How high is the risk for using laptops with closed source BIOS?

or any other source code for that matter … and the most dangerous thing for end-users is proprietary JavaScript code that can basically load a huge number of things that can Rick-Roll you to death …

The practical answer is “the ‘IP’ laws”. See, for some stupid reason, you can get a software patent for an idea, such as putting a “one click order” button on a website. For something as complex as a modern computer BIOS, there are literally hundreds of patented parts to it. And the thing is, independent development is not a reliable defense against patent infringement, so even if a company just locked their devs in a room with the hardware and no outside contact, they could still get sued over patent infringement. (Nor is it simple to verify that you’ve worked around or licensed all patented parts, as there is no one central repository to check (international treaties are a B), and sometimes non-obvious patents apply). If they don’t release the source code (while XORing parts of the code together), they can run the cost of proving patent infringement up, while not really making life more difficult for their own people.

Actually, a lot more of the BIOS is FOSS than you think.
Anyone can download the spec for UEFI:


Intel’s reference implementation of UEFI (Tianocore > EDK > EDK2) has been FOSS since 2004. Microsoft’s Mu Project for the Surface is also FOSS. Of course, all Chromebooks use Coreboot which is almost all FOSS.

AMI, Award and Phoenix (the three major BIOS/UEFI manufacturers for PCs) can all use Intel’s reference code, but none of them release their source code, so it is hard to know how much they use.

They aren’t required to do so by the license then, I assume … it’s a very permissive license, no?

Yes, it’s very permissive.
Tianocore EDK2 has a BSD-style license:

By the way, it’s 2.2 million lines of code, and I bet that AMI, Award and Phoenix do use a lot of it, since it would be a lot of work to reimplement UEFI.

How many EXTRA lines would need to be hidden among those 2.2 million visible in the source to make a successful/hidden infiltration possible? Not many, I would imagine, in comparison to the ones that already do the functionality work …