Why you should insist on UEFI protected devices

March 28th, 2013 by Stephen Jones

Security adviser/journalist/guru Roger Grimes makes a cogent argument for the adoption of UEFI-protected devices.

An interface layer between an operating system and firmware, UEFI offers much better security than PC BIOS. UEFI is an open standard that makes it harder to manipulate firmware in an unauthorized manner. Any UEFI-enabled component requires firmware updates to be digitally signed by a previously authorized party. UEFI also prevents other types of subversion, such as eavesdropping, boot changes, and so on. The latest version adds secure boot, which requires a unique key for each computer and each OS or low-level application; these keys can be revoked to block both known malware and unauthorized installations.

A novice malware writer could write a worm that could brick a significant number of the computers in your network. With a little research and more malicious code, they could brick not only your computers, but printers, network devices, and (non-UEFI) mobile devices.

For mission-critical computers, I recommend that companies use UEFI-enabled computers and devices. Most end-users can’t tell the difference between a UEFI-protected computer and one that isn’t.

All new computer hardware that you buy should come UEFI-enabled, for several good security reasons. The original EFI specification didn’t offer much in the way of security. But version 2.3 (now under the UEFI name), and specifically 2.3.1, has solid security. It not only requires digital signatures for code updates but also enables secure boot firmware-to-OS protection.

Today, UEFI and secure boot are easily the most secure protection firmware can have outside of a physical switch.
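Since end-users can't tell a UEFI-protected machine from one that isn't, an administrator can check it directly. The following is an added example, not code from the original post: it assumes a Linux host with efivarfs mounted under `/sys/firmware/efi/efivars`, and the function names and posture labels are this example's own.

```python
import os
import struct
import tempfile

# EFI_GLOBAL_VARIABLE GUID defined by the UEFI specification
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

def read_efi_byte(efi_dir, name):
    """Return the 1-byte value of a global UEFI variable, or None if unreadable.

    Linux efivarfs files hold a 4-byte little-endian attribute word
    followed by the variable's data.
    """
    path = os.path.join(efi_dir, "efivars", f"{name}-{EFI_GLOBAL}")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except OSError:
        return None
    if len(raw) < 5:
        return None  # truncated: attribute word present but no data byte
    _attrs, value = struct.unpack_from("<IB", raw)
    return value

def firmware_posture(efi_dir="/sys/firmware/efi"):
    """Classify how the running Linux system was booted."""
    if not os.path.isdir(efi_dir):
        return "legacy-bios"          # kernel exposes no EFI interface
    secure = read_efi_byte(efi_dir, "SecureBoot")
    setup = read_efi_byte(efi_dir, "SetupMode")
    if secure is None:
        return "uefi-unknown"         # efivarfs not mounted or not readable
    if setup == 1:
        return "uefi-setup-mode"      # no Platform Key enrolled, nothing enforced
    return "uefi-secure-boot" if secure == 1 else "uefi-secure-boot-off"

def make_sample(secure, setup):
    """Build a constructed efivars tree (sample data, not from a real machine)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "efivars"))
    for name, val in (("SecureBoot", secure), ("SetupMode", setup)):
        with open(os.path.join(root, "efivars", f"{name}-{EFI_GLOBAL}"), "wb") as fh:
            fh.write(struct.pack("<IB", 0x6, val))  # attrs: boot-service | runtime access
    return root

if __name__ == "__main__":
    print("this host:", firmware_posture())
    print("constructed sample:", firmware_posture(make_sample(1, 0)))
```

Anything other than `uefi-secure-boot` on a machine that is supposed to be protected is worth following up in the firmware setup screen.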


