Slashdot Mirror

← Back to Stories (view on slashdot.org)

Intel Planning To End Legacy BIOS Support By 2020, Report Says (phoronix.com)

Posted by msmash on from the up-next dept.

Michael Larabel, writing for Phoronix: Intel is planning to end "legacy BIOS" support in their new platforms by 2020 in requiring UEFI Class 3 or higher. Making rounds this weekend is a slide deck from the recent UEFI Plugfest. Brian Richardson of Intel talked about the "last mile" barriers to removing legacy BIOS support from systems. By 2020, they will be supporting no less than UEFI Class 3, which means only UEFI support and no more legacy BIOS or CSM compatibility support mode. But that's not going to force on UEFI Secure Boot unconditionally: Secure Boot enabled is considered UEFI Class 3+. Intel hasn't removed legacy BIOS / CSM support yet due to many customers' software packages still relying upon legacy BIOS, among other reasons. Removing the legacy BIOS support will mitigate some security risks, needs less validation by vendors, allows for supporting more modern technologies, etc.

20 of 122 comments (clear)

  1. Force secure boot on unconditionally? by ReluctantRefactorer · · Score: 5, Insightful

    As long as the user can always install their own platform key, so they retain ultimate control of their own computer, then this isn't such a big deal. But there needs to be a standardised interface for installing platform keys in the UEFI settings.

    --
    RR
    1. Re:Force secure boot on unconditionally? by Junta · · Score: 5, Insightful

      Well, one, SecureBoot is not mandated. Been UEFI booting since before SecureBoot existed.

      Two, *if* it were mandated, using UEFI settings menu interactively isn't going to cut it, as large deployments need less manual attention. Some automation friendly mechanism is needed. The challenge being that it's hard to make an automation friendly capability that isn't also malware friendly.

      I would have liked the mechanism to ship unlocked until an OS vendor installs, which would then have optionally locked the platform to that vendors or enduser keys. But instead we get the joy of Microsoft's keys being the arbiter of the whole SecureBoot platform.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    2. Re:Force secure boot on unconditionally? by butzwonker · · Score: 5, Insightful

      Looks like a false dichotomy to me. Why can't they make chipsets/motherboards that allow me to change UEFI settings (incl. installing my own keys for secure boot or switching it off) and switch off/on Intel ME by flipping physical switches, while at the same time offering chipsets/motherboards with less secure, but corporate-friendly automated mechanisms?

      My guess is that they don't want to allow the first option because someone asked them not to allow it. In fact, I have no other explanation. Adding two jumpers and adjusting the firmware in an appropriate way doesn't seem like a major price point or technical obstacle that Intel just can't afford or solve.

    3. Re:Force secure boot on unconditionally? by omnichad · · Score: 3, Funny

      installing my own keys.....by flipping physical switches

      You want to have 2048 dip switches for entering your secure boot key? I'd rather use a GUI for that.

  2. From the motherboard by omnichad · · Score: 2

    I doubt this would prevent someone from running a BIOS emulation layer through an EFI boot loader, just removing it from the EFI firmware. Can anyone confirm?

  3. As one who works at a vendor.... by Anonymous Coward · · Score: 5, Interesting

    Intel has set deadlines for the death of BIOS and they came and passed and there was still BIOS.

    This time they seem a bit more serious about it, but the UEFI vendors are planning to continue allowing CSM so long as they have customers.

    Intel NICs may stop providing BIOS boot roms, new Intel storage devices may be only UEFI bootable. It will get harder and harder and more and more cases will require UEFI boot.

    UEFI boot has gotten pretty normalized, it's a bit weird to formalize vfat as a required portion of the standard, but it is better than the MBR approach. UEFI runtime services are not as good as they should have been, but they do however take some memory away from the OS that BIOS and BIOS style boot of UEFI did not have to reserve.

