So infections that persist even reinstallations are more likely when using EFI. Therefore, In the question is only EFI vs BIOS, it would mean a clear recommendation for BIOS.
EFI and secure boot should be encouraged. AEM can measure malicious modifications, but secure boot can provide a chain of verification from the processor the the firmware (EFI) to the bootloader to the kernel.
There is an issue when secure boot gets implemented as restricted boot, but one could use the presigned shim bootloader or deploy its own secure boot keys.
Secureboot on VMs seems absurd, it’s already hard dealing with it on a host. But if you do need any help testing anything related to this out, please @ let me know and I will do!
The requirements to have EFI are installing the ovmf package on Debian and flipping a couple of options to change machine type and select the firmware with the MS sig. It is easily enabled nowadays compared to the past however with the guest side plumbing like EFI partitioning on the disk and having a signed kernel version, the EFI cannot “see” or start the image. However a vanilla iso from Debian is readily started.
I don’t know if the last built Whonix KVM image already comes with EFI booting compatibly. It might not. New Whonix KVM image required to test this for real.
Secure Boot support:
It depends which OVMF firmware is in use. Afaik (not re-tested now):
/usr/share/OVMF/OVMF_CODE_4M.ms.fd: EFI SecureBoot with Microsoft key
/usr/share/OVMF/OVMF_CODE.fd: EFI without SecureBoot
I figured that out when making sure the Kicksecure ISO is compatible with EFI SecureBoot inside QEMU for simplified testing of ISO images.
So,
A) enabling vs not enabling EFI by default, versus
B) enabling vs not enabling Secure Boot by default,
are two different decisions to make.
These are connected in so far that
If enabling Secure Boot by default, enabling EFI by default is a prerequisite.
However, in theory we could enable EFI by default but not Secure Boot.
Enabling UEFI is using the current proprietary software instead of the old software. So in order to overcome any problems (if any) with UEFI better to be enabled by default.
All VMs (debian and others) im installing are with UEFI, no issues.
For VMs, the worthwhile goal is Sovereign Boot, once available/possible.
[1]
VirtualBox BIOS:
There’s a compilation toolchain software freedom issue. Details here: VirtualBox Unavailable in Debian main due to Licensing Issues
It’s not closed source. The required compiler is source-available, under OSI certified license but not FSF certified license yet.
How old is better when no Secureboot or TPM (even if currently not mainly used) and microcode updates (critical) available? From security point view this is a disaster.
So working old software doesnt mean necessarily its secure software. And in our case the old hardware are deprecated/insecure.
The only way to justify supporting old hardware is when we for example say that we are FSDG distro, meaning yes we care about security when only its literally full free software, so microcode will be out of the scope, but thats not the current case.
So there is no avoidance from the support of the current new supported software/hardware and remove the support from the deprecated ones, if we are talking about security.
TPM for? Verified boot / Measured Boot? Not needed until implemented.
There are no microcode updates for VMs.
Note: This forum thread is in the Whonix forums. So the only place where Whonix - as long as runs “primarily” inside VMs (ignoring physical isolation) - could flip the BIOS vs EFI setting is on the virtualizer settings level. And for that - at the time of writing - no sufficient rationale exists.
Even if Whonix-Host existed, the decision of BIOS or EFI depends on the host hardware. It’s not something that can be adjusted from within Whonix source code level. Modern hardware comes with EFI by default anyhow and does not even have BIOS compatibility module. So your EFI-only feature request on modern hardware is automatically fullfilled without any changes by Whonix required.