Intel's EFI: Hidden Threat to Computing Freedom?

Posted: 2009-01-06

Now i'm no expert in this field, but from what i've been reading, the industry is shifting towards Extensible Firmware Interface (EFI) and EFI means bad news for the future of fully open machines. First of all, it will make current fully-free BIOS replacements like coreboot useless as well as always requiring a piece of proprietary binary-only code to build a free BIOS on top of EFI. It will trap certain OS operations to an EFI-based control system meaning that the OS doesn't necessarily own the platform. On top of all that, EFI can control many things that effectively make it a "DRM BIOS". All of this comes with added complexity and, as expressed by Linus Torvalds, without real advantages. Linus also refers to EFI as "this other Intel brain-damage (the first one being ACPI)", and this is why i stick to AMD =]

This excerpt from an interview with Ronald G. Minnich from FOSDEM explains in more detail the dangers of EFI:

What are your thoughts on the Extensible Firmware Interface (EFI)?
I have spoken with the EFI authors at length. They make no secret of the fact that a "core value" of EFI is the preservation of intellectual property related to chipset programming and internal architecture. To put it another way, EFI is dedicated to the preservation of "Hard" hardware (as defined above), and the provision of binary interfaces and subsystems to BIOS vendors and others.

It is not really possible to build a full open-source BIOS if EFI is involved. The Tiano system, which Intel claims is an open source BIOS, can not be used to build a BIOS unless it is attached to proprietary, binary-only BIOS code provided by a vendor.
Another important thing to realize about EFI is that it also contemplates enabling chipset features that will trap certain OS operations to an EFI-based control system running in System Management Mode. In other words, under EFI, there is no guarantee that the OS owns the platform.

Accesses to IDE I/O addresses, or certain memory addresses, can be trapped to EFI code and potentially examined and modified or aborted. Many see this as an effort to build a "DRM BIOS".

I am not sure what the real intent of this design is, but is is a real concern in secure environments (such as those found in governments, banks, and large search engine companies). A number of vendors and users have told me that they are not sure they can ship an EFI system they are willing to trust in a secure environment.
I've taken this to Dell's IdeaStorm, asking them to resist EFI, but i'm not sure where else to go and how concerned we should all be about this. Thousands of customers called out for Dell to put effort into adopting a free BIOS replacement for a number of reasons, but Dell's john_h has informed us that their "BIOS teams have investigated, but no plans to do this. Most of the industry is moving towards using uEFI", clearly not a pro-consumer move. Please vote on it and let me know in the comments what you think of these issues with EFI.