As the development of computer technology has progressed, it has become increasingly obvious that the traditional way of booting up the system with BIOS and Master Boot Record, introduced back in the 1980s during the era of the MS-DOS operating system, is no longer able to meet modern requirements. So, several companies including Microsoft and Intel started to develop a modern successor. It was around 2000 when the first specification for the Extensible Firmware Interface (EFI) was developed. In the years that followed, after the Unified EFI Forum was founded in 2005, the current UEFI standard gradually emerged.

What is UEFI?

UEFI stands for Unified Extensible Firmware Interface. This special interface is a kind of miniature operating system which starts up immediately after booting the computer’s motherboard (also referred to as the mainboard) and its corresponding hardware components. It ensures that a special start-up program (referred to as a bootloader) can be loaded in the memory and then execute additional operational routines. Usually, this process ends with the login screen. The user then enters the required information (user name and password) at which point the computer can be used for specific tasks (e.g. word processing, etc.).

To be able to use the UEFI interface, the computer needs a special firmware on the motherboard. After booting up the computer, the program generates the UEFI interface as a special operational layer that communicates between the firmware and the operating system. For UEFI mode to be initialised before the operating system is started up, it permanently resides on a memory chip on the motherboard. As a permanent component of the motherboard firmware, the UEFI program is retained even if there is no power.

Nowadays, an NVRAM (non-volatile random-access memory) is used for specific boot-related settings (e.g. configuration data, BIOS parameters such as the boot sequence) which are stored after the computer is turned off. It uses very little power covered by an autonomous motherboard battery (a button cell battery). If the battery dies, perhaps due to the computer not being used for a while, this can lead to start-up problems.

UEFI is often referred to as the direct successor to BIOS. However, the UEFI specification does not define how firmware should be programmed in its entirety. It only describes what the interface between the firmware and operating system should look like. The UEFI specification does not do away with the traditional Basic Input/Output System (BIOS) as the computer’s basic boot firmware. It is more of an extension or modernised modification that boots up current computers with an operational interface and also uses new mechanisms and functions. To be able to differentiate between these two types today, we usually refer to legacy BIOS (i.e. traditional BIOS) and UEFI BIOS or UEFI firmware.

Advantages of UEFI

In the Windows ecosystem, the UEFI mode has been the standard boot method since Windows 8. As of this version, Windows defined the GUID Partition Table as the standard for hard drive partitioning. The traditional legacy BIOS system boot technology tied to the Master Boot Record no longer works with this partitioning technique. The operational unit consisting of the Unified Extensible Firmware Interface and GPT partitioning paves the way for new functions and options while removing some of the limitations of the traditional boot process.

The following are some of the most important advantages and functions of UEFI technology:

  • Designed as an industry standard
  • Easy to program (uses the programming language C)
  • Its modular structure makes it flexible and allows it to be adapted to special hardware environments and requirement profiles (e.g. support modules for older operating systems can be integrated with the UEFI firmware)
  • UEFI can be extended with special functions and programs (e.g. digital rights management, games, web browsers, hardware monitoring, fan control)
  • Improved usability via the use of a computer mouse and a graphical user interface (there were also some attempts with the traditional BIOS)
  • Integrated boot manager which manages the various bootloaders for different operating systems
  • Early integration of drivers is possible (which then no longer need to be loaded by the operating system)
  • A dedicated command line tool is available for performing diagnostics and troubleshooting (UEFI Shell)
  • Network functionality even without an active operating system
  • Network connection enables remote maintenance (remote upgrade of firmware components or the entire firmware) and booting via the network
  • Increased security through the Secure Boot feature

Secure Boot was introduced to increase security. Each software component (e.g. parts of the UEFI firmware, the bootloader, the operating system kernel, etc.) is verified before it is started up. Cryptographic digital signatures stored in the signature database of the UEFI firmware are used for verification. If a component has been compromised by viruses, does not have a signature or has an invalid key, it will not pass this security check and the system will cancel the boot.

In professional environments, Secure Boot often works in conjunction with a special hardware component. The Trusted Platform Module (TPM) is a specialised chip that provides computers and other devices with extensive security functions. It is highly likely that the combination of Secure Boot and the TPM chip will become standard for ensuring the security of all computers in the near future.

When directly compared to the traditional legacy BIOS system boot method, the operational unit consisting of UEFI and GPT partitioning offers the following advantages in particular:

  • Multiboot systems are supported. This means that several operating systems with their own boot managers can be installed at the same time. During the boot process, you can select, on demand, an alternative operating system, such as opting to start up Linux instead of Windows.
  • The GPT partitioning allows up to 128 primary GPT partitions in Windows (previously, it only supported four primary partitions)
  • Boot devices can exceed the 2.2 TB hard drive capacity for the first time (the previous limit for legacy BIOS systems with Master Boot Record)
  • Pre-boot applications are supported (e.g. accessing and using diagnostic tools, backup solutions)
  • Boots faster than legacy BIOS systems
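The partitioning difference in the list above can be read straight from the first two sectors of a disk. The following is an added example, not part of the original article: it tells a Master Boot Record disk from a GPT disk, reports the number of partition slots and verifies the GPT header checksum. The function names and the sample images are constructed for illustration, and a 512-byte sector size is assumed; the field offsets follow the GPT header layout in the UEFI specification.

```python
import struct
import zlib

SECTOR = 512                       # assumed logical sector size
MBR_MAX_BYTES = 2**32 * SECTOR     # 32-bit sector addresses: about 2.2 TB


def classify_disk(image: bytes) -> dict:
    """Classify a disk from its first two sectors (LBA 0 and LBA 1)."""
    if len(image) < 2 * SECTOR:
        raise ValueError("need at least two sectors")
    lba0, lba1 = image[:SECTOR], image[SECTOR:2 * SECTOR]
    if lba0[510:512] != b"\x55\xaa":
        return {"scheme": "unknown"}
    # Four 16-byte MBR entries start at offset 446; byte 4 of each is the type.
    types = [lba0[446 + 16 * i + 4] for i in range(4)]
    if 0xEE not in types or lba1[:8] != b"EFI PART":
        return {"scheme": "mbr", "slots": 4,
                "used": sum(t != 0 for t in types), "max_bytes": MBR_MAX_BYTES}
    header_size, stored_crc = struct.unpack_from("<II", lba1, 12)
    slots, entry_size = struct.unpack_from("<II", lba1, 80)
    if not 92 <= header_size <= SECTOR:
        return {"scheme": "gpt", "slots": slots, "header_crc_ok": False}
    # The header CRC32 is computed with its own field (offset 16) zeroed.
    zeroed = lba1[:16] + b"\x00" * 4 + lba1[20:header_size]
    return {"scheme": "gpt", "slots": slots, "entry_size": entry_size,
            "header_crc_ok": zlib.crc32(zeroed) == stored_crc}


def sample_mbr(part_type: int) -> bytearray:
    """Constructed LBA 0 with one partition entry of the given type."""
    mbr = bytearray(SECTOR)
    mbr[446 + 4] = part_type
    mbr[510:512] = b"\x55\xaa"
    return mbr


def sample_gpt() -> bytes:
    """Constructed protective MBR plus a minimal GPT header (128 slots)."""
    hdr = bytearray(SECTOR)
    struct.pack_into("<8sII", hdr, 0, b"EFI PART", 0x00010000, 92)
    struct.pack_into("<II", hdr, 80, 128, 128)
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr[:92])))
    return bytes(sample_mbr(0xEE) + hdr)


if __name__ == "__main__":
    print(classify_disk(sample_gpt()))
    print(classify_disk(bytes(sample_mbr(0x07)) + bytes(SECTOR)))
```

A failed header checksum on a disk that otherwise looks like GPT is worth investigating, since the boot path depends on this structure before any operating system protection is active.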

Disadvantages of UEFI

The Unified Extensible Firmware Interface also has some disadvantages. UEFI has limited compatibility because it only supports 64-bit systems. While these are increasingly becoming standard, 32-bit systems are still widely used, especially in the Windows ecosystem. This limited compatibility is due to how tightly integrated the boot technology is with the specific partitioning of the bootable system volume (boot device). This combination of UEFI and GPT partitioning is only compatible with 64-bit systems. Older computers with 32-bit operating systems using legacy BIOS cannot boot GPT-partitioned hard drives.

To increase UEFI’s compatibility, the Compatibility Support Module (CSM) is used. For example, this module is used to run 32-bit versions of Windows 7 or 8 on modern UEFI hardware. The CSM also makes it possible to have a mix of operating systems on a single computer. In a multiboot system, older operating systems that only work with the traditional legacy BIOS can be booted up in addition to the UEFI-compatible ones. However, a 32-bit operating system will then have to use an additional boot device, such as a second hard drive with Master Boot Record. When the computer is started up, the desired system can then be actively selected in the boot manager menu. Other firmware types handle this process automatically: First, the system looks for a more modern EFI bootloader. If one is not found, the CSM module is used directly during the boot process.

However, this compatibility with legacy BIOS is only a temporary solution. Intel is currently urging computer manufacturers to stop implementing CSM. It needs to be gradually phased out to reduce the size of the UEFI BIOS code and lower the costs of hardware testing. Furthermore, computers that boot in legacy mode using the CSM module cannot use the UEFI-specific feature Secure Boot and its security mechanisms to protect against viruses and unauthorised tampering.
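Whether a machine actually booted through UEFI with Secure Boot enforced, or fell back to legacy/CSM mode, can be audited from the operating system. The following is an added example, not part of the original article: it assumes a Linux host where UEFI variables are exposed through efivarfs at `/sys/firmware/efi/efivars`, and its function names and sample bytes are constructed for illustration.

```python
import struct
from pathlib import Path

# GUID of the EFI global-variable namespace (from the UEFI specification).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumed Linux efivarfs mount


def decode_flag(raw: bytes) -> bool:
    """Decode an efivarfs file: 4-byte little-endian attribute word, then data.
    SecureBoot and SetupMode each carry exactly one data byte (0 or 1)."""
    if len(raw) != 5:
        raise ValueError(f"expected 5 bytes, got {len(raw)}")
    _attributes, value = struct.unpack("<IB", raw)
    if value not in (0, 1):
        raise ValueError(f"unexpected flag value {value}")
    return value == 1


def read_flag(root: Path, name: str):
    """Return the flag as bool, or None when the variable does not exist."""
    path = root / f"{name}-{EFI_GLOBAL}"
    return decode_flag(path.read_bytes()) if path.is_file() else None


def classify(efi_present: bool, secure_boot, setup_mode) -> str:
    if not efi_present:
        return "legacy-or-csm"      # no UEFI variables: Secure Boot cannot apply
    if secure_boot:
        return "uefi-secure-boot-on"
    if setup_mode:
        return "uefi-setup-mode"    # no platform key enrolled, nothing enforced
    return "uefi-secure-boot-off"


def boot_state(root: Path = EFIVARS) -> str:
    return classify(root.is_dir(), read_flag(root, "SecureBoot"),
                    read_flag(root, "SetupMode"))


# Constructed sample: attributes 0x00000006 (boot-service + runtime), value 1.
SAMPLE_SECURE_BOOT_ON = b"\x06\x00\x00\x00\x01"

if __name__ == "__main__":
    print(decode_flag(SAMPLE_SECURE_BOOT_ON), boot_state())
```

In a fleet audit, any result other than `uefi-secure-boot-on` marks a host whose boot chain is not being signature-checked.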

Another disadvantage of UEFI is the following security risk. Due to the direct connection during the boot phase, malware can infect a computer before the operating system’s security mechanisms have had a chance to intervene. This is by no means a theoretical threat. In 2014, the first security hole in the interface was discovered, and by 2018 experts had identified LoJax, the first UEFI virus in the wild (i.e. outside of pure laboratory experiments).
