Is a legacy BIOS preferable to UEFI for a secure system?
Stephen Moreno
I'm looking to build a new desktop system for Qubes. In an ideal world I would use a motherboard with a Libreboot open source BIOS, however this is currently not practical.
I am therefore intending to use a motherboard with an AMD AM3 chipset, to at least avoid the AMD PSP and Intel ME technologies. This would either contain a proprietary legacy BIOS or a newer UEFI BIOS. My question is, what would be most preferable for a secure Qubes system?
It is my current understanding that once a legacy BIOS has finished initializing the hardware, it hands off to the OS and no longer executes. In contrast, a UEFI BIOS has runtime services that continue to execute while the OS is running.
I was therefore coming to the conclusion that if the BIOS was compromised (and it could potentially be compromised before I received it), then a system that could only run a legacy BIOS would be preferable, as it could theoretically do less damage.
The Wikipedia page on UEFI also states, “UEFI can support remote diagnostics and repair of computers, even with no operating system installed”. (https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface)
This has me further concerned about UEFI in a proprietary form.
Are there any benefits of a UEFI BIOS that would outweigh my concerns?
Any input on this topic would be much appreciated.
grzegorz....@gmail.com
Bill Wether
>motherboards can update itself over Ethernet connection, reinstall itself from scratch and
>sometimes contains a built-in mini-linux. If you do not need such bonuses then legacy BIOS
>will do just fine.
Oh, joy, yet another threat vector. AMI mobos for yours truly.
Cheers
BillW
Marek Marczykowski-Górecki
Hash: SHA256
On Mon, Aug 01, 2016 at 12:41:06AM +0200, Stephen Moreno wrote:
> Hi,
>
> I'm looking to build a new desktop system for Qubes. In an ideal world I would
> use a motherboard with a Libreboot open source BIOS, however this is currently
> not practical.
>
> I am therefore intending to use a motherboard with an AMD AM3 chipset, to at
> least avoid the AMD PSP and Intel ME technologies. This would either contain a
> proprietary legacy BIOS or a newer UEFI BIOS. My question is, what would be
> most preferable for a secure Qubes system?
>
> It is my current understanding that once a legacy BIOS has finished
> initializing the hardware, it hands off to the OS and no longer executes. In
> contrast, a UEFI BIOS has runtime services that continue to execute while the
> OS is running.
running, as part of SMM:
https://en.wikipedia.org/wiki/System_Management_Mode
So there is no difference here.
> I was therefore coming to the conclusion that if the BIOS was compromised (and
> it could potentially be compromised before I received it), then a system that
> could only run a legacy BIOS would be preferable, as it could theoretically do
> less damage.
>
> The Wikipedia page on UEFI also states, “UEFI can support remote diagnostics
> and repair of computers, even with no operating system installed”. (https://
> en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface)
> This has me further concerned about UEFI in a proprietary form.
>
> Are there any benefits of a UEFI BIOS that would outweigh my concerns?
>
> Any input on this topic would be much appreciated.
legacy or UEFI BIOS can contain bugs fatal to the system security.
On the other hand, many UEFI BIOSes contains bugs affecting Qubes OS.
Legacy BIOSes also have bugs, but those are much older and already have
workarounds in Xen/Linux.
In addition, Anti Evil Maid (which can detect some firmware
modifications) isn't compatible with UEFI.
In short: choose legacy BIOS (or at least a BIOS with legacy boot mode),
for better Qubes OS support.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJXoQiqAAoJENuP0xzK19cs+7kIAIsFxRsVyQEFkFKFBvSjVSDF
5626k5Q1U/Jq6dyfAVXeRbqYTdaFg8cS0P+QtbIZKDAoXitQr7Xrs0LxQx5HNRey
cO3Ywx2u8Y3oc3ATRSysueqtZvFFWQVKn3FCOvoe4vts2bPpY+Odh5HdmzkLanPG
OF38lfX6OTiS9NScj/119yJ9mWQCI9QIyYQBhj3NFndzx5OPCrjQNOUqj1YYCkpd
ygJiCD31CCAKzKxIqYualJY0nU1vS8jh3DYiJMVujo8qMn7/E8a3LSZRaGwr0Rmw
qUQFjhliaJUhSa4f0jXmFOZZKqxaHOxbaynE5uXfFF3GBzFiziAMb9VjI3bOwKw=
=ds13
-----END PGP SIGNATURE-----
Manuel Amador (Rudd-O)
>
> Easier troubleshooting/updating/diagnostics. Modern UEFI installed on e.g gaming motherboards can update itself over Ethernet connection, reinstall itself from scratch and sometimes contains a built-in mini-linux. If you do not need such bonuses then legacy BIOS will do just fine.
>
--
Rudd-O
http://rudd-o.com/
grzegorz....@gmail.com
Funny story, few weeks ago I helped my friend put together a gaming PC. The motherboard didn't even POST correctly until we connected the ethernet cable so it could update itself. Utterly terrifying.
Stephen Moreno
>
> I think it doesn't really matter from security point of view. Either
> legacy or UEFI BIOS can contain bugs fatal to the system security.
>
> On the other hand, many UEFI BIOSes contains bugs affecting Qubes OS.
> Legacy BIOSes also have bugs, but those are much older and already have
> workarounds in Xen/Linux.
> In addition, Anti Evil Maid (which can detect some firmware
> modifications) isn't compatible with UEFI.
> In short: choose legacy BIOS (or at least a BIOS with legacy boot mode),
> for better Qubes OS support.
