FOSS LinuxBoot replaces UEFI on servers

Vendors using Linux servers intend to move away from proprietary hardware with UEFI, Intel ME & Co. The free LinuxBoot is the answer to the UEFI glue of the commercial manufacturers, but is limited to the server area. Here is some information about LinuxBoot.




Microsoft, Intel and the rest of the industry are forcing the use of the Unified Extensible Firmware Interface (UEFI), which is supposed to replace the legacy BIOS on mainboards. U(EFI) describes a unified, extensible firmware interface between the firmware, the individual components of a computer and the operating system. The Linux and open source community's criticism of UEFI is quickly summarized: it is opaque and a lever to exclude unwelcome competition.

LinuxBoot as a new approach

The answer of the Linux community is LinuxBoot. LinuxBoot is, according to this project page, a firmware for modern servers that replaces certain firmware functions such as the UEFI DXE phase with a Linux kernel and a runtime environment.

LinuxBoot as a UEFI replacement

The above diagram shows the architecture of LinuxBoot, which is based on UEFI PEI (Pre-EFI Initialization) and the coreboot romstage components [1] to initialize the hardware, but then no longer needs UEFI modules. The following advantages are mentioned:

  • Improves boot reliability by replacing lightly tested firmware drivers with hardened Linux drivers.
  • Reduces boot time by removing unnecessary code. Usually makes the boot process 20 times faster.
  • Allows the initrd runtime of Linux to be adapted to site-specific requirements (both device drivers and custom executables).

According to the website, this has been a proven approach for nearly 20 years in military, consumer electronics and supercomputing systems – wherever reliability and performance are paramount.



LinuxBoot advantages

Apart from the fact that LinuxBoot is FOSS (Free Open Source Software), the developers on the project’s website give further hints on the benefits in this FAQ.

  • LinuxBoot can use any file system that Linux supports, not just FAT (as with U(EFI)).
  • Boot policies can be implemented with normal Linux applications, such as shell scripts or binaries, instead of manipulating opaque NVRAM variables.
  • Users or developers can run Linux applications directly from the ROM.
  • LinuxBoot completely eliminates legacy partitions and LVM can be used for flexible disk management.
  • LinuxBoot allows anyone to build the firmware and verify for themselves that the reproducible build matches what others have built.
  • This makes it possible to ensure that the firmware is clean. Users can have the firmware confirm via TOTP that it has not been changed.
  • Users can have a fully encrypted hard drive, with secrets sealed by the TPM and unsealed only if the firmware is not modified.
  • Device drivers can be added for things that UEFI does not support.
  • In addition, external hardware tokens such as a Yubikey can be used to sign the operating system installation and have the firmware validate the GPG signature.
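
The TOTP and TPM-sealing points in the list above, sketched as an added example that is not LinuxBoot code: the TPM is modelled in plain Python (a real TPM enforces the PCR policy in hardware), and the stage contents, the secret and all function names are constructed for the illustration.

```python
import hashlib
import hmac
import struct

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure(stages) -> bytes:
    """Measure each boot stage in order, starting from an all-zero PCR."""
    pcr = bytes(32)
    for stage in stages:
        pcr = pcr_extend(pcr, stage)
    return pcr

def seal(secret: bytes, pcr: bytes) -> dict:
    """Model of TPM sealing: bind the secret to one expected PCR value."""
    return {"policy_pcr": pcr, "secret": secret}

def unseal(blob: dict, current_pcr: bytes):
    """Release the secret only if the current PCR matches the sealed policy."""
    if hmac.compare_digest(blob["policy_pcr"], current_pcr):
        return blob["secret"]
    return None

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def boot_attest(stages, sealed: dict, now: int):
    """Code the firmware shows at boot, or None if the TPM refuses to unseal."""
    secret = unseal(sealed, measure(stages))
    return totp(secret, now) if secret is not None else None

# Constructed sample data (not real firmware images).
GOOD = [b"romstage v1", b"linux kernel v1", b"initrd v1"]
TAMPERED = [b"romstage v1", b"linux kernel v1", b"initrd v1 + implant"]
SECRET = b"12345678901234567890"   # shared with the owner's phone at provisioning
SEALED = seal(SECRET, measure(GOOD))

if __name__ == "__main__":
    now = 59
    print("phone shows:   ", totp(SECRET, now))
    print("clean boot:    ", boot_attest(GOOD, SEALED, now))
    print("tampered boot: ", boot_attest(TAMPERED, SEALED, now))
```

A matching code on the screen and on the phone means the measured stages are the ones the secret was sealed to; a changed stage yields a different PCR value, so no code can be produced.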

All in all, LinuxBoot offers some important advantages over U(EFI). I came across the topic again via this article from itsfoss.com. There I learned that the Open Compute Project was started by Facebook back in 2011. The goal was to develop open source designs for some of the Facebook servers in order to make their own data centers more efficient. LinuxBoot has been tested on some Open Compute hardware listed in the itsfoss.com article. LinuxBoot is available on GitHub. But so far it has not found its way into typical consumer client devices. Nevertheless I find the development exciting, and I think, after the suspicion mentioned in this article, the whole thing could gain even more momentum.

