That the UEFI firmware should die in a fire and that its instigators for its adoption should hang their collective heads in shame at the abomination they have created has been confirmed yet again with the news that, on some brands of computers, it can be destroyed with a regular
rm -Rf /, bricking the device in the process.
It is high time the Free Software community put all its weight behind open firmwares like Coreboot and Libreboot.
For those of you who don’t know, UEFI widely substituted BIOS on new computers some years ago. The UEFI on your machine is a type of firmware (i.e. software that lives on a chip), a pre-operating system if you will, whose missions include doing some housework, initiating some low level hardware systems, and pulling in a bootloader from the hard disk that will allow the user to load their operating system proper. Harmless enough, right?
In fact UEFI has become the most insidious bane of Free Software operating systems and, what is worse, the most horrid way to abuse users’ rights since… well, since forever. No wonder Apple was so quick to adopt it in big way.
UEFI is a set of “open specifications” that dictates to manufacturers how to implement the firmware in their machines. But don’t let the “open” in the prior sentence confuse you: in no way does that mean the firmware installed on a laptop is open source. Also, that it is widely used, in no way makes it standard. In fact, each vendor can implement it very much as they please, as open source, as closed source, with wildly varied and all equally horribly garish user-interfaces, with malicious software blobs embedded within it… You name it, they’ve done it.
This has led to some egregious abuses and misuses, not least of which is the case mentioned above. If giving a user the power to erase the firmware from within the operating system, doesn’t strike you as shoddy beyond the pale, then you and I have different opinions of what shoddy looks like.
Firmware is meant to by read-only to a very high degree (see the video below on how tricky it is to overwrite a correctly implemented read-only firmware), and is so for a good reason: a writeable firmware opens up a machine to malware at the lowest level. We are talking about trojans and viruses that no antivirus would be able to wipe out. Ever.
So, let me repeat that: allowing the possibility of implementing some parts of UEFI as read/write from software is beyond bonkers.
But it gets worse…
If bricking your laptop and unkillable viruses don’t sound bad enough, how about unremoveable crapware and spyware installed by the manufacturers themselves? Or bloatware that, no matter how many times you purge it, it always comes back, because it’s right there, in the firmware?
And, despite many think this is flogging a dead horse, what else can be said at this stage about Microsoft’s Secure Boot, that gives the shady guys at Redmond the authority to decide what you can or cannot install on your own hardware? The situation with Windows 10 and the renewed hardware certification program, by the way, has made things worse, not better.
HOWTO Install Coreboot
It’s time to move the freedom closer to the hardware and get rid of all those proprietary, insecure and abusive firmwares. That’s what Libreboot and Coreboot are all about. (If you’re wondering why two projects, it wouldn’t be Free Software without at least a couple of competing teams working on the same thing, would it now?).
During FOSDEM 2016, we were able to see how things worked first hand. Vladimir Serbinenko, from the Coreboot project, after informing us that “UEFI is s**t” off camera (no kidding), was kind enough to walk us through a typical Coreboot installation on a Lenovo X220. He also clarified to our clueless reporter what Coreboot actually is and does and how it is very different from your traditional BIOS or UEFI.
As Vladimir explains, Coreboot has no human-facing interface whatsoever. It goes lower than that. What it does have is a container for a payload, though, and the payload can be anything: BIOS, UEFI, or GRUB — the latter being Vladimir’s choice, because “it bypasses all the old stuff” as he puts it, and loads the Linux kernel directly.