Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

How Intel and PC makers prevent you from modifying your PC's firmware

Chris Hoffman | Feb. 16, 2015
The UEFI firmware that boots up your PC is a closed, proprietary blob of code—and you can't change it out even if you wanted to. Here's why.

haswell e

Even if you're rocking the most open of open-source operating systems, chances are your laptop isn't really that "free," betrayed by closed firmware binaries lurking deep within the hardware itself.

Modern UEFI firmware is a closed-source, proprietary blob of software baked into your PC's hardware. This binary blob even includes remote management and monitoring features, which make it a potential security and privacy threat.

You might want to replace the UEFI firmware and get complete control over your PC's hardware with Coreboot, a free software BIOS alternative--but you can't in PCs with modern Intel processors, thanks to Intel's Boot Guard and the "Verified Boot" mode PC manufacturers choose.

Why Coreboot won't support your new laptop

Coreboot was originally known as LinuxBIOS. It's a Free Software Foundation-endorsed project working on replacing the proprietary UEFI firmware and BIOS found in typical computers. Coreboot is designed to be lightweight and only provide the necessary functions so the computer can initialize its hardware and boot an operating system. This isn't just some fringe free software project--all modern Chromebooks ship with Coreboot, and Google helps support it.

When someone recently asked whether Coreboot would support new Intel Broadwell ThinkPads on the mailing list, the response was informative:

"New thinkpad's can't be used anymore for coreboot. Especially the U and Y Intel CPU Series. They come with Intel Boot Guard and you are won't be able to boot anything which is unsigned and not approved by OEM. This means the OEM are fusing SHA256 public key hashes into the southbridge.

For more details take a look at Intel Boot Guard architecture. It could be also confirmed by Secunet AG and Google."

Intel Boot Guard explained

Intel themselves have a quick little explanation of Boot Guard in this document about Haswell's new platform features. In summary, Boot Guard is a hardware-based technology designed to prevent malware and other unauthorized software from replacing or tampering with the low-level UEFI firmware.

Boot Guard has two separate modes, according to Intel. Every single PC OEM we know of configures it to work in "Verified Boot" mode. The PC manufacturer fuses their public key into the hardware itself. If the UEFI firmware isn't signed by the OEM--that is, created by the OEM--the computer will halt and refuse to boot. That's why you can't modify the UEFI firmware or change it to something else.

There's also a second option: "Measured Boot" mode, where the hardware securely stores information about the boot process in a trusted platform module (TPM) or Intel Platform Trust Technology (PTT). The operating system could then examine this information, and--if there was a problem--present an error to the user.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.