What is EFI/UEFI?
UEFI (Unified Extensible Firmware Interface) is the new boot and runtime service provider that claims to "...provide a clean interface between operating systems and platform firmware at boot time, and will support an architecture-independent mechanism for initializing add-in cards..." (as per the UEFI.org website). UEFI is simply the EFI specification with Intel modifications in the form of re-factoring. The UEFI specification is similar to BIOS (Basic Input/Output System) in that it provides boot/runtime services, but is architecture independent (ie: not reliant on the x86 architecture). I must mention that UEFI is not a replacement of BIOS as some firmware requires the use of BIOS functions (eg: POST (Power-On Self-Test) and Setup). One final note should be that EFI/UEFI does not improve or degrade the security of the system it is on.
Before purchasing the laptop, I had not heard of EFI/UEFI. Nor, had I heard of GPT (GUID Partition Table). I spent quite a bit of time researching these acronyms and discovering something that had been around from some time now and wondered exactly how I never heard of it! I spent quite a few hours attempting to install Linux distributions and different bootloaders (including GRUB-EFI, SYSLINUX, LILO, etc) all claiming to work with EFI/UEFI.
I finally [accidentally] discovered that I could in fact boot, but only from a Live DVD and selecting the "Boot from first HDD" option. What the heck!? Pressing F12 at POST on my machine and selecting "Boot From Hard Disk" was effectively the same thing, but it failed and went on to try booting removable media before moving on to a PXE boot. I was perturbed at this point to say the least.
"Secure Boot" and the PK
As stated previously, EFI/UEFI does not improve or degrade system security. It does, however, include alleged "security enhancements" to protect the pre-OS environment from "unknown OS loaders" (please see: MSN Blog Archive). This particular blog goes on to say, "...secure boot doesn't "lock out" operating system loaders, but is a policy that allows firmware to validate authenticity of components...". The problem with this is in the event you purchase a new machine with UEFI and it does not have the option in BIOS to disable secure boot. By design it is supposed to sign executables like drivers with a KEK (Key Exchange Key; similar to a public key) and provide an additional layer of security, which actually sounds good to me, honestly. My biggest qualm with this methodology is the fact that, once the firmware is out of "setup" mode (no PK installed) and enters "user" mode (gets assigned a signed key) it is "locked down" to the signer of the keys (in my case Microsoft or the UEFI organization).
My Run-In with Secure Boot
I have recently purchased a new Lenovo V570 series laptop from Best Buy. The specifications looked great for the price and the machine had and aesthetic allure as well. The brushed, dark aluminum, the slim and light-weight design. It certainly appealed to my eyes as well as my wallet proportionately with the specs therein. My wife probably thinks I'm having an affair with the thing, so I'll stop talking about how great it is and get to the part where I say that I also hate it.Before purchasing the laptop, I had not heard of EFI/UEFI. Nor, had I heard of GPT (GUID Partition Table). I spent quite a bit of time researching these acronyms and discovering something that had been around from some time now and wondered exactly how I never heard of it! I spent quite a few hours attempting to install Linux distributions and different bootloaders (including GRUB-EFI, SYSLINUX, LILO, etc) all claiming to work with EFI/UEFI.
I finally [accidentally] discovered that I could in fact boot, but only from a Live DVD and selecting the "Boot from first HDD" option. What the heck!? Pressing F12 at POST on my machine and selecting "Boot From Hard Disk" was effectively the same thing, but it failed and went on to try booting removable media before moving on to a PXE boot. I was perturbed at this point to say the least.