EFI features

Phishfry · Mar 26, 2017

I have read about a Apple Mac EFI rootkit by a certain government agency.
I always knew in my heart that EFI was evil.

Does your computer boot faster with EFI?
What features from the EFI list above do you need and use?

SirDice · Mar 27, 2017

Phishfry said:
I have read about a Apple Mac EFI rootkit by a certain government agency.

A BIOS can be backdoored in pretty much the same way. Heck, even ACPI can be backdoored.

Contrary to popular belief, once a modern OS is booted nothing from the UEFI or BIOS is used. Both UEFI and the BIOS are only needed to initialize the hardware and boot the system. Nothing more, nothing less.

sko · Mar 27, 2017

SirDice said:
A BIOS can be backdoored in pretty much the same way.

Problem with UEFI over BIOS: It brings its own TCP/IP stack and several network services/utilities from http- and/or ftp-clients for downloading firmware to http-servers or REST-interfaces for remote configuration ("what could possibly go wrong?"). This _massively_ increases the attack surface of UEFI compared to a simple BIOS.

Phishfry said:
Does your computer boot faster with EFI?

My ASUS desktop board actually takes >10x longer to boot with UEFI because the bloated UEFI takes 30-40sec to finally hand over to the OS...

OTOH my laptop boots up quicker with EFI - it takes ~1sec until it hands over to the BSDloader vs ~5secs in legacy mode. Additionally, with EFI the display runs in native resolution right from the beginning instead of after the x-driver/modesetting has been loaded.

Big plus for EFI and the main reason I use it on all my servers if possible: it doesn't matter where you put your hard drives, it just boots. (except for really broken EFI implementations - ASRock is great at this...)

pkubaj · Mar 27, 2017

I recommend everyone to use Coreboot - it works with BSD, although it may be a hassle to install.

Fun fact: it seems OpenBSD works much better with Coreboot than FreeBSD.

asteriskRoss · Mar 27, 2017

SirDice said:
Contrary to popular belief, once a modern OS is booted nothing from the UEFI or BIOS is used. Both UEFI and the BIOS are only needed to initialize the hardware and boot the system. Nothing more, nothing less.

UEFI does provide "runtime services" that are available to the OS after it has booted (in contrast with "boot services"). This kind of service is useful for things like changing the boot order from within the OS. I believe it would therefore be possible for a UEFI BIOS to include a malicious runtime service. It is also possible for a UEFI device driver to be a "runtime driver", which remains loaded after the hand-off to OS boot loader. Such a driver could also be malicious. I'm sure tinfoil hats will help protect us all.
Reference: UEFI Specification 2.6 [PDF]

Phishfry · Mar 27, 2017

I use coreboot/FreeBSD on my APU1D and it works well. Only one option available. Pick your boot device.
Simple and easy.
So what if I have to use an OS to set the RTC.

I am concerned that there is an OS alive in my EFI bios now. It presents a command prompt and has an accompanying storage system.fs0

I deleted the big rant that I started with.

One thing I wrote which I stand by is this: "Network Boot features gone Bonkers"
I understand that the EFI network stack really came about because of network booting. Heck back in the day I flashed a rom chip on my network card to network boot so I am aware of the progression of the BIOS and BOOTP.
I also have an old AMD K6 board with a browser and media player in the BIOS+firmware.

I just have this uneasy feeling that Intel doesn't have our best interest in mind while promoting UEFI.(Like the subtle armtwisting RSA took)

I am worried we are all being penned in to something nasty and it will be too late once the discoveries come out.
What is the marketshare of coreboot/SeaBIOS. I would be surprised if over .01%.
This isn't Intel trying to kill off the floppy but something much more serious.

Who needs a database in their BIOS?

pkubaj · Mar 31, 2017

Phishfry said:
I use coreboot/FreeBSD on my APU1D and it works well. Only one option available. Pick your boot device.
Simple and easy.
So what if I have to use an OS to set the RTC.

I am concerned that there is an OS alive in my EFI bios now. It presents a command prompt and has an accompanying storage system.fs0

I deleted the big rant that I started with.

One thing I wrote which I stand by is this: "Network Boot features gone Bonkers"
I understand that the EFI network stack really came about because of network booting. Heck back in the day I flashed a rom chip on my network card to network boot so I am aware of the progression of the BIOS and BOOTP.
I also have an old AMD K6 board with a browser and media player in the BIOS+firmware.

I just have this uneasy feeling that Intel doesn't have our best interest in mind while promoting UEFI.(Like the subtle armtwisting RSA took)

I am worried we are all being penned in to something nasty and it will be too late once the discoveries come out.
What is the marketshare of coreboot/SeaBIOS. I would be surprised if over .01%.
This isn't Intel trying to kill off the floppy but something much more serious.

Who needs a database in their BIOS?

I think Coreboot alone has much bigger marketshare because of Chromebooks.

EFI features

Phishfry

SirDice

Administrator

sko

pkubaj

asteriskRoss

Phishfry

pkubaj