The UEFI Initiative was a joint effort by many companies to minimize the risks of BIOS attacks from malware that may compromise the system. It was started by Intel and termed as Extensible Firmware Interface (EFI) for its Itanium-based systems since BIOS lacked the inherent capability to secure vulnerable firmware.
One of the aforementioned BIOS attacks was the Mebromi rootkit, a class of malware that focused on planting itself in the BIOS. Similar to the BIOS, the UEFI is the first program in the booting process and is installed during the manufacturing process of the hardware. UEFI has the inbuilt capability for reading and understanding disk partitions and different file systems.
UEFI has several advantages, including the ability to boot from large hard disks of around 2TB with a GUID Partition Table, excellent network booting, CPU-independent architecture and drivers. It uses the GUID partition table with globally unique identifiers to address partitions and has the ability to boot from hard disks with capacity of around 9.4 ZB (1024x1024x1024 GB). Secure boot is a UEFI Protocol to ensure security of the pre-OS environment.
The security policy integrated in the UEFI works on the validation of authenticity of components. UEFI has a modular design that gives system architects and hardware designers greater affability in designing firmware for cutting edge computing and for the demand for higher processing capabilities. The sequence of booting remains the same and a computer boots into the UEFI followed by certain actions and ultimately the loading of the operating system.
Furthermore, the UEFI controls the boot and runtime services and various protocols used for communication between services. The UEFI resembles a lightweight operating system that has access to all the computer’s hardware and various other functions. The transition from EFI to UEFI continues with Itanium 2 systems followed by System x machines and now we have the new Intel and AMD Series with inherent UEFI capabilities.
Once we power on a UEFI-capable computer, the code execution starts, and configures the processor and other hardware and gets ready to boot the operating system. As of this date, UEFI has been used with 32/64 bit ARM, AMD and Intel chips and for each of these platforms, there had to be a specific compilation of the boot code for the target platform. UEFI offers support for older extensions like ACPI, which makes it backward compatible with components that are not dependent on a 16-bit runtime environment. Once a system gets powered on, the firmware checks the signature of the firmware code that exists on hardware components like hard disks, graphic cards and network interface cards.
Next Option ROMs work by preparing and configuring the hardware peripherals for handoff with the operating system. It is during this process that the firmware checks for embedded signatures inside the firmware module against a database of signatures already in the firmware. If a match is found, that particular hardware module is allowed to execute. Hence, it works on a checklist of matching the integrity of signatures from the firmware database and denies further action if a particular component signature is found in the Disallowed list, which means that it may be infected with malware.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.