Microsoft just announced Project Mu, promising “firmware as a service” on supported hardware. Every PC manufacturer should take note. PCs need security updates to their UEFI firmware, and PC manufacturers have done a poor job of delivering them.
What Is UEFI Firmware?
Modern PCs use UEFI firmware instead of a traditional BIOS. The UEFI firmware is the low-level software that starts when you boot your PC. It tests and initializes your hardware, does some low-level system configuration, and then boots an operating system from your computer’s internal drive or another boot device.
However, UEFI is a little more complicated than the older BIOS software. For example, computers with Intel processors have something called the Intel Management Engine, which is basically a tiny operating system. It runs in parallel to Windows, Linux, or whatever operating system you’re running on your computer. On corporate networks, system administrators can use features in the Intel ME to remotely manage their computers.
UEFI also contains processor “microcode,” which is kind of like firmware for your processor. When your computer boots, it loads microcode from the UEFI firmware. Think of it like an interpreter that translates software instructions to hardware instructions performed on the CPU.
Why UEFI Firmware Needs Security Updates
The last few years have shown over and over why UEFI firmware needs timely security updates.
We all learned about Spectre in 2018, which exposed serious architectural problems with modern CPUs. Problems with something called “speculative execution” meant programs could escape standard security restrictions and read secure areas of memory. Fixes for Spectre required CPU microcode updates to function correctly. That means PC manufacturers had to update all their laptop and desktop PCs—and motherboard manufacturers had to update all their motherboards—with new UEFI firmware containing the updated microcode. Your PC isn’t adequately protected against Spectre unless you’ve installed a UEFI firmware update. AMD also released microcode updates to protect systems with AMD processors from Spectre attacks, so this isn’t just an Intel thing.
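To check whether a machine actually has the microcode-backed Spectre protections described above, here is an added example (not from the original article) that reads what a Linux kernel reports. It assumes a Linux system with the standard sysfs and /proc paths; the sample status line is constructed.

```python
import re
from pathlib import Path

# Assumed Linux locations; other operating systems expose this differently.
SPECTRE_V2 = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")
CPUINFO = Path("/proc/cpuinfo")
# On CPUs that shipped before Spectre, these features only exist after a microcode update.
MICROCODE_FEATURES = ("IBRS", "IBPB", "STIBP")


def parse_status(text):
    """Return (state, features): the kernel's verdict and microcode-backed features in use."""
    text = text.strip()
    if text.startswith("Not affected"):
        state = "not_affected"
    elif text.startswith("Mitigation"):
        state = "mitigated"
    else:  # "Vulnerable", "Vulnerable, ...", or text we do not recognise
        state = "vulnerable"
    active = set()
    for part in (p.strip() for p in re.split(r"[,;]", text)):
        if part.lower().endswith("disabled"):
            continue  # e.g. "STIBP: disabled" names a feature that is not in use
        for feat in MICROCODE_FEATURES:
            if re.search(rf"\b{feat}(_FW)?\b", part):
                active.add(feat)
    return state, sorted(active)


def microcode_revisions(cpuinfo_text):
    """Distinct microcode revisions currently loaded across all cores."""
    return sorted(set(re.findall(r"^microcode\s*:\s*(\S+)", cpuinfo_text, re.M)))


if __name__ == "__main__":
    if SPECTRE_V2.exists():
        state, feats = parse_status(SPECTRE_V2.read_text())
        revs = microcode_revisions(CPUINFO.read_text())
        print(f"spectre_v2: {state}; microcode-backed features in use: {feats or 'none'}")
        # This is the revision running now, whether firmware or the OS loaded it.
        print(f"loaded microcode revision(s): {revs or 'not reported'}")
    else:
        # Constructed sample line, used when the sysfs file is absent.
        sample = "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled"
        print(parse_status(sample))
```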