Intel Planning To End Legacy BIOS Support By 2020, Report Says (phoronix.com)
Michael Larabel, writing for Phoronix: Intel is planning to end "legacy BIOS" support in their new platforms by 2020 by requiring UEFI Class 3 or higher. Making the rounds this weekend is a slide deck from the recent UEFI Plugfest. Brian Richardson of Intel talked about the "last mile" barriers to removing legacy BIOS support from systems. By 2020, they will be supporting no less than UEFI Class 3, which means only UEFI support and no more legacy BIOS or CSM compatibility support mode. But that's not going to force on UEFI Secure Boot unconditionally: Secure Boot enabled is considered UEFI Class 3+. Intel hasn't removed legacy BIOS / CSM support yet due to many customers' software packages still relying upon legacy BIOS, among other reasons. Removing the legacy BIOS support will mitigate some security risks, needs less validation by vendors, allows for supporting more modern technologies, etc.
Hopefully Coreboot will be more widespread by then and UEFI can just be a compatibility layer on top of Coreboot.
As long as the user can always install their own platform key, so they retain ultimate control of their own computer, then this isn't such a big deal. But there needs to be a standardised interface for installing platform keys in the UEFI settings.
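The summary above distinguishes "UEFI only" (Class 3) from "UEFI with Secure Boot enabled" (Class 3+), and the comment above it asks for user control of the Platform Key (PK). The following is an added example (not code from Phoronix, Intel, or any commenter) showing how to check those states from a running Linux system: whether the kernel booted via UEFI or BIOS/CSM, the SecureBoot and SetupMode variables, and who owns the enrolled PK, by decoding the EFI_SIGNATURE_LIST format that PK/KEK/db use. It assumes efivarfs is mounted at /sys/firmware/efi/efivars (the usual Linux location); the GUIDs are the ones defined in the UEFI specification, while SAMPLE_OWNER and SAMPLE_PK are constructed test data, not a real key.

```python
"""Report how this machine booted and who owns its UEFI Platform Key (PK).

Added example; assumes Linux with efivarfs mounted at /sys/firmware/efi/efivars.
"""
import struct
import uuid
from pathlib import Path

# Vendor GUID under which SecureBoot, SetupMode and PK live (EFI_GLOBAL_VARIABLE).
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Signature types commonly found in PK/KEK/db (EFI_CERT_X509_GUID, EFI_CERT_SHA256_GUID).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize.
SIG_LIST_HEADER = struct.Struct("<16sIII")


def parse_signature_lists(data: bytes) -> list:
    """Decode a concatenation of EFI_SIGNATURE_LIST structures into flat entries.

    After the 28-byte header and SignatureHeaderSize bytes of list-specific header,
    the list holds SignatureSize-byte entries, each an owner GUID (16 bytes) plus
    the signature data. Inconsistent sizes raise ValueError instead of being guessed.
    """
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < SIG_LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = SIG_LIST_HEADER.unpack_from(data, off)
        sig_type = uuid.UUID(bytes_le=type_raw)  # EFI_GUID is mixed-endian
        body_start = off + SIG_LIST_HEADER.size + hdr_size
        body_end = off + list_size
        if list_size < SIG_LIST_HEADER.size + hdr_size or body_end > len(data):
            raise ValueError("EFI_SIGNATURE_LIST size field out of range")
        if sig_size < 16 or (body_end - body_start) % sig_size != 0:
            raise ValueError("EFI_SIGNATURE_LIST entries do not fit SignatureSize")
        for pos in range(body_start, body_end, sig_size):
            entry = data[pos:pos + sig_size]
            entries.append({
                "type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(uuid.UUID(bytes_le=entry[:16])),
                "data": entry[16:],
            })
        off = body_end
    return entries


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, blobs: list) -> bytes:
    """Encode one EFI_SIGNATURE_LIST with equal-sized entries (used here to build sample data)."""
    if not blobs or len({len(b) for b in blobs}) != 1:
        raise ValueError("all signature blobs in one list must have the same length")
    sig_size = 16 + len(blobs[0])
    body = b"".join(owner.bytes_le + b for b in blobs)
    header = SIG_LIST_HEADER.pack(sig_type.bytes_le, SIG_LIST_HEADER.size + len(body), 0, sig_size)
    return header + body


def read_efivar(efivars: Path, name: str, guid: str = EFI_GLOBAL_VARIABLE):
    """Return (attributes, data) for an efivarfs entry, or None if the variable is absent.

    efivarfs prepends a 4-byte little-endian attributes word to the variable's data.
    """
    path = efivars / f"{name}-{guid}"
    if not path.exists():
        return None
    raw = path.read_bytes()
    if len(raw) < 4:
        raise ValueError(f"{path} is shorter than the efivarfs attribute header")
    return struct.unpack_from("<I", raw)[0], raw[4:]


def firmware_state(sysfs_root: str = "/sys") -> dict:
    """Summarise boot mode, Secure Boot, Setup Mode and the owner GUID(s) of the enrolled PK."""
    efi_dir = Path(sysfs_root) / "firmware" / "efi"
    if not efi_dir.is_dir():
        # The kernel exposes no EFI tables: it was booted via legacy BIOS or the CSM.
        return {"boot": "legacy BIOS or CSM"}
    efivars = efi_dir / "efivars"
    state = {"boot": "UEFI"}
    for name in ("SecureBoot", "SetupMode"):  # both are single-byte variables, 1 = on
        var = read_efivar(efivars, name)
        state[name] = None if var is None else (len(var[1]) >= 1 and var[1][0] == 1)
    pk = read_efivar(efivars, "PK")
    state["pk_owners"] = sorted({e["owner"] for e in parse_signature_lists(pk[1])}) if pk else []
    return state


# Constructed sample: a PK holding one fake X.509 blob owned by a made-up GUID.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")
SAMPLE_PK = build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"not-a-real-DER-certificate"])

if __name__ == "__main__":
    print(parse_signature_lists(SAMPLE_PK))
    print(firmware_state())
```

An empty or absent PK together with SetupMode == True is the state in which the firmware accepts a new PK without an authenticated write, which is what a user-controlled enrolment needs; with a PK present, replacing it requires an update signed by the current PK owner, so the owner GUID(s) reported here tell you whose key currently gates that.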
I doubt this would prevent someone from running a BIOS emulation layer through an EFI boot loader, just removing it from the EFI firmware. Can anyone confirm?
Intel has set deadlines for the death of BIOS and they came and passed and there was still BIOS.
This time they seem a bit more serious about it, but the UEFI vendors are planning to continue allowing CSM so long as they have customers.
Intel NICs may stop providing BIOS boot roms, new Intel storage devices may be only UEFI bootable. It will get harder and harder and more and more cases will require UEFI boot.
UEFI boot has gotten pretty normalized. It's a bit weird to formalize vfat as a required portion of the standard, but it is better than the MBR approach. UEFI runtime services are not as good as they should have been, and they do take some memory away from the OS that BIOS, and BIOS-style boot of UEFI, did not have to reserve.
Deliberately limiting customer choice and putting the machine that much closer to just being outright owned by the manufacturer, no matter who paid for it.
And as per usual, it's in the name of "security." The current UEFI standard means that the manufacturer doesn't have to let you add boot signature keys to the firmware, either. While there will be machines that can bypass this "upgrade," they'll be sure to slowly be priced sky high.
Let's see how long it takes Microsoft to try to cram Windows 10 S down all our throats and choke out any programs they can't control, and pay off the manufacturers not to include facilities for end users to add keys, except on an ever-increasingly expensive high end. After that, who knows what they'll try to force you into? They've already been talking about forbidding users from accessing websites they don't like. Or the "anti-cheating" features they're adding? You'll be able to turn them off... just like you could turn off UEFI Secure Boot, in the beginning.
So I have to reflash my SAS cards to UEFI mode? Why do I really need a full GUI for a server whose only VGA out is used for the IPMI card?
'Removing the legacy BIOS support will mitigate some security risks, needs less validation by vendors, allows for supporting more modern technologies,'
Don't twist the wording - tell the truth.
Last time I looked I have NEVER seen a bios attack, excluding published NSA exploits.
The correct wording would be obsoleting older devices and pathways that support unconditional video decoding, and preventing other means to turn off underhanded telemetry and back door audits.
UEFI has plenty of proven security risks including a back door management interface that cannot be turned off. UEFI is flawed by design, and is pandering to Hollywood generally.
The sad thing is that Raspberry Pi or similar will soon be capable of 4K video processing, as are some streaming boxes now, so Hollywood has already lost out to sub $80 boxes.
OK, now force vendors to give you IPMI BIOS updates without needing to buy an add-on key to unlock that.
Does this mean that from now on, just like apps on a mac, everything we run during boot time has to be signed by a corporate?
References?
Replace Your Exploit-Ridden Firmware with Linux
Google has already been thinking about switching to POWER chips. Maybe this UEFI thing will be the final push they need?
Does this mean x86 no longer has to support 16 bit mode? My understanding is that with EFI, the processor never enters real mode, and initializes directly in protected mode.
and give AMD the server market?
Yeah! FreeBSD for the win!
#DeleteFacebook
I just replaced my main home server with a RPI3. A little slower, but sufficient.
RPI3 for TV box too. (OSMC).
For Intel to come back into my home server, it would need to have competitive performance per power consumption (heat), be cheap and small (board), and have effortless Linux support (Linux is the primary OS on the RPI3 and other ARM boards, unlike almost all shipped Intel devices).
UEFI isn't that secure anyway. It isn't that hard to break. Personally I think the only reasons for putting it in place were to give Linux a hard time (make it hard for people to move to Linux, thank you M$) while at the same time giving a false sense of security. Given that Intel (and AMD in some processors) have an OS on the CPU that can effectively be a fully privileged back door, I wouldn't be surprised if UEFI had elements of the same:
https://threatpost.com/cert-wa...
It would be nice if computer hardware was actually made to fully protect the purchaser rather than other interested parties. (In OS we have Linux)
I believe Redhat 5 (from 2007) had EFI support, and a quick Google search suggests people booted RHEL4 from EFI, but I don't know if that involved any hacks.
Windows 10 S has antitrust and EU browser choice issues. And no Linux on Windows 10 S either.
BIOS and EFI should only hand the boot loader a bit of RAM and a boot image and enough extra stuff to load another few megabytes off the boot source. I don't care if you call the BIOS something else like UEFI. Everything else should be up to the boot loader and the OS. I don't need the BIOS (or its successors) to test all the memory, just the first gig or so. If it is booting off disk, I don't need it to know about the network. I don't need it to know about the video or even the keyboard unless there is a problem. I only need it to know about NVMe if I'm booting off that. The OS should rescan all the hardware and ignore anything provided by the BIOS.
An excessively complicated BIOS is a security risk no matter what it is called.
Except you wouldn't know and can't do anything about it. Thanks ME.
This will stop 7 users which already don't get supported updates anymore. This will continue 10's spyware regime with the alternatives being $ystemD infected Linux, obscure BSDs or having to go to Macs or Chromebooks, which won't have the games and business apps. Otherwise people will have to use old hardware which will go up in price.
A five-cent component, a simple switch on the mobo wired inline with the flash WP/ line, would give us a secure unhackable BIOS. It's unbelievable how much BS the industry is creating in order to craft a corporate lockdown on boot firmware.
The fact that Microsoft weaseled its way into being the gatekeeper for UEFI boot is just ridiculous. If it gets bad enough we'll have to start using OpenCore/Wishbone based systems made in people's garages to truly have systems we can audit, control and trust. Back to the homebrew days I guess, assuming it isn't outlawed by then.
The above statement is b.sheet. UEFI is everything except secure.
In computing, simpler systems are ALWAYS easier to secure.
Imagine you have a RAID 6 array. To which of the drives do you install the EFI partition? Current UEFI implementations do not allow multiple such partitions, as far as I know.
If at Intel they are really concerned about security they should destroy their AMT & IME ecosystem.
Surface Laptop is a Windows 10S device -- AFAIK, Secure Boot can be turned off on it, though it has compatibility issues with its keyboard and Linux.
Do people really run OS on iron still?
I always put virtualization OS on first, and then Install the OS on top. Yes, even when the Guest OS is the only one. Makes for moving to another hardware platform easy.
Short answer: yes. Long answer: there are many legacy applications that require the high transaction processing while maintaining near perfect accuracy like in banks.
Once again we're left at the mercy of a multinational corporation who doesn't give a shit about anything except maximizing profits. Intel and google like to peddle their vendor lock-in as security features. They're so dishonest, but that's good. Every so often you have to remind yourself that despite the nice talk, they're not your friend. Just pretending.
Before everyone gets worked up, this Brian Richardson guy is a dumbass. He is supposed to be doing "UEFI Marketing." He does not have the authority to make these types of decisions; he pulled this out of his ass, hoping it would stick so he has something to put on his performance review this year. Most of the senior UEFI people within Intel don't listen to him.
It just so happens that most of the product teams decided that they weren't going to put CSM into their reference firmware implementations by year 2020, just to reduce the amount of effort Intel spends on the reference firmware implementations. The rationale there was pragmatic... we aren't using CSM really, and it really complicates the UEFI implementation. There is usually at least one tricky bug every year in the CSM. All it takes is one big customer saying they still want CSM and it's back regardless of what Brian says. Nothing is being done to prevent AMI, Phoenix, Insyde, etc. from shipping 2020+ systems with CSM.
Thanks Intel, you traitorous whores!
https://firmware.intel.com/sit... OS X / macOS has been EFI / UEFI for decades, so if you need a UNIX for Intel UEFI.... look no further.
shared USB bus for networking and disk limits the over all use.
How about dropping everything except 64-bit mode? Boot straight to 64-bit, no turning back, no legacy, no compatibility?
How many CPUs actually ever run anything other than 64-bit today?
(I do understand many Windows desktops do, but apart from that: servers, Linux computers, Chromebooks should never need anything less than 64-bit mode.)
Many Linux distributions support UEFI and Secure Boot now:
SUSE Linux Enterprise Server
openSUSE
Red Hat Enterprise Linux
CentOS
Fedora
Ubuntu Server
Oracle Linux
Short answer: yes. Long answer: there are many legacy applications that require the high transaction processing while maintaining near perfect accuracy like in banks.
That's a long answer? We really have become the twitter generation...
There are people who still run on big iron, i.e., mainframes.
Mainframes are resilient, fault tolerant, upgradable without downtime (many have hot-swappable RAM, CPUs, etc.), and in general fucking reliable.
Even with HA / fault tolerant VM systems, you're relying on communication between external systems to identify failure, recover/transition automatically, and rectify any data inconsistencies. For many transactional systems, that's a no go. Many systems use distributed databases, fault tolerant / HA VMs, etc. behind the front-end, but transactions won't be considered truly confirmed until they hit the mainframe.
We have open software. The entrenched vendors don't like it.
It is time that we start producing low cost open hardware platforms from the BIOS on up. No ARM does not count.
UEFI has not solved anything just created new problems and broken compatibility. To be honest it's essentially garbage. I would much rather have something like coreboot (I run libreboot on this laptop and it's great!).
Who here actually has gained anything from UEFI anyway?
The real problem is not UEFI but Intel's ME.
Virtualization has about a 10% performance overhead. When turn around time is important, 10% matters. None of our compute servers are virtualized.
Also, concerning a thought from another comment that UEFI is malicious by design, there is an economic pressure that major OS vendors would have on Intel and motherboard manufacturers to keep things in their court, but there is also pressure from consumers (both retail and business) that wish to maintain control of their systems.
Yes, and this unfortunately shows which side is winning.