Microsoft just announced Project Mu, promising "firmware as a service" on supported hardware. Every PC manufacturer should take note of this. PCs need security updates for their UEFI firmware, and PC manufacturers don't supply them well.
What is UEFI Firmware?
Modern PCs use UEFI firmware instead of the traditional BIOS. UEFI firmware is low-level software that runs when the computer boots. It tests and initializes your hardware, performs low-level system setup, and then boots the operating system from your computer’s internal drive or other bootable device.
However, UEFI is a bit more complex than older BIOS software. For example, computers with Intel processors have what is called the Intel Management Engine, which is a tiny operating system. It works in parallel with Windows, Linux or any other operating system installed on your computer. On corporate networks, system administrators can use Intel ME features to remotely manage their computers.
UEFI firmware also contains processor "microcode", which is a kind of firmware for the processor itself. When your computer boots, this microcode is loaded into the processor from the UEFI firmware. Think of it as an interpreter that translates software instructions into the hardware operations the processor actually executes.
Why UEFI Firmware Requires Security Updates
The last few years have shown again and again why UEFI firmware needs timely security updates.
We all learned about Spectre in 2018, which revealed serious architectural problems with modern processors. Flaws in so-called "speculative execution" meant that programs could bypass standard security restrictions and read protected areas of memory. Fixing Spectre properly required updated CPU microcode. This meant that PC manufacturers had to update all their laptops and desktops, and motherboard manufacturers had to update all their motherboards, with new UEFI firmware containing the updated microcode. Your computer is not sufficiently protected from Spectre unless you have installed such a UEFI firmware update. AMD has also released microcode updates to protect systems with AMD processors from Spectre attacks, so this is not just an Intel problem.
Security bugs were also found in the Intel Management Engine that could either let attackers with local access to the computer break into the Management Engine software, or let an attacker with remote access cause problems. Fortunately, the remotely exploitable bugs only affected companies that had enabled Intel Active Management Technology (AMT), so ordinary consumers were not affected.
These are just a few examples. Researchers have also shown that the UEFI firmware on some PCs can be abused to gain deep system access. They have even demonstrated persistent ransomware that wrote itself into the computer's UEFI firmware and ran from there.
The industry should update the UEFI firmware on every computer, just like any other software, to protect against these issues and similar bugs in the future.
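The article says a PC is not adequately protected from Spectre until the vendor's UEFI update, carrying new microcode, is installed. On Linux you can see the kernel's own verdict without trusting the vendor's changelog: the kernel exposes a status file per issue under /sys/devices/system/cpu/vulnerabilities (kernel 4.15 and later) and reports the loaded microcode revision in /proc/cpuinfo on x86. The POSIX shell script below is an added example, not code from the article or from Project Mu; it takes a root path so it can be exercised on a constructed sample tree as well as on the live system, and the sample status strings are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: summarise the kernel's view of CPU mitigations and the loaded
# microcode revision. Assumes Linux 4.15+ sysfs layout and an x86 /proc/cpuinfo
# with a "microcode" field. The first argument to each function is the root
# directory ("/" for the live system, or a constructed sample tree).

# Print "<issue>: <status>" for every entry under the vulnerabilities directory.
# Returns 0 if every entry is mitigated or not affected, 1 if any entry still
# reports "Vulnerable", 2 if the kernel does not expose the directory at all.
report_vulns() {
    dir="$1/sys/devices/system/cpu/vulnerabilities"
    rc=0
    [ -d "$dir" ] || { echo "no vulnerabilities directory under $1" >&2; return 2; }
    for f in "$dir"/*; do
        [ -e "$f" ] || continue          # empty directory: glob stays literal
        name=$(basename "$f")
        status=$(cat "$f")
        printf '%-24s %s\n' "$name:" "$status"
        case "$status" in
            Vulnerable*) rc=1 ;;        # kernel says the mitigation is missing
        esac
    done
    return $rc
}

# Print the microcode revision the kernel loaded for the first CPU, or
# "unknown" when /proc/cpuinfo has no such field (non-x86, or very old kernel).
microcode_rev() {
    awk -F': ' '/^microcode/ { print $2; exit }' "$1/proc/cpuinfo" 2>/dev/null \
        | grep . || echo unknown
}

# Build a constructed sample tree (not real machine output) so the checks can be
# run offline: two mitigated entries, one still Vulnerable, and a cpuinfo with
# a microcode field. Prints the path of the temporary root.
make_sample() {
    root=$(mktemp -d)
    v="$root/sys/devices/system/cpu/vulnerabilities"
    mkdir -p "$v" "$root/proc"
    echo 'Mitigation: PTI' > "$v/meltdown"
    echo 'Mitigation: __user pointer sanitization' > "$v/spectre_v1"
    echo 'Vulnerable: Minimal generic ASM retpoline, IBPB: disabled' > "$v/spectre_v2"
    printf 'processor\t: 0\nvendor_id\t: GenuineIntel\nmicrocode\t: 0xde\n' > "$root/proc/cpuinfo"
    echo "$root"
}

# Stand-alone run: pass --live to inspect this machine, otherwise demonstrate on
# the constructed sample so the script works anywhere.
if [ "${1:-}" = "--live" ]; then
    root=/
else
    root=$(make_sample)
fi
echo "microcode revision: $(microcode_rev "$root")"
report_vulns "$root" \
    || echo "at least one entry is still Vulnerable: install the vendor's UEFI/microcode update"
```

A "Mitigation:" line for spectre_v2 that mentions IBRS/IBPB is the visible sign that the microcode half of the fix is present; a "Vulnerable" line after a firmware update means the vendor's package did not carry the new microcode, and the microcode revision printed here can be compared against the one listed in the vendor's release notes.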
How the Update Process Has Been Broken for Years
The BIOS update process has been a mess forever, long before UEFI. Traditionally, computers shipped with an old-school BIOS, and there was less that could go wrong. PC manufacturers might ship a few BIOS updates to fix minor issues, but the general advice was to avoid installing them if your PC was working properly. You often had to boot from a DOS boot disk to flash a BIOS update, and everyone has heard stories of BIOS updates failing and leaving PCs unbootable.
Times have changed. UEFI firmware does a lot more, and Intel has released several major updates for things like CPU microcode and Intel ME over the past few years. Whenever Intel releases such an update, all Intel can do is say "ask your computer manufacturer". Your computer manufacturer, or motherboard manufacturer if you built your own PC, has to take the code from Intel and integrate it into a new UEFI firmware version. Then they have to test that firmware. And each manufacturer must repeat this process for every single PC model they sell, as they all have different UEFI firmware. It's this kind of manual work that has made Android phones so difficult to update in the past.
In practice, this means that critical security updates that must be delivered through UEFI often take a long time to arrive, frequently many months. It also means manufacturers can shrug their shoulders and refuse to update PCs that are only a few years old. And even when manufacturers do release updates, those updates are often buried on the manufacturer's support website. Most PC users will never discover that these UEFI firmware updates exist, let alone install them, which is why these bugs remain on existing PCs for a long time. And some manufacturers still make you boot into DOS to install firmware updates, just to make it more complicated.
What Is Being Done About It
It's a mess. We need a streamlined process that lets manufacturers create new UEFI firmware updates more easily. We also need a more efficient release process for those updates so that they are installed on users' PCs automatically. Right now the process is slow and manual; it should be fast and automatic.
This is what Microsoft is trying to do with Project Mu. Here’s how it’s explained in the official documentation:
Mu is based on the idea that delivering and maintaining a UEFI product is an ongoing collaboration between multiple partners. For too long, the industry has built products using a «fork» model combined with copy/paste/rename, and with each new product, the maintenance burden increases to the point where updates are almost impossible due to cost and risk.
Project Mu is about helping PC manufacturers build and test UEFI updates faster, streamlining the UEFI development process and helping everyone work together. This is hopefully the missing piece as Microsoft has already made it easier for PC manufacturers to automatically push UEFI firmware updates to users.
Specifically, Microsoft lets PC manufacturers release firmware updates through Windows Update and has provided documentation on the subject since at least 2017. Microsoft also announced Component Firmware Update, an open source model that manufacturers can use to update UEFI and other firmware, back in October 2018. If PC manufacturers adopt this capability, they will be able to deliver firmware updates to all their users very quickly.
It's not just a Windows thing. On Linux, developers are trying to make it easier for PC manufacturers to release UEFI updates through LVFS, the Linux Vendor Firmware Service. PC vendors can submit their updates, and they will appear for download in the GNOME Software application used by Ubuntu and many other Linux distributions. This work began in 2015, and PC manufacturers such as Dell and Lenovo are participating.
These Windows and Linux solutions cover more than just UEFI updates. Hardware manufacturers can use them to update everything from USB mouse firmware to SSD firmware in the future.
As SwiftOnSecurity says, referring to the problems with SSD encryption firmware, firmware updates can be reliable. We should expect more from hardware manufacturers.