BIOS vs EFI vs coreboot vs libreboot

I haven’t made up my mind yet. Here are some information which are conflicting.

Some thing for Advanced Security Guide - Whonix.


coreboot / libreboot should be preferred above all else since it is Libre Software / Open Source.

But since coreboot / libreboot has very limited hardware support, the other options also need some documentation / recommendation.

There is no feature like secure boot for coreboot / libreboot yet?


EFI should be discouraged because it is more open and standardized yet it is still obscure closed source like BIOS.

So infections that persist even reinstallations are more likely when using EFI. Therefore, In the question is only EFI vs BIOS, it would mean a clear recommendation for BIOS.


EFI and secure boot should be encouraged. AEM can measure malicious modifications, but secure boot can provide a chain of verification from the processor the the firmware (EFI) to the bootloader to the kernel.

There is an issue when secure boot gets implemented as restricted boot, but one could use the presigned shim bootloader or deploy its own secure boot keys.

Debian is working on secure boot.

https://wiki.debian.org/SecureBoot

Qubes does not have it yet. Other linux operating systems may already support it.

2 Likes

Noted! :slight_smile:

1 Like

Whonix for VirtualBox developer builds now are compatible with both, legacy BIOS booting and EFI booting.

Booting with SecureBoot enabled is also supported.

It is therefore possible to switch VirtualBox settings:

  • EFI: on / off
  • SecureBoot: on / off [requires EFI]

Enabling SecureBoot breaks tirdad.

This is because tirdad isn’t signed by Debian but with the local DKMS yes. That key however isn’t enrolled by default into the system’s keyring (MOK).

If there’s a solution and if enabling SecureBoot (or even EFI) in VMs makes sense yet is yet to be determined.

related:

1 Like

Secureboot on VMs seems absurd, it’s already hard dealing with it on a host. But if you do need any help testing anything related to this out, please @ let me know and I will do!

Would also break LKRG.

EFI still causing issues up to this day.

EFI inside VirtualBox breaks Debian Installer (the traditional one, not Calamares):
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036019

Therefore probably better to not enable EFI by default. Having EFI booting compatibly however is a nice feature.

The requirements to have EFI are installing the ovmf package on Debian and flipping a couple of options to change machine type and select the firmware with the MS sig. It is easily enabled nowadays compared to the past however with the guest side plumbing like EFI partitioning on the disk and having a signed kernel version, the EFI cannot “see” or start the image. However a vanilla iso from Debian is readily started.

I don’t know if the last built Whonix KVM image already comes with EFI booting compatibly. It might not. New Whonix KVM image required to test this for real.


Secure Boot support:

It depends which OVMF firmware is in use. Afaik (not re-tested now):

  • /usr/share/OVMF/OVMF_CODE_4M.ms.fd: EFI SecureBoot with Microsoft key
  • /usr/share/OVMF/OVMF_CODE.fd: EFI without SecureBoot

I figured that out when making sure the Kicksecure ISO is compatible with EFI SecureBoot inside QEMU for simplified testing of ISO images.

So,

  • A) enabling vs not enabling EFI by default, versus
  • B) enabling vs not enabling Secure Boot by default,

are two different decisions to make.

These are connected in so far that

  • If enabling Secure Boot by default, enabling EFI by default is a prerequisite.
  • However, in theory we could enable EFI by default but not Secure Boot.

For Secure Boot there is a dedicated forum thread: enable Linux kernel gpg verification in grub and/or enable Secure Boot by default

For host operating systems (Kicksecure, Whonix-Host), the user could opt-in Secure Boot DKMS Signing Key Enrollment.

Enabling UEFI is using the current proprietary software instead of the old software. So in order to overcome any problems (if any) with UEFI better to be enabled by default.

All VMs (debian and others) im installing are with UEFI, no issues.

As far as Whonix is concerned, inside VirtualBox and KVM, both BIOS and EFI are fully Open Source / source-available. [1]

The assumption “old” has to be rejected.

The assumption “old = bad” here has also to be rejected.

Details:


For VMs, the worthwhile goal is Sovereign Boot, once available/possible.


[1]
VirtualBox BIOS:
There’s a compilation toolchain software freedom issue. Details here:
VirtualBox Unavailable in Debian main due to Licensing Issues
It’s not closed source. The required compiler is source-available, under OSI certified license but not FSF certified license yet.

How old is better when no Secureboot or TPM (even if currently not mainly used) and microcode updates (critical) available? From security point view this is a disaster.

So working old software doesnt mean :prohibited: necessarily its secure software. And in our case the old hardware are deprecated/insecure.

The only way to justify supporting old hardware is when we for example say that we are FSDG distro, meaning yes we care about security when only its literally full free software, so microcode will be out of the scope, but thats not the current case.

So there is no avoidance from the support of the current new supported software/hardware and remove the support from the deprecated ones, if we are talking about security.

Secure Boot with Microsoft key isn’t worthwhile. References:

Less worthwhile with leaked Microsoft secure boot key.

Secure Boot brings shim into the mix, which is also not great… →

Without full Verified Boot, without Sovereign Boot, it’s not worthwhile.

TPM for? Verified boot / Measured Boot? Not needed until implemented.

There are no microcode updates for VMs.

Note: This forum thread is in the Whonix forums. So the only place where Whonix - as long as runs “primarily” inside VMs (ignoring physical isolation) - could flip the BIOS vs EFI setting is on the virtualizer settings level. And for that - at the time of writing - no sufficient rationale exists.

Whonix doesn’t run on hardware yet until Whonix-Host Operating System Live ISO, Whonix-Host Installer is available.

Even if Whonix-Host existed, the decision of BIOS or EFI depends on the host hardware. It’s not something that can be adjusted from within Whonix source code level. Modern hardware comes with EFI by default anyhow and does not even have BIOS compatibility module. So your EFI-only feature request on modern hardware is automatically fullfilled without any changes by Whonix required.

1 Like

Awesome, lets hope it can come soon.