The old BIOS had firmware that controlled the processor mainly provided by Intel but also Microsoft can write to the processor after an agreement with Intel. This bit would probably belong under Hardware. There is no open source about flashing (updating) the BIOS; this firmware has always been closed.
The BIOS aka Basic Input and Output System is more than 30 years old and Intel started to play with the alternative - EFI - in 1998.due to BIOS limitations. Originally this was called the "Intel Boot Initiative" and later EFI.
In the interest of standardization there was a need to get a unified version so EFI was handed over to a consortium in 2005. This consortium had AMD, Apple, IBM, Intel, and Microsoft as members and has been extended since as you can see here
Since then it is called UEFI.
The goal is to replace the BIOS that is a solid piece of firmware, with UEFI that is a programmable software interface that sits on top of a computer’s hardware and firmware.
UEFI is a piece of software that lays on top of the BIOS and this software does control the BIOS + a lot more.
Rather than all of the boot code being stored in the motherboard’s BIOS: UEFI is stored in a directory on the HD or in the NAND on the motherboard.
The directory is called /EFI/
Intel and Microsoft present it like this:
UEFI is pretty much a light weight OS (Operating System) that loads a set of drivers and the real OS:
A computer boots into UEFI, a set of actions are carried out, and then it triggers the loading of an operating system. Further reinforcing its "OSness", the UEFI spec defines boot and runtime services, protocols for communication between services, device drivers (UEFI is designed to work across all platforms - in theory), extensions, and even an EFI shell, where you can run EFI applications. On top of all this is the boot loader, which executes an operating system’s boot loader.
UEFI can access all the hardware on your computer.
And you can perform "OS tasks" like surfing the Internet or backup your hard disk. it even has a mouse driven GUI:
Via the /EFI/directory on your NAND flash memory or on your HD the Computer maker can control every aspect of the PC including only loading Windows 8. It is not possible to run Linux under UEFI secure boot even if the UEFI consortium does claim this:
UEFI specifications enable cross-functionality between devices, software and systems. By design, UEFI technology lends itself to utility and applicability across a range of platforms. Including UEFI Secure Boot in Linux-based distributions allows users to boot alternate operating systems without disabling UEFI Secure Boot. It also allows users to run the software they choose in the most secure and efficient way possible, promoting interoperability and technical innovation.
I dare them to go into a computer shop - any computer shop - and buy a laptop with UEFI secure boot and install Linux on it.
They will not find any computer that can do it - without deactivating UEFI secure boot.
And that is the great downside to UEFI - Microsoft is the most important partner for any OEM and demands that they put MS code in there. In fact they demand that they put Windows 8 on every computer too.
MS code that does exclude Linux or forces Linux to buy MS certificates.
And that is where all security is gone - when you have to trust a third competing party.
Anyway let us do some quick Q&A on what UEFI can do:
- Can UEFI update my "BIOS" online?
Yes
Can Microsoft update my BIOS online?
Yes
Can Intel update my BIOS online?
Yes
Can the maintainers of my Linux distro update my BIOS online?
No
Can UEFI detect and prevent malware?
Yes
Can UEFI be used to exclude any software?
Yes
Can an UEFI update place an undetectable keylogger on my system?
Yes
So basically you need to trust the guys that can access it 100%
Those guys are Intel and Microsoft
Intel has encrypted all updates and refuses to answer if they have shared encryption keys with the NSA
In many ways the old method of downloading a file and flashing your BIOS was safer, but UEFI offers a lot of protection against "third party" malware.
Sadly it is not so much the third parties we worry about these days.