>
> - --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
>
Thanks for your reply.
After some further research it looks like my choice for an AM3 board is
either:
older 760G chipset with legacy BIOS but no IOMMU
OR
newer 970 chipset with IOMMU but also a UEFI BIOS
I would be really interested in your views regarding this choice. Which
option would you go for?
(I will need to use bluetooth with this system, in case that sways you
towards a board with IOMMU.)
Regards,
Stephen
Marek Marczykowski-Górecki
Hash: SHA256
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
l54iIL9OvZwclfGbA3cYr9mKlzhaX9uFSLCTKokY5WZoXWse3sWSOCe419J8OAYK
fzG6oQm/O4NOsv+HpErJipmAjolhNED1jExzIYQUDBkPb1FTQPW3yoY7Dkf4hWEt
9dCwsObggwsvJCYpb0Xf8WF9HcWRvQp9ZVe5p2A8QtnU1NR/bf16ApgozQczv9D6
e1MoO6GMBQ/xijYksXQpExbpqHT02AAwab7kC3B8NrhNr0uB3PEhqpb/qmUzhhsA
8R7f2wWRpFlKfkOEkV6y9rl1cYQNPnDNUl/mCJs6sShUp1PBqlI36JwwHb4DDw==
=zg97
-----END PGP SIGNATURE-----
vel...@tutamail.com
Yuraeitha
> Is legacy BIOs still preferred and likely compatible with 4.0 when final?
You're seeing it backwards, flipping it around and you might see where the problem is.
Instead ask, is UEFI reliable/secure now? In short, no, and probably not for a long time unless some big changes arrive in the mainstream market, which is unlikely to happen any time soon.
As I understand it, the LegacyBIOS is so slowly updated, or not updated at all, that Xen/Kernel updates can keep up to speed with it and fix issues not fixed in the LegacyBIOS. But UEFI is another story altogether, not to forget a highly fragmented distribution of different releases, which is impaired in many ways (briefly mentioned further below). This is why UEFI under current schemes, will never catch up to high quality the way it works now, and it will never become anything "reliable" that you might want.
In other words, it requires a shift in politics, business ethics, laws, or even the appearance of a strong competitor which provides open and high quality motherboard firmware which becomes distributed mainstream. And none of that is happening, hence we're locked in with poor UEFI updates.
Every motherboard provider update their own motherboards, and they are all tailored for each model of motherboard released. In a sense, this is similar to how updates are distributed on Android, or upstream/downstream Linux updates, it can be a major issue, especially if not enough attention is put to it. The problem with motherboard companies though, is that they rarely do much effort to maintain their firmware, especially on the cheap motherboards, but not exclusively so. Some cheap boards can be decent too, but it's like a needle in a haystack without someone buying it and reviewing the motherboard for you first, or just trying your luck...
Some motherboards will never even get properly updated, they'll just ignore the customers who bought it. And this issue won't go away, because there are little better competition to be found when all of them are doing the same careless act.
Just look at the printer or router industry, they all are ignoring costs required to keep it up to date, reliable and secure. Thereby increasing their profits by reducing costs, trying to hide the fact from customers that they are doing so. If enoguh customers were aware and was annoyed by it, then a new better business taking customers needs into consideration may easier appear, but that hasn't happened yet. Not to forget, there are big muscles on the market, it isn't so easy for a new company to emerge without some serious funding.
These existing companies do not want to make something needlessly more expensive to increase the quality, just to satisfy a customer, who has little or no better alternative on the market anyway. You're locked in, you can't pick much better, at least not at that price or if you go look for reviews. And even then, expensive doesn't mean it'll be good either.
Combine this corruption of businessses with the security implication Marek explanation up above, and you'll quickly see why this is going nowhere anytime soon. UEFI is no quality, and is very slowly updated and maintained.
Quite a few motherbord companies even discourage you to update the motherboard unless something is explicitely broken and an update may fix it. In other words, they're saying: "if it works, don't update". This is just absurd... and it isn't ard to make a double BIOS/UEFI motherboard to secure it against failed updates either. They are just trying to maximize profits, ignoring customer needs, and they're especially happy the less people know about this business model they're using, because then it's easier to maintain buggy hardware/software at little cost, and keep the profits coming in.
But there is a big problem with that in terms of quality and customer needs, since this way you don't get the few security or other updates you may want.
You could get other motherboard firmware's though, like
https://www.coreboot.org/
https://libreboot.org/
and
https://www.reddit.com/r/opensource/comments/4lu2l0/open_source_bios/
Some people here are pretty good with alternative motherboard firmware's, maybe you're lucky that some will post here to get some more detailed answers on how to go about it if you want to go down that road. If no one posts here, then try search old posts here in the qubes mail threads, or make a new thread asking if they do not answer your questions.
Tai...@gmx.com
Although both are insecure vs a libre BIOS such as select coreboot
boards (ex: KCMA-D8/KGPE-D16) and the OpenPOWER TALOS 2 (only $2.5K now
for board/cpu - which is less than x86_64 server hardware with equiv
performance)
I highly suggest getting one ASAP, especially as the D8 and D16 are the
last best owner controlled x86_64 boards and they will stop being
available soon (the libre firmware has more features than the closed
source firmware, there is also OpenBMC which is so much better than the
exploit filled OEM BMC firmware) and are capable of playing modern games
in a VM via IOMMU-GFX.
Building and flashing firmware is very easy on these boards.