Intel Boot Guard explained
Intel themselves have a quick little explanation of Boot Guard in this document about Haswell’s new platform features. In summary, Boot Guard is a hardware-based technology designed to prevent malware and other unauthorized software from replacing or tampering with the low-level UEFI firmware.
Boot Guard has two separate modes, according to Intel. Every single PC OEM we know of configures it to work in “Verified Boot” mode. The PC manufacturer fuses their public key into the hardware itself. If the UEFI firmware isn’t signed by the OEM—that is, created by the OEM—the computer will halt and refuse to boot. That’s why you can’t modify the UEFI firmware or change it to something else.
Purism’s freedom-obsessed Librem 15 laptop won’t use the Verified Boot option.
There’s also a second option: “Measured Boot” mode, where the hardware securely stores information about the boot process in a trusted platform module (TPM) or Intel Platform Trust Technology (PTT). The operating system could then examine this information, and—if there was a problem—present an error to the user.
As Purism recently discovered, laptop makers can choose to have their hardware boot without looking for a digital firmware signature at all. The fusing of the processors can be set by the motherboard manufacturer to simply bypass the check. Purism’s crowdfunded Librem 15 laptop will ship with a modern Intel CPU fused to run unsigned BIOS code.
In other words, Intel and Boot Guard don’t absolutely require hardware manufacturers to lock the computer to only using manufacturer-signed firmware, but every major PC maker does anyway.
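To make the "Measured Boot" mode above concrete, here is an added simulation (not code from the article, Intel or Purism) of how measurements accumulate in a TPM PCR and how an operating system could later spot a modified firmware stage. The stage names IBB, PEI and DXE, the sample firmware bytes and the "golden" reference values are constructed for illustration; the real PCR index and event-log format Boot Guard uses are not described on this page.

```python
import hashlib

# Simulated SHA-256 PCR bank: a TPM PCR holds all zeros at reset.
PCR_INIT = bytes(32)

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new_pcr = SHA-256(old_pcr || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()

def measure_boot(stages):
    """Measure firmware stages in boot order and return the final PCR
    value plus an event log of (stage name, digest hex) entries."""
    pcr, log = PCR_INIT, []
    for name, image in stages:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log

def verify_boot(pcr, log, golden_pcr, golden_log):
    """OS-side check: replay the event log to confirm it reproduces the
    PCR (so the log can be trusted), then compare against golden values
    and name the first stage whose digest differs."""
    replay = PCR_INIT
    for _, digest_hex in log:
        replay = extend(replay, bytes.fromhex(digest_hex))
    if replay != pcr:
        return False, "event log does not match PCR"
    if pcr == golden_pcr:
        return True, None
    if len(log) != len(golden_log):
        return False, "stage count differs"
    for (name, digest), (_, golden) in zip(log, golden_log):
        if digest != golden:
            return False, name
    return False, "unknown stage"

# Constructed sample firmware images (hypothetical, not real firmware).
GOOD_STAGES = [
    ("IBB", b"initial boot block v1"),
    ("PEI", b"pre-EFI init v1"),
    ("DXE", b"driver execution env v1"),
]
GOLDEN_PCR, GOLDEN_LOG = measure_boot(GOOD_STAGES)

def example_tampered_boot():
    """Boot with a modified PEI stage; the check names the stage."""
    tampered = list(GOOD_STAGES)
    tampered[1] = ("PEI", b"pre-EFI init v1 (modified)")
    pcr, log = measure_boot(tampered)
    return verify_boot(pcr, log, GOLDEN_PCR, GOLDEN_LOG)

if __name__ == "__main__":
    print(example_tampered_boot())  # (False, 'PEI')
```

Unlike Verified Boot, nothing here halts the machine; the firmware still runs, and it is the later comparison against known-good values that reveals the change.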
It’s all a big conspiracy, right? Not exactly
It can be tempting to see this as a big conspiracy. These big corporations—Intel and hardware manufacturers—are preventing us from running the software we want to run on our own computers, as if we were using some underpowered, locked-down Surface RT instead of a powerful PC we’re supposed to have control of.
And sure, that’s true, but Boot Guard does help secure the UEFI firmware and protect against malware that infects the boot process. Intel and PC OEMs aren’t out to crush free software and prevent open hardware. The truth is more mundane—Intel and hardware manufacturers prioritize tighter security for the masses over the proprietary firmware concerns of a few.
But, to their credit, Intel does allow PC manufacturers to configure the hardware in a different way. The real way to get that open hardware seems to be to build it from scratch and make the right decisions along the way, as Purism is trying to do. If you want this sort of open hardware, be prepared to vote with your wallet. Taking existing PC laptops and trying to bend them into open hardware—as Gluglug does with the Free Software Foundation-endorsed Libreboot—doesn’t seem to be an option anymore.
When freelance writer Chris Hoffman isn’t writing about gadgets and software, he’s probably using them in his spare time.