Skip Links

UEFI president: We need more key providers

UEFI Forum chief Mark Doran explains how UEFI works and addresses the criticisms around Microsoft's use of UEFI Secure Boot

By Joab Jackson, IDG News Service
February 28, 2013 04:08 PM ET

IDG News Service - Since its introduction, the Unified Extensible Firmware Interface has created a fair amount of controversy. UEFI was created through an industry consortium as an evolutionary step up from BIOS, the simple firmware long used when starting a computer to initialize all the components and load the operating system. Among its advanced features, UEFI includes an option called Secure Boot, which requires that any software used before the operating system starts, or after it shuts down, has been signed by a certificate authority.

For Windows 8, Microsoft required OEMs (original equipment manufacturers) to support Secure Boot in their machines. This immediately created a problem for other operating systems, most notably Linux-based ones, that many users routinely install on machines in place of Windows. Many viewed Microsoft's embrace of Secure Boot as anticompetitive behavior because it makes it more difficult for users to install other operating systems on a machine with Secure Boot enabled.

IDG News Service spoke with the UEFI Forum President Mark Doran, who is also an Intel senior principal engineer, about what UEFI does, how Secure Boot works, and the reaction that Microsoft has gotten from its use of UEFI.

IDGNS: What is UEFI? And how is it different from BIOS?

Doran: A BIOS initializes the machine components, and transfers control of the machine to the operating system. An implementation of the UEFI specification does the same thing. But with UEFI, we wanted to evolve the state of platform, and the firmware that supports it.

We wanted to decouple the development of the firmware from the operating system. So if we change the way the firmware is screwed together, it should be transparent to the operating system. And that has allowed us to go through and re-engineer all of the code that implements that pre-OS environment. As a result, operating systems have to do a whole lot less work to understand platform specifics that affect boot today than they would have had to do in previous generations.

In conventional BIOS you can't make assumptions about what the operating system does or doesn't know. It initializes everything in the platform, because the operating system might need it. In the UEFI spec, we ask the operating system to indicate -- through a persistent environment variable -- how to boot. Typically, operating systems do their own device initialization once they are run. So as a means to avoid duplication of work, in the pre-OS, all the platform touches is the set of devices it needs to boot.

IDGNS: What is the UEFISecure Boot option?

Doran: We're were trying to figure out a way to armor the platform against attack in that pre-OS space.

There have been a number of documented instances of people trying to introduce [code] that usurps control of the platform before the operating system gets in to run. The operating system thinks it is on a pristine platform, when in fact there is malware lurking between the platform and the operating system. It could be either persistent in the shape of a virtual machine living between the operating system and the hardware, or the malware could be a boot loader that introduces malware into the pre-OS space.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News