
Untested buggy UEFI headed for prime-time

A leading Linux kernel developer says UEFI is big, bloated and bad for Linux.

BIOS, the archaic firmware that sits between a computer's hardware and the operating system, is set to be replaced by the Unified Extensible Firmware Interface (UEFI). The move is intended to improve security, but a leading kernel developer says UEFI is "awful" for Linux.

Red Hat's Matthew Garrett, speaking at the Linux.conf.au 2012 (LCA) conference in Ballarat last week, also believes that Intel's UEFI reference implementation, codenamed Tiano and upon which hardware vendors' UEFI implementations will be based, is bloated and buggy.

Tiano now consists of 7061 individual files totalling around 100 megabytes of code. That's roughly 10 per cent of the size of the entire Linux kernel.

However, Tiano is only the hardware-independent part of UEFI. It contains no device drivers. If you strip out the drivers from the Linux kernel, the device-independent remainder is smaller than Tiano. Compiled UEFI code may be "several megabytes", which is larger than many Linux kernels.

"Files contain code, [and] code, as we all know, contains bugs. Always. So from this we can conclude that UEFI contains bugs. This shouldn't surprise anyone, other than the Linux kernel which obviously contains no bugs at all ever," said Garrett, to audience laughter.

Some vendors' UEFI implementations have bugs that are so bad that they won't even install Windows via UEFI, let alone Linux.

"It indicates that nobody ever tested this code at all, ever," Garrett said.

UEFI's secure boot mode also presents problems.

According to the UEFI specification, the master platform key (PK) sits at the root of the secure boot key hierarchy: it authorises changes to the key exchange keys (KEK), which in turn authorise the signature databases (db and dbx) against which boot binaries are checked. The specification puts the PK under the control of the "platform owner", which has subsequently been clarified as meaning the hardware vendor.

As a result, there is only one PK on any system, which becomes a problem when a key must be revoked because hackers have compromised it: the PK is the root that authorises every other key, so nothing sits above it to revoke it. A similar single-root problem was at the heart of the RSA SecurID hack in early 2011.

It also means that Linux developers, who can't have every code change signed with the vendor's key, must allow the kernel to load unsigned modules.

"In a secure boot environment, if you have a signed kernel that loads unsigned modules, your signed kernel is effectively a signed malware loader," Garrett said.

Microsoft's Windows operating system gets around this problem because the company has already required kernel-mode driver signing for the past five years, using the same Authenticode signature format that UEFI reuses for boot images.

"Coincidentally, the UEFI-signing mechanism is completely identical to the Windows driver-signing mechanism --- to the extent that the structure members start with 'win'," Garrett said.

So is the only solution for Linux developers to build their own motherboards and as a result become vendors so they can generate their own PKs?

No, because at least for the x86 architecture Microsoft now requires manufacturers to allow the user to disable UEFI secure boot in order to add their own keys to the system.

Garrett doesn't see this as a particularly useful solution.

"It's fine for enthusiasts. If you're happy to be going into your firmware and changing options, that's great. You'll be able to do this," he said.

But UEFI doesn't specify how a user is to supply keys through the firmware setup: neither the file format the firmware accepts, nor the naming convention, nor the firmware's user interface.

"A vendor could require that [the keys] be in ROT-13 Base-64... To get into secure boot [and disable it] you need to get into your firmware, which requires you to hit a key on your keyboard, we're not sure which," Garrett said.

"Once you've done that and got into your firmware you're then going to need to find a menu which might be called 'Security', which might be called 'Boot', which might be called 'Advanced', which might be called 'Beware of the leopard'."

And apart from that, turning off secure boot defeats one of its primary goals: keeping bootkit malware from loading before the operating system does.
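Beneath the vendor-specific setup screens, the UEFI specification does pin down one thing: the encoding of the PK, KEK, db and dbx variables, which is a chain of EFI_SIGNATURE_LIST structures, and the rule that an image hash found in dbx is refused even if db also lists it. The following is an added example, not code from the article, from Garrett's talk or from Tiano: it builds such lists, parses them back with length checks, and applies the db/dbx verdict to a constructed "image". The two signature-type GUIDs are the real values from the specification; the owner GUID, the sample images and their hashes are constructed for the demonstration, and X.509 certificate entries (the other common db content) are not verified here.

```python
"""Build, parse and evaluate UEFI Secure Boot signature lists.

Constructed example. GUID values and struct layouts follow the UEFI spec;
everything enrolled below is sample data, not a real vendor key or hash.
"""
from __future__ import annotations

import hashlib
import struct
import uuid

# Signature types defined by the UEFI specification (real values).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# SignatureOwner GUID for entries we enrol ourselves (arbitrary, constructed).
OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
SIGLIST_HDR = struct.Struct("<16sIII")


def build_siglist(sig_type: uuid.UUID, owner: uuid.UUID, sigs: list[bytes]) -> bytes:
    """Encode one EFI_SIGNATURE_LIST whose entries all share one size."""
    if not sigs:
        raise ValueError("a signature list needs at least one entry")
    if len({len(s) for s in sigs}) != 1:
        raise ValueError("all entries in one list must have the same size")
    sig_size = 16 + len(sigs[0])  # EFI_SIGNATURE_DATA = owner GUID + data
    body = b"".join(owner.bytes_le + s for s in sigs)
    list_size = SIGLIST_HDR.size + len(body)
    return SIGLIST_HDR.pack(sig_type.bytes_le, list_size, 0, sig_size) + body


def parse_siglists(blob: bytes) -> list[tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Walk a variable's contents (zero or more concatenated lists).

    Returns (signature_type, owner, data) per entry and rejects any list
    whose declared sizes do not fit the buffer, so a truncated or
    hand-tampered variable cannot push the parser past its bounds.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        if list_size < SIGLIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize out of range")
        data_len = list_size - SIGLIST_HDR.size - hdr_size
        if sig_size <= 16 or data_len % sig_size != 0:
            raise ValueError("SignatureSize does not tile the list")
        sig_type = uuid.UUID(bytes_le=type_raw)
        pos = off + SIGLIST_HDR.size + hdr_size
        end = off + list_size
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def image_allowed(image: bytes, db: bytes, dbx: bytes) -> bool:
    """Hash-only verdict: dbx wins over db; otherwise the hash must be in db."""
    digest = hashlib.sha256(image).digest()
    denied = {d for t, _, d in parse_siglists(dbx) if t == EFI_CERT_SHA256_GUID}
    if digest in denied:
        return False
    allowed = {d for t, _, d in parse_siglists(db) if t == EFI_CERT_SHA256_GUID}
    return digest in allowed


# Constructed stand-ins for two boot loaders; the second one is "leaked".
GOOD_IMAGE = b"MZ-constructed-good-loader"
BAD_IMAGE = b"MZ-constructed-leaked-loader"


def build_demo_variables() -> tuple[bytes, bytes]:
    """db lists both loaders; dbx revokes the leaked one."""
    db = build_siglist(EFI_CERT_SHA256_GUID, OWNER_GUID,
                       [hashlib.sha256(GOOD_IMAGE).digest(),
                        hashlib.sha256(BAD_IMAGE).digest()])
    dbx = build_siglist(EFI_CERT_SHA256_GUID, OWNER_GUID,
                        [hashlib.sha256(BAD_IMAGE).digest()])
    return db, dbx


if __name__ == "__main__":
    db, dbx = build_demo_variables()
    for name, img in (("good", GOOD_IMAGE), ("leaked", BAD_IMAGE), ("unknown", b"x")):
        print(f"{name}: {'allowed' if image_allowed(img, db, dbx) else 'refused'}")
```

To run the parser against a live machine, read the db or dbx file under /sys/firmware/efi/efivars and drop its first four bytes (the variable attributes the kernel prepends) before handing the rest to parse_siglists. Note what the example does and does not model: dbx is how a leaked loader hash or certificate is revoked, but a revocation entry must itself be authorised up the chain, which is why a compromised PK, the root of that chain, has nothing above it to revoke it.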

12 comments
todd_dsm

It's just not appropriate everywhere. But, perhaps the kernel devs don't have the resources to hire QA people. I used to be a QA people; we are quite costly and tend to complain a lot :-) Nobody likes to over-pay to be nagged.

.Martin.

on a Lenovo laptop. Installing Arch was a lot of fun, including a good period of no HDD detected after initial boot. Even as a near-expert with computers, I wasn't 100% sure what I was doing when playing with the UEFI setting (it pretty much came down to try a setting, see what happened). I fear to imagine how someone less willing than I am would go.

gak

...this is why my TV is 20 years old and I have a dumb phone. We do not cry loud. We ignore, hack, some even pirate.

Justin James

... yet no one is crying foul. Or a Mac, for that matter. If UEFI was an illegal monopolistic practice, Apple couldn't sell a single Mac. Being able to install an OS other than what came on your hardware isn't a "right" it is a "feature" and if you aren't happy with that, there isn't much you can do about it. There is no legal mandate for an OS to be installable on all compatible hardware either. If someone can point to a law or legal precedent to prove otherwise, I'd love to know I'm wrong. Until then, all of this uproar over "monopolistic practices" is simply factually incorrect. J.Ja

Slayer_

And we will all be importing motherboards from Europe. Maybe we should start calling them Big Brother Boards instead of Mother Boards.

MTsyko

So, how is this not a monopolistic practice...which are SUPPOSED to be illegal in the USA?!

beaverusiv

Different things have different models. That is why 'real world' analogies of IT/digital stuff are so stupid and don't make sense. Just because I can't (shouldn't) change my phone (which is primarily because it interferes with my carrier's service of me) doesn't mean someone should have that control over my PC (which they have no business caring about after I've bought it).

Justin Huffman

@Justin James My problem isn't that UEFI exists, or that secure boot exists. My problem is that it took me roughly 2 hours of finagling to get my motherboard to BOOT FROM DISK. Every time I reboot my machine the firmware sees fit to mess around with my settings: reordering my boot order, losing boot options, etc. This isn't a matter of legality or 'rights', this is a matter of the firmware being buggy as hell.

Also, the argument that I have no 'right' to install an operating system other than what came with my hardware is invalid because it didn't COME WITH ONE.

I apologize for the overuse of caps, I'm a little frustrated at the moment.

david.hunt

Australia's Trade Practices Act makes anti-competitive behaviour illegal in the lucky country ;-) Your analogy with the TV and SmartPhone is invalid, as these are "appliances" by virtue of having a fixed, defined function (albeit that is becoming much broader), and it is only in recent times that they have contained a "computer". As much as there are now Internet connected fridges and TVs, I can't see myself using them to update the accounting system, develop applications or compile code. The intent of the manufacturers is to use that capability to deliver services, not to turn them into general purpose computing devices. The PC has always been a general computing device and for those of us who have been around prior to its inception, was originally sold sans operating system and the buyer then either wrote their own or purchased one of several alternatives. While true that practice pre-dates usage by non-nerds, it sets the scene. There has always been a choice of operating system for PCs, even if we go back to the DR-DOS / MS-DOS days. In addition to the more recent history of retail chain stores selling PCs, there are still a lot of businesses that sell parts and you can either buy the parts and build it yourself or for a small fee, pick the parts and they will build it for you. In either of these latter scenarios, purchase of an operating system is optional. There was a legal case (my memory suggests it was in South Australia), some time back (maybe 5 years ago), where Dell offered a PC with Windows pre-installed and priced it as a package with no option to just buy the hardware. The case against Dell was successful and subsequently they had to offer the option of just hardware purchase.
In this case the buyer wanted to load Linux and while Dell tried to make the case (undoubtedly prompted by M$) that purchase of hardware without an operating system was likely to result in a purchaser loading a pirated copy of Windows, the buyer proved that was not necessarily the case, as he wanted to load Linux. Forcing him to buy an operating system he neither wanted nor would use was seen as anti-competitive by the court and as a contravention of the Trade Practices Act. These days, Dell provide the alternate option of pre-loaded RHEL on a reasonable range of their PCs and all servers. Indeed, on qualified servers there is also the option of pre-loaded VMware and thus no user O/S. P.S. I'm a self confessed Nerd. I designed and built my first computer. Bought the chips and designed, etched, drilled, soldered, wrote the firmware, wrote the O/S. That was back in the early 1970s and pre-dated the PC.

lord_beavis

If you have a screwdriver and a little bit of time, I really don't see why you can not. I requested the source code for my TV and Blu-ray player as it was stated in the manuals I could under the GPL. Don't know what I'll do with them, but I have them. The thing about Macs is that they work A LOT better than a Windows PC. Your argument holds no water. UEFI is Microsoft's "Magic Bullet" in so much as they will make it difficult for users of Linux (private and enterprise alike) to upgrade their hardware. And yes, there is something you can do about it. Nobody has the b@ll$ to stand up and do it though. It is the same thing that we can do against the movie/music industry to put them in their place. Don't buy their products.

cg0def

Get your story straight! Ever since the first x86 Mac you CAN install Windows on it. Going even further back, Macs have always had at least one Linux distro that supports them and quite a few BSD derivatives. Nowadays you can install pretty much anything on them since they have more or less an off the shelf x86 architecture. Oh and one other thing, all Intel based Macs use EFI yet there is no requirement for an insane PK or any other stupidity like that. The reason why EFI works on Macs is that you have a limited hardware base and EFI gets a very extensive testing. Is that the case for any of the Taiwanese manufacturers ... hell no! And yet even the Apple EFI gets updates as there are in fact bugs ...

radleym

You been hiding under a rock?
