LWN: Comments on "Fedora considers deprecating legacy BIOS"

Fedora considers deprecating legacy BIOS

ms-tg — Fri, 29 Apr 2022 15:48:16 +0000

@corbet Any thoughts on the level and style of discourse on these BIOS and UEFI threads? Doesn't seem in keeping with LWN, wondering if you had any thoughts.

Fedora considers deprecating legacy BIOS

yuhong — Fri, 29 Apr 2022 08:24:32 +0000

Personally all the papers on NVMe SSD based search engines are enough of a reason to end legacy BIOS boot for me.

Fedora considers deprecating legacy BIOS

johannbg — Thu, 28 Apr 2022 21:09:40 +0000

> https://www.theregister.com/2022/04/27/microsoft-linux-vu...
which is vulnerability within systemd and only happens on UEFI hardware.

Interesting even Keith Richards drugs aren't strong enough to reach that conclusion in otherwords please explain to the audience here on LWN how a security flaw in networkd-dispatcher has anything to do with systemd and it only be happening on uefi hardware.

I eagerly await your response on the matter backing that up...

Fedora considers deprecating legacy BIOS

pizza — Thu, 28 Apr 2022 13:47:55 +0000

> which is vulnerability within systemd and only happens on UEFI hardware.

The vulnerability is actually with networkd-dispatcher, which is developed (and distributed!) independently from systemd. It's not even widely packaged in distributions! It's not a "systemd vulnerability" any more than a vulnerability in NetworkManager or Apache (or any other random daemon) can be called a "systemd vulnerability."

Meanwhile I see nothing in the article about how this vulnerability can only affect UEFI systems -- it seems to involve relatively run-of-the-mill symlink traversal, and the CVE descriptions are still redacted. Can you point us towards some sort of supporting evidence for your assertion?

Fedora considers deprecating legacy BIOS

stock — Thu, 28 Apr 2022 12:55:48 +0000

I think you need to back that up. Here's a recent example to the
contrary :
https://www.theregister.com/2022/04/27/microsoft-linux-vu...
which is vulnerability within systemd and only happens on UEFI hardware.

sneaky dual-boot

jem — Wed, 27 Apr 2022 14:55:30 +0000

While the combination of BIOS boot and GPT is technically feasible it's notexactly standard, I'm not sure if grub supports it or if a hybrid partion table (which is it's own can of worms) is needed.

GRUB supports booting from a GPT disk in BIOS mode, but you will need an extra BIOS boot partition. A disk with an MBR partition table usually contains a gap between the boot record and the first partition, which GRUB takes advantage of. GPT-partitioned disks do not (typically) have this "no man's land", so a separate partition is used instead. Using a partition is cleaner anyway, and GPT also does not have a practical limit on the number of partitions a disk can contain, so one extra partition doesn't make a big difference.

sneaky dual-boot

plugwash — Wed, 27 Apr 2022 11:57:01 +0000

Many distro install images nowadays support four different boot methods.

Legacy HD-media
Legacy optical media
UEFI HD-media
UEFI CD

In principle it would be possible for an installed system to support both UEFI and Legacy. I do see a few issues though.

1. Operating systems using UEFI installed on fixed drives are supposed to register themselves with the firmware(which requires the installer to berunning in UEFImode) rather than relying on a fixed entry point on the drive. In practice it's possible to boot using the "removable media path" even on a fixed drive but it's not the official way to do things.
2. While the combination of BIOS boot and GPT is technically feasible it's notexactly standard, I'm not sure if grub supports it or if a hybrid partion table (which is it's own can of worms) is needed.
3. There is no gaurantee that what works in one mode will work in the other.
4. Multiboot becomes even more of a can of worms than usual.

Clouds and VPSes

JanC_ — Wed, 27 Apr 2022 01:33:01 +0000

There is also the concept of children taking care of the elderly in poor areas, which is less needed in places where we have pensions.

