Cheapskate's Guide


UEFI and why I Hate it so Much

2-22-19



UEFI stands for Unified Extensible Firmware Interface. It is the standard for the firmware that plays the role the BIOS (Basic Input/Output System) most often filled before about the year 2012: interfacing your computer's operating system with its firmware. Firmware is the "software" in the chips (or microcontrollers) that control each piece of hardware in your computer.

Unlike a BIOS, a UEFI is its own mini operating system, so it has more flexibility and capabilities than a BIOS. One example is that a UEFI makes it possible to have hard drives larger than 2 TB. Another is that a UEFI prevents firmware from running until it has proven that it is the firmware that was loaded by the manufacturer and that it has not been modified after it left the factory. And there are many other examples of the superiority of UEFI over BIOS. All of this is great, but the problem is that, in my opinion, Microsoft has decided to use UEFI for evil.

Although UEFI and its predecessor, EFI, have existed since the year 2000, the debate did not begin to rage across the internet about UEFI and Microsoft's use of it until about 2010, when some began to see the writing on the wall. This was two full years before Microsoft announced in October of 2012 that Windows 8 would not run without UEFI. Some have said that UEFI is being used by Microsoft to prevent any operating system other than Windows from being run on modern PC's. Others say that the first group is just a bunch of conspiracy theorists who don't understand UEFI. I can see both points of view. However, since I have hardware that blocks my ability to load other operating systems, thanks to UEFI, I have to side with the group that sees UEFI as a good idea turned to the dark side by Microsoft.

Let me begin by telling you what Microsoft claims about its use of UEFI and follow this with the devil in the details that Microsoft probably doesn't want you to know about. When Microsoft decided to only allow Windows 8 to run on PC's with UEFI, they said this was to protect computer users from firmware malware that could take over their computers and that could not be defeated by or even detected by the antivirus programs of the day. To be fair, this is realistic. Firmware malware is a real threat, and this whole scenario is very scary to someone who needs to be secure online. It applies to anyone who does online banking, needs their email to be secure, or needs to communicate privately with anyone online for any reason. This is one of the major reasons that I warn people that there is no such thing as a secure computer, and that, in my opinion, it is just not safe to bank online. One doesn't even have to mention BadUSB, a threat that can turn the USB controllers in your computer into virus carriers. So, Microsoft was absolutely right to be concerned about firmware malware.

The problem is that Microsoft decided in its infinite wisdom to prevent any operating system that was dependent on a BIOS, and thus incompatible with a UEFI, from running on any PC anywhere. They did this with a part of UEFI known as "secure boot". Secure boot prevents a computer from booting if its drivers or operating system loader are not cryptographically signed by, guess who, Microsoft. And those cryptographic signatures, or "keys", can theoretically be revoked by Microsoft any time it wants. This means that Microsoft can absolutely control what operating system you are using on your PC. And if Microsoft finds that you have somehow been able to run an operating system that it doesn't approve of, it can fix that situation by revoking keys and/or modifying your UEFI. Clearly, there are people like me who want to be able to run other operating systems on their PC's for many very good reasons.

Soon after 2012 the complaints about Microsoft's use of UEFI began. Many people understandably didn't like Microsoft telling them that they couldn't run other operating systems on their own computers. Microsoft was forced to respond by changing the UEFI standard to make it possible for vendors to write UEFI firmware that allowed people to turn off secure boot. Vendors could choose not to do that, and many did, but Microsoft stopped forcing them to enable secure boot. Later, after the anger died down a bit, when Windows 10 came along, Microsoft went right back to requiring that secure boot be "enabled", meaning that computer users could no longer turn it off. Not only that, but in 2017 Intel announced that it would remove all BIOS support from all of its products by 2020.

I was first clued into the reality that I could be prevented from loading Linux onto a computer that I own when I bought a Winbook W700 tablet running Windows 8.1. I wanted to be able to run Linux on it for several reasons that I won't go into. But, I learned that the Winbook manufacturer had provided no way for me to turn off secure boot. That was despite all of Microsoft's assurances that there was absolutely no problem with anyone turning off secure boot on any new computer! Needless to say, I was annoyed.

Lest you think that UEFI has solved all the problems with BIOS and that everything is now great, let me explain the current situation. Almost as soon as UEFI came out, people started finding problems with it. A well-known principle in computer security is that code that is small in size is always more secure than large code. The reason is that the more code you have, the more bugs, and therefore the more potential security flaws you are likely to have in it. In the 1980's, BIOS's typically resided on a 32 or 64 kB ROM chip. That eventually grew to a megabyte or two. That is for two copies of a BIOS on a chip, the running BIOS and a backup copy. UEFI's, on the other hand, typically reside on a 64 or 128 MB chip. So, a UEFI is something like a hundred to a thousand times as large as a BIOS. What this means is that the claim that UEFI's are more secure than BIOS's is very dubious. Not only that, but people have found ways of loading and running drivers and operating system loaders that have not been cryptographically signed by Microsoft onto computers with UEFI. Although it isn't common, some Linux distribution creators make their distributions run with UEFI by adding their own signing key to their distribution. But the vast majority of creators of Linux distributions don't have the time, resources, or interest to make their distributions run with UEFI. And by the way, why should Microsoft be able to force them to pay for the privilege of running on your PC? Microsoft doesn't own your PC. Who gave Microsoft the right to decide who can run what on it?

The fact that UEFI has flaws, just like BIOS's did, is underscored by the need for UEFI updates. There are so many updates required, in fact, that Microsoft has begun referring to its UEFI updates as "firmware as a service" and has made it part of its Windows Update service. So, you most likely won't have a clue when your UEFI is updated. And if the UEFI update bricks your computer, you most likely will have no idea that it was because Microsoft updated your UEFI without telling you.

In case the significance of what I've said so far hasn't sunk in, let me say it plainly. UEFI and secure boot are just two more manifestations of the trend that I see in which we are losing the freedom to communicate securely with each other and without being surveilled over the internet. As I have already written about in another article, we had a brief window of freedom when consumer computers and the internet first appeared, but now that freedom is being taken from us. Once a company or organization has the power to determine what operating systems and what software we can run on our computers (as Microsoft does with OS's and software), they have the power to take away our freedom to communicate securely using those computers. I think it's a tragedy that we've allowed this to happen.


Copyright © 2018-2019 The Cheapskate's Guide to Computers and the Internet. All rights reserved.