UEFI: Who Cares?

June 6, 2012

There is a lot of smoke in the air about Microsoft's apparent proposal to force all Windows 8 ARM tablet manufacturers (and potentially PC manufacturers as well) to enable UEFI Secure Boot, with the apparent goal of making it impossible to install aftermarket OS upgrades (i.e., competing operating systems like Linux/Android). But what does the fire look like?

First, there is a lot of FUD and no real facts on the ground. Yes, slashdot is as capable of spreading FUD as anyone else. We simply don't have the concrete facts about the final result. The most we can say is that the sky might fall in the future for various enumerable reasons, but "the sky is falling" it ain't.

In fact, there is one thing we know with confidence: Android and Apple have a substantial lead in the portable market. Microsoft has taken some impressive steps to try to make their "me too" offering compelling, but it is inconceivable that Samsung et al will drop Android for Windows any time soon.


MS touts Secure UEFI as a technique to prevent viruses. If you have been paying attention to Microsoft's record with certificate-based security (from Active-X to Stuxnet), you know they have not been very successful. UEFI itself is a very sophisticated chunk of code, and one that every foreign crappy-coder-consortium^H^H^HOEM will have to confront. There will be massive exploitable bugs. It will fail to prevent viruses from rewriting the bootloader, and it will fail to prevent Linux hackers from doing the same.

(yes, I'm racist against Samsung's programmers)

But no analysis is complete without examining the status quo. Consider the HP (Compaq??) iPAQ h1940. I bought one in 2003 because it was so sleek that I couldn't resist it. It came preinstalled with WinCE (or its successor), but I wanted to hack Linux onto it, like I had done previously with my iPAQ h3765. I was ultimately unable to do so, because in order to reverse-engineer the thing, I would have needed to work extensively with WinCE, which made me wince (har!).

The situation is little better today, with the one advantage that now all of these incompatible firmwares are often tailored to load Linux (Android) instead of WinCE, giving us a meager leg-up. But if you brick your device by fouling the OS bootloader and need to use the firmware to reflash it, you are stuck again in undocumentedville. It's surely possible, but it is often the undiscovered country.

In fact, the majority of these Android devices are only open at all on accident. Carriers demand closed smartphones, and media vendors demand closed tablets (Nook, Kindle). Vendors see portable devices as a way to sell a service, and there's no reason to believe this will change any time soon.

So basically, Microsoft intends to force the entire ARM portable devices market to abandon their long-standing practice of ad hoc undocumented incompatible firmwares and instead standardize on UEFI. Then they want all of the vendors to make just Windows 8 devices and nothing else.

Color me an optimist, but I think it's a lot more likely that they will succeed at popularizing UEFI than that they will convince Samsung to ditch Android.

So here's how I see it playing out. If you have a future Windows 8 tablet, it will have a standard documented firmware that you will have to root in order to install Linux. Rooting will be a path well-traveled because hackers will love the device because the enhanced crap factor of Windows 8 will make them cheap on the used market. And the standardized firmware will make every hacking-related task easier.

And once the manufacturers implement UEFI, they'll use it on all their products. So if you have a future non-Windows tablet, it will have a standard documented firmware that will not need to be rooted. That's right, MS's pressure will result in a major improvement for Android hackers.

Three cheers for UEFI! Hip hip hooray! Hip hip hooray! Hip hip hooray!

Thanks to the secure boot bait-and-switch, standardization has received a major boost.

This is another instance where it is important to "be here now." Look at the problems we actually face in the real world, and don't get too distracted by some impractical Orwellian pipe-dream.

[update: 2016/01/12] Since writing this, I have owned a sequence of Android phones that all support fastboot. Different vendors have had different approaches to unlocking the bootloader, but I have managed to only buy devices that can be unlocked. I have enjoyed the uniform ease of fastboot. In other words, Google effectively implemented something roughly equivalent to UEFI without anyone complaining, and with much benefit to users.