Clouds and VPSes

nix — Tue, 26 Apr 2022 12:50:07 +0000

This is not a population bust in the biological boom/bust sense. These are caused by starvation or predator pressure. What we are seeing almost worldwide is the voluntary reduction of breeding rates in order to focus more resources on fewer offspring. This is largely because this is what women want, but also because there is an economic incentive: in poverty-stricken rural areas children become a source of free labour fairly fast as they grow up, so you can use one round of children to help fund the next, and having *lots* is to a certain degree beneficial to all of them. In cities they are and remain a substantial cost to the whole family, including any older children. So it's beneficial to have fewer.

(There is probably also something related to falling death rates: if you know that most of your children will survive, you'll have fewer. But the economic incentive is substantial even in the absence of that.)

sneaky dual-boot

nix — Tue, 26 Apr 2022 12:43:39 +0000

Done that mistakenly, on several occasions. It is *incredibly* confusing! The machine hardly ever gives any sort of on-screen indication of how it's booting, so the symptom is often that you install one OS, reboot, and the OS the machine used to run leaps into action as if it was not installed over, with the new one invisible (because it's using a completely different partitioning scheme) and with the old one often misbehaving (because parts of it have just been overwritten more or less completely at random).

This fubar is becoming rarer now because few machines with existing DOS partition tables are getting GPT-reformatted, and the installers that do that are using wipefs or equivalent and thus are *actually* wiping out the old one properly. But oh good grief was it confusing for a few years.

Clouds and VPSes

Wol — Mon, 25 Apr 2022 22:13:47 +0000

Well, for a start a repeat of Tunguska over Stal (sorry, Put)'s palace might be a good idea ... let's hope the universe obliges ...

Cheers,
Wol

Clouds and VPSes

johannbg — Mon, 25 Apr 2022 19:08:35 +0000

Well it's not like the human population will stop breeding tomorrow despite the genderless generation's attempt to put a dent in the population growth rate and the fact is we kinda need a meteor like right now, not 50+ years from now.

And who does not want to go out in a blaze of glory of kinetic energy = mass/2 * velocity^2

It sure beats dying of old age doesn't it...

Fedora considers deprecating legacy BIOS

wtarreau — Mon, 25 Apr 2022 18:24:33 +0000

> Year 2000 edition had a nice, simple jumper which made ROM read-only

Many of us have had much more robust than a jumper, an EPROM that required UV light to erase them, and a special programmer delivering 21V to the VPP pin to program them :-) There was no need for a jumper, and as an added bonus, not being upgradable in field tended to make them less bogus (at least they were more tested than my core i7's AMI BIOS).

Clouds and VPSes

Wol — Mon, 25 Apr 2022 18:22:07 +0000

Well, iirc the prediction (in 1980) for the millenium world population was 12Bn, and if we were unbelievably lucky it might be only 8Bn. What's the current figure?

To the best of my knowledge, we've undershot pretty much every prediction since, and the forecast for 2100 or 2150 is only 3Bn ...

Populations naturally boom and bust, and it looks like we might be hitting bust, luckily for Earth ...

Cheers,
Wol

Clouds and VPSes

johannbg — Mon, 25 Apr 2022 17:36:57 +0000

> Perfect is the enemy of good. If we only accept perfect solutions we'll never get anywhere.

It's not like we are getting anywhere without the solutions being perfect now is it.

And it's not like the real/perfect solutions aren't known as in changing the world's economy and reduce the human population, they just cant be realistically implemented, well technically they can the former will never be allowed to happen and the latter never be socially accepted.

> I don't disagree with your sentiment that we're already basically screwed,

Biodiversity, polution in earth, water and air yup we are pretty fucked.

> but I don't think that's an excuse to just give up completely.

True we can always hope that good size meteor hits the planet.

Fedora considers deprecating legacy BIOS

khim — Mon, 25 Apr 2022 15:46:48 +0000

That's very true, sure. I see no reason to use the BIOS interface on the system where it's emulated via CSM.

But I don't think it's imlemented that way in virtual systems and other small systems where Linux can still run.

