Calls: Send in your ideas. Deadline April 1, 2024
Grant
Theme fund: NGI Assure
Start: 2022-12
More projects like this
Operating Systems

UEFI isolation in VM from non UEFI firmware

Safer booting into UEFI-compliant operating system

UEFI is the successor to BIOS, which initialises the bare hardware of a computer before handing over to a bootloader. The UEFI specification defines the architecture of platform firmware used for booting and its interface for run-time interaction with operating systems. As such, UEFI is responsible for bootstrapping pretty much every modern computer. In the majority of cases this is done with very little transparency for users - essentially relegating this enormously responsible position to a "black box" that just blips on the screen. Unfortunately trust in vendors to live up to their huge responsibility to make this safe and robust is not always justified: quite a few issues and security vulnerabilities in the (mostly proprietary) UEFI implementations have come to the surface via real-world exploits. The key open source booting mechanisms (like coreboot and Linuxboot/u-root) are not UEFI compliant.

This project aims to close the gap in a pragmatic way: through virtualization - booting into a stripped down Linux and using the Kernel Virtual Machine (which is generally considered mature) to run the reference open source reference implentation of UEFI until it can hand over to a UEFI compliant boot loader. This is of course a security tradeoff (the early stage Linux used for virtualisation would not be able to use UEFI just yet itself in bootstrapping) , but it allows a single intervention to bridge to all different boot loaders and wholly avoid opaque proprietary ones by switching to open source ones. This also helsp to debug and assist in finding new solutions to cope with the shortcomings of native UEFI implementations.

  • The project's own website:

Logo NLnet: abstract logo of four people seen from above Logo NGI Assure: letterlogo shaped like a tag

This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073.