How Intel and PC makers prevent you from modifying your laptop's firmware

haswell e
Credit: Brad Chacos

Even if you’re rocking the most open of open-source operating systems, chances are your laptop isn't really that "free," betrayed by closed firmware binaries lurking deep within the hardware itself.

Modern UEFI firmware is a closed-source, proprietary blob of software baked into your PC’s hardware. This binary blob even includes remote management and monitoring features, which make it a potential security and privacy threat.

You might want to replace the UEFI firmware and get complete control over your PC’s hardware with Coreboot, a free software BIOS alternative—but you can’t in PCs with modern Intel processors, thanks to Intel’s Boot Guard and the “Verified Boot” mode PC manufacturers choose.

Why Coreboot won’t support your new laptop

Coreboot was originally known as LinuxBIOS. It’s a Free Software Foundation-endorsed project working on replacing the proprietary UEFI firmware and BIOS found in typical computers. Coreboot is designed to be lightweight and only provide the necessary functions so the computer can initialize its hardware and boot an operating system. This isn’t just some fringe free software project—all modern Chromebooks ship with Coreboot, and Google helps support it.

When someone recently asked whether Coreboot would support new Intel Broadwell ThinkPads on the mailing list, the response was informative:

“New thinkpad's can't be used anymore for coreboot. Especially the U and Y Intel CPU Series. They come with Intel Boot Guard and you are won't be able to boot anything which is unsigned and not approved by OEM. This means the OEM are fusing SHA256 public key hashes into the southbridge.

For more details take a look at Intel Boot Guard architecture. It could be also confirmed by Secunet AG and Google.”

Intel Boot Guard explained

Intel themselves have a quick little explanation of Boot Guard in this document about Haswell’s new platform features. In summary, Boot Guard is a hardware-based technology designed to prevent malware and other unauthorized software from replacing or tampering with the low-level UEFI firmware.

Boot Guard has two separate modes, according to Intel. Every single PC OEM we know of configures it to work in “Verified Boot” mode. The PC manufacturer fuses their public key into the hardware itself. If the UEFI firmware isn’t signed by the OEM—that is, created by the OEM—the computer will halt and refuse to boot. That’s why you can’t modify the UEFI firmware or change it to something else.

librem laptop opened front

Purism's freedom-obsessed Librem 15 laptop won't use the Verified Boot option.

There’s also a second option: “Measured Boot” mode, where the hardware securely stores information about the boot process in a trusted platform module (TPM) or Intel Platform Trust Technology (PTT). The operating system could then examine this information, and—if there was a problem—present an error to the user.

As Purism recently discovered, laptop makers can choose to have their hardware boot without looking for a digital firmware signature at all. The fusing of the processors can be set by the motherboard manufacturer to simply bypass the check. Purism's crowdfunded Librem 15 laptop will ship with a modern Intel CPU fused to run unsigned BIOS code.

In other words, Intel and Boot Guard don’t absolutely require hardware manufacturers to lock the computer to only using manufacturer-signed firmware, but every major PC maker does anyway.

Want to stay up-to-date on Linux, BSD, Chrome OS, and the rest of the World Beyond Windows? Bookmark the World Beyond Windows column page or follow our RSS feed.

It’s all a big conspiracy, right? Not exactly

It can be tempting to see this as a big conspiracy. These big corporations—Intel and hardware manufacturers—are preventing us from running the software we want to run on our own computers, as if we were using some underpowered, locked-down Surface RT instead of a powerful PC we’re supposed to have control of.

And sure, that’s true, but Boot Guard does help secure the UEFI firmware and protect against malware that infects the boot process. Intel and PC OEMs aren’t out to crush free software and prevent open hardware. The truth is more mundane—Intel and hardware manufacturers prioritize tighter security for the masses over the proprietary firmware concerns of a few. 

But, to their credit, Intel does allow PC manufacturers to configure the hardware in a different way. The real way to get that open hardware seems to be to build it from scratch and make the right decisions along the way, as Purism is trying to do. If you want this sort of open hardware, be prepared to vote with your wallet. Taking existing PC laptops and trying to bend them into open hardware—as Gluglug does with the Free Software Foundation-endorsed Libreboot—doesn’t seem to be an option anymore.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.