How high is the risk for using laptops with closed source BIOS?

or any other source code for that matter … and the most dangerous thing for end-users is proprietary Java-Script code that can basically load a huge number of things that can Rick-Roll you to death …

The practical answer is “the ‘IP’ laws”. See, for some stupid reason, you can get a software patent for an idea, such as putting a “one click order” button on a website. For something as complex as a modern computer BIOS, there are literally hundreds of patented parts to it. And the thing is, independent development is not a reliable defense against patent infringement, so even if a company just locked their devs in a room with the hardware and no outside contact, they could still get sued over patent infringement. (Nor is it simple to verify that you’ve worked around or licensed all patented parts, as there is no one central repository to check (international treaties are a B), and sometimes non-obvious patents apply). If they don’t release the source code (while XORing parts of the code together), they can run the cost of proving patent infringement up, while not really making life more difficult for their own people.

1 Like

Actually, a lot more of the BIOS is FOSS than you think.
Anyone can download the spec for UEFI:

Intel’s reference implementation of UEFI (Tianocore > EDK > EDK2) has been FOSS since 2004. Microsoft’s Mu Project for the Surface is also FOSS. Of course, all Chromebooks use Coreboot which is almost all FOSS.

AMI, Award and Phoenix (the three major BIOS/UEFI manufacturers for PCs) can all use Intel’s reference code, but none of them release their source code, so it is hard to know how much they use.

1 Like

they aren’t required to do so by the license then i assume … it’s a very permissive license no ?

Yes, its very permissive.
Tianocore EDK2 has a BSD-style license:

By the way, its 2.2 million lines of code, and I bet that AMI, Award and Phoenix do use a lot of it, since it would be a lot of work to reimplement UEFI.

1 Like

how many EXTRA lines would need to be hidden among those 2.2 million visible in the source to make a successful/hidden infiltration possible ? not many i would imagine in comparison to the ones that already do the functionality work …