Practical benefits of UEFI
We’ve mentioned that UEFI lets motherboard
manufacturers provide a friendly graphical interface to system settings, and
that may be reason enough to switch. Once you’ve used a handy dropdown menu to
configure your hard disks and tweak the frequency settings on your CPU, the old
business of moving back and forth with the cursor keys feels impossibly
primitive.
However, UEFI provides a few more
far-reaching benefits, too. A major one is the ability to work better with
modern hard disks. The original PC BIOS system was designed to work with the
Master Boot Record (MBR) partitioning system, which only supports disks of up
to 2TB, and no more than four partitions per disk. This may have seemed like plenty
of headroom back when the system was introduced in 1983, but today it feels
restrictive.
[Image caption: Once you’ve experienced UEFI, the traditional PC BIOS looks decidedly primitive]
UEFI brings full support for the newer GUID
Partition Table (GPT) partitioning scheme. This system can accommodate up to
128 partitions per disk, with a total capacity of 8ZB, equivalent to eight
billion terabytes. Modern BIOS implementations can often handle GPT disks, but
with limitations: many are unable to boot from very large disks, limiting the
usefulness of the latest 3TB drives. UEFI also allows a generally closer degree
of integration between the operating system and the pre-boot environment,
something Windows 8 takes advantage of in its Advanced Startup Options. If
you’re using a UEFI system, you can choose these options from the PC settings
screen and select a device to boot from directly within the Windows 8
interface. (This option also appears if Windows 8 fails to start up properly,
and takes you to the Troubleshooting screen.) If you’re using non-UEFI
hardware, this option won’t be available: to boot from a device other than the
default, you’ll have to jump in when the computer restarts and configure your
BIOS directly.
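The difference between the two partitioning schemes described above can be read straight off the first two sectors of a disk. The following is an added example, not part of the original article: it assumes 512-byte sectors, and the function names and the sample 3TB disk image are constructed for illustration.

```python
import struct
import zlib

SECTOR = 512                       # assumed logical sector size
GPT_HDR = "<8sIIIIQQQQ16sQIII"     # 92-byte GPT header layout, little-endian

def describe_partition_table(lba0_1: bytes) -> dict:
    """Classify the first two sectors of a disk as MBR or GPT."""
    mbr, lba1 = lba0_1[:SECTOR], lba0_1[SECTOR:2 * SECTOR]
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("no boot signature at offset 510")
    # MBR: four fixed 16-byte slots at offset 446; type byte at +4, 0 = unused.
    types = [mbr[446 + 16 * i + 4] for i in range(4)]
    if 0xEE not in types:
        return {"scheme": "MBR", "slots": 4, "lba_bits": 32,
                "max_bytes": 2**32 * SECTOR}
    # Type 0xEE is the protective MBR; the real table is the GPT header at LBA 1.
    (sig, _rev, size, crc, _rsv, _cur, backup_lba, _first, _last, _guid,
     _array_lba, slots, _entry_size, _array_crc) = struct.unpack_from(GPT_HDR, lba1)
    if sig != b"EFI PART":
        raise ValueError("protective MBR without a GPT header")
    # The header CRC32 is computed with its own field (bytes 16-19) zeroed.
    crc_ok = zlib.crc32(lba1[:16] + bytes(4) + lba1[20:size]) == crc
    disk_bytes = (backup_lba + 1) * SECTOR   # backup header sits on the last LBA
    return {"scheme": "GPT", "slots": slots, "lba_bits": 64, "crc_ok": crc_ok,
            "disk_bytes": disk_bytes, "beyond_mbr": disk_bytes > 2**32 * SECTOR}

def build_sample_gpt(total_sectors: int) -> bytes:
    """Constructed sample: protective MBR + GPT header for an empty disk."""
    mbr = bytearray(SECTOR)
    # The 32-bit sector count saturates at 0xFFFFFFFF on large disks.
    mbr[446:462] = struct.pack("<B3sB3sII", 0, b"\x00\x02\x00", 0xEE,
                               b"\xff\xff\xff", 1, min(total_sectors - 1, 0xFFFFFFFF))
    mbr[510:512] = b"\x55\xaa"
    hdr = struct.pack(GPT_HDR, b"EFI PART", 0x00010000, 92, 0, 0, 1,
                      total_sectors - 1, 34, total_sectors - 34, bytes(16),
                      2, 128, 128, 0)
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]
    return bytes(mbr) + hdr.ljust(SECTOR, b"\0")

if __name__ == "__main__":
    # A 3TB drive (3 * 10**12 bytes), the size the article mentions.
    print(describe_partition_table(build_sample_gpt(3 * 10**12 // SECTOR)))
```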
Secure Boot
The most significant UEFI feature found in
Windows 8 is Secure Boot, a system that ensures only authorised operating
systems can start up on your PC. It works by reading a cryptographic signature
embedded in the OS boot loader and verifying it against a database of
authorised keys stored within the UEFI firmware. When you buy a new Windows 8
PC, laptop or tablet, the relevant key is preinstalled by the manufacturer, so
you won’t even know Secure Boot is active. However, if you try to start a
different operating system, the UEFI platform will refuse to boot.
This may not sound like a good thing.
Indeed, when it was first announced that all new Windows 8 hardware would come
with Secure Boot enabled, there was uproar among the technorati. Microsoft was
accused of shutting out competing operating systems, such as Ubuntu Linux, and
limiting customers’ ability to run whatever software they wanted on their PCs.
[Image caption: UEFI Secure Boot presentation slide at Microsoft BUILD conference]
In reality, Secure Boot as implemented on
x86 Windows 8 hardware brings real benefits, as we’ll discuss below. And it
doesn’t stop you from doing anything. Although it’s enabled on all new Windows
8 systems, you can simply go into the UEFI settings and turn it off with a
click. Once this is done, you can boot whichever operating system you like. If
you’re upgrading older hardware to Windows 8 then it’s likely that Secure Boot
won’t even be available; it requires the latest version of UEFI to function.
It’s also worth noting that you’re free to
authorise bootloaders other than the Windows 8 one. For example, you might add
a key for Ubuntu to the Secure Boot database, enabling both Windows 8 and
Ubuntu to start, while continuing to disallow other, unknown operating systems.
The precise process for generating a Secure Boot key should be detailed in the
manual for your motherboard or laptop, or in the installation instructions for
the operating system.
What’s more, Microsoft has agreed to allow
other recognised operating system publishers to use the same bootloader key as
Windows 8 (for a fee). Fedora Linux has already done this, so you can install
and boot Fedora on a Windows 8 system with no additional configuration
required.
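To check which keys and hashes a machine's Secure Boot database actually authorises, the firmware variables can be decoded directly. This is an added example, not part of the original article: it assumes the raw `SecureBoot` and `db` variables as Linux exposes them through efivarfs (four attribute bytes followed by the data), and the owner GUID and "certificate" bytes in the sample are constructed placeholders.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {X509: "x509", SHA256: "sha256"}

def secure_boot_enabled(efivar: bytes) -> bool:
    """efivarfs prefixes 4 attribute bytes; the SecureBoot value is 1 byte."""
    return len(efivar) == 5 and efivar[4] == 1

def parse_db(efivar: bytes) -> list:
    """Return (type, owner GUID, SHA-256 fingerprint) for every db entry."""
    blob, pos, entries = efivar[4:], 0, []
    while pos < len(blob):
        if len(blob) - pos < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])  # GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        body = blob[pos + 28 + hdr_size:pos + list_size]
        if (sig_size <= 16 or list_size < 28 + hdr_size
                or pos + list_size > len(blob) or len(body) % sig_size):
            raise ValueError("inconsistent size fields at offset %d" % pos)
        kind = SIG_TYPES.get(sig_type, str(sig_type))
        for off in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[off:off + 16])
            data = body[off + 16:off + sig_size]
            # Hash entries are already digests; certificates are fingerprinted.
            fp = data.hex() if kind == "sha256" else hashlib.sha256(data).hexdigest()
            entries.append((kind, str(owner), fp))
        pos += list_size
    return entries

def build_list(sig_type: uuid.UUID, owner: uuid.UUID, items: list) -> bytes:
    """Constructed sample data: one EFI_SIGNATURE_LIST with equal-sized items."""
    sig_size = 16 + len(items[0])
    body = b"".join(owner.bytes_le + item for item in items)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body

if __name__ == "__main__":
    owner = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed
    db = (struct.pack("<I", 0x27)                               # attribute bytes
          + build_list(X509, owner, [b"constructed-not-a-real-certificate"])
          + build_list(SHA256, owner, [hashlib.sha256(b"sample").digest()]))
    for entry in parse_db(db):
        print(entry)
```

On a Linux system the inputs would be the contents of `/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c` and `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f`.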
The advantage of Secure Boot
Not only is Secure Boot not harmful, it can
be greatly beneficial, both at home and at work. For businesses, it can help to
enforce security policies. If users are able to plug in their own hard disks
and boot into unauthorized operating systems, they could bypass restrictions on
which software can be run, what sort of network access is permitted and so
forth. If the IT department uses Secure Boot and password-protects the UEFI
settings to prevent them from being tampered with, the potential for data leaks
is greatly reduced.
For home users, Secure Boot can protect
your security in a different way. Here, the major risk isn’t from corporate
spies, but from malware. Specifically, Secure Boot protects your system against
rootkit-type infections that infect the bootloader and effectively make
themselves hypervisors for the operating system. Secure Boot stops infections
like this in their tracks by refusing to execute unrecognised startup code.
[Image caption: Windows 8 security detailed. Turning Secure Boot on and off on a Windows 8 PC]
Before we go overboard singing the praises
of Secure Boot, there’s one catch we must point out. We mentioned above that
Secure Boot could be disabled on x86 hardware. However, if you buy an ARM-based
Windows RT device, you won’t be able to disable Secure Boot: on this platform,
the feature is permanently locked on, and all third-party bootloaders are
strictly banned. You can see why Microsoft insists on this: it ensures that
consumer tablets provide a completely seamless and consistent experience, with
no possibility of malware or confusing multiple environments. However, it’s bad
news for anyone hoping to install Android or Linux on Windows tablet hardware.
What’s in a name?
The rise of UEFI raises questions about
terminology. Some motherboard manufacturers have taken to referring to their
UEFI offerings as sporting a “UEFI BIOS”. Arguably, this is misleading, since
the UEFI system completely replaces the classic PC BIOS.
However, the combination of UEFI and the
underpinning firmware does constitute a “basic input and output system”, albeit
not of the specific sort that’s typically referred to by the term “BIOS”.
Alternatively, you might take the view that the firmware itself is a BIOS, and
the UEFI is merely a shell that sits on top of it. Either way, the use of the
term BIOS isn’t exactly wrong, and as long as the term UEFI is present as well,
the meaning should be clear.
Another question is how to pronounce UEFI.
Although the Unified EFI Forum has published voluminous standards material, it
hasn’t provided any official guidance on this burning issue. Here at PC Pro we
tend to say “weffy”, but it’s been reported that Microsoft internally spells
the term out as “U-E-F-I”. Another possibility is “you-fee”, or perhaps, for
football fans, “you-eh-fee”. Whichever pronunciation you choose, get used to
defending it: if the ongoing lack of consensus on “SATA” is any guide,
pronunciation arguments over UEFI will probably be with us for at least as long
as the technology itself.