Microsoft just announced Project Mu, promising “firmware as a service” on supported hardware. Every PC manufacturer should take note. PCs need security updates to their UEFI firmware, and PC manufacturers have done a poor job of delivering them.
What Is UEFI Firmware?
Modern PCs use UEFI firmware instead of a traditional BIOS. The UEFI firmware is the low-level software that starts when you boot your PC. It tests and initializes your hardware, does some low-level system configuration, and then boots an operating system from your computer’s internal drive or another boot device.
However, the modern firmware image holds more than the boot code. For example, computers with Intel chipsets have the Intel Management Engine (ME), a small embedded computer with its own firmware that runs independently of Windows, Linux, or whatever operating system you're running. The ME's firmware lives in the same flash chip as the UEFI firmware and is normally replaced as part of the same vendor firmware update. On corporate networks, system administrators can use the ME's Active Management Technology (AMT) features to remotely manage their computers.
The firmware image also carries processor "microcode," which is effectively firmware for the CPU itself: updatable logic that controls how the instructions programs execute are carried out by the hardware. When your computer boots, the UEFI firmware loads its bundled microcode into the CPU before the operating system starts. Operating systems can load a newer microcode revision later in boot (Windows and Linux distributions ship microcode packages for this), but the copy in the firmware is the one in place earliest.
Why UEFI Firmware Needs Security Updates
The last few years have shown over and over why UEFI firmware needs timely security updates.
We all learned about Spectre in January 2018, when researchers showed serious architectural problems with modern CPUs. Flaws in "speculative execution" meant a program could bypass the usual security boundaries and read memory it should never be able to see. The operating-system mitigations for branch target injection (Spectre variant 2) rely in part on new CPU control interfaces (IBRS, IBPB, and STIBP) that only exist after a microcode update. That means PC manufacturers had to update every laptop and desktop model, and motherboard manufacturers every motherboard, with new UEFI firmware containing the updated microcode. Your PC isn't fully protected against Spectre variant 2 unless updated microcode is loaded, either from a UEFI firmware update or from a microcode package your operating system loads at boot. AMD also released microcode updates for its processors, so this isn't just an Intel thing.
Intel's Management Engine has had its own security bugs. Some let an attacker with local access compromise the ME firmware itself; another let an attacker on the network bypass authentication to Intel Active Management Technology (AMT) and take control of the machine. Luckily, the remote flaw only affected systems where AMT had been provisioned, which is mostly business PCs, so average consumers weren't exposed to it.
These are just a few examples. Researchers have also shown it's possible to abuse the UEFI firmware on some PCs to gain deep, persistent access to the system: code that runs from the firmware starts before the operating system and survives a reinstall or a wiped drive. They've even demonstrated ransomware that installed itself into a computer's UEFI firmware and ran from there.
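On Linux you can check the things this paragraph says matter, the installed firmware version, the loaded microcode revision and whether the kernel still reports Spectre as open, from the shell. The script below is an added example, not code from the article, from Microsoft or from Project Mu. It reads the kernel's vulnerability status files under /sys/devices/system/cpu/vulnerabilities, the microcode line in /proc/cpuinfo and the DMI firmware strings under /sys/class/dmi/id; given a path it inspects a directory tree mirroring /proc and /sys (the demo builds one with invented values, not captured from a real PC), and given no argument it inspects the live machine.

```shell
#!/bin/sh
# Added example, not code from the article or from Project Mu: report the
# firmware facts that decide whether a Linux PC has the Spectre-era fixes.
# Pass a directory that mirrors /proc and /sys to inspect a constructed
# tree (used for the offline demo below), or no argument for the live box.

# Classify one /sys/devices/system/cpu/vulnerabilities/<name> file.
# The kernel writes "Not affected", "Vulnerable[: ...]" or "Mitigation: ...".
vuln_status() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$(cat "$1")" in
        "Not affected"*) echo not-affected ;;
        Mitigation*)     echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Loaded microcode revision as /proc/cpuinfo reports it ("microcode : 0x84").
# Non-x86 kernels have no such line, so fall back to "unknown".
microcode_rev() {
    rev=$(sed -n 's/^microcode[[:space:]]*:[[:space:]]*//p' "$1" 2>/dev/null | head -n 1)
    echo "${rev:-unknown}"
}

# One firmware string from /sys/class/dmi/id (bios_vendor, bios_version, bios_date).
dmi_field() {
    if [ -r "$1/sys/class/dmi/id/$2" ]; then cat "$1/sys/class/dmi/id/$2"; else echo unknown; fi
}

# Print the report for the system rooted at $1 ("" = live system).
# Returns 1 if any checked issue is still reported as vulnerable.
firmware_report() {
    root=$1
    bad=0
    echo "firmware : $(dmi_field "$root" bios_vendor) $(dmi_field "$root" bios_version) ($(dmi_field "$root" bios_date))"
    echo "microcode: $(microcode_rev "$root/proc/cpuinfo")"
    for v in spectre_v1 spectre_v2 meltdown; do
        s=$(vuln_status "$root/sys/devices/system/cpu/vulnerabilities/$v")
        echo "$v: $s"
        [ "$s" = vulnerable ] && bad=1
    done
    return "$bad"
}

# Build a constructed /proc + /sys tree (values invented for the demo, not
# captured from a real machine): old firmware, old microcode, spectre_v2 open.
make_demo_root() {
    d=$(mktemp -d)
    vd="$d/sys/devices/system/cpu/vulnerabilities"
    mkdir -p "$d/proc" "$vd" "$d/sys/class/dmi/id"
    printf 'processor\t: 0\nmodel name\t: Example CPU\nmicrocode\t: 0x84\n' > "$d/proc/cpuinfo"
    echo "Example Vendor" > "$d/sys/class/dmi/id/bios_vendor"
    echo "1.2.3" > "$d/sys/class/dmi/id/bios_version"
    echo "01/15/2018" > "$d/sys/class/dmi/id/bios_date"
    echo "Mitigation: __user pointer sanitization" > "$vd/spectre_v1"
    echo "Vulnerable" > "$vd/spectre_v2"
    echo "Mitigation: PTI" > "$vd/meltdown"
    echo "$d"
}

demo=$(make_demo_root)
firmware_report "$demo" || echo "=> update the UEFI firmware (or install the OS microcode package)"
rm -rf "$demo"
```

On a real machine, run `firmware_report` with no argument and compare the reported firmware version and date with the newest release on the manufacturer's support page; if spectre_v2 still reads "vulnerable", a firmware update carrying new microcode (or the distribution's microcode package) is the fix, and the microcode line should change after a reboot. The vulnerability files exist on kernels from early 2018 onward; on older kernels everything reports "unknown", which is itself a sign the system needs attention.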
The industry should be updating every computer’s UEFI firmware just like any other software to help protect against these problems and similar flaws in the future.
How the Update Process Has Been Broken for Years
The BIOS update process has been a mess forever—since long before UEFI. Traditionally, computers shipped with that old-school BIOS, and less could go wrong. PC manufacturers might ship a few BIOS updates to fix minor problems, but the usual advice was to avoid installing them if your PC was working properly. You often had to boot from a bootable DOS drive to flash the BIOS update, and everyone heard stories of BIOS updates failing and bricking PCs, rendering them unbootable.
Things have changed. UEFI firmware does a lot more, and Intel has released several big updates to things like CPU microcode and the Intel ME in the past few years. Whenever Intel releases such an update, all Intel can do is say "ask your computer manufacturer." Your computer manufacturer (or motherboard manufacturer, if you built your own PC) has to take the code from Intel and integrate it into a new UEFI firmware version. They then have to test the firmware. Oh, and each manufacturer has to repeat this process for every PC model they sell, since each model has its own UEFI firmware build. It's the kind of manual work that made Android phones so difficult to update in the past.
In practice, this means it often takes a long time—many months—to get critical security updates that have to be delivered via UEFI. It means manufacturers might shrug and refuse to update PCs that are just a few years old. And, even when manufacturers do release updates, those updates are often buried on that manufacturer’s support website. Most PC users won’t ever discover those UEFI firmware updates exist and install them, so these bugs end up living on in existing PCs for a long time. And some manufacturers still make you install firmware updates by booting into DOS first—just to make it extra complicated.
What People Are Doing About It
That’s a mess. We need a streamlined process where manufacturers can more easily create new UEFI firmware updates. We also need a better process for releasing those updates, so users can get them automatically installed on their PCs. Right now the process is slow and manual—it should be fast and automatic.
That’s what Microsoft is trying to do with Project Mu. Here’s how the official documentation explains it:
Mu is built around the idea that shipping and maintaining a UEFI product is an ongoing collaboration between numerous partners. For too long the industry has built products using a “forking” model combined with copy/paste/rename and with each new product the maintenance burden grows to such a level that updates are near impossible due to cost and risk.
Project Mu is all about helping PC manufacturers create and test UEFI updates faster by streamlining the UEFI development process and helping everyone work together. Hopefully, this is the missing piece, as Microsoft has already made it easier for PC manufacturers to send their UEFI firmware updates to users automatically.
Specifically, Windows Update can deliver UEFI firmware updates packaged by the PC manufacturer, and Microsoft has published documentation for doing this since at least 2017 (Windows lists the updatable firmware on a machine as devices under "Firmware" in Device Manager). In October 2018, Microsoft also announced Component Firmware Update (CFU), an open protocol manufacturers can use to push firmware to peripherals and other components through their Windows drivers. If PC manufacturers get on board with this, they could deliver firmware updates to all their users very quickly.
This isn't just a Windows thing, either. On Linux, the LVFS (Linux Vendor Firmware Service) gives PC manufacturers a place to publish UEFI and other firmware updates. The fwupd daemon on the PC fetches them, and they appear as updates in the GNOME Software application, which Ubuntu and many other distributions use, or can be listed and applied from the command line with fwupdmgr. The effort dates back to 2015, and PC manufacturers like Dell and Lenovo are participating.
These solutions for Windows and Linux affect more than just UEFI updates, too. Hardware manufacturers could use them to update everything from USB mouse firmware to solid-state drive firmware in the future.
As SwiftOnSecurity put it when talking about the problems with solid-state drive firmware and encryption, firmware updates can be reliable. We need to expect better from hardware manufacturers.
Firmware updates can be reliable. I have initiated at least 3,000 Dell BIOS updates with only one failure, and that old PC was already in service for failing.
Re-think what you think is impossible. Firmware servicing is not impossible or risky. It requires people demand better.
— SwiftOnSecurity (@SwiftOnSecurity) November 6, 2018