    1. Re:As one who works at a vendor.... by wierd_w · · Score: 5, Informative

      Low memory is also significantly less important on a UEFI system, because it boots straight into protected mode. Eventually, Intel will completely do away with trappings like v86 mode and pals, because they wont really be needed or useful, and will just be gobbling up die space.

      What complicates intel's master plan, is that DOS (especially since the freedos project is very mature and has no licensing fees) is a very approachable target for many applications even in the modern era (Many things, from airport metal detectors to vinyl cutters, to industrial robots and pals), and that requires BIOS to operate. That you do not need to lug around a huge OS stack (DOS lives comfortably in less than 1mb of RAM), and dont have to contend with hundreds of multitasking processes (So your single task-oriented solution does not end up competing for resources or hardware events, because it is operating at realtime instead of time slices or having to wait for spin locks to disengage, etc) makes DOS a very approachable platform even today.

      Intel just does not like that. It sees UEFI and their management processor security device model being the future in modern computing, and much like AMD, probably will only give up the keys to the management engine's castle after the vandals storm the place. (Meaning CoreBoot and pals will have to find ways to smash down the custom minix's doors and take over by force to overcome the designed security features of the processor, and hand them over to proper user control.) This is because the premise of the technology defacto asserts that the end user is not capable of being trusted with the security of the platform, and that only trusted persons or entities (orgs) can be vested with that responsibility. (This is at odds with GNU's philosophy.) Intel has many deep-pocketed orgs demanding this level of digital lordship, (microsoft *AND* apple being among the big ones), so the money is in giving the big pocketed groups what they want, which is mutually exclusive to projects like coreboot.

    2. Re:As one who works at a vendor.... by TheRaven64 · · Score: 2

      Eventually, Intel will completely do away with trappings like v86 mode and pals, because they wont really be needed or useful, and will just be gobbling up die space.

      I'd be very surprised if they weren't entirely microcode today. Who cares if every real mode instruction takes 10 cycles to complete - no customers large enough to care about have performance critical real-mode code, and the few that do are probably happy if it's a few thousand times faster than their 80286. If it's in microcode, it's taking a trivial amount of die space and none in performance-critical parts.

      --
      I am TheRaven on Soylent News
  4. As expected... by Anonymous Coward · · Score: 3, Insightful

    Deliberately limiting customer choice and putting the machine that much closer to just being outright owned by the manufacturer, no matter who paid for it.

    And as per usual, it's in the name of "security." The current UEFI standard means that the manufacturer doesn't have to let you add boot signature keys to the firmware, either. While there will be machines that can bypass this "upgrade," they'll be sure to slowly be priced sky high.

    Let's see how long it takes Microsoft to try to cram Windows 10 S down all our throats and choke out any programs they can't control, and pay off the manufactures not to include facilities to add keys by end users except for an ever-increasingly expensive high end. After that, who knows what they'll try to force you into? They've already been talking about forbidding users from accessing websites they don't like. Or the "anti-cheating" features they're adding? You'll be able to turn them off... just like you could turn off UEFI secure boot, in the beginning.

  5. Completely Untrue by Anonymous Coward · · Score: 4, Insightful

    'Removing the legacy BIOS support will mitigate some security risks, needs less validation by vendors, allows for supporting more modern technologies,

    Don't twist the wording - tell the truth.

    Last time I looked I have NEVER seen a bios attack, excluding published NSA exploits.
    The correct wording would be obsoleting older devices and pathways that support unconditional video decoding, and preventing other means to turn off underhanded telemetry and back door audits.

    UEFI has plenty of proven security risks including a back door management interface that cannot be turned off. UEFI is flawed by design, and is pandering to Hollywood generally.

    The sad thing is that Raspberry Pi or similar will soon be capable of 4K video processing, as are some streaming boxes now, so Hollywood has already lost out to sub $80 boxes.

