Slashdot Mirror


Microsoft Announces Project Mu, an Open-Source Release of the UEFI Core (betanews.com)

Mark Wilson writes: Microsoft has a new open source project -- Project Mu. This is the company's open-source release of the Unified Extensible Firmware Interface (UEFI) core which is currently used by Surface devices and Hyper-V. With the project, Microsoft hopes to make it easier to build scalable and serviceable firmware, and it embraces the idea of Firmware as a Service (FaaS). This allows for fast and efficient updating of firmware after release, with both security patches and performance-enhancing updates.

FaaS is something that Microsoft has already enabled on Surface, but the company realized that TianoCore -- the existing open-source implementation of UEFI -- was not optimized for rapid servicing. This is where Project Mu can help, the company says. "Mu is built around the idea that shipping and maintaining a UEFI product is an ongoing collaboration between numerous partners. For too long the industry has built products using a 'forking' model combined with copy/paste/rename and with each new product the maintenance burden grows to such a level that updates are near impossible due to cost and risk," the company said.

121 comments

  1. ALL OF THE SERVICES by DarkRookie2 · · Score: 0

    So we can lock you in and not fix our shit
    Why would we. We have your money and your balls.

    --
    http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    1. Re:ALL OF THE SERVICES by Anonymous Coward · · Score: 0

      You consider Open-Source a Lock-In? Fuck! There is just no pleasing you, is there?

    2. Re:ALL OF THE SERVICES by Anonymous Coward · · Score: 0

      Don't worry, they will never get your balls. Nothing to give.

    3. Re:ALL OF THE SERVICES by DarkRookie2 · · Score: 0

      More of the Firmware as a Service idea that I am not liking.

      --
      http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    4. Re:ALL OF THE SERVICES by Anonymous Coward · · Score: 0

      Cry baby nerd

    5. Re:ALL OF THE SERVICES by OrangeTide · · Score: 1

      Do you miss the good old days of keying in the bootstrap routine on start up?

      --
      “Common sense is not so common.” — Voltaire
    6. Re: ALL OF THE SERVICES by Lije+Baley · · Score: 1

      Keying? Hrrmph! True freedom comes only from entering it with toggle switches!

      --
      Strange things are afoot at the Circle-K.
    7. Re:ALL OF THE SERVICES by jellomizer · · Score: 3, Insightful

      Open Source isn't as free as most people think it is.
      Free and Open Specifications have far more value than Source Code does.
      And no, Open Source doesn't mean the specifications are Open automatically. There are a lot of ways to hide stuff in source code that would make comprehending the logic far more complex than just a normal reverse engineering of it. There are also a lot of system particular calls which may be the case as well.

      For example a lot of old Legacy Applications will save data files by just dumping the memory structure into the file in raw binary format. I can take this code, it will compile and work on a different platform but wouldn't be able to read the data files, because how the system handled memory was different (such as using Big Endian vs Little Endian which is more common today) or just how an integer may be classified 16bit, 32bit, 64bit....

      Open Source alone doesn't make it free or open. It just gives you the source code, which you may be able to alter some features without having to do a full rewrite.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    8. Re:ALL OF THE SERVICES by dittbub · · Score: 0

      Why would anyone want to monetize their work!?

    9. Re:ALL OF THE SERVICES by Anonymous Coward · · Score: 0

      Slashdot in 1998: omg why is all of Microsoft's stuff closed? Don't they know that open source is better?

      Slashdot in 2018: omg why is Microsoft open sourcing their stuff? Stay away!!

    10. Re:ALL OF THE SERVICES by Anonymous Coward · · Score: 0

      Look up digital signing.

      You can't sign this code and have it still work on your machine. Microsoft is fucking you up the arse while giving you a reach around.

    11. Re: ALL OF THE SERVICES by Anonymous Coward · · Score: 0

      I think you are misunderstanding what they mean. The service aspect is referencing update options, not a revenue stream.

    12. Re: ALL OF THE SERVICES by DarkRookie2 · · Score: 1

      I have no idea what you guys are talking about.

      --
      http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    13. Re: ALL OF THE SERVICES by Anonymous Coward · · Score: 0

      But you aint got what you want. No thanks

    14. Re: ALL OF THE SERVICES by WorBlux · · Score: 1

      Toggle switches, my god are you lazy! A true electron cowboy configures the boot sequence via jumper wires!

    15. Re:ALL OF THE SERVICES by WorBlux · · Score: 2

      Legacy is hard on closed or open, but at least with open there's a place to start. And thankfully CPUs used to be slower, so emulation of the whole system isn't a terrible option.

    16. Re: ALL OF THE SERVICES by Cmdln+Daco · · Score: 1

      No sir! A true expert bootstraps by cutting the appropriate diodes out of the diode array with a wire cutter! You only have to do it once!

    17. Re: ALL OF THE SERVICES by Anonymous Coward · · Score: 0

      It's because they have a history of bad behavior, so when we get Microsoft news we try to guess what is the catch that will turn this seemingly good news into just another nightmare.

      What is different about this Mu that they couldn't achieve with an existing project? Hmm... Let's talk about "control". They are not being benevolent to anyone but their bottom line. This is not about you.

    18. Re:ALL OF THE SERVICES by Anonymous Coward · · Score: 0

      If your machine doesn't consider your signature to be the number one most-trusted signature, then it's not really your machine.

      Blame Microsoft for any pressure they placed on your firmware maker for the purpose of keeping your machine that you bought from ever being yours. But don't blame them for releasing software under a Free license.

      Give 'em shit for the right reasons. Don't say stupid shit and then just assume everyone knows what you meant to say instead.

    19. Re:ALL OF THE SERVICES by Kjella · · Score: 2

      Open Source isn't as free as most people think it is. Free and Open Specifications have far more value than Source Code does. (...) For example a lot of old Legacy Applications will save data files by just dumping the memory structure into the file in raw binary format.

      And how many of those applications do you think have specifications that are actually current, correct and complete? Specifications are vital if you're trying to establish a standard. If you're trying to decipher a one-of-a-kind format created by proprietary software, custom-developed code or anything like that the source code is in 99.9% of the cases the only answer to what is really happening. Then you start looking through version control systems (if you're lucky), design docs, bug reports, ask the business users etc. to reverse engineer why it's happening. Sometimes we figure it out, sometimes it's still valid but often it's a solution to a problem we don't have anymore. Other times it's simply a bug or it does things differently than the users thought it did. And sometimes nobody can figure it out and you're told to just replicate it, warts and all. So if there's ever a choice between an implementation and a spec, I'll take the implementation any day.

      That aside, almost any proper specification today ought to have a reference implementation and a compliance test suite both of which are code. So in order from best to worst I'd say it's:

      1. Spec + code
      2. Code
      3. Spec
      4. Binary

      Unless it's a very known spec with lots of implementations and you just happen to be the 3142th FTP client ever written. But in that case get your head out of your ass and use a library. One implementation is bad but there's very few standards that benefit from more than say ten, then they're writing to the spec because the encoder x decoder or server x client matrix is too unmanageable for anything else.

      --
      Live today, because you never know what tomorrow brings
    20. Re: ALL OF THE SERVICES by WorBlux · · Score: 1

      Mercy me! You win.

    21. Re: ALL OF THE SERVICES by OrangeTide · · Score: 1

      I assumed keying was the right verb for using any kind of switch. For what it's worth, in my head I was thinking of the front panel toggles on a minicomputer.

      Once we had magnetic drums and terminals with paper tape things got a lot easier. Not better, but easier. But it did mean we could raid the bit bucket for an unlimited supply of confetti.

      --
      “Common sense is not so common.” — Voltaire
    22. Re: ALL OF THE SERVICES by Zero__Kelvin · · Score: 1

      ACs on Slashdot in 1998: ... Saying stupid shit

      ACs on Slashdot in 2018: ... Still saying stupid shit

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    23. Re:ALL OF THE SERVICES by Anonymous Coward · · Score: 0

      open source doesn't matter if the entire system is designed to be signed/encrypted.

      You have no idea what that binary does and you cannot change it - so what value open source?

      Open source in these circumstances is a ruse. It's meant to mislead you into thinking it has any value. I often find myself disagreeing with Stallman... but not on this. There's a reason the GPL3 is written the way it is.

      Maybe you should avoid saying stupid shit.

    24. Re:ALL OF THE SERVICES by Anonymous Coward · · Score: 0

      So we can lock you in and not fix our shit

      Why would they need to release this as open source to accomplish that?

      We have your money and your balls.

      Maybe you shouldn't be so quick to just hand those over.

    25. Re:ALL OF THE SERVICES by Anonymous Coward · · Score: 0

      This is the problem with the whole free software movement, it's stuck right in the middle of the stack so you end up with free software running on non-free firmware and non-free hardware from CPUs, GPUs, chipsets, modems and other network interfaces. It's the illusion of control.

    26. Re:ALL OF THE SERVICES by arglebargle_xiv · · Score: 1

      Exactly. Firmware is what's permanently flashed into your hardware to make it run, it's not a service, and if it was a service any availability issue would mean your hardware wouldn't work any more. Sheesh, what's next, DRAM as a Service? PSUs as a Service? Wall Socket as a Service?

    27. Re:ALL OF THE SERVICES by arglebargle_xiv · · Score: 1

      I started to have a look, mostly to see how many new UEFI security holes I could spot in the first five minutes. Holy fuck, have you seen the size of that code base? There's an entire OS and supporting services hiding in there screaming to get out (and waiting to be exploited), the bloat is ridiculous. I stopped skimming after I don't know how many thousand lines of code, and I'd barely scratched the surface.

    28. Re:ALL OF THE SERVICES by Anonymous Coward · · Score: 0

      Stallman, bless his stinking filthy hippy cotton socks, knows this.

      That's why he's been pushing consistently for Free BIOS, Free CPU etc.

      And to be fair, these are coming. RISC V will be a big part of that.

    29. Re: ALL OF THE SERVICES by Anonymous Coward · · Score: 0

      ACs are a lot more respectable than Zero__Kelvin. ACs have often delivered insightful or informative comments. Zero__Kelvin just trolls people. That incel faggot really needs to get laid.

  2. Open-source in name only. by Anonymous Coward · · Score: 0

    Open-source in name only.

    1. Re:Open-source in name only. by Opportunist · · Score: 2

      it's just a spelling mistake, it was meant to read "open sores".

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Firmware as a service by Anonymous Coward · · Score: 0

    No thanks.

  4. Firmware as a SERVICE?!? by Anonymous Coward · · Score: 0

    God help us all. Surely this is an unmistakable sign that the End Times are nigh.

  5. Need I remind all that by Anonymous Coward · · Score: 0

    IT'S A TRAP!

    1. Re:Need I remind all that by WorBlux · · Score: 1

      You bought your computer from Microsoft, what did you expect?

      Though if other OEM's followed suit, it might be interesting.

  6. GET YOUR OWN NAMES MICROSOFT by GameboyRMH · · Score: 1

    At least they took the name of a company that makes brake parts instead of another computer-related thing this time.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
    1. Re:GET YOUR OWN NAMES MICROSOFT by Anonymous Coward · · Score: 0

      I'm pretty sure the KLF, also known as the justified ancients of mu mu, furthermore known as the JAMMS have a pretty good claim to Mu.

    2. Re:GET YOUR OWN NAMES MICROSOFT by Anonymous Coward · · Score: 0

      Faggots like you always bitch about the stupidest shit. Grow the fuck up!

    3. Re:GET YOUR OWN NAMES MICROSOFT by Anonymous Coward · · Score: 0

      Well there's the Mu Editor for Python, if you want a computer-related thing. Though I can't say how well-known or popular it is.

    4. Re:GET YOUR OWN NAMES MICROSOFT by Anonymous Coward · · Score: 0

      It's appropriate. Seeing as Microsoft is always braking things.

    5. Re:GET YOUR OWN NAMES MICROSOFT by Anonymous Coward · · Score: 0

      Mu is the 12th letter in the Greek alphabet. If you named your company after a letter and expect it to be unique, that's silly.

    6. Re:GET YOUR OWN NAMES MICROSOFT by GameboyRMH · · Score: 1

      Well the company is called "Project Mu."

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    7. Re:GET YOUR OWN NAMES MICROSOFT by Anonymous Coward · · Score: 0

      "My god, Microsoft uses device telemetry and ad profiles as wall covering for renovation purposes!"

    8. Re:GET YOUR OWN NAMES MICROSOFT by Anonymous Coward · · Score: 0

      Cows say "Mu." "Mu," cows, "mu!"

  7. Firmware as a service? by Anonymous Coward · · Score: 1

    Why? What possible reason do we need firmware as a service? Oh, I know. One more thing to generate recurring fees to fix the stuff that you already paid for. Plus the ability to plant stuff deep in your system when you aggravate the wrong people. Or how about exploitation by malicious parties? What a great idea.

    1. Re:Firmware as a service? by dittbub · · Score: 1

      If you have an ecosystem with a wide variety of hardware it might be simpler to manage. Not sure, I only just heard of this so I can't come to a conclusion if it's a good product or not

  8. Firmware as a Service (FaaS) by Anonymous Coward · · Score: 0

    This is a nightmare waiting to happen. The excuse is security and maintainability, but at its core it's about you waiving even more control over stuff that supposedly is yours. In the end the real owner is a soulless big Corp and you are just a powerless user.

    1. Re:Firmware as a Service (FaaS) by dittbub · · Score: 1

      I'd prefer my firmware updates to be as soulless as possible thank you

    2. Re:Firmware as a Service (FaaS) by sinij · · Score: 1

      Please mod this up.

    3. Re:Firmware as a Service (FaaS) by WorBlux · · Score: 1

      You already can't write your own firmware for these devices due to signing requirements. At least being able to audit a common codebase is a step up.

    4. Re:Firmware as a Service (FaaS) by Anonymous Coward · · Score: 0

      The excuse is security and maintainability, but at its core it's about you waiving even more control over stuff that supposedly is yours.

      If you're in the 0.000001% of people that want to maintain their own firmware then buy hardware that supports that. The only problem here is that people that pretend to care about the issue do nothing about it. For all the complaining about "control" the FOSS community has failed to come together and fund/donate time to develop a decent fully free computer.

      It's not like there has even been any significant effort to legislate against something like this either.

      If you really cared about the issue you'd stop whining anonymously about it and actually do something about it.

  9. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  10. Not a Fan of UEFI by BrendaEM · · Score: 2, Insightful

    Other than the wave of fancy graphics found on computer set-up screens, UEFI, has brought little to the table. As someone who has assembled over one-hundred computers, I think that the old BIOS, being a very minimal, compact, low-bug, text-based setup software was an idea better suited to reliable computers than "modern" bloated, bug-filled, UEFI.

    Monopoly-wise, UEFI, has given Microsoft an unfair advantage to draw a circle around all (IBM Compatible) PCs and call them their own.

    --
    https://www.youtube.com/c/BrendaEM
    1. Re:Not a Fan of UEFI by JBMcB · · Score: 1

      Monopoly-wise, UEFI, has given Microsoft an unfair advantage to draw a circle around all (IBM Compatible) PCs and call them their own.

      In what way? Pretty much every other x86-based OS can boot off of UEFI.

      https://en.wikipedia.org/wiki/...

      --
      My Other Computer Is A Data General Nova III.
    2. Re:Not a Fan of UEFI by bws111 · · Score: 4, Informative

      As is normal on slashdot, 99% of the people complaining about UEFI appear to have absolutely no idea what it is or does. UEFI has nothing to do with 'fancy graphics set-up screens' (although it may make creating such screens much easier). On all of the UEFI-based systems I have used, the setup screens look exactly like BIOS screens.

      And WTF does UEFI have to do with giving Microsoft a monopoly? If anything, it does exactly the opposite. The access to firmware functions is provided by standardized UEFI calls, not proprietary drivers provided by a device manufacturer.

    3. Re:Not a Fan of UEFI by Anonymous Coward · · Score: 1

      Because they all need to petition redmond for a signature with the redmond key to be somewhat viable as a competitor to redmond. And, of course, it means supporting lots of redmond tech (fatshame32) just so you can boot. BIOS is crappy but so much simpler to deal with, that UEFI is not an improvement.

    4. Re:Not a Fan of UEFI by Anonymous Coward · · Score: 0

      And yet, you can still install BSD or a shitty Linux distro on any of them. What are you crying about again?

    5. Re:Not a Fan of UEFI by bws111 · · Score: 2

      Bullshit. We have our Linux images signed with our own key, and they work just fine. There is zero Microsoft involvement. FAT is 'lots of redmond tech'?

    6. Re:Not a Fan of UEFI by Anonymous Coward · · Score: 1

      If you manage desktops for a business, UEFI is both a pain in the butt and a God-send.

      A pain in the butt because all these new-fangled UEFI machines broke your old imaging process. You've had to adapt to either learn to switch machines over to legacy boot mode or (worst case) completely re-design your imaging process from the ground up with UEFI in mind.

      A god-send because it enables some really cool new deployment scenarios, mainly through network booting. So you can set a machine to boot to a network location that will automatically deploy the OS. You can even configure the machine to reboot every night and re-image back to pristine, without any 3rd-party software.
      A god-send because it enables some new security features: namely, validating the boot image, which makes it very difficult for root kits to take hold.

      I remember the Slashdot reaction when MS first announced support for SecureBoot. So many comments about how MS would use it to lock out linux or other open source products. That was nearly 10 years ago, and nothing even close to that has happened, but we have seen a meaningful security benefit.

    7. Re:Not a Fan of UEFI by WorBlux · · Score: 1

      Not true, quite a few computers, especially server and business grade, allow a physically present user to enter platform setup mode and upload the public portion of the PEK and then you can sign any KEK that you like.

    8. Re:Not a Fan of UEFI by WorBlux · · Score: 1

      If you add your own KEK, you can sign any bootloader, driver, or kernel that you'd like to use.

    9. Re:Not a Fan of UEFI by Anonymous Coward · · Score: 0

      Microsoft got a monopoly on uefi signing you moron

    10. Re:Not a Fan of UEFI by Anonymous Coward · · Score: 0

      Who is this "we" you speak of? A company running their own images on their own hardware? That's not really the same as trying to sell your distribution to the larger public, is it?

      And yeah, having to support FAT just to boot is lots more tech than "the BIOS reads sector one and hands you control, take it from there".

    11. Re:Not a Fan of UEFI by JBMcB · · Score: 1

      Because they all need to petition redmond for a signature with the redmond key to be somewhat viable as a competitor to redmond.

      That's *ONLY* if you get a machine with secure-boot enabled by default and Windows pre-installed, and even then it's only a couple of manufacturers that only include Microsoft keys. I think it was only a *requirement* on WinRT devices, which are now dead and buried. My MSI motherboard from four years ago lets you add keys to UEFI to enable secure-boot for other OSes.

      --
      My Other Computer Is A Data General Nova III.
    12. Re:Not a Fan of UEFI by thegarbz · · Score: 1

      I think that the old BIOS, being a very minimal, compact, low-bug,

      Normally I'd say something like "found the millennial" but you must be Gen-Z as even millennials would laugh at that statement.

      BIOSes have since the early 90s been a clusterfuck of horrendously poorly written workarounds, barely working code messing up half the OSes that required to use them. UEFI is no worse than the old ones, and arguably better since it has provided a means of a non-archaic way of applying bugfixes that didn't involve digging through your junk drawer to look for a floppy drive and hope that you don't brick your computer in the 10min it took to actually update the piece of crap.

      You call modern BIOSes bloated? In what way? Because they provide functionality to control the thousands of parameters that a modern device can configure? Or are you only upset that you now have the option to navigate a screen via a mouse instead of a keyboard? God knows you're not talking about speed because anyone who's actually used a computer from the 90s or the 00s would attest to the fact that booting has gotten faster and leaner rather than slower.

      Hell my favourite bug in my current BIOS is that with fastboot enabled the BIOS is not able to get a USB keyboard initialised before initiating the boot permanently locking you out (the bypass is to remove a RAM stick which forces a memory re-check giving you enough time to hit DEL).

      Monopoly-wise, UEFI, has given Microsoft an unfair advantage

      In what way? If you're talking about secure boot it's worth remembering that MS *requires* vendors to be able to disable secure boot in order to get approval through the Windows Certification program.

    13. Re:Not a Fan of UEFI by bws111 · · Score: 1

      Wrong again. Any distro can publish the public portion of their signing key, and anyone can install that key using the OS of their choice. If you chose a crappy vendor that does not allow installation of your own keys, that is on you, not MS.

    14. Re:Not a Fan of UEFI by Rob+Y. · · Score: 1

      That may be technically true, but I think the original poster was mainly referring to off-the-shelf desktop computers, which come with only the Microsoft keys - and for which typical (and even fairly technical) desktop Linux users need to deal with a Microsoft-sanctioned shim to get a working installation (or disable encryption altogether - if the BIOS in question allows that).

      I guess the bottom line question is - if an MS Surface does not allow you to install Linux on it, should we be wary of other boxes starting to use its UEFI implementation?

      --
      Posted from my Android phone. Oh, I can change this? There, that's better...
    15. Re:Not a Fan of UEFI by WorBlux · · Score: 2

      You can install any Linux that uses the shim, or you can install your own KEK key. I'm not sure if you can take control of the PEK though and entirely block microsoft software from the device though. https://docs.microsoft.com/en-.... But the Surface is largely business class, having a TPM that you can use to verify the boot chain.

      All in all replacing consumer firmware with mu, may actually provide more control on average, giving more options than such M$ key on or secure boot off.

    16. Re:Not a Fan of UEFI by WorBlux · · Score: 1

      Also having one codebase to pressure to enable PEK setup is still a better situation than trying to tie OEM's down on a thousand different codebases.

    17. Re: Not a Fan of UEFI by Zero__Kelvin · · Score: 1

      So it's only if you buy pretty much any computer you are likely to find in a store then? Wow ... Good thing it is an exception and not the norm!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    18. Re:Not a Fan of UEFI by Anonymous Coward · · Score: 0

      UEFI: the only thing imaginable that could be worse than BIOS. Now, every computer has a shitty DOS-class OS burned into the firmware, which is permanently resident, and the perfect platform for back doors and spyware. That is on top of the IME, which reduces trust even further. Intel x86 considered harmful paints a vivid and damning picture of the modern x86 platform.

      Any bootstrap mechanism should be simple and transparent, and leave the owner with full control of the machine. CoreBoot is a good starting point. Replacing x86 is a good next step, since Intel refuses to document the platform, and requires binary blobs to boot the platform.

      There are worrying efforts which may also infect RISC-V platforms with UEFI and "secure" enclaves. It is ironic that open hardware efforts could help accelerate locked-down computing, if vendors widely adopt these user-hostile technologies.

    19. Re: Not a Fan of UEFI by Zero__Kelvin · · Score: 1

      I have built Tianocore images and booted them in order to understand UEFI so I think it's fair to say I'm in that other 1% and I assure you UEFI is a clusterfuck.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    20. Re:Not a Fan of UEFI by exomondo · · Score: 1

      Because they all need to petition redmond for a signature with the redmond key to be somewhat viable as a competitor to redmond.

      No, you're confused. You're talking about the SecureBoot feature of UEFI, which you can turn off even on Microsoft's own Surface computers. Even then the only motherboards that even have any requirement for the SecureBoot feature at all are ones that want the "Certified for Windows 10" sticker on them.

    21. Re:Not a Fan of UEFI by exomondo · · Score: 1

      I guess the bottom line question is - if an MS Surface does not allow you to install Linux on it, should we be wary of other boxes starting to use its UEFI implementation?

      But they do, they always have. Despite all the fear-mongering over the years of how SecureBoot will kill Linux on the desktop.

      You can add your own keys (if the OEM adds that feature), you can turn SecureBoot off altogether or you can use the shim. Even then that all only applies to hardware that has gone through the "Certified for Windows 10" program.

    22. Re: Not a Fan of UEFI by Anonymous Coward · · Score: 0

      No, he's saying it's no computers you're likely to find in any store. Exactly the opposite of what you said.

    23. Re: Not a Fan of UEFI by exomondo · · Score: 1

      So it's only if you buy pretty much any computer you are likely to find in a store then? Wow ... Good thing it is an exception and not the norm!

      Is there any system that doesn't have a switch to turn SecureBoot off? Even Microsoft's own Surface devices have a switch for it.

    24. Re:Not a Fan of UEFI by jittles · · Score: 2

      Because they all need to petition redmond for a signature with the redmond key to be somewhat viable as a competitor to redmond. And, of course, it means supporting lots of redmond tech (fatshame32) just so you can boot. BIOS is crappy but so much simpler to deal with, that UEFI is not an improvement.

      This is FUD. The UEFI Forum solicited proposals for companies to provide the root of trust for Secure Boot and all of the big security companies wanted a lot of money to host this. Microsoft offered to host it for free. Any other company could make the same offer and the UEFI Forum would gladly accept it and add another root of trust. Not to mention that a requirement to get a system certified for OEM sale of Windows requires that the end user be able to install their own Secure Boot key. This means that anyone can sign their own boot loaders. You only need to have a signing key from the Microsoft authority if you want your boot loader, driver, etc, to run with secure boot enabled without having to load a key into the keystore on the machine.
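
Added example, not part of any comment in this thread: several posts above argue about whose keys a machine trusts (the platform key, which the thread writes as "PEK", the KEK, and the allowed-signature database db) and about setup mode. The sketch below parses the UEFI `EFI_SIGNATURE_LIST` layout as Linux exposes it through efivarfs and reports the Secure Boot mode and how many entries each owner GUID holds; the owner GUIDs, the placeholder "certificates" and the helper names (`audit`, `build_sig_list`, `SAMPLE`) are constructed for illustration.

```python
import struct
import uuid
from collections import Counter

# Signature-type GUIDs defined by the UEFI specification.
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "sha256",
}
LIST_HDR = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size


def payload(raw: bytes) -> bytes:
    """efivarfs files start with a 4-byte attribute word; return what follows."""
    if len(raw) < 4:
        raise ValueError("short efivarfs read")
    return raw[4:]


def flag(raw: bytes) -> bool:
    """Decode a one-byte boolean variable such as SecureBoot or SetupMode."""
    data = payload(raw)
    if len(data) != 1:
        raise ValueError("expected a single byte")
    return data[0] == 1


def parse_signature_lists(data: bytes):
    """Return (type, owner GUID, signature bytes) for each enrolled entry."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_le, list_size, hdr_size, sig_size = LIST_HDR.unpack_from(data, off)
        body = list_size - LIST_HDR.size - hdr_size
        if off + list_size > len(data) or sig_size <= 16 or body < 0 or body % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        kind = SIG_TYPES.get(uuid.UUID(bytes_le=type_le), "other")
        pos = off + LIST_HDR.size + hdr_size
        for _ in range(body // sig_size):
            # Each entry is a 16-byte owner GUID followed by the key or hash.
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((kind, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off += list_size
    return entries


def audit(variables: dict) -> dict:
    """Summarise who holds keys on a machine from raw efivarfs contents."""
    setup, enforcing = flag(variables["SetupMode"]), flag(variables["SecureBoot"])
    if setup:
        mode = "setup"       # no platform key enrolled: keys can be enrolled freely
    elif enforcing:
        mode = "enforcing"   # platform key enrolled and boot images are verified
    else:
        mode = "disabled"    # platform key enrolled but verification switched off
    owners = {}
    for name in ("PK", "KEK", "db"):
        entries = parse_signature_lists(payload(variables.get(name, b"\0\0\0\0")))
        owners[name] = Counter(str(owner) for _, owner, _ in entries)
    return {"mode": mode, "owners": owners}


def build_sig_list(type_guid: uuid.UUID, owner: uuid.UUID, blobs) -> bytes:
    """Build one EFI_SIGNATURE_LIST (used only for the constructed sample)."""
    body = b"".join(owner.bytes_le + blob for blob in blobs)
    size = LIST_HDR.size + len(body)
    return LIST_HDR.pack(type_guid.bytes_le, size, 0, 16 + len(blobs[0])) + body


# Constructed sample: owner GUIDs and "certificates" are placeholders, not real keys.
VENDOR = uuid.UUID("11111111-1111-1111-1111-111111111111")
LOCAL = uuid.UUID("22222222-2222-2222-2222-222222222222")
X509, SHA256 = list(SIG_TYPES)
ATTRS = struct.pack("<I", 0x27)  # attribute word; not interpreted by this example
SAMPLE = {
    "SecureBoot": ATTRS + b"\x01",
    "SetupMode": ATTRS + b"\x00",
    "PK": ATTRS + build_sig_list(X509, LOCAL, [b"placeholder-pk-cert"]),
    "KEK": ATTRS + build_sig_list(X509, VENDOR, [b"placeholder-vendor-kek"])
                 + build_sig_list(X509, LOCAL, [b"placeholder-local-kek"]),
    "db": ATTRS + build_sig_list(X509, VENDOR, [b"placeholder-vendor-ca"])
                + build_sig_list(SHA256, LOCAL, [bytes(32), bytes([1]) * 32]),
}

if __name__ == "__main__":
    # On Linux the real inputs are files under /sys/firmware/efi/efivars/, e.g.
    # SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c, read in binary mode.
    report = audit(SAMPLE)
    print("mode:", report["mode"])
    for store, counts in report["owners"].items():
        print(store, dict(counts))
```

A db or KEK whose only owner is the vendor GUID corresponds to the "off-the-shelf" case the thread describes; locally owned entries show that the machine's owner has enrolled keys of their own.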

    25. Re:Not a Fan of UEFI by jittles · · Score: 1

      Not true, quite a few computers, especially server and business grade, allow a physically present user to enter platform setup mode and upload the public portion of the PEK and then you can sign any KEK that you like.

      Any OEM machine that ships with Windows is required to allow a physically present user to install their own key. The only OEM that can get around this? Microsoft. They do not follow that rule with the Surface, as an example. At least not the ARM ones. I don’t know what they do with the x86 ones.

    26. Re: Not a Fan of UEFI by jittles · · Score: 1

      I have built Tianocore images and booted them in order to understand UEFI so I think it's fair to say I'm in that other 1% and I assure you UEFI is a clusterfuck.

      That depends entirely on what you are trying to accomplish. TianoCore provides drivers for just about everything. Way more than is needed to boot most systems. That’s because UEFI is designed to work for everybody in just about every use case imaginable. You could use something like CoreBoot but the feature set is much smaller. Sometimes that is a good thing and sometimes that is a bad thing. It depends entirely on what you’re trying to accomplish.

    27. Re:Not a Fan of UEFI by jittles · · Score: 1

      If you manage desktops for a business, UEFI is both a pain in the butt and a God-send.

      A pain in the butt because all these new-fangled UEFI machines broke your old imaging process. You've had to adapt to either learn to switch machines over to legacy boot mode or (worst case) completely re-design your imaging process from the ground up with UEFI in mind.

      A god-send because it enables some really cool new deployment scenarios, mainly through network booting. So you can set a machine to boot to a network location that will automatically deploy the OS. You can even configure the machine to reboot every night and re-image back to pristine, without any 3rd-party software. A god-send because it enables some new security features: namely, validating the boot image, which makes it very difficult for root kits to take hold.

      I remember the Slashdot reaction when MS first announced support for SecureBoot. So many comments about how MS would use it to lock out linux or other open source products. That was nearly 10 years ago, and nothing even close to that has happened, but we have seen a meaningful security benefit.

      You should not be using legacy boot in an enterprise situation. The only exception to that would be if you have some old operating system that does not work except in legacy mode. If you’re booting in legacy mode then your system’s security is about as solid as a slice of swiss cheese.

    28. Re:Not a Fan of UEFI by jittles · · Score: 1

      UEFI: the only thing imaginable that could be worse than BIOS. Now, every computer has a shitty DOS-class OS burned into the firmware, which is permanently resident, and the perfect platform for back doors and spyware. That is on top of the IME, which reduces trust even further. Intel x86 considered harmful paints a vivid and damning picture of the modern x86 platform.

      Any bootstrap mechanism should be simple and transparent, and leave the owner with full control of the machine. CoreBoot is a good starting point. Replacing x86 is a good next step, since Intel refuses to document the platform, and requires binary blobs to boot the platform.

      There are worrying efforts which may also infect RISC-V platforms with UEFI and "secure" enclaves. It is ironic that open hardware efforts could help accelerate locked-down computing, if vendors widely adopt these user-hostile technologies.

      CoreBoot has its place but it does not natively provide the security of the UEFI specification and also does not handle all of the potential use cases that the UEFI specification does as well. And how many exploits have you seen recently that revolve around issues in the firmware and not issues in the secure processor? I can tell you right now that most computers that have shipped in the last year or two, while potentially containing exploitable flaws, have generally not had any issue that allows an attacker to compromise the flash part unless they exploited a security issue in a BMC or through a secure processor such as ME or PSP.

    29. Re:Not a Fan of UEFI by WorBlux · · Score: 1

      ARM's always been an exception unfortunately, and the whole embedded space is a mess generally.

    30. Re:Not a Fan of UEFI by Anonymous Coward · · Score: 1

      Some of the people complaining about UEFI may be clueless, but despite that they're not wrong. UEFI is overcomplicated, bloated, design-by-committee, buggy garbage (see also: ACPI).

      OpenFirmware is BIOS done right. But sadly, people don't appreciate Forth so it died.

    31. Re:Not a Fan of UEFI by jittles · · Score: 1

      ARM's always been an exception unfortunately, and the whole embedded space is a mess generally.

      True. It's a lot easier to use non-UEFI firmware with ARM, though. In fact, it is rarely used on ARM. AFAIK the only phone manufacturer to use UEFI is Apple, but I could be wrong. Though in the ARM server world there is a lot more UEFI firmware. If you have a very limited set of hardware requirements, CoreBoot is probably a better choice. But if you need to support expansion slots and a very configurable boot process then UEFI is way more mature. I know that Siemens uses CoreBoot to load up Intel based hardware on their industrial computers and UEFI firmware for their laptops and other home user products.

  11. Call them by one name by Anonymous Coward · · Score: 0

    The combined name for all services from Microsoft is called FUaaS, Fuck you as a service

  12. UFIA or UEFI? by Anonymous Coward · · Score: 0

    You decide.

  13. Re:Feeling cooler in here by Anonymous Coward · · Score: 0

    I am super surprised at some of the positive changes and contributions Microsoft has been making in the past year. Fix Windows 10 (no spying, no forced reboots) and fix their customer support and I might even warm up to them. Really, I never thought I'd say that.

  14. Re:Feeling cooler in here by Anonymous Coward · · Score: 0

    There are no forced reboots except for idiots. It tells you if an update requires a reboot and gives you a chance to postpone, giving you a chance to save everything you're working on. The reboot MUST be done eventually, which is YOUR responsibility. Otherwise, the internet is polluted by stupid dumbass idiots like you who haven't patched your machine against exploits. There is also no spying. Telemetry is useful because it lets the developer know just how stupid you are and gives them the data necessary to make improvements. Now, shut up, stop browsing inforwars.com, and chill out.

  15. So, the author has no clue whatsoever by whitroth · · Score: 1, Insightful

    UEFI is a replacement for the "beloved" BIOS, that's there in firmware, before your system boots.

    It's been on *EVERY* workstation and server for years.

    M$ tried to lock in Windows by making "secure boot" with UEFI... and only they had the cryptographic signing that was accepted. That didn't fly very long....

    And for anyone who thinks "firmware as a service" is a good idea, instead of running away screaming, here, let me hijack your system, and install my own firmware on your system....

    1. Re:So, the author has no clue whatsoever by nine-times · · Score: 1

      I don't think I understand what's intended by "Firmware as a service". What, is the idea that we pay Microsoft a subscription fee to run firmware now?

    2. Re:So, the author has no clue whatsoever by Anonymous Coward · · Score: 0

      No no. It's only, that they update it when it serves them best. Simply put, they give you the latest and "greatest", meaning, you are their beta testers. That's the big secret after XX as a service, roll out updates early and often and have your customers do the testing for you.

    3. Re:So, the author has no clue whatsoever by thegarbz · · Score: 1

      M$ tried to lock in Windows by making "secure boot" with UEFI... and only they had the cryptographic signing that was accepted. That didn't fly very long...

      Actually it never flew at all. Despite how much you revise history, the very first requirements for UEFI mentioned in any Windows certification (specifically when Windows 8 was released) was that for a vendor to get the Microsoft certification for their product they *had* to provide a software switch to disable secure boot, something that Microsoft's own devices do despite them having no incentive or requirement to do so.

      And for anyone who thinks "firmware as a service" is a good idea, instead of running away screaming, here, let me hijack your system, and install my own firmware on your system....

      You can come and try, but may I suggest you go for my desktop first? You see my device which does have FaaS gets regular updates and bug fixes, but my desktop motherboard with its horrendously written and buggy UEFI BIOS hasn't had a patch since about a month after the product was released. Go for the low hanging fruit mate.

    4. Re:So, the author has no clue whatsoever by bws111 · · Score: 1

      Seriously? Firmware as a service has nothing to do with subscriptions or fees. It means that an OS gets access to firmware functions by an architected interface (ie a service) to the UEFI. That is as opposed to BIOS, which provided no such functions, so every device manufacturer had to provide their own interface to their firmware via proprietary drivers.

    5. Re:So, the author has no clue whatsoever by nine-times · · Score: 1

      I think my confusion should be understandable. SaaS = You rent software by a subscription. IaaS = You rent infrastructure by a subscription. FaaS = ???

      I'm still not sure what "Firmware as a Service" means from your description. How is Project Mu more of a "service" than existing UEFI?

    6. Re:So, the author has no clue whatsoever by Anonymous Coward · · Score: 0

      UEFI is a replacement for the "beloved" BIOS, that's there in firmware, before your system boots.

      True

      It's been on *EVERY* workstation and server for years.

      False. It started out mostly on laptops and later managed to find traction in desktop workstations. Servers only started UEFI in the last 1-2 generations of the hardware.

      M$ tried to lock in Windows by making "secure boot" with UEFI... and only they had the cryptographic signing that was accepted. That didn't fly very long....

      False. Microsoft continues to offer secure boot and only supports it with UEFI. This code is not going anywhere, though not everyone uses it. This technology is popular among the "Trusted Computing" crowd.

      And for anyone who thinks "firmware as a service" is a good idea, instead of running away screaming, here, let me hijack your system, and install my own firmware on your system....

      This argument would be like arguing that Microsoft's automatic updates are bad. This has been used to hijack systems, but security experts still believe that patching is better than not patching and having unmitigated, known vulnerabilities.

    7. Re:So, the author has no clue whatsoever by bws111 · · Score: 1

      I take it as meaning they want to use the 'firmware as a service' aspects of UEFI (all UEFIs), but their current UEFI (TianoCore) is a bloated mess that is too difficult to maintain.

    8. Re: So, the author has no clue whatsoever by Zero__Kelvin · · Score: 1

      BIOS always had a standardized set of calls. I don't know where you got the idea that it didn't.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    9. Re: So, the author has no clue whatsoever by Zero__Kelvin · · Score: 1

      There is no such thing as a UEFI BIOS. Perhaps you are referring to UEFI CSM (Compatibility Support Module.)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    10. Re: So, the author has no clue whatsoever by bws111 · · Score: 1

      Haha! Good one! The original BIOS (circa 1981) provided a small set of 'standard' calls for text-mode video, serial port, parallel port, diskette drive, cassette tape, and not much else. By the time DOS 2.0 came out they were already starting to use device drivers, as the BIOS calls were simply not sufficient. When the 386 was released with 'protected mode', BIOS usage dropped to 0, as you could not even access it in protected mode. There are NO modern OS's that use BIOS.

    11. Re: So, the author has no clue whatsoever by Zero__Kelvin · · Score: 1

      So you do know they had a standard set of int based calls. Good to know you were just *pretending* to be clueless. Excellent job at it too ... You *still* have me fooled into thinking you are a moron!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    12. Re:So, the author has no clue whatsoever by whitroth · · Score: 1

      Sorry, but I have five year old servers - real servers, rackmount Dells and rebranded Supermicro, and they all have UEFI. I think I started seeing it before them, too.

    13. Re:So, the author has no clue whatsoever by exomondo · · Score: 1

      M$ tried to lock in Windows by making "secure boot" with UEFI... and only they had the cryptographic signing that was accepted.

      SecureBoot is not a Microsoft feature, there's no reason you can't add your own signing keys to it and there's no reason you can't just disable it altogether, even on Microsoft's own Surface computers. Not sure how you manage to be "locked in" by that situation. At the time they even put in a provision to OEMs that if you wanted certification they forced you to put in a switch to turn SecureBoot off entirely. That's the exact opposite of being locked in.

    14. Re:So, the author has no clue whatsoever by Anonymous Coward · · Score: 0

      >gets regular updates and bug fixes

      How about getting it right the first time, *before* they sell the motherboard? A BIOS is not exactly rocket science. Sigh...

      They can't get it right the first time? How about they stop making it so needlessly complicated, then?

    15. Re:So, the author has no clue whatsoever by jittles · · Score: 1

      I take it as meaning they want to use the 'firmware as a service' aspects of UEFI (all UEFIs), but their current UEFI (TianoCore) is a bloated mess that is too difficult to maintain.

      Microsoft basically wants the ability for the firmware image on the flash part to have multiple signatures. The ME or PSP portion of the flash part would be signed by the silicon vendor. Same with microcode, etc etc. UEFI allows modules. So if a generic module is being deployed then it can be signed by the developer of that module. This would allow security fixes to be pushed down to the flash without worrying about whether the OEM or ODM has decided to roll a new firmware image. This is actually the real issue in firmware security right now. A fix gets made available and many manufacturers choose not to pick it up for cost reasons. And it has nothing to do with TianoCore being too difficult to maintain and everything to do with the fact that changing the firmware has risks involved. This is a far more difficult problem than Microsoft cares to admit. Since they have a limited set of hardware they deal with it is not a problem for them. But if you look at a company such as Quanta they may be supporting dozens of boards for different customers.

    16. Re:So, the author has no clue whatsoever by thegarbz · · Score: 1

      How about getting it right the first time, *before* they sell the motherboard?

      There's only so much you can get "right" then you also need to rely on everyone else's stuff working too. The vast majority of bug fixes are kludges to support edge cases or hardware pushed to the absolute limit.

  16. Re:Feeling cooler in here by Anonymous Coward · · Score: 0

    Awww, did someone piss in your sandbox and shatter your worldview?

    https://windowsable.com/windows-10-will-stop-forcing-reboots-for-updates-with-creators-update/

    https://www.computerworld.com/article/2968288/microsoft-windows/windows-10-makes-diagnostic-data-collection-compulsory.html

    If you can read, I suggest you go ahead and do so.

  17. Re:Feeling cooler in here by Anonymous Coward · · Score: 0

    Awww, did someone piss in your sandbox and shatter your worldview?

    https://windowsable.com/windows-10-will-stop-forcing-reboots-for-updates-with-creators-update/

    https://www.computerworld.com/article/2968288/microsoft-windows/windows-10-makes-diagnostic-data-collection-compulsory.html

    If you can read, I suggest you go ahead and do so.

    Thanks for proving GP's point that you can postpone the reboot and that the telemetry is only for diagnostic purposes.

  18. Solve the forking problem by... forking??? by nateman1352 · · Score: 4, Interesting

    I fully agree with Microsoft that UEFI has a forking problem. But that is caused by the fact that BIOS vendors take tianocore as a baseline and extend it. The root of the issue is that tianocore itself does not provide a complete UEFI firmware implementation, it gets about 40% of the way there and expects the Silicon vendors (Intel, AMD, NVidia, Qualcomm, etc.) and BIOS vendors (AMI, Phoenix, Insyde, Biosoft, etc.) to fill in the rest with proprietary code. This problem is actually almost identical to the Android fragmentation problem. But really what Microsoft has done here is create another fork for their Surface products.

    The good thing is that Microsoft has open sourced a lot of that fork and has pushed the percentage forward from 40% to maybe 50 or 60%. If you look at what they have released though it is very customized for Surface... they have come up with their own answers for a lot of stuff that the UEFI specification already has answers for; the BIOS setup menu/HII database being the most notable. The percentage gained could be much higher if they didn't insist on duplicating code already in tianocore just because they think they know better. Separately, the tianocore guys are also trying to solve the fragmentation problem. A complete open source UEFI firmware implementation is under development right now: https://github.com/tianocore/edk2-platforms/tree/devel-MinPlatform I am one of the active contributors to tianocore. It is my hope that if Microsoft is truly interested in trying to solve the fragmentation problem that they are willing to work with tianocore and contribute to it instead of building their own competing open source community.

    The one thing that all of us should keep an eye on is the potential for a Microsoft attempt to use the Windows Hardware Compatibility Program to force every PC on the planet to use MU. Creating a firmware mono-culture would give Microsoft much more control over the PC industry than Windows itself already affords them. They could turn every PC into nothing more than a Surface with a different OEM logo on the lid. It's certainly one way of solving UEFI's forking issue, but it would significantly strengthen the walled garden they are trying to build with Windows 10 at the same time.

    1. Re: Solve the forking problem by... forking??? by BcNexus · · Score: 1

      Your point that MS reinvented the wheel several times for their Surface products is a very important one because they fscked up on the Surface firmware and drivers so many times. I’m on mobile right now otherwise I’d find the links. That said, one example was when MS utterly failed to get the 7th gen Intel core chips to perform as well as other manufacturers because MS wrote some of their own drivers instead of using the ones from Intel. MS said to Fujitsu or some other company, “The latest gen core chips are problematic, aren’t they?” Fujitsu said, “What do you mean?” And then the MS engineers had to fess up to the higher ups that they were having trouble because they wrote their own power management drivers instead of using Intel’s.

    2. Re:Solve the forking problem by... forking??? by Anonymous Coward · · Score: 0

      they have come up with their own answers for a lot of stuff that the UEFI specification already has answers for

      In other words: Embrace, Extend, Extinguish

  19. Re: Feeling cooler in here by Anonymous Coward · · Score: 0

    Even better than the forced reboot is the fresh start when instead of letting you use your damn computer you are greeted with some "please wait, updating stuff" BS.

    Seriously. Win 10 needs just a "baby sitter mode off" on this shitty OS, then things would start to improve.

  20. Why EFI at all by sjames · · Score: 1

    Has anyone actually gotten anything from EFI but pain? Anything that would justify the whole new debacle rather than just an update to the old BIOS to understand bigger drives?

    1. Re:Why EFI at all by bws111 · · Score: 2

      You do know there are NO OSs that use BIOS, right? Not a single one. It would take one hell of a lot more than 'understand bigger drives' to make BIOS useful, starting with running in other than real mode, and continuing with support of all the device types that have appeared in the last 35 years or so.

    2. Re:Why EFI at all by sjames · · Score: 2

      Yes, I do know that all OSes take over once they are loaded. Another reason why EFI is of questionable benefit.

      Since all EFI and old BIOS seem to be good for is initializing the system, finding, and loading a boot loader, why do we even need to invite the new bugs and new pain from EFI? I've seen plenty of old BIOS that can load from iSCSI, USB, FC, etc.

      EFI seems to suffer very much from second system syndrome as well as kitchen sinkism.

  21. Improve the toolchain by Anonymous Coward · · Score: 0

    The original UEFI compiler by Intel doesn't really cut it for building applications that run in the UEFI shell anymore. Add support and documentation for UEFI to Visual Studio and it will be very much appreciated.

  22. Everything as a service. by Your_spleen · · Score: 1

    I'm putting my money on Toilets as a Service, TaaS.

  23. Firmware as a Service by ewhac · · Score: 1

    The only appropriate response to proposing firmware as a service.

  24. No 'firmware as a service' by Rick+Schumann · · Score: 1

    Nope. I want all my firmware to be in OTP (one time programmable) hardware chips, in sockets, that have to be physically changed out to upgrade firmware, so jackass companies can't brick devices with shitty 'upgrades', and if they give me a bad upgrade anyway, I can just go back to the old OTP ROM.

  25. Re:Feeling cooler in here by q4Fry · · Score: 1

    They'd have to reopen Bug #1