What's the best: UEFI vs. Legacy? (security-wise)

Hello, from a security point of view, is UEFI or legacy BIOS better to have in Qubes? When I installed legacy I had no problems, but with UEFI I had to comment out noexitboot and mapbs. I also had to manually make my SSD bootable with my BIOS, and I apparently have to do that setup every time the kernel and Xen get updated.

1 Like

Hi @Fire,

I think you (we) may get more useful answers by separating both topics. The simplest option would likely be to keep the UEFI vs Legacy boot here and open a new topic for Leak proof VPN. Could you please do that?

Opening separate topics will make it easier for everyone to relate the answers to the question(s), and will make both topics easier to find for people with similar questions in the future! :slightly_smiling_face:

It’s likely only a matter of editing your post and cutting the VPN part to paste it in a new topic, but if needed, @deeplow may be able to help :wink:

For reference: This is not explicitly called out in the FAQ, but is directly related to the guideline Keep It Tidy. It is a lot easier to separate topics early on than it is to untangle a stream of interleaved replies!

2 Likes

What Qubes version do you use?
I use UEFI with 4.1. In what files do you need to comment out noexitboot?

What command?

My Qubes version is 4.0.4, and I had to comment out those listed in BOOTX64.cfg before installation because it was freezing.

I then followed the following in the FAQ in order to get my SSD to read as a bootable device under my BIOS: Boot device not recognized after installing

Very quickly:

It’s important to realise that there isn’t one UEFI - UEFI is a
standard, implemented in different ways by different manufacturers.
The code is complex and closed, in almost all cases, although Tianocore
provides an open-source implementation of UEFI. In most cases, you have
no idea what the OEM has done.

I’ll use “UEFI” as shorthand for “UEFI implementations”.

UEFI is now widely deployed, and is a target for hackers. It’s software
and vulnerable to all the usual threats. Some attacks will be transient,
but others will be persistent - e.g. anything injected to the flash
regions will run on every boot.
UEFI has certain modes that are transparent to the system, but provide
privileged access, including full visibility of all processor and
memory contents and devices.
Code in the SMM has full access to memory and devices, is not controlled
by the OS (or Xen in the case of Qubes), and can read and write to
memory at will, as well as change file contents on disk.

This doesn’t sound like something I would want on a machine with sensitive
contents.

Note that if you have a legacy boot option alongside UEFI, that isn’t
legacy boot. It’s a mode of UEFI that provides the functions of a legacy
boot. In some cases it’s better, but who knows?

If all this sounds worrying to you, it should.
The only widely used alternative is something like coreboot - you can
use Tianocore as a payload and have some features of UEFI. Coreboot
is only available for a limited range of machines. Not just classic
Lenovos: System76, Purism and some Chromebooks are good.

2 Likes