Sunday, October 6, 2019

Unified Extensible Firmware Interface - UEFI

Introduction
Boot sector viruses used to be common.

UEFI Is Firmware
The explanation is as follows. That is, UEFI finds the bootloaders located on the "EFI System Partition" and hands control over to them.
The motherboard contains firmware that runs bootloaders that boot OSes, and the two main types of such firmware are UEFI (new) and BIOS (old).
Using BIOS Instead of UEFI
There is no harm in it. The explanation is as follows.
Legacy mode (a.k.a. BIOS mode, CSM boot) matters only when the operating system boots. Once it boots, it doesn't matter anymore. If everything works as expected and you're happy with it, legacy mode is fine.
However, using UEFI is recommended. Its benefits are as follows.
Advantages of UEFI boot include:

- Faster boot times. UEFI can skip initialization of some devices which would be reinitialized by OS anyway
- Optional extra security. You can enable Secure Boot, which checks digital signatures of OS components, ensuring that they weren't tampered with. You should combine it with BIOS password protection.
- If you're using multiple OSes, UEFI offers boot manager integrated into firmware.
- If you're using Windows, UEFI mode lets you use GPT partitioning scheme, which supports disks over 3 TB. (Linux can use GPT without UEFI)
What Is the Difference Between UEFI and EFI?
The explanation is as follows.
UEFI is an updated version of EFI after the inventors of EFI donated EFI to the UEFI (Unified EFI) forum and stopped updating EFI themselves. So, yes, UEFI is the modern EFI

UEFI Update

1. The Update Must Be Digitally Signed
The explanation is as follows. Digitally signed updates can be applied from within the operating system.
Modern computers don't have a BIOS, they have a UEFI. Updating the UEFI firmware from the running operating system is a standard procedure, so any malware which manages to get executed on the operating system with sufficient privileges could attempt to do the same. However, most UEFIs will not accept an update which isn't digitally signed by the manufacturer. That means it should not be possible to overwrite it with arbitrary code.

This, however, assumes that:

- the mainboard manufacturers manage to keep their private keys secret
- the UEFI doesn't have any unintended security vulnerabilities which allow overwriting it with arbitrary code.
2. UEFI Capsule
The explanation is as follows.
The most common way of updating motherboard firmware is known as "UEFI Capsule". This method is supported by Windows update, fwupd and many manufacturer applications.

UEFI Capsule firmware updates work by copying the new version of the firmware into a specified location on the EFI partition. Applying this update is NOT immediate, as UEFI becomes read-only when control is handed over to an OS. Instead, upon each boot UEFI verifies if there is an update Capsule in the specified location, validates its signature (which would have prevented the update from being applied if the file was corrupt), and applies the update.
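The staged-capsule flow described above starts with a file that the firmware inspects on the next boot. The script below is an added example (not from the original post and not code from Windows Update, fwupd or any vendor tool) of the structural checks an update tool can apply to such a file before staging it. It implements the EFI_CAPSULE_HEADER layout from the UEFI specification (a 16-byte GUID, then UINT32 HeaderSize, Flags and CapsuleImageSize) and the rule that CAPSULE_FLAGS_INITIATE_RESET is only valid together with CAPSULE_FLAGS_PERSIST_ACROSS_RESET. It assumes the caller already has the file's expected SHA-256 from a trusted manifest; the vendor signature that the firmware itself verifies at boot is not checked here. The capsule GUID and payload used in the demo are constructed placeholders.

```python
"""Sanity-check a UEFI capsule file before staging it on the ESP (added example)."""
import hashlib
import struct
import sys
import uuid

# EFI_CAPSULE_HEADER: EFI_GUID CapsuleGuid; UINT32 HeaderSize; UINT32 Flags; UINT32 CapsuleImageSize
HEADER_FMT = "<16sIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes
CAPSULE_FLAGS_PERSIST_ACROSS_RESET = 0x00010000
CAPSULE_FLAGS_POPULATE_SYSTEM_TABLE = 0x00020000
CAPSULE_FLAGS_INITIATE_RESET = 0x00040000
FLAG_NAMES = {
    CAPSULE_FLAGS_PERSIST_ACROSS_RESET: "PERSIST_ACROSS_RESET",
    CAPSULE_FLAGS_POPULATE_SYSTEM_TABLE: "POPULATE_SYSTEM_TABLE",
    CAPSULE_FLAGS_INITIATE_RESET: "INITIATE_RESET",
}


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def parse_capsule_header(blob):
    """Decode the fixed 28-byte header; the GUID is stored in little-endian (mixed) form."""
    if len(blob) < HEADER_LEN:
        raise ValueError("file is shorter than EFI_CAPSULE_HEADER (%d bytes)" % HEADER_LEN)
    guid, header_size, flags, image_size = struct.unpack_from(HEADER_FMT, blob, 0)
    return {
        "guid": str(uuid.UUID(bytes_le=guid)),
        "header_size": header_size,
        "flags": flags,
        "flag_names": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        "image_size": image_size,
    }


def check_capsule(blob, expected_sha256):
    """Return a list of problems; an empty list means the file is structurally sane
    and matches the digest taken from the trusted manifest."""
    try:
        hdr = parse_capsule_header(blob)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if hdr["header_size"] < HEADER_LEN:
        problems.append("HeaderSize %d is smaller than the fixed header" % hdr["header_size"])
    if hdr["image_size"] != len(blob):
        problems.append("CapsuleImageSize %d does not match file length %d"
                        % (hdr["image_size"], len(blob)))
    if hdr["image_size"] < hdr["header_size"]:
        problems.append("CapsuleImageSize is smaller than HeaderSize")
    if hdr["flags"] & CAPSULE_FLAGS_INITIATE_RESET and not hdr["flags"] & CAPSULE_FLAGS_PERSIST_ACROSS_RESET:
        problems.append("INITIATE_RESET set without PERSIST_ACROSS_RESET")
    digest = sha256_hex(blob)
    if digest != expected_sha256.lower():
        problems.append("sha256 %s does not match manifest value %s" % (digest, expected_sha256))
    return problems


def build_sample_capsule(payload=b"constructed firmware image placeholder " * 4,
                         flags=CAPSULE_FLAGS_PERSIST_ACROSS_RESET | CAPSULE_FLAGS_INITIATE_RESET):
    """Constructed capsule for demonstration; the GUID is a placeholder, not a real capsule type."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")
    total = HEADER_LEN + len(payload)
    return struct.pack(HEADER_FMT, guid.bytes_le, HEADER_LEN, flags, total) + payload


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: capsule_check.py <file.cap> <sha256-from-manifest>
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        expected = sys.argv[2]
    else:  # no arguments: exercise the checks on the constructed sample
        blob = build_sample_capsule()
        expected = sha256_hex(blob)
    print(parse_capsule_header(blob))
    print("problems:", check_capsule(blob, expected) or "none")
```

The digest comparison stands in for the step an update tool can do in the OS; the page's point still holds that the authoritative check is the firmware's own signature validation, so a capsule that passes here is merely well-formed, not trusted.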
UEFI Variables
The explanation is as follows.
UEFI defines variables through which an operating system can interact with the firmware. UEFI boot variables are used by the boot loader and used by the OS only for early system start-up. UEFI runtime variables allow an OS to manage certain settings of the firmware like the UEFI boot manager or managing the keys for UEFI Secure Boot protocol etc. You can get the list using:
$ efivar --list
Example - WSL
Since WSL is not a real system, we get the following output:
$ efivar --list
efivar: error listing variables: Function not implemented
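The UEFI Variables section above describes the variables through which the OS talks to the firmware, and the WSL example shows what happens when there is no firmware to talk to. The following added example (not from the original post, and not part of efivar) decodes a few of those variables directly from the Linux efivarfs files. It assumes the efivarfs layout documented by the kernel, where each file /sys/firmware/efi/efivars/<Name>-<GUID> holds a little-endian UINT32 attribute mask followed by the variable data, and the EFI_LOAD_OPTION layout from the UEFI specification for Boot#### entries. When /sys/firmware/efi does not exist (BIOS boot or WSL, as in the output above) it falls back to constructed sample bytes so it still runs.

```python
"""Decode SecureBoot, BootOrder and Boot#### from efivarfs (added example)."""
import os
import struct

EFIVARS = "/sys/firmware/efi/efivars"
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # GUID of the global variables
LOAD_OPTION_ACTIVE = 0x00000001
ATTRS = {  # attribute bits from the UEFI SetVariable() definition
    0x01: "NON_VOLATILE", 0x02: "BOOTSERVICE_ACCESS", 0x04: "RUNTIME_ACCESS",
    0x08: "HARDWARE_ERROR_RECORD", 0x10: "AUTHENTICATED_WRITE_ACCESS",
    0x20: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS", 0x40: "APPEND_WRITE",
}


def split_efivar(blob):
    """efivarfs body = UINT32 attribute mask + variable data; returns (names, data)."""
    if len(blob) < 4:
        raise ValueError("efivarfs body shorter than the 4-byte attribute field")
    mask = struct.unpack_from("<I", blob, 0)[0]
    return [name for bit, name in ATTRS.items() if mask & bit], blob[4:]


def parse_boot_order(data):
    """BootOrder is a packed array of UINT16 Boot#### option numbers."""
    count = len(data) // 2
    return list(struct.unpack("<%dH" % count, data[:count * 2]))


def parse_load_option(data):
    """EFI_LOAD_OPTION: UINT32 Attributes, UINT16 FilePathListLength,
    NUL-terminated UTF-16LE Description, device path list, optional data."""
    attributes, path_len = struct.unpack_from("<IH", data, 0)
    off = 6
    while data[off:off + 2] not in (b"\x00\x00", b""):  # find the UTF-16 terminator
        off += 2
    if not data[off:off + 2]:
        raise ValueError("unterminated load option description")
    return {
        "active": bool(attributes & LOAD_OPTION_ACTIVE),
        "description": data[6:off].decode("utf-16-le"),
        "device_path": data[off + 2:off + 2 + path_len],
        "optional_data": data[off + 2 + path_len:],
    }


def secure_boot_state(secure_boot, setup_mode):
    """Interpret the one-byte SecureBoot and SetupMode variables."""
    if setup_mode and setup_mode[0] == 1:
        return "setup-mode"  # key databases are writable without authentication
    if secure_boot and secure_boot[0] == 1:
        return "enabled"
    return "disabled"


def summarize(raw):
    """raw: {variable name: efivarfs file body}. Returns a decoded summary."""
    data = {name: split_efivar(body)[1] for name, body in raw.items()}
    order = parse_boot_order(data.get("BootOrder", b""))
    options = {}
    for num in order:
        body = data.get("Boot%04X" % num)
        if body is not None:  # BootOrder may reference an option that does not exist
            options[num] = parse_load_option(body)
    return {
        "secure_boot": secure_boot_state(data.get("SecureBoot"), data.get("SetupMode")),
        "boot_order": order,
        "boot_options": options,
        "attributes": {name: split_efivar(body)[0] for name, body in raw.items()},
    }


def read_efivars(names, guid=EFI_GLOBAL_VARIABLE):
    """Read the named variables from efivarfs; names that do not exist are skipped."""
    raw = {}
    for name in names:
        path = os.path.join(EFIVARS, "%s-%s" % (name, guid))
        if os.path.exists(path):
            with open(path, "rb") as fh:
                raw[name] = fh.read()
    return raw


def sample_vars():
    """Constructed efivarfs-style bodies (not dumps from a real machine)."""
    nv_bs_rt, bs_rt = struct.pack("<I", 0x7), struct.pack("<I", 0x6)
    end_of_path = b"\x7f\xff\x04\x00"  # a device path holding only the end node
    desc = "ubuntu".encode("utf-16-le") + b"\x00\x00"
    boot0001 = struct.pack("<IH", LOAD_OPTION_ACTIVE, len(end_of_path)) + desc + end_of_path
    return {
        "SecureBoot": bs_rt + b"\x01",
        "SetupMode": bs_rt + b"\x00",
        "BootOrder": nv_bs_rt + struct.pack("<2H", 1, 0),
        "Boot0001": nv_bs_rt + boot0001,
    }


if __name__ == "__main__":
    if os.path.isdir(EFIVARS):
        names = ["SecureBoot", "SetupMode", "BootOrder"] + ["Boot%04X" % i for i in range(16)]
        raw, source = read_efivars(names), "efivarfs"
    else:  # BIOS boot or WSL: no /sys/firmware/efi, use the constructed sample
        raw, source = sample_vars(), "constructed sample"
    print("source:", source)
    for key, value in summarize(raw).items():
        print("%s: %r" % (key, value))
```

The attribute names are worth looking at on a real machine: SecureBoot and SetupMode are reported without NON_VOLATILE because the firmware computes them at boot, whereas BootOrder and Boot#### are persisted in NVRAM and therefore survive a reboot.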

What Is the UEFI System Partition
Bootloaders are stored in the EFI system partition. The explanation is as follows.
For UEFI there is a filesystem on the disk (a small FAT partition labeled as UEFI which contains a first stage boot loader and instructions). In some cases this is supplemented by instructions programmed into the UEFI (ie settings stored in nvram similar to the BIOS).

Once a boot loader/UEFI partition has been found, a program takes over the boot process, and this may offer the ability to boot into different modes or OSs.
Another explanation is as follows.
For UEFI you typically need an EFI System Partition (sometimes referred to as ESP). It's formatted with FAT-family FS (generally FAT32) and used to store all bootloaders for all operating systems in subdirectories or a directory called EFI (EFI legacy, see?). These bootloaders are then added to boot options list in UEFI setup or by OS installers to make them selectable in UEFI's built-in boot manager.
The UEFI System Partition Is Persistent
The explanation is as follows.
/boot/efi is a persistent directory that survives shutdown and reboot
Once control has been handed over to the operating system, this partition is no longer needed. The explanation is as follows.
In theory neither /boot/ nor /boot/efi are commonly used after boot. The two form a bridge between the BIOS (or similar) and the operating system. They are not generally used at runtime.
UEFI System Partition FAT32 Support
The explanation is as follows.
The UEFI standard requires FAT32 support.
This partition is formatted as FAT32.
It knows about FAT32 file system (and even more file systems on non-standard implementations), therefore boot files are stored in the EFI system partition, A.K.A ESP. The UEFI loads the *.efi applications in the ESP which will then load the operating systems.
UEFI System Partition NTFS Support
NTFS is not supported. The explanation is as follows.
UEFI doesn't support NTFS. The spec calls for FAT family support. Vendors could add NTFS support, but:

- It's not really necessary, because FAT32 is completely sufficient and much less complex
- Unless all vendors agreed to add NTFS support, it wouldn't be a universally usable configuration anyway.
What Is GPT
GPT is also defined by UEFI. I moved it to the GPT post.

Windows BootLoader
I think the path is as follows.
C:\Windows\System32\winload.efi
Checking Whether Ubuntu Is Using EFI
The explanation is as follows. For example, my computer uses EFI.
/sys/firmware/efi is created every time the computer is booted.
We do it like this.
if test -d /sys/firmware/efi; then echo efi; else echo bios; fi
or we do it like this.
test -d /sys/firmware/efi && echo efi || echo bios
Returning to the UEFI Setup Screen
The systemctl command is used.
Example
We do it like this.
systemctl reboot --firmware-setup