Although I wonder how many of these are out there which may not just run Linux, but specifically Fedora. It's pretty heavy novadays.

Clouds and VPSes

Wol — Mon, 25 Apr 2022 15:45:26 +0000

Does it work if you can't move the default from entry 1?

Last time I read the grub documentation, it told you how to changed the default boot entry from entry one, and then had the caveat "this only works if ...". Of course, my system breaks that "if"...

Cheers,
Wol

Fedora considers deprecating legacy BIOS

farnz — Mon, 25 Apr 2022 15:41:31 +0000

Note, though, that on all modern x86 hardware platforms, "traditional" BIOS is implemented as a module running atop UEFI; so you get all the vulnerabilities of UEFI, plus extra holes due to the CSM that implements the BIOS interface.

Which, in turn, makes the claims about BIOS being more secure questionable - you're talking about an additional layer atop UEFI, which can have its own vulnerabilities, plus you have the full stack of UEFI beneath it to compromise.

Clouds and VPSes

Wol — Mon, 25 Apr 2022 15:31:30 +0000

Yup.

Running costs are only part of the equation. How much environmental damage is done and making new and disposing of obsolete hardware? Surely the extra costs of running old hardware may well be cheaper ...

Much as I dislike the waste-to-power plant just down the road (and even more so because we're a poor East London borough having all of posh West London's waste dumped on us), the fact is that is very environmentally friendly - it means a load of waste is converted efficiently to energy and CO2 rather than inefficiently converted to methane ... and it leaves a load of oil/coal unmined and in the ground.

If you're being green, you need to look at the big picture, not just minimise your costs at the expense of creating even bigger costs elsewhere (cough cough the government pricing our steel industry out of existence cough cough).

Cheers,
Wol

Fedora considers deprecating legacy BIOS

khim — Mon, 25 Apr 2022 15:14:55 +0000

> Meanwhile, the other 99.999% of motherboards lacked that feature, including, as you mentioned, later versions of that same motherboard. One data point does not a generalization make.

Sorry, but no. It's most definitely not 99.999%. I know for the fact that you had to replace ROM chips on Risc PC, Amiga (in fact you can still buy a replacement chips) and I have seen "Flash Protect" switch on lots and lots of motherboards made in XX centory.

I remember that one specifically because it was a surprise to me that they would remove it.

> BIOS is layered-hacks-on-top-of-layered-hacks built that goes all the way back to 1982.

Yes, so what? It works. It's secure (more secure than the XXI century abomination). And easy to provide in virtual environment.

EFI is huge mess with the only redeeming quality: it can support >4TB SSDs. That's great, but I'm not sure all that pointless complexity is worth it.

Insecure-by-design POS which can not be protected by design — and I'm supposed to use for sake of “security”? Puhlease.

Sure, I use EFI when I have no choice, but that doesn't mean it's not POS.

> And it's also why, to this day, our bleeding edge Ryzen processors still pretend to be a 44-year-old 16-bit i8086 when powering up.

So what? One doesn't need that many transistors to implement that more and today there are billions of them on any x86 CPU.

Fedora considers deprecating legacy BIOS

pizza — Mon, 25 Apr 2022 14:26:30 +0000

> I still remember MS-6309.
>Year 2000 edition had a nice, simple jumper which made ROM read-only. Yes, certain change in configuration cause complaints at boot, but it was a simple matter of changing its position for one boot and return it back after that.

Meanwhile, the other 99.999% of motherboards lacked that feature, including, as you mentioned, later versions of that same motherboard. One data point does not a generalization make.

BIOS is layered-hacks-on-top-of-layered-hacks built that goes all the way back to 1982. [1] It's long past time to shoot it in the head. And it's also why, to this day, our bleeding edge Ryzen processors still pretend to be a 44-year-old 16-bit i8086 when powering up.

[1] As in when Compaq released PC clones using a clean-room reverse-engineered BIOS.

