Google working on UEFI replacement and Intel ME curtailment
Google is developing non-extensible reduced firmware based on a compact Linux kernel as a replacement for uefi to improve the security of systems. At the same time, the company wants to limit the functionality of Intel’s Management Engine.
Google’s goal with non-extensible reduced firmware, or nerf, is to prevent firmware misuse, make code operation more transparent, and strip the Intel Management Engine so that the technology no longer poses a risk. The alternative to uefi consists of a compact Linux kernel as a boot manager and initramfs written in Google’s Go as userland, to mount the root filesystem. The company also strips the uefi-rom down to the basic parts.
The problem, according to Google, is that Linux does not control the x86 platform, but that there are kernels between Linux and the hardware, which run code that is not visible. According to Google, the uefi kernel is complex and security is based on obscurity. In addition, the company refers to the System Management Mode, or SMM, which was originally intended for power management, but has since become more widely used and vulnerable to attacks. Nerf disables Google SMM.
Finally, Google points out the risks of the Intel Management Engine. This is a part of Intel processors that can operate separately from the CPU and can be used for, among other things, remote management, even when a system is turned off, with all the associated security risks. In principle, the technology cannot be switched off, but researchers recently realized a breakthrough that allows parts to be switched off. Google uses these capabilities to disable components of the Intel ME.
According to Google, nerf not only leads to a more secure boot environment, but systems also start faster. It is not known whether the company has plans to actually apply nerf to systems running ChromeOS. The company showcased nerf at the Linux Foundation’s Open Source Summit, in a presentation called Replace Your Exploit-Ridden Firmware with Linux.