Bootloader/Firmware

Chapter 1

UEFI

  • BIOS limitations are:

    • You can have only four primary partitions.

    • The BIOS cannot read the logical partitions.

    • The BIOS is kind of dumb; it just jumps to the first sector of your HDD.

    • The maximum partition size with a BIOS-based system is 2.2 TB.

UEFI Advantages

UEFI supports 64-bit processors; hence, it does not face any of the hardware limitations that the BIOS faces.

  • UEFI can use the full CPU. Unlike the BIOS (which is stuck in the processor's 16-bit mode), UEFI can run the processor in 64-bit mode.

  • UEFI can use a full RAM module. Unlike the 1 MB address space of the BIOS, UEFI can support and use terabytes of RAM.

  • Instead of the tiny 64-byte MBR partition table, UEFI uses the GUID Partition Table (GPT), which provides an infinite number of partitions, all of them primary. In fact, there is no concept of primary and logical partitions.

  • The maximum partition size is 8 zettabytes.

  • UEFI has enterprise management tools.

    1. You will be able to fix the computer remotely.

    2. You will be able to browse the Internet inside the UEFI firmware.

    3. You will be able to change the UEFI firmware behavior/settings from OS.

    4. To change the settings of the BIOS, we have to reboot the system, since the OS runs in long mode whereas the BIOS runs in real mode, and real mode is available only at boot time.

  • UEFI is a small OS.

    1. You will have full access to audio and video devices.

    2. You will be able to connect to Wi-Fi.

    3. You will be able to use the mouse.

    4. In terms of the GUI, UEFI will provide a rich graphics interface.

    5. UEFI will have its own app store like we have for Android and Apple phones.

    6. You will be able to download and use applications from the UEFI app store, just like with Android and Apple phones. Hundreds of apps are available, such as calendars, email clients, browsers, games, shells, etc.

    7. UEFI is able to run any binary that has an EFI executable format.

    8. It boots operating systems securely with the help of the Secure Boot feature. We will discuss the Secure Boot feature in depth later in this book.

    9. UEFI is backward compatible, meaning it will support the “BIOS way” of booting. In other words, operating systems that do not have UEFI support will also be able to boot with UEFI.
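The partition-table points above (four primary entries, a 64-byte table, a 2.2 TB ceiling, and the GPT that replaces it) are easiest to see by decoding an MBR by hand. The following Python is an added example, not code from the book; the MBR sectors it decodes are constructed inline, and the helper names (`build_mbr`, `parse_mbr`, `fits_in_mbr`, `is_protective_mbr`) are this example's own. It shows why the four-entry and 32-bit sector-count limits exist, and how a GPT disk announces itself to legacy tools with a single "protective" type-0xEE entry.

```python
import math
import struct

SECTOR_SIZE = 512            # MBR entries count 512-byte sectors
TABLE_OFFSET = 446           # the 64-byte partition table sits just before the 0x55AA signature
ENTRY_FORMAT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), start LBA, sector count
MBR_SIGNATURE = b"\x55\xaa"


def build_mbr(entries):
    """Construct a 512-byte MBR from up to four (bootable, type_id, start_lba, sectors) tuples."""
    if len(entries) > 4:
        raise ValueError("the MBR table has room for exactly four entries")
    sector = bytearray(SECTOR_SIZE)
    for i, (bootable, type_id, start_lba, sectors) in enumerate(entries):
        struct.pack_into(ENTRY_FORMAT, sector, TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, type_id, start_lba, sectors)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes):
    """Decode the four primary partition entries of an MBR; empty slots (type 0) are skipped."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != MBR_SIGNATURE:
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    partitions = []
    for i in range(4):
        status, type_id, start_lba, sectors = struct.unpack_from(
            ENTRY_FORMAT, sector, TABLE_OFFSET + 16 * i)
        if type_id == 0:
            continue
        partitions.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": type_id,
            "start_lba": start_lba,
            "sectors": sectors,
            "size_bytes": sectors * SECTOR_SIZE,
        })
    return partitions


def max_mbr_partition_bytes() -> int:
    """Largest partition a 32-bit sector count can describe: about 2.2 TB."""
    return 0xFFFFFFFF * SECTOR_SIZE


def fits_in_mbr(size_bytes: int) -> bool:
    """True if the partition's sector count still fits in the entry's 32-bit field."""
    return math.ceil(size_bytes / SECTOR_SIZE) <= 0xFFFFFFFF


def is_protective_mbr(partitions) -> bool:
    """A GPT disk carries one type-0xEE entry so legacy tools treat the whole disk as in use."""
    return len(partitions) == 1 and partitions[0]["type"] == 0xEE


# Constructed sample: a bootable 512 MiB Linux partition (type 0x83) followed by a 1 GiB one.
SAMPLE_MBR = build_mbr([
    (True, 0x83, 2048, 1048576),
    (False, 0x83, 1050624, 2097152),
])

# Constructed protective MBR, as written in front of a GPT: a single 0xEE entry
# covering as much of the disk as 32 bits can express.
PROTECTIVE_MBR = build_mbr([(False, 0xEE, 1, 0xFFFFFFFF)])

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(p)
    print("max MBR partition: %.3f TB" % (max_mbr_partition_bytes() / 1e12))
    print("does a 3 TB partition fit?", fits_in_mbr(3 * 10**12))
    print("protective MBR?", is_protective_mbr(parse_mbr(PROTECTIVE_MBR)))
```

Feeding `build_mbr` a fifth entry, or a sector count above 0xFFFFFFFF, fails at construction time: there is simply no field in the 64-byte table to hold it, which is the whole reason GPT moved to 64-bit LBAs and a separate entry array.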

UEFI Implementation

  • Only one EFI System Partition (ESP) is created on the disk, and the bootloader has to be installed in this partition only. It is not necessary to create the ESP as the first partition; it could be created anywhere, but the ESP must have a FAT16/32 (preferably FAT32) filesystem. The recommended ESP size is a minimum of 256 MB.

  • The OS vendor has to create the following directory structure in ESP:

  • Once this structure is created, the OS has to install the bootloader inside the /EFI/<os_vendor_name>/ location only. This means that, just as the BIOS reserves 512 bytes + 31 KB of space for bootloaders, UEFI reserves a dedicated space of at least 256 MB for bootloaders. The ESP partition will be mounted in Linux under the mount point /boot/efi.

  • It’s compulsory for every OS vendor to write bootloader files in the EFI executable format. Also, the files should have the .efi extension.

  • One of the best features UEFI provides is Secure Boot. The feature was proposed by Microsoft and later added in the UEFI specification. Microsoft first used the Secure Boot feature in Windows 8.

  • The recommended partition table is GPT, which is a GUID partition table, whereas the BIOS uses an MS-DOS partition table.
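Because every bootloader on the disk lives under /EFI/<vendor>/ and must be an EFI executable with the .efi extension, the ESP is a small, well-defined place to inventory. The Python below is an added example, not the book's code: it walks a mounted ESP (a constructed one, built in a temporary directory so the script runs anywhere), reads each file's PE/COFF header (the EFI executable format is PE32+, with subsystem values 10, 11 and 12 for EFI applications and drivers), and flags files whose extension and contents disagree. The `build_fake_pe` helper writes only the header fields the check reads; it is not a loadable image. Function and directory names are this example's own.

```python
import tempfile
from pathlib import Path

# PE optional-header subsystem values that identify UEFI images.
EFI_SUBSYSTEMS = {10: "EFI application", 11: "EFI boot service driver", 12: "EFI runtime driver"}
MACHINE_NAMES = {0x8664: "x64", 0x14C: "ia32", 0xAA64: "aarch64"}


def parse_pe_header(data: bytes):
    """Return machine/magic/subsystem for a PE image, or None if the bytes are not PE/COFF."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = int.from_bytes(data[0x3C:0x40], "little")   # e_lfanew
    opt = pe_off + 4 + 20                                  # PE signature (4) + COFF header (20)
    if len(data) < opt + 70 or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    return {
        "machine": int.from_bytes(data[pe_off + 4:pe_off + 6], "little"),
        "magic": int.from_bytes(data[opt:opt + 2], "little"),          # 0x20B = PE32+
        "subsystem": int.from_bytes(data[opt + 68:opt + 70], "little"),
    }


def inventory_esp(esp_root):
    """Walk <esp>/EFI/<vendor>/... and classify every file found there."""
    efi_dir = Path(esp_root) / "EFI"
    findings = []
    for path in sorted(p for p in efi_dir.rglob("*") if p.is_file()):
        vendor = path.relative_to(efi_dir).parts[0]
        hdr = parse_pe_header(path.read_bytes())
        is_uefi_image = hdr is not None and hdr["magic"] == 0x20B and hdr["subsystem"] in EFI_SUBSYSTEMS
        findings.append({
            "vendor": vendor,
            "file": path.name,
            "efi_extension": path.suffix.lower() == ".efi",
            "is_pe": hdr is not None,
            "is_uefi_image": is_uefi_image,
            "machine": MACHINE_NAMES.get(hdr["machine"], hex(hdr["machine"])) if hdr else None,
        })
    return findings


def suspicious(findings):
    """Files that carry .efi but are not UEFI images, or are UEFI images without .efi."""
    return [f for f in findings if f["efi_extension"] != f["is_uefi_image"]]


def build_fake_pe(machine=0x8664, subsystem=10) -> bytes:
    """Constructed minimal PE32+ header: enough for the checks above, not a loadable image."""
    hdr = bytearray(0x58 + 72)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")           # e_lfanew -> PE signature at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    hdr[0x44:0x46] = machine.to_bytes(2, "little")
    hdr[0x58:0x5A] = (0x20B).to_bytes(2, "little")          # optional header magic: PE32+
    hdr[0x58 + 68:0x58 + 70] = subsystem.to_bytes(2, "little")
    return bytes(hdr)


def make_sample_esp() -> str:
    """Constructed ESP tree: the default loader, one vendor's loader and config, and two oddities."""
    root = Path(tempfile.mkdtemp(prefix="esp-"))
    (root / "EFI" / "BOOT").mkdir(parents=True)
    (root / "EFI" / "ubuntu").mkdir()
    (root / "EFI" / "tools").mkdir()
    (root / "EFI" / "BOOT" / "BOOTX64.EFI").write_bytes(build_fake_pe())
    (root / "EFI" / "ubuntu" / "grubx64.efi").write_bytes(build_fake_pe())
    (root / "EFI" / "ubuntu" / "grub.cfg").write_text("set timeout=5\n")
    (root / "EFI" / "tools" / "notes.efi").write_text("this is not a PE image\n")   # .efi but not executable
    (root / "EFI" / "tools" / "shell").write_bytes(build_fake_pe())                 # executable without .efi
    return str(root)


if __name__ == "__main__":
    esp = make_sample_esp()
    findings = inventory_esp(esp)
    for f in findings:
        print(f)
    print("worth a look:", [(f["vendor"], f["file"]) for f in suspicious(findings)])
```

On a real system the same walk runs over /boot/efi; comparing the inventory against the previous one is a cheap way to notice a loader that appeared without a package update.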

UEFI Shell

  • The moment you choose the option Launch EFI Shell from USB drives, it will execute the shell.efi file and will present you with a shell.

  • The blk* entries are the device names, whereas fs* is a filesystem naming convention. Since the UEFI shell is able to read the FAT32 filesystem (ESP partition), we can browse the ESP directory.

  • UEFI shell has similar characteristics to a standard Linux shell.

Secure Boot

  • It guarantees that grubx64.efi, which is about to run, is from an authentic source.

  • It guarantees that BCD does not have any backdoor in it.

  • It stops something from executing if it is unauthorized.

  • This is how Secure Boot works:

    1. Microsoft will generate a key pair (public and private key).

    2. Microsoft will digitally sign its bootloader or its files with the private key.

    3. The public key of Microsoft will be kept inside the UEFI firmware.

    4. The digital signature generated in step 2 will be verified with the public key of Microsoft, which is present inside the UEFI firmware.

    5. If the digital signature matches, then only UEFI will allow the *.efi file’s execution.

    6. If the digital signature does not match, UEFI will consider the file a harmful program, or at least one not shipped by Microsoft, and will halt its execution.
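The six steps above, carried through in code. This is an added teaching model, not code from the book and not how firmware is implemented: it stands in textbook RSA over SHA-256 for the vendor's signing algorithm (real firmware checks the Authenticode signature embedded in the PE image against certificates stored in its `db` variable), uses two publicly known Mersenne primes as the "private" key so that the arithmetic is real but the key is obviously not secret, and represents grubx64.efi with a constructed byte string. The names `generate_keypair`, `sign`, `verify`, `firmware_load` and `FIRMWARE_DB` are this example's own.

```python
import hashlib

# Publicly known Mersenne primes stand in for the vendor's RSA primes (teaching model only).
# n = P * Q exceeds 2^256, so a SHA-256 digest is signed without any reduction.
P = 2**521 - 1
Q = 2**127 - 1


def generate_keypair(p=P, q=Q, e=65537):
    """Step 1: the vendor (Microsoft in the text) generates a public/private key pair."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent (needs Python 3.8+)
    return (n, e), (n, d)


def digest(image: bytes) -> int:
    """The value that is actually signed: the SHA-256 digest of the whole image."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def sign(private_key, image: bytes) -> int:
    """Step 2: sign the bootloader image with the private key."""
    n, d = private_key
    return pow(digest(image), d, n)


def verify(public_key, image: bytes, signature: int) -> bool:
    """Step 4: use the public key to recover the signed digest and compare it with the image's own."""
    n, e = public_key
    return pow(signature, e, n) == digest(image)


def firmware_load(db, image: bytes, signature: int) -> str:
    """Steps 3, 5, 6: 'db' is the set of trusted public keys kept in firmware; load only if one verifies."""
    for public_key in db:
        if verify(public_key, image, signature):
            return "allowed"
    return "blocked"


# Constructed stand-in for grubx64.efi (a real one is a PE32+ image).
GRUB_IMAGE = b"MZ" + b"constructed stand-in for grubx64.efi" * 4
VENDOR_PUB, VENDOR_PRIV = generate_keypair()
FIRMWARE_DB = [VENDOR_PUB]                   # step 3: the vendor's public key lives in the firmware
GRUB_SIGNATURE = sign(VENDOR_PRIV, GRUB_IMAGE)


def demo():
    # A signed, unmodified loader passes.
    genuine = firmware_load(FIRMWARE_DB, GRUB_IMAGE, GRUB_SIGNATURE)
    # Changing a single byte changes the digest, so the original signature no longer matches.
    tampered = firmware_load(FIRMWARE_DB, GRUB_IMAGE[:-1] + b"!", GRUB_SIGNATURE)
    # A loader signed with a key the firmware does not hold is blocked as well (M607 and M89 are primes).
    _other_pub, other_priv = generate_keypair(p=2**607 - 1, q=2**89 - 1)
    unknown = firmware_load(FIRMWARE_DB, GRUB_IMAGE, sign(other_priv, GRUB_IMAGE))
    return genuine, tampered, unknown


if __name__ == "__main__":
    print(demo())
```

The third case is the one that matters operationally: a binary can be perfectly well signed and still be refused, because trust is decided by which public keys the firmware holds, not by the presence of a signature.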