Clouds and VPSes

wtarreau — Mon, 25 Apr 2022 14:23:03 +0000

Yep it does and I discovered this one very recently, thank you for sharing anyway because it's possible it'll help others!

However it only works when the machine reaches grub, and that one is particularly stubborn and decides to boot again from the first disk because boot priorities are reset every second boot or so... I simply gave up doing kernel testing on that one.

Clouds and VPSes

wtarreau — Mon, 25 Apr 2022 14:20:02 +0000

> reduce the human population because *none* of the solution out there fix anything ( but they do produce profit ), at best they just delay it. This whole act of people pretenting to be "green" to ease their environmental guilt which has been installed by their government in conjunction with the oil companies and an trillion dollar environmental industry is just ridiculous.

This actually is the part I agree with :-)

Note that I wasn't doing some greenwashing, just explaining that I'm not seeing any reason to trash perfectly working hardware (which comes with costs and waste) just for the sake of making some developers' life easier when they claim that may hardware is dead.

Fedora considers deprecating legacy BIOS

khim — Mon, 25 Apr 2022 14:09:06 +0000

I think you should separate the XX century from the XXI century here.

I still remember MS-6309.

Year 2000 edition had a nice, simple jumper which made ROM read-only. Yes, certain change in configuration cause complaints at boot, but it was a simple matter of changing its position for one boot and return it back after that.

It was as protected from malware as one can imagine.

And then version 5 from 2001 (or was it 2002?) which not only lacked jumper in that place, it refused to boot if you short these two numbs which were left in it's place!

So, please don't tell about the problematic situation with BIOS. It wasn't problematic when people cared. It is, of course, became problematic when people started thinking only about flexibility and forgot that it's not a good idea to have computers which are trivially bricked.

Clouds and VPSes

james — Mon, 25 Apr 2022 12:15:58 +0000

... a UEFI machine that takes more than one minute doing whatever in your back before trying to boot, and you have just 2 seconds to decide what device to boot from so you're forced to stay in front counting in your head.

Just in case you haven't heard of it, does sudo grub2-reboot work for you? You run it from the Linux command line, specifying a grub menu entry, then reboot: Grub2 uses that menu entry just that once.

Works for me on Fedora.

sneaky dual-boot

lsl — Mon, 25 Apr 2022 11:44:54 +0000

Fedora's cloud image does that, I think.

Clouds and VPSes

kleptog — Mon, 25 Apr 2022 08:49:53 +0000

While I agree that them term carbon footprint can be misleading, some of your other points are off the mark. NF3 has been regulated under the Kyoto Protocol since 2012, largely as a result of the the research you're referring to. Its total radiative forcing compared to CO2 is rounding error. It's something to monitored, but hardly a major issue.

Sources:
https://en.wikipedia.org/wiki/Nitrogen_trifluoride#Greenh...
https://unfccc.int/process-and-meetings/transparency-and-...

Perfect is the enemy of good. If we only accept perfect solutions we'll never get anywhere.

I don't disagree with your sentiment that we're already basically screwed, but I don't think that's an excuse to just give up completely.

Clouds and VPSes

johannbg — Mon, 25 Apr 2022 07:30:06 +0000

> But surely I'm wrong on all that line and it's normal to trash perfectly working hardware, I'm the only one concerned about e-waste

That would be insecure working hardware, connected to the network that requires more "power" than current solutions, which adds to the environmental problem.

The people/companies that live by a concept called "carbon footprint" installed by the oil companies as part of an deceptive PR campaigns [1] on their behalf, the biggest one in history and claim that they care about the environment should not be buying/using anything involving computers,solar panels, tv's etc since in the devices manufacturing process is an chemical ( that is among few that was conveniently left out of the Kyoto Protocol international climate change agreement ) called Nitrogen Trifluoride(NF3) is being used.

"The gas is 17,000 times more potent as a global warming agent than a similar mass of carbon dioxide. It survives in the atmosphere about five times longer than carbon dioxide" [2]
It's use increases as the world is being deliberately pushed into adopting more technology as can be clearly seen in the market projections for the chemical [3].

