Slashdot Mirror


Intel Planning To End Legacy BIOS Support By 2020, Report Says (phoronix.com)

Michael Larabel, writing for Phoronix: Intel is planning to end "legacy BIOS" support in their new platforms by 2020 in requiring UEFI Class 3 or higher. Making rounds this weekend is a slide deck from the recent UEFI Plugfest. Brian Richardson of Intel talked about the "last mile" barriers to removing legacy BIOS support from systems. By 2020, they will be supporting no less than UEFI Class 3, which means only UEFI support and no more legacy BIOS or CSM compatibility support mode. But that's not going to force on UEFI Secure Boot unconditionally: Secure Boot enabled is considered UEFI Class 3+. Intel hasn't removed legacy BIOS / CSM support yet due to many customers' software packages still relying upon legacy BIOS, among other reasons. Removing the legacy BIOS support will mitigate some security risks, needs less validation by vendors, allows for supporting more modern technologies, etc.

8 of 122 comments

  1. Force secure boot on unconditionally? by ReluctantRefactorer · · Score: 5, Insightful

    As long as the user can always install their own platform key, so they retain ultimate control of their own computer, then this isn't such a big deal. But there needs to be a standardised interface for installing platform keys in the UEFI settings.

    --
    RR
    1. Re:Force secure boot on unconditionally? by Junta · · Score: 5, Insightful

      Well, one, SecureBoot is not mandated. Been UEFI booting since before SecureBoot existed.

      Two, *if* it were mandated, using UEFI settings menu interactively isn't going to cut it, as large deployments need less manual attention. Some automation friendly mechanism is needed. The challenge being that it's hard to make an automation friendly capability that isn't also malware friendly.

      I would have liked the mechanism to ship unlocked until an OS vendor installs, which would then have optionally locked the platform to that vendor's or end-user keys. But instead we get the joy of Microsoft's keys being the arbiter of the whole SecureBoot platform.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    2. Re:Force secure boot on unconditionally? by Rockoon · · Score: 1, Insightful

      A standard interface probably means it can be hacked by malware. Careful what you wish for.

      --
      "His name was James Damore."
    3. Re:Force secure boot on unconditionally? by butzwonker · · Score: 5, Insightful

      Looks like a false dichotomy to me. Why can't they make chipsets/motherboards that allow me to change UEFI settings (incl. installing my own keys for secure boot or switching it off) and switch off/on Intel ME by flipping physical switches, while at the same time offering chipsets/motherboards with less secure, but corporate-friendly automated mechanisms?

      My guess is that they don't want to allow the first option because someone asked them not to allow it. In fact, I have no other explanation. Adding two jumpers and adjusting the firmware in an appropriate way doesn't seem like a major price point or technical obstacle that Intel just can't afford or solve.
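The thread above turns on two practical questions: how an owner (or an automated deployment) gets its own keys into the firmware, and how the same mechanism can be abused by malware. The added example below is not code from Slashdot, Phoronix, Intel or any of the commenters. It parses the EFI_SIGNATURE_LIST structures that the PK, KEK, db and dbx variables are built from, constructs a sample db from a made-up owner GUID and a made-up boot image (both labelled constructed), and reports the SecureBoot and SetupMode variables from efivarfs when run on a Linux UEFI system. SetupMode is the state Junta describes as "shipped unlocked": no Platform Key is installed, so a new PK can be written without an authenticated variable update, which is exactly the automation-friendly and malware-friendly window. The efivarfs path and variable names are the standard ones; on a non-UEFI host the state fields come back as None.

```python
"""Parse UEFI Secure Boot signature databases (PK/KEK/db/dbx) and report
whether the platform is in Setup Mode (accepts a new PK unauthenticated)."""
import hashlib
import struct
import uuid
from pathlib import Path

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Vendor GUIDs of the variables themselves.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # PK, KEK, SecureBoot, SetupMode
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
EFIVARS = Path("/sys/firmware/efi/efivars")
_HDR = struct.Struct("<III")   # SignatureListSize, SignatureHeaderSize, SignatureSize
HDR_LEN = 16 + _HDR.size       # SignatureType GUID followed by the three UINT32 fields

# Constructed sample data (not a real owner GUID, not a real boot image).
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_IMAGE = b"constructed-bootloader-image"


def parse_signature_lists(data: bytes):
    """Return [(signature_type, owner, signature_data)] for a concatenation of
    EFI_SIGNATURE_LIST structures, the layout stored in PK/KEK/db/dbx."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < HDR_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = _HDR.unpack_from(data, off + 16)
        body_start = off + HDR_LEN + hdr_size
        body_end = off + list_size
        # Every bound must stay inside the buffer and each entry must at least
        # hold its SignatureOwner GUID; reject anything else instead of walking
        # off the end of the variable on attacker-controlled sizes.
        if list_size < HDR_LEN + hdr_size or body_end > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        if (body_end - body_start) % sig_size:
            raise ValueError("list body is not a multiple of SignatureSize")
        for i in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=data[i:i + 16])
            entries.append((sig_type, owner, data[i + 16:i + sig_size]))
        off = body_end
    return entries


def build_signature_list(sig_type, owner, payloads):
    """Serialise one EFI_SIGNATURE_LIST with no SignatureHeader; all payloads
    in a single list must be the same size, as the format requires."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("all signatures in one list must have the same size")
    sig_size = 16 + sizes.pop()
    out = sig_type.bytes_le + _HDR.pack(HDR_LEN + len(payloads) * sig_size, 0, sig_size)
    return out + b"".join(owner.bytes_le + p for p in payloads)


def sha256_allow_list(owner, images):
    """A db-style list that allows the given images by SHA-256 hash."""
    return build_signature_list(EFI_CERT_SHA256_GUID, owner,
                                [hashlib.sha256(i).digest() for i in images])


def image_hash_allowed(entries, image: bytes) -> bool:
    """True if the SHA-256 of image is in the parsed entries. Certificate
    entries are matched by the firmware via Authenticode, not by this helper."""
    digest = hashlib.sha256(image).digest()
    return any(t == EFI_CERT_SHA256_GUID and d == digest for t, _, d in entries)


def read_efivar(name: str, vendor_guid: str):
    """Read a variable from efivarfs, dropping the 4-byte attribute prefix.
    Returns None when the host is not UEFI or the variable is absent."""
    try:
        raw = (EFIVARS / f"{name}-{vendor_guid}").read_bytes()
    except OSError:
        return None
    return raw[4:]


def secure_boot_state():
    """SetupMode == 1 means no PK is enrolled and the firmware will accept one
    without authentication: the window in which an owner, or malware running as
    root, can install keys. Fields are None when not running under UEFI."""
    sb = read_efivar("SecureBoot", EFI_GLOBAL_VARIABLE_GUID)
    sm = read_efivar("SetupMode", EFI_GLOBAL_VARIABLE_GUID)
    return {"secure_boot": None if sb is None else sb[0] == 1,
            "setup_mode": None if sm is None else sm[0] == 1}


if __name__ == "__main__":
    entries = parse_signature_lists(sha256_allow_list(SAMPLE_OWNER, [SAMPLE_IMAGE]))
    print("db entries:", len(entries), "image allowed:", image_hash_allowed(entries, SAMPLE_IMAGE))
    print("platform:", secure_boot_state())
```

On a real system the same parser can be pointed at `read_efivar("db", EFI_IMAGE_SECURITY_DATABASE_GUID)` or `read_efivar("PK", EFI_GLOBAL_VARIABLE_GUID)` to list which owner GUIDs currently hold authority over the boot path; a machine whose `setup_mode` is True is the one an automated enrollment (or an attacker with root) can take over without any signed update.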

  2. As expected... by Anonymous Coward · · Score: 3, Insightful

    Deliberately limiting customer choice and putting the machine that much closer to just being outright owned by the manufacturer, no matter who paid for it.

    And as per usual, it's in the name of "security." The current UEFI standard means that the manufacturer doesn't have to let you add boot signature keys to the firmware, either. While there will be machines that can bypass this "upgrade," they'll be sure to slowly be priced sky high.

    Let's see how long it takes Microsoft to try to cram Windows 10 S down all our throats and choke out any programs they can't control, and pay off the manufacturers not to include facilities to add keys by end users except for an ever-increasingly expensive high end. After that, who knows what they'll try to force you into? They've already been talking about forbidding users from accessing websites they don't like. Or the "anti-cheating" features they're adding? You'll be able to turn them off... just like you could turn off UEFI secure boot, in the beginning.

  3. Completely Untrue by Anonymous Coward · · Score: 4, Insightful

    'Removing the legacy BIOS support will mitigate some security risks, needs less validation by vendors, allows for supporting more modern technologies,'

    Don't twist the wording - tell the truth.

    Last time I looked I have NEVER seen a BIOS attack, excluding published NSA exploits.
    The correct wording would be obsoleting older devices and pathways that support unconditional video decoding, and preventing other means to turn off underhanded telemetry and back door audits.

    UEFI has plenty of proven security risks including a back door management interface that cannot be turned off. UEFI is flawed by design, and is pandering to Hollywood generally.

    The sad thing is that Raspberry Pi or similar will soon be capable of 4K video processing, as are some streaming boxes now, so Hollywood has already lost out to sub $80 boxes.

  4. and give AMD the server market? by Joe_Dragon · · Score: 3, Insightful

    and give AMD the server market?

  5. Why does it matter? by thogard · · Score: 5, Insightful

    BIOS and EFI should only hand the boot loader a bit of RAM and boot image and enough extra stuff to load another few megabytes off the boot source. I don't care if you call the BIOS something else like UEFI. Everything else should be up to the boot loader and the OS. I don't need the BIOS (or its successors) to test all the memory, just the 1st gig or so. If it is booting off disk, I don't need it to know about the network. I don't need it to know about the video or even the keyboard unless there is a problem. I only need it to know about NVE if I'm booting off that. The OS should rescan all the hardware and ignore anything provided by the BIOS.

    Excessively complicated BIOS is a security risk no matter what it is called.