of extended memory, and has exasperated generations of low-level code programmers.

Writing BIOS code in a high-level language is difficult to impossible, and one has to be stingy with every byte, as memory is a scarce resource. System extensions have to restrict their code to 64 KB option ROM slots, so that they typically compress it to fit in, and expand it at boot time right before execution.

Last, but not least, hard disk partitions have a size restriction of about 2 TB.
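The 2 TB figure follows from the classic MBR partition table, which stores each partition's start and length as 32-bit counts of 512-byte sectors. The parser below is an added example, not code from the original post; the helper names and the sample sectors are constructed for illustration, and the 0xEE check identifies the protective MBR written on disks that use GPT, the partition format defined by UEFI.

```python
import struct

SECTOR = 512                    # sector size assumed by the 2 TB figure
MBR_SIG = b"\x55\xaa"           # boot signature at offset 510
TABLE_OFF, ENTRY_LEN = 446, 16  # four 16-byte partition entries
GPT_PROTECTIVE = 0xEE           # partition type of a protective MBR (GPT disk)
ENTRY_FMT = "<B3xB3xII"         # status, CHS start, type, CHS end, LBA, count

# Largest size a 32-bit sector count can describe: just under 2 TiB.
MBR_MAX_BYTES = 0xFFFFFFFF * SECTOR

def parse_mbr(sector0: bytes):
    """Return the non-empty partition entries of an MBR boot sector."""
    if len(sector0) != SECTOR or sector0[510:512] != MBR_SIG:
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        off = TABLE_OFF + i * ENTRY_LEN
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector0, off)
        if ptype == 0:          # type 0 marks an unused slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "start_lba": lba, "sectors": count,
                      "bytes": count * SECTOR})
    return parts

def fits_in_mbr(start_lba: int, sectors: int) -> bool:
    """True if both values can be stored in the 32-bit MBR fields."""
    return 0 <= start_lba <= 0xFFFFFFFF and 0 < sectors <= 0xFFFFFFFF

def uses_gpt(parts) -> bool:
    """A 0xEE entry means the real partition table is a GPT."""
    return any(p["type"] == GPT_PROTECTIVE for p in parts)

def build_sample(entries) -> bytes:
    """Build a constructed boot sector from (status, type, lba, count) tuples."""
    sec = bytearray(SECTOR)
    for i, entry in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sec, TABLE_OFF + i * ENTRY_LEN, *entry)
    sec[510:512] = MBR_SIG
    return bytes(sec)

if __name__ == "__main__":
    legacy = build_sample([(0x80, 0x07, 2048, 0xFFFFFFFF)])  # largest MBR entry
    print(parse_mbr(legacy)[0]["bytes"], "bytes is the MBR ceiling")
    print("3 TiB partition fits:", fits_in_mbr(2048, 3 * 2**40 // SECTOR))
```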

Strangely enough, a designated successor to BIOS has been around for some 10 years. The Extensible Firmware Interface (also known as EFI) lifts these restrictions, and provides a bunch of new features, too.


Hence, if developers had had to decide, we would have been using EFI PCs since the turn of the millennium. However, as with many new technologies, there is a classic chicken and egg problem here.

As long as EFI, or its current incarnation called Unified EFI (UEFI), is not yet broadly available on PC platforms, OS developers will be reluctant to adapt their code. At the same time, as long as UEFI is not supported by a majority of operating systems, hardware vendors see little motivation to boost their UEFI development.

Since Apple's move to Intel-based Macs in 2006, EFI has been getting more attention. Mac users can now see a fully graphical pre-boot phase, control the EFI boot manager with their mice and enjoy the slick integration of Windows via Boot Camp (which is basically another name for the BIOS-compatibility mode of EFI on the Intel Macs). In addition, they can boot their OS over the network without having to care whether their network adapter is PXE-compatible or not. In fact, a TCP/IP stack is a genuine part of EFI.

PC users are starting to become envious of their friends with a Mac, although the Macs are currently using only a small part of the technical capabilities of the EFI platform. For instance, EFI provides a FAT hard disk partition of its own for maintenance purposes and also for third-party pre-boot and recovery tools.

So what's the situation of UEFI on the PC side? Currently it's not much more than a couple of HP notebooks and all new Intel motherboards that support UEFI.

On the OS side, it's Windows Vista, Windows 7 and Windows Server 2008, all in 64-bit mode, which can optionally be installed on UEFI. The same is true for Linux, although rumour has it that the community is still struggling with some compatibility problems. Intel pushes UEFI at its developer forums, where it has just been shown that firmware boot times of less than one second are possible.

Recently I was able to get my hands on one of the HP notebooks with UEFI support. I could install Windows 7 without any problems. I got really excited, though, when I installed the EFI modules for Mac Full Disk Encryption (FDE) that my colleagues from the Mac group are currently developing: The EFI code ran on the PC without re-compilation. Cool!

<img src="http://sophosnews.files.wordpress.com/2009/10/efi-sophos.jpg" alt="Photo of EFI pre-boot authentication on a notebook PC" title="Photo of EFI pre-boot authentication on a notebook PC">

So you may ask why I'm bothering you with details of Sophos's little excitements about low-level programming on this data security blog?

The reason is that pre-boot code is a major component of basically every FDE solution (just think of pre-boot authentication), and that UEFI can help us a lot in the future to develop these solutions faster, with richer functionality and a high level of compatibility between Windows and Mac (and possibly Linux).

In addition, taking a look inside the crystal ball (i.e. the latest UEFI spec), I'm seeing features supported and standardised that I had never dared to dream of in a BIOS environment: true, certificate-based integrity protection of the pre-boot process, standardised driver support for hardware-based authentication tokens (smart cards, fingerprint readers etc.) and so forth. PC management functionality, which is currently only available as part of the hardware platform (e.g. Intel's Active Management Technology), may come from independent software vendors in the future.

However, it also depends on you to make these expectations come true soon! Give UEFI a chance. Try an installation of a UEFI-based OS. Ask your hardware and software vendors for UEFI support. Programmers, install the EFI Developer Kit (EDK), play with the available tools and write new ones. PC vendors, integrate (the latest version of) UEFI in all your motherboards.

I can assure you that I'm not the only person at Sophos who'd get thrilled about any improvement in the coverage of UEFI. On the Intel Mac, we will deliver our part in the foreseeable future. And in the end, it may be you who will eventually benefit.


About the author

Michael A Schmidt is the primary security contact within Sophos Data Protection Group (DPG) software development. He has been with Utimaco (the predecessor of the DPG) development for many years, filling various development- and security-related positions. Currently, he is harassing the other developers in the group with the promotion of a security-oriented software development process. Even more, Michael is forming a group of conspirators within Sophos to run a world-wide, 'Distributed Promotion of Secure Coding' attack.