People wont like what I'm about to say but the fact is we are way beyond point of no return for our planet at this point so if people genuenly care about the environment then they should disconnect, find another line of work and go and live like an Amish in the literal sense and figuring out solution that a) change the worlds economy in an instant and b) reduce the human population because *none* of the solution out there fix anything ( but they do produce profit ), at best they just delay it.

This whole act of people pretenting to be "green" to ease their environmental guilt which has been installed by their government in conjunction with the oil companies and an trillion dollar environmental industry is just ridiculous.

1. https://mashable.com/feature/carbon-footprint-pr-campaign...
2. https://scripps.ucsd.edu/news/potent-greenhouse-gas-more-...
3. https://www.marketquest.biz/report/108079/global-nitrogen...

Clouds and VPSes

wtarreau — Mon, 25 Apr 2022 03:41:50 +0000

> Fedora will not be allowed to make the required change to prepare RHEL due to the legacy trolls that come crawling out of last century, screaming ME ME ME, MY USECASE, FOREVER!!!! while riding on their roating,rusting, steam powered technology devices demanding that the technology universe remains frozen in time and be supported forever, as is ( another example is Adam trying to deprecate the legacy xorg driver ) as opposed to be thinking a bit further away from their own noses, ahead into the future, to the state that the industry is in now and evolving into.

This paragraph is very interesting because I've long been interpreting the situation exactly the other way. What if those unnecessary changes were only pushed hard by a few vendors who need to force their customers to regularly buy new hardware, and by software developers who see it as a guarantee to get a lifetime job ? I mean, I'm fine with changes that bring improvements, but there are many changes we're forced to swallow that significantly degrade our user experience. Sometimes you're even forced to abandon hardware by lack of support from new software, and for what justification, beyond "look how great the new version is" ?

I used to have machines that took 3 seconds to start to boot from power-on in the past. At work in the lab we have a UEFI machine that takes more than one minute doing whatever in your back before trying to boot, and you have just 2 seconds to decide what device to boot from so you're forced to stay in front counting in your head. That's one of the machines I run test kernels on... It's a good example of crap I don't need and that significantly degrades my experience by preventing me from remotely booting test kernels.

It's not about wanting to stay in the previous century, it's a concrete example of "improvements" that I didn't need and that makes users suffer for no reason except some vendors forcefully pushing that down their customers' throat.

It would be nice if software developers could sometimes try to argument their improvements as benefits perceived by their *users* and not only by themselves as software maintainers. Just claiming that "new feature X is much better and if you don't want to adopt it we'll remove the previous one and you'll have no other choice" isn't exactly how the free software movement started, quite the opposite in fact. I remember the time when we were proud to recycle old machines to make powerful Linux servers. Nowadays some linux distros force you to trash powerful machines. There must be something really wrong with that policy. The only reason I'm thinking about is the distro's policy possibly being dictated by too powerful companies whose business does not benefit from small systems.

But surely I'm wrong on all that line and it's normal to trash perfectly working hardware, I'm the only one concerned about e-waste and with purposely spending my money to buy less pleasant replacement hardware...

Fedora considers deprecating legacy BIOS

mjg59 — Mon, 25 Apr 2022 03:40:20 +0000

The security situation around BIOS was *much* worse than on UEFI, it's just that the general platform security situation was sufficiently bad that nobody was really looking at it.

Fedora considers deprecating legacy BIOS

Cyberax — Mon, 25 Apr 2022 03:26:24 +0000

BIOS-es haven't been read-only since forever. Though they are typically well-protected by very obscure toolchains that are required to build them and 16-bit x86 code that you'll have to write.

Fedora considers deprecating legacy BIOS

wtarreau — Mon, 25 Apr 2022 03:17:17 +0000

So in short, only attacks targetting the UEFI crap that would not have been possible with a read-only BIOS that doesn't try to provide operating system-like functions. When you see the Dell one which is able to download updates via https, no comments.

