What do Windows 8 and Windows Server 2012 offer that no other Windows operating system can? They support the Unified Extensible Firmware Interface, the long-overdue replacement for the ubiquitous BIOS that has defined PC startup operations since the 1970s. What's the difference between UEFI and BIOS? The new ecosystem represents a significant step forward for PC operations, but enterprises planning to deploy Windows 8 desktops should understand what UEFI is all about before rushing into any decisions.
For years, the Basic Input Output System (BIOS) provided the core functionality necessary to enable a computer's hardware when it's first turned on. The BIOS also jumpstarted the operating system's boot process once that hardware was enabled. And, to this day, BIOS continues to be used to boot most desktops.
On a typical PC, the BIOS runs hardware-specific code that provides the first instructions to the motherboard upon startup and then passes control over to the operating system when things get going. However, the BIOS must operate within a mere 1,024 KB of memory, can access only certain types of hardware and can work only with hard disks up to 2.2 TB.
The BIOS of yesterday was never engineered for today's computing environment. Even a mouse is too much for BIOS. Worse still, a computer that relies on BIOS is vulnerable to malware that can target the computer's boot sector before the operating system is even launched.
The difference between UEFI vs. BIOS
Windows 8 desktops configured to use UEFI can address many of the limitations imposed by BIOS. Although a UEFI system works a lot like the BIOS environment, UEFI provides enhanced control and manageability over the system's boot process. A UEFI-based computer provides a more advanced boot interface, offers more configurable options and supports additional hardware types.
In fact, Windows 8 UEFI can access all of a computer's hardware, including the mouse, USB ports, audio systems, graphic cards and network adapters. That means a UEFI-based system can also support Ethernet, Wi-Fi and Bluetooth network connectivity, allowing a device to be diagnosed and repaired remotely even if the OS won't boot.
More on Windows 8 UEFI vs. BIOS
Using UEFI to get a desktop ready for Windows 8
BIOS management best practices for patching and updating
Do enterprises need to worry about BIOS attacks?
Despite a lack of an advanced boot option, UEFI works for Windows 8
In addition, UEFI is programmable, so boot-time applications and services can be added to the boot process – which is generally a lot faster than with BIOS. Plus, according to the UEFI Forum, UEFI will support hard disks up to 9.4 zettabytes (ZB). That's a lot of hardware, considering that the entire Web contained merely 500 exabytes as of 2009 -- only half one of those zettabytes.
When comparing UEFI vs. BIOS, the newer system wins its biggest kudos in the area of security, by making it possible to prevent unauthorized firmware, operating systems or other UEFI drivers from running at boot time. Because applications and services can be added into the boot process, security features such as factory-encrypted drives and software verification can be implemented in a pre-OS environment.
Windows 8 UEFI takes advantage of these capabilities by including Secure Boot, a service that prevents malware from being introduced into the boot process. Secure Boot, which examines and authenticates each boot loader, maintains a set of databases that track software signatures and images approved to run on that computer. At startup, when UEFI is first initiated, it checks the databases to ensure that whatever is about to run can be properly authenticated to do so. Thus, only UEFI applications and certified services can operate on that machine.
The Linux controversy
Despite its advantages, the world of UEFI is not without its challenges, and IT can run into problems when deploying Windows 8 desktops. Not surprisingly, Microsoft requires these PCs to use UEFI by default. Otherwise, the manufacturer can't include the coveted Windows 8 logo on its hardware.
As a result, only operating systems with an appropriate digital signature can run on the machine. If users plan to run only Windows 8 -- and no other operating system -- there should be little problem. In fact, users should find that Windows 8 UEFI machines boot faster and require fewer restarts. But what about those users who want to set up their computers to dual-boot into Linux?
Because the Windows 8 implementation of UEFI includes Secure Boot, an operating system such as Linux must be digitally signed by a trusted certificate authority (CA). In order for any Windows 8-certified machine to dual-boot into Linux, IT must ensure that the Linux OS has a signed key that Secure Boot recognizes. Otherwise, Secure Boot must be turned off, thus undermining the fundamental boot protection.
The Linux Foundation has come up with one solution to this quandary. The operating system will include a mini-boot loader that can be signed like other software but will enable a handoff to a different boot loader that doesn't need to be signed. A splash screen will then prompt users to confirm whether to install or run Linux.
However, users will first need to manually configure UEFI. To facilitate this process, the Linux distribution will include instructions that walk users through the process of setting up UEFI with the keys necessary to make the boot operation legal.
The challenge with this approach is that it's a fairly manual one, and the process can vary greatly from one machine to the next. However, it does alleviate the need for a Linux distributor to acquire a Microsoft certification for its product. Some vendors have been reluctant to get such certification for financial or ethical reasons.
A few Linux distributors, such as Fedora, Ubuntu and openSUSE, have each come up with their own solutions to the Secure Boot challenge. Along with the operating system, they provide a small boot loader signed with a Microsoft certification from a CA. The boot loader will then load another, non-trusted boot loader to handle the Linux boot process. Although this approach forces the distributor to obtain a Microsoft-signed certificate, it avoids the manual solution offered by the Linux Foundation.
All this, of course, is a simplification of the complexities involved in getting a Windows 8-certified machine to play well with other operating systems. Organizations planning to deploy desktops that support dual-boot functionality should be aware of the challenges that UEFI might present.
For the most part, however, such a scenario is the exception for the average enterprise desktop, and the benefits of UEFI far outweigh the issues that might arise. The UEFI boot environment extends manageability and security well beyond what's available in BIOS and provides a better startup experience for most users. Clearly, the good old days of BIOS are behind us, and it's time to bring our PCs into the 21st century.
This was first published in May 2013