    1. Re:Completely Untrue by thegarbz · · Score: 4, Informative

      Last time I looked I have NEVER seen a bios attack

      Found a millennial. Those of us with a few more grey hairs on our beards remember BIOS modifying related malware basically showing up as one of the originals during the birth of PC malware.

      That's to say nothing of the fact you've had your eyes closed to multiple cases over the past few years, to say nothing of the several that have been discussed on Slashdot in the past.

  6. ok now force Vendor to give you impi bios updates by Joe_Dragon · · Score: 2

    ok now force Vendor to give you impi bios updates with out needing to buy an addon key to unlock that.

  7. Mere Mortal question by McLae · · Score: 3, Interesting
    OK, so what does this mean for me? Too much jargon to decipher. And this is new systems, right?

    References?

    1. Re:Mere Mortal question by Narcocide · · Score: 2

      The short version is that now all your new computers will be capable of contracting viruses that you can't get rid of just by reformatting all drives and reinstalling your OS.

  8. Will Google end Intel support? by Anonymous Coward · · Score: 2, Funny

    Replace Your Exploit-Ridden Firmware with Linux

    Google has already been thinking about switching to POWER chips. Maybe this UEFI thing will be the final push they need?

  9. Re:Coreboot by Anonymous Coward · · Score: 5, Funny

    You should stick to secure MINIX, as Intel intended.

  10. and give AMD the server market? by Joe_Dragon · · Score: 3, Insightful

    and give AMD the server market?

  11. Why does it matter? by thogard · · Score: 5, Insightful

    BIOS and EFI should only hand the boot loader an bit of RAM and boot image and enough extra stuff to load anther few megabytes off the boot source. I don't care if you call the BIOS something else like UEFI . Everything else should be up to the boot loader and the OS. I don't need the BIOS (or its successors) to test all the memory, just the 1st gig or so. If it is booting off disk, I don't need it to know about the network. I don't need it to know about the video or even the keyboard unless there is a problem. I only need it to know about NVE if I'm booting off that. The OS should rescan all the hardware and ignore anything provided by the BIOS.

    Excessively complicated BIOS is a security risk not matter what it is called.

  12. Re:End 16 bit real mode mode? by Hal_Porter · · Score: 2

    My understanding is that with EFI, the processor never enters real mode, and initializes directly in protected mode.

    All current x86/x64 chips start in real mode. So EFI has to make a switch to protected mode with long mode enabled.

    However Intel has sold chips which boot up in protected mode in the past. E.g.

    https://en.wikipedia.org/wiki/...

    The Intel 80376, introduced January 16, 1989, was a variant of the Intel 80386SX intended for embedded systems. It differed from the 80386 in not supporting real mode (the processor booted directly into protected mode) and having no support for paging in the MMU. The 376 was available at 16 or 20 MHz.

    Of course so long as the PC standard includes the Bios, such a chip can't be PC compatible. Actually the 376 is a perhaps a bad example because it didn't have an MMU. However suppose you had a legacy free x64 chip which booted up in long mode and didn't support real mode. Such a device would be able to run EFI. And since v86 mode isn't supported in long mode - the reason 64 bit Windows can't run Dos or Win16 applications whereas 32 bit Windows can - it would be possible to disable v86 mode too.

    I'm not sure how you'd handle running 32 bit applications on a 64 bit OS - presumably a legacy free chip would either implement bits of the normal protected mode architecture - the GDT for example so it could distinguish 32 bit code segments from 64 bit ones - or it might have some sort of mode bit in a register to decide.

    Or you could rip out 32 bit mode support too, and just handle it via JITting the code to 64 bit.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  13. Pure 64? Ever? by Zo0ok · · Score: 2

    How about dropping everything except 64 bit mode. Boot straight to 64 bit, no turning back, no legacy, no compability?
    How many CPUs actually ever run anything than 64 bit today?
    (I do understand many windows desktops do, but apart from that: servers, linux computers, chromebooks should never need anything less than 64 bit mode)