So what is all this UEFI about?


If you’re buying a new PC, you’ll see systems described as boasting a UEFI BIOS. If you’re building a computer from scratch, you may notice that some motherboards feature a UEFI BIOS, while older models lack it. But exactly what does UEFI mean and do?

Why BIOS is being replaced

Anyone who has used a PC will be at least vaguely familiar with the BIOS – the Basic Input/Output System that’s stored in your PC’s motherboard firmware, which starts as soon as you turn on your PC. Way before the operating system loads, it is the BIOS that has the fundamental business of enumerating which hardware is installed, and having done so applying basic settings such as CPU frequencies and RAM timings. By accessing the BIOS’ built-in menu, a user can adjust various controls to make components run at different speeds (timings), or configure the PC to boot from a different device, such as a USB or external drive.

The role of the BIOS hasn’t changed in 20 years or so, and for most of that time it has done a sterling job. But as technology has advanced, more features requiring BIOS support have appeared, such as remote security management, temperature and power monitoring, and processor extensions such as virtualisation.

The BIOS was never designed to be extended ad infinitum in this way. At its core is a 16-bit system, with very limited integration with the hardware and operating system, and it can access a maximum of only 1MB of memory. It’s becoming increasingly difficult to accommodate everything we expect from a modern computer within the old BIOS framework. And so begins the next generation.


The UEFI generation

UEFI, the Unified Extensible Firmware Interface, is a far more sophisticated approach to low-level system management. It can be thought of as a miniature operating system that sits on top of the motherboard’s firmware, rather than being squeezed inside it like the BIOS is.

A modern UEFI lets you control low-level hardware settings via a graphical, mouse-driven interface.

This means that UEFI can be just as powerful as an operating system. It can access all the memory installed in a system, and make use of its own little disk storage space – a sequestered area of onboard flash storage or hard disk space called the EFI System Partition. New modules can be easily added (hence “Extensible”); this includes device drivers for motherboard components and external peripherals, so user options can be presented in an attractive graphical front-end, controlled with the mouse. On touchscreen hardware, it’s possible to change system settings by swiping and tapping. It’s all a far cry from the clunky blue configuration screen of most BIOS implementations.

Since UEFI is a software environment, its high-level functions aren’t tied to any particular platform: UEFI works on ARM devices as well as regular PC hardware, and there’s no reason it can’t be compiled for any other architecture that may come along.

So who created UEFI?

UEFI has been under development for a long time: it began when Intel first started work on a replacement for the classic PC BIOS back in 1998, to partner its nascent Itanium platform. In 2002, its fruits were formalised as the Extensible Firmware Interface (EFI).

Intel hasn’t kept the standard to itself: since 2005, the system has been managed and developed by a cross-industry working group, including not only Intel but also AMD, Apple, Dell, Lenovo and Microsoft. The organisation is called the Unified EFI Forum – hence the addition of the “U” to UEFI.

Why didn’t UEFI catch on sooner?

In fact, the system in its various versions has been quietly gaining momentum for a long time. In 2006, Apple switched all new Macintosh hardware from PowerPC processors over to the Intel platform, and chose the original EFI for its pre-boot firmware, a system it uses to this day. Some Windows laptops have also started using UEFI in the past few years, in order to provide friendlier and more flexible pre-boot environments. This hasn’t attracted much attention, for the simple reason that it makes no visible difference to most end users. And in the cut-throat desktop market, PC motherboards have tended to stick with traditional BIOS rather than invest in the more sophisticated UEFI. Until now, that is.

A traditional BIOS is stored in a chip on your motherboard, whereas UEFI resides in its own hard disk partition.

UEFI and Windows 8/10

Historically, Windows hasn’t got along well with UEFI hardware. In fact, back in 2006, when enthusiasts tried installing Windows XP on the first Intel-based iMacs, they were stymied precisely because Windows XP – the current version at that time – had no ability to boot on an EFI system. The situation was resolved only when Apple issued a firmware update allowing Mac hardware to emulate a traditional BIOS (along with a driver pack enabling Apple’s hardware to work in Windows). This shows the power of UEFI’s open-ended design.

Windows Vista and 7 didn’t fully support UEFI either, but there were good reasons for this. A 32-bit operating system can boot only from 32-bit UEFI firmware, while a 64-bit OS requires 64-bit firmware. When Microsoft introduced Windows Vista in both 32- and 64-bit flavours, nobody wanted to tell users they’d have to reprogram their motherboards to match their Windows edition – and motherboard manufacturers didn’t want to support two parallel versions of their UEFI firmware anyway. So Microsoft settled on a compromise: UEFI was supported natively by 64-bit editions of Vista, and latterly Windows 7, while 32-bit editions continued to require a BIOS, either real or emulated.

In Windows 8 & 10, the situation has changed, and Microsoft has wholeheartedly embraced UEFI. Its certification standards require that all new desktops, laptops and tablets sold with Windows 8 & 10, and bearing the Windows 8 & 10 sticker, must use a UEFI BIOS. You can still upgrade an older non-UEFI system to Windows 8 & 10, however – you’ll simply miss out on a handful of useful features, as I will describe below.

I have mentioned that UEFI lets motherboard manufacturers provide a friendly graphical interface to system settings, and that may be reason enough to switch. Once you’ve used a handy dropdown menu to configure your hard disks and tweak the frequency settings on your CPU, the old business of moving back and forth with the cursor keys feels quite primitive.

However, UEFI provides more far-reaching benefits, too. A major one is the ability to work better with modern hard disks. The original PC BIOS system was designed to work with the Master Boot Record (MBR) partitioning system, which only supports disks of up to 2TB, and no more than four partitions per disk. This may have seemed like plenty of headroom back when the system was introduced in 1983, but today it feels restrictive.

UEFI brings full support for the newer GUID Partition Table (GPT) partitioning scheme. This system can accommodate up to 128 partitions per disk, with a total capacity of 8ZB – equivalent to eight billion terabytes. Some modern BIOS implementations can handle GPT disks, but with limitations: many are unable to boot from very large disks, limiting the usefulness of the latest 3TB drives.
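To see where those limits come from, here is an added Python example (written for this edit, not code from the article): it packs and parses the 64-byte MBR partition table, whose four 16-byte entries carry 32-bit sector numbers. That layout is exactly what caps an MBR disk at four primary partitions and 2TiB (2^32 sectors of 512 bytes); the GPT figure is the same sum with 64-bit fields. The sample sector and partition values are constructed.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446                   # the 64-byte partition table sits here
ENTRY = struct.Struct("<B3sB3sII")   # status, CHS start, type, CHS end, LBA start, sector count
MBR_MAX_BYTES = 2**32 * SECTOR       # 32-bit LBA fields: 4,294,967,296 sectors = 2 TiB
GPT_MAX_BYTES = 2**64 * SECTOR       # GPT's 64-bit LBA fields: 2**73 bytes, the "8ZB" above

def fits_in_mbr(lba_start, sectors):
    """True if the region's last sector is still addressable with 32 bits."""
    return lba_start + sectors <= 2**32

def build_entry(lba_start, sectors, ptype=0x07, bootable=False):
    """Pack one 16-byte entry (CHS fields set to the usual 'use LBA' filler)."""
    if not fits_in_mbr(lba_start, sectors):
        raise ValueError("region lies beyond the 2 TiB reach of a 32-bit LBA")
    status = 0x80 if bootable else 0x00
    return ENTRY.pack(status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba_start, sectors)

def build_mbr(entries):
    """Constructed sample sector: empty boot-code area, up to four entries, 0x55AA."""
    if len(entries) > 4:
        raise ValueError("the MBR table has room for only four primary partitions")
    table = b"".join(entries).ljust(64, b"\x00")
    return bytes(TABLE_OFFSET) + table + b"\x55\xaa"

def parse_mbr(sector):
    """Return the non-empty partition entries of a 512-byte MBR as dicts."""
    if len(sector) != SECTOR or sector[510:] != b"\x55\xaa":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for slot in range(4):                       # fixed four-slot table
        off = TABLE_OFFSET + 16 * slot
        status, _, ptype, _, lba, count = ENTRY.unpack(sector[off:off + 16])
        if ptype:                               # type 0 marks an unused slot
            parts.append({"slot": slot, "type": ptype, "bootable": status == 0x80,
                          "lba_start": lba, "sectors": count,
                          "size_bytes": count * SECTOR})
    return parts
```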

UEFI also allows a generally closer degree of integration between the operating system and the pre-boot environment – something Windows 8 & 10 takes advantage of in its Advanced Startup Options. If you’re using a UEFI system, you can select a device to boot from directly within the Windows 8 & 10 interface. (This option also appears if Windows 8 & 10 fails to start up properly, and takes you to the Troubleshooting screen.) If you’re using non-UEFI hardware, this option won’t be available: to boot from a device other than the default, you’ll have to jump in when the computer restarts and configure your BIOS directly.


UEFI and Secure Boot

The most significant UEFI feature related to Windows 8 is Secure Boot – a system that ensures only authorised operating systems can start up on your PC. It works by reading a cryptographic signature embedded in the OS bootloader and verifying it against a database of authorised keys stored within the UEFI firmware. When you buy a new Windows 8 or 10 PC, laptop or tablet, the relevant key is preinstalled by the manufacturer, so you won’t even know Secure Boot is active. However, if you try to start a different operating system, the UEFI platform will refuse to boot.

This may not sound like a good thing. Indeed, when it was first announced that all new Windows 8 & 10 hardware would come with Secure Boot enabled, there was uproar among the technorati. Microsoft was accused of shutting out competing operating systems such as Ubuntu Linux, and of limiting customers’ ability to run whatever software they wanted on their PCs.

However, Secure Boot brings real benefits, as we’ll discuss below. And on regular Windows 8 & 10 laptop or desktop systems it doesn’t stop you from doing anything. Although it’s enabled on all new Windows 8 & 10 systems, you can always go into the UEFI settings and turn it off with a click. Once this is done, you can boot whichever operating system you like. If you’re upgrading older hardware to Windows 8 or 10 then it’s likely that Secure Boot won’t even be an issue, as it requires the latest version of UEFI to function.

You can also leave Secure Boot enabled and manually authorise other operating systems’ bootloaders, in addition to the Windows 8 or 10 one. For example, you might add a key for Ubuntu to the Secure Boot database, enabling both Windows and Ubuntu to start, while continuing to disallow other, unknown operating systems. The precise process for generating a Secure Boot key should be detailed in the manual for your motherboard or laptop, or in the installation instructions for the operating system.
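Here is an added worked example in Python, written for this edit rather than taken from the article or from any firmware, of the check described in the last few paragraphs: a toy Secure Boot policy holding a database of authorised keys, a bootloader signature verified against it, and the “enrol another OS’s key” step. The signer names, image bytes and the tiny RSA primes are all constructed, and the RSA is textbook-style purely so the example runs offline.

```python
import hashlib
# Toy model of the Secure Boot decision (constructed for this example). Real
# firmware checks Authenticode signatures with 2048-bit keys and X.509
# certificates, but the allow/refuse logic below is the same shape.

def make_keypair(p, q, e=65537):
    """Constructed key pair: returns (public, private) for primes p and q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def digest(image, n):
    """SHA-256 of the bootloader image, reduced so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def sign(image, private):
    n, d = private
    return pow(digest(image, n), d, n)

def verify(image, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(image, n)

class SecureBootPolicy:
    """db models the firmware's database of authorised signing keys."""
    def __init__(self, db, enabled=True):
        self.db = dict(db)
        self.enabled = enabled
    def enrol(self, name, public):
        """Manually authorising another OS's bootloader = adding its key to db."""
        self.db[name] = public
    def allow_boot(self, image, signature, signer):
        if not self.enabled:           # Secure Boot switched off: anything boots
            return True
        public = self.db.get(signer)   # unknown signer: refused before verifying
        return public is not None and verify(image, signature, public)

def scenario():
    """Constructed walk-through: Windows boots, Ubuntu is refused until enrolled."""
    ms_pub, ms_priv = make_keypair(1000003, 999983)
    ub_pub, ub_priv = make_keypair(1000033, 1000037)
    windows, ubuntu = b"windows bootloader (constructed)", b"ubuntu bootloader (constructed)"
    fw = SecureBootPolicy({"Microsoft": ms_pub})
    out = {"windows": fw.allow_boot(windows, sign(windows, ms_priv), "Microsoft"),
           "ubuntu_before": fw.allow_boot(ubuntu, sign(ubuntu, ub_priv), "Canonical"),
           "tampered": fw.allow_boot(windows + b"!", sign(windows, ms_priv), "Microsoft")}
    fw.enrol("Canonical", ub_pub)
    out["ubuntu_after"] = fw.allow_boot(ubuntu, sign(ubuntu, ub_priv), "Canonical")
    return out
```

The tampered case shows why a modified bootloader is refused even though its signer is trusted: the signature no longer matches the image’s hash.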

What’s more, Microsoft has agreed to allow other recognised operating system publishers to use the same bootloader key as Windows 8 & 10 (for a fee). Fedora Linux has already done this, so you can install and boot Fedora on a Windows system with no additional configuration required.

What are the advantages of Secure Boot?

Not only is Secure Boot not harmful, it can be greatly beneficial, both at home and at work. For businesses, it can help to enforce security policies. If users are able to plug in their own hard disks and boot into unauthorised operating systems, they could bypass restrictions on which software can be run, what sort of network access is permitted and so forth. If the IT department uses Secure Boot – and a password protects the UEFI settings, to prevent them from being tampered with – the potential for data leaks is greatly reduced.

For home users, Secure Boot can protect your security in a different way. Here, the major risk isn’t from corporate spies, but from malware. Secure Boot protects your system against rootkit-type infections that infect the bootloader and effectively make themselves hypervisors for the operating system. If unrecognised startup code can’t be executed, infections like this are stopped in their tracks.

Before I go overboard singing the praises of Secure Boot, there’s one catch that I must point out. I mentioned above that Secure Boot could be disabled on x86 hardware. However, if you buy an ARM-based Windows RT device, you won’t be able to disable Secure Boot: on this platform, the feature is permanently locked on, and all third-party bootloaders are strictly banned. You can see why Microsoft insists on this: it ensures that consumer tablets provide a completely seamless and consistent experience, with no possibility of malware or confusing multiple environments. However, it’s bad news for anyone hoping to install Android or Linux on Windows tablet hardware.

So there you have it!
