
Firmware - BIOS vs. UEFI

Posted 07-22-2017 at 05:10 PM by hydrurga
Updated 08-07-2017 at 05:50 PM by hydrurga

A computer's firmware is low-level software, with an associated data area, that comes pre-installed in flash memory on the motherboard. The first software to be run when the computer is booted, firmware is generally customised to be motherboard-specific and designed to communicate with other hardware in the system. The two main firmware types used nowadays are BIOS and the more recent UEFI. This article does not cover other firmware interfaces such as libreboot and coreboot.

Originally the firmware acted as an interface between the operating system and the hardware, containing code to access the various hardware components (hence the name of Basic Input/Output System (BIOS)). However, operating systems now address the hardware directly.

When the computer boots, the firmware, among other functions:
  • Finds, identifies, initialises and tests various hardware components (CPU, RAM, chipset, cards, drives, peripherals, etc.) using the POST (Power-On Self-Test).
  • Displays information about the system on the screen.
  • Loads the bootloader or (directly) an operating system from a storage device or network adapter (working through candidate boot devices in order until a bootable device is found), and then hands over control to it, providing it with runtime services to assist it.
  • Allows users and higher-level software to obtain information on and configure various hardware settings.

BIOS (Basic Input/Output System)
=======================
Developed in the 1980s on personal computers, the BIOS firmware interface is very widely used but has some recognised limitations, despite various tweaks, overlays and extensions being introduced over the years in order to try and address these. Standard BIOS, for example, is limited to 16-bit processor mode and 1 MB of addressable memory space, provides no support for advanced features such as cryptography and networking, and has trouble initialising multiple hardware devices at the same time. Earlier BIOSes had problems accessing disk drives over a certain limited size.

Note that if your firmware is BIOS-only then you cannot change it to UEFI without changing the motherboard itself. However, unless you have a specific need for UEFI-provided functionality, BIOS should still work fine. It is emulated as Legacy BIOS on most UEFI systems so that the user can boot older operating systems that don’t support UEFI, allowing you to switch firmware modes between boots.

UEFI (Unified Extensible Firmware Interface)
==============================
EFI was developed by Intel in the mid-1990s for Itanium systems in order to counter BIOS limitations, but remained a fairly obscure option on that platform for over a decade. The standard evolved into UEFI in 2005 (essentially EFI 2.x) and, now managed by the Unified EFI Forum, is present on the vast majority of PCs sold since 2011-2012.
  • In essence, UEFI is a flexible mini operating system.
  • Has been designed with CPU-independent architecture and drivers.
  • Processor mode can be 32/64-bit, thus providing more addressable space than BIOS. 64-bit mode supports long mode, allowing applications in the pre-boot execution environment to use 64-bit addressing to directly access all the machine's memory.
  • Normally requires the firmware and operating system loader or kernel to be size-matched, e.g. a 64-bit UEFI firmware implementation can only load a 64-bit boot loader or kernel. However, Linux kernels ≥v3.15 support 64-bit kernels booted on 32-bit UEFI on x86-64 CPUs.
  • Launches standardised executables rather than BIOS-dependent code.
  • May be loaded from a network share at boot, allows network authentication, and supports other networking features such as remote diagnostics and computer repair, even if no operating system is present.
  • Supports the Secure Boot protocol to prevent the loading of incorrectly signed drivers or operating system loaders. For more information on this somewhat controversial feature, see below.
  • Only supports being booted from GPT-partitioned disks, not MBR disks.
  • Supports cryptography.
  • Includes a Human Interface Infrastructure specification that allows, for example, the provision of mouse, trackpad and better graphics support in the GUI configuration program.
  • Is better than BIOS at initialising multiple hardware devices at the same time, resulting in a faster boot time.

UEFI Secure Boot
---------------------
Implemented in UEFI 2.3.1, the Secure Boot protocol aims to secure the boot process by preventing the loading of drivers or Operating System loaders not signed with an acceptable digital signature. It was designed to stop pre-boot malware, e.g. rootkits and boot sector viruses, from installing themselves and becoming the boot loader, thus being able to launch the operating system but remain hidden at a lower level.

Controversy around this feature was generated when Microsoft insisted in 2011 that Intel-based computers certified to run Windows 8 had to be shipped with Secure Boot enabled, thus including Microsoft keys in the firmware. After initial confusion, however, they confirmed that manufacturers had to allow custom mode (where keys from other operating systems could be added) or allow the Secure Boot feature to be disabled entirely, thus allowing other operating systems to boot. Due to the lack of manufacturer support for Linux, this meant that Linux distro developers essentially had to use special Microsoft-supplied keys or advise their users to turn off Secure Boot before booting up into Linux.

Different distros take different approaches to this problem (e.g. Fedora's shim). The most important thing to remember is that there are not a great number of Linux distros which support Secure Boot, and it is only the more modern versions of these distros that do, e.g. Ubuntu ≥12.04.2, Fedora ≥18, openSUSE ≥12.3, RHEL/CentOS ≥7.
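
The firmware mode, firmware width and Secure Boot state discussed above can be read back on a running Linux system. The following Python code is an added example, not part of the original post; it assumes the kernel exposes /sys/firmware/efi and efivarfs, and the names firmware_report, read_efi_flag and build_sample_tree (which builds constructed sample data) are hypothetical.

```python
import os
import struct

# GUID of the EFI global variable namespace (UEFI specification).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

def read_efi_flag(efi_dir, name):
    """Return a one-byte EFI global variable as an int, or None if unreadable."""
    path = os.path.join(efi_dir, "efivars", f"{name}-{EFI_GLOBAL}")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except OSError:
        return None
    if len(raw) < 5:  # efivarfs data = 4-byte attribute word + payload
        return None
    _attrs, value = struct.unpack_from("<IB", raw)
    return value

def firmware_report(sysfs_root="/sys"):
    """Summarise how the running kernel was booted (hypothetical helper)."""
    efi_dir = os.path.join(sysfs_root, "firmware", "efi")
    if not os.path.isdir(efi_dir):
        # No EFI interface exposed: BIOS, or UEFI booted in legacy BIOS mode.
        return {"mode": "BIOS/legacy", "bits": None,
                "secure_boot": None, "setup_mode": None}
    try:
        with open(os.path.join(efi_dir, "fw_platform_size")) as fh:
            bits = int(fh.read().strip())  # 32 or 64: firmware width
    except (OSError, ValueError):
        bits = None
    sb = read_efi_flag(efi_dir, "SecureBoot")
    setup = read_efi_flag(efi_dir, "SetupMode")
    return {"mode": "UEFI", "bits": bits,
            "secure_boot": None if sb is None else sb == 1,
            "setup_mode": None if setup is None else setup == 1}

def build_sample_tree(root, secure_boot, setup_mode, bits=64):
    """Constructed sample data: a fake sysfs tree so the check runs offline."""
    efivars = os.path.join(root, "firmware", "efi", "efivars")
    os.makedirs(efivars)
    with open(os.path.join(root, "firmware", "efi", "fw_platform_size"), "w") as fh:
        fh.write(f"{bits}\n")
    for name, val in (("SecureBoot", secure_boot), ("SetupMode", setup_mode)):
        with open(os.path.join(efivars, f"{name}-{EFI_GLOBAL}"), "wb") as fh:
            fh.write(struct.pack("<IB", 0x6, val))  # attrs: boot + runtime access

if __name__ == "__main__":
    print("this machine:", firmware_report())
```

A setup_mode of True means no Platform Key is enrolled, so the firmware is not enforcing signatures even on a machine that supports Secure Boot.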

Comments

  1. Thanks for another great post! It is refreshing to read well written posts which actually contain information useful to others! Keep up the good work!
     Posted 07-25-2017 at 02:18 AM by astrogeek
  2. This is very helpful. Thanks for posting.
     Posted 07-31-2017 at 02:29 AM by mralk3
  3. First class.
     Posted 08-02-2017 at 02:59 AM by beachboy2
 

  



All times are GMT -5.