These examples just show that the most effective fix against all such problems is to refuse UEFI and revert back to BIOS instead.

sneaky dual-boot

pabs — Mon, 25 Apr 2022 00:46:16 +0000

What about the opposite; is it possible to set up a system so that it can boot in either UEFI or BIOS mode? IIRC current install systems don't do that, but can themselves be booted in either UEFI or BIOS mode.

sneaky dual-boot

ballombe — Sun, 24 Apr 2022 20:15:06 +0000

Sometime it is useful to setup the computer so that a different OS boots depending whether UEFI or BIOS is used.
It is also possible to have two different partitions tables (GPT and legacy) on the same disk.

Clouds and VPSes

johannbg — Sun, 24 Apr 2022 11:55:00 +0000

Google also ( almost to the date ) 2 years ago made Unified Extensible Firmware Interface (UEFI) and Shielded VM the default for everyone using Google Compute Engine and provided migration path from on premis uefi based vm images into that environment.

Fedora considers deprecating legacy BIOS

johannbg — Sun, 24 Apr 2022 06:48:46 +0000

Their change proposal is about deprecating legacy BIOS which basically just involves making documentation changes mentioning that UEFI is now a hardware requirement for new Fedora installations on platforms that support it.

The installer still supports installing Fedora on non uefi platforms.
Fedora will still work on non uefi platforms, it's just considered unsupported

What their change proposal effectively just does, is to open up the door for *other* change proposal to make further changes in Fedora which more or less will involve the elimination of the technical debt in Fedora that has been gathered since it's inception around legacy bios support.

At best it flips a switch or two for component defaulting to uefi but the fact is various upstream have already start defaulting to uefi and will eventually do code cleanups that drops any support for legacy bios regardless what downstream "feels" about it.

Those distribution that feel so strongly about it will have to carry and maintain everything themselves, they should not expect upstreams to do that *for them*.

Improving UEFI experience can and should be handled by a different change proposal in Fedora ( not that I'm seeing how since the experience from the installer is not "bad", the rest is relevant to upstream as in no downstream contributor is going to change that, let alone some individuals that are doing change proposal in Fedora, which is just a marketing gimmick for the distribution ).

Fedora considers deprecating legacy BIOS

Conan_Kudo — Sun, 24 Apr 2022 04:37:24 +0000

EDK2 is only one part of UEFI. In the entire thread, there was no commitment by the proposers to improve the experience with UEFI on Fedora Linux. There are several dimensions there to improve, but the fundamental assumption was that the current experience is fine, when it is clearly not.

Fedora considers deprecating legacy BIOS

johannbg — Fri, 22 Apr 2022 20:31:39 +0000

This put 30M Dell devices at risk for remote BIOS attacks

https://www.dell.com/support/kbdoc/en-is/000188682/dsa-20...

Many of OEM's are using insyde

https://cybersecurityworldconference.com/2022/02/02/exper...

Insyde Software Security Advisory can be found here
https://www.insyde.com/security-pledge

Report issued by U.S. Department of Homeland Security (DHS) and Department of Commerce

"Firmware presents a large and ever-expanding attack surface, as the population of electronic
devices grows. Securing the firmware layer is often overlooked, but it is a single point of failure
in devices and is one of the stealthiest methods in which an attacker can compromise devices at
scale. Over the past few years, hackers have increasingly targeted firmware to launch
devastating attacks."

https://www.dhs.gov/sites/default/files/2022-02/ICT%20Sup...

And the list goes on...

Fedora considers deprecating legacy BIOS

mattdm — Fri, 22 Apr 2022 16:24:16 +0000

Yeah, we talked about that briefly in the Fedora mega-thread. It's an interesting idea, but would require some people really excited about it to adapt to our needs.

Fedora considers deprecating legacy BIOS

abatters — Fri, 22 Apr 2022 15:47:35 +0000

> how common *is* UEFI malware anyway?

This was just in the news: Ars Technica: Hackers can infect >100 Lenovo models with unremovable malware.