Hello everyone,
In the wake of the recent Right to Repair Act (SB 244) enacted in California on October 10, 2023, the discourse around consumer rights and sustainable technological practices has intensified. A critical facet of this discourse is the BIOS/UEFI (Basic Input/Output System/Unified Extensible Firmware Interface), the fundamental firmware that initializes the hardware during the boot process of our computing devices.
Currently, BIOS/UEFI is largely under proprietary control, posing substantial barriers to our ability to repair, upgrade, and exercise full control over our own devices. This proprietary dominance not only stifles technological innovation and user freedom but also raises serious security concerns. The lack of transparency and verifiability inherent in closed-source firmware like Intel’s Management Engine (IME) and AMD’s Platform Security Processor (PSP) presents potential security vulnerabilities.
I am launching a petition on Change.org to advocate for Free and Open Source BIOS/UEFI. This initiative transcends personal control over our devices. It symbolizes a stride towards reducing electronic waste, promoting sustainability, and nurturing a culture where technology serves as a medium for empowerment rather than suppression.
The necessity for freedom in hardware firmware is clear. Open BIOS/UEFI furnishes a foundational level of control and understanding, dismantling barriers that keep users distanced from the core operations of their devices, and fostering a more inclusive and participatory technological ecosystem.
We are at a pivotal moment. The momentum nurtured by the Right to Repair movement invites us to extend the principles of openness and user empowerment to the foundational firmware of our devices. Our proactive stance today significantly influences our digital autonomy tomorrow.
The global advocacy for digital rights is reaching a crucial point, with a growing community rallying for more control, transparency, and accountability in the technology we use daily. The shift towards a more open and user-centric technological landscape is not just a fleeting trend, but a substantial movement that echoes the broader societal values of autonomy, privacy, and democratic engagement.
This petition endeavors to rally tech industry stakeholders and governmental bodies to advocate for the liberation of BIOS/UEFI from proprietary control. With open BIOS/UEFI, we inch closer to a technological landscape that aligns with democratic values, ensuring that technology serves the collective, not just a privileged few.
I invite you to sign the petition, disseminate it within your networks, and vocalize your support for a more open, sustainable, and democratically-aligned computing environment.
Together, through a shared vision and collective action, we can usher meaningful change in the technological domain.
Thank you for your support.
Currently, BIOS/UEFI is largely under proprietary control
This is incorrect.
The UEFI Forum makes specifications freely available at no cost at https://uefi.org/specifications, and membership is free which would then allow you to redistribute and otherwise use the specs. There are many “open specifications” that require either a one-time purchase of a single specification or a subscription for continued access to a set of specifications, that you of course then cannot share. (PCI-SIG requires a company subscription at $4000 a year to access PCIe related specs.)
edk2, the reference implementation used on everything with UEFI, is open source (BSD-2-Clause-Patent) and available on GitHub: https://github.com/tianocore/edk2.
The problem is not that it’s under proprietary control, it’s that every fucking company forks edk2 into proprietary products because the license allows it (because Intel required it).
- Most ODMs/IBVs/OEMs are not willing to make their garbage “value-add” components available, let alone source code for them.
- Many companies are not willing or unable to make available any required datasheets or provide source code for Platform Initialization (such as NDAs for 3rd party components).
- Intel has not only gone back on its word about making more the FSP open source (FSP also uses edk2), they are trying to take control even more by shoving increasingly more shit into the FSP.
While I appreciate that some components are open-source, the goal here is broader—ensuring BIOS/UEFI is not just open-source but entirely free and open in an ethical sense. This aims for complete transparency, verifiability, and user freedom, beyond what current licenses like BSD-2-Clause-Patent allow. The proprietary forks and lack of transparency you mentioned actually reinforce the need for a fully free BIOS/UEFI. Your points are well taken but highlight that there’s still work to be done to achieve full user freedom.
This whole “project” is the very definition of a solution in search of a problem.
You’re more than welcome to flash whatever bin you want to put together. No one is stopping you. If you want these companies proprietary apis you’re kidding yourself.
This whole “project” is the very definition of a solution in search of a problem.
You’re more than welcome to flash whatever bin you want to put together. No one is stopping you. If you want these companies proprietary apis you’re kidding yourself.
The goal isn’t merely to flash custom binaries; it’s about creating a computing environment where that sort of freedom is a given, not an exception reserved for those in the know.
Your comments make you come off as clueless as to how firmware works and is developed.
You don’t need to be an expert in firmware development to recognize the systemic issues at play here. Understanding the problem doesn’t require a deep technical background.
There are no systemic issues lol. Ur claiming that without providing any proof of an issue as per my original comment.
The issues are systemic because they exist at the foundational level of computing, affecting all users who rely on proprietary BIOS/UEFI systems. These aren’t isolated cases, they’re widespread vulnerabilities, as documented by experts in the field. Below are recent revelations highlighting the gravity of these vulnerabilities:
AMI AptioV: Vulnerability allowing command injection via local network misuse: https://www.cisa.gov/news-events/bulletins/sb23-261#:~:text=Windows Themes Remote Code Execution,version of the respective
Dell Client BIOS: Time-of-check Time-of-use (TOCTOU) vulnerability: https://www.dell.com/support/kbdoc/en-us/000212817/dsa-2023-152-security-update-for-a-dell-client-bios-vulnerability#:~:text=Article Number%3A 000212817 DSA,Article Properties Rate This Article
Intel BIOS Firmware: Vulnerabilities potentially allowing privilege escalation, information disclosure, or denial of service: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00813.html#:~:text=Potential security vulnerabilities in the,37343
Major BIOS Vulnerabilities: 23 vulnerabilities impacting various vendors including Intel and Lenovo: https://www.tomshardware.com/news/enterprise-oem-vunerabilities#:~:text=23 Major BIOS Vulnerabilities Discovered%2C,2027%2C 14nm by 2030
Intel’s New BIOS Vulnerabilities: 16 vulnerabilities allowing Denial of Service and Escalation of Privilege: https://www.tomshardware.com/news/intel-lists-16-new-bios-vunerabilities#:~:text=,Service and Escalation of Privilege
Hasn’t it been established already that APIs can’t be proprietary, like the case woth Oracle against Google?
No it is perfectly legal to have a private API. This is not a patent issue its a we won’t give you our code issue.
Yeah but you’re talking about APIs, not code.
API is code
What’s behind the API is code. API itself is only an communication interface.
You basically just proved OP’s point that most our firmware is closed and it’s a problem.
Wit that said, the nuance you mentioned is good to have, especially that we’re talking about legal stuff here.
I’m down but its unlikely to change anything. I bought a system76 labtop because I knew it wouldn’t do anything silly.
System76 is a great choice for a laptop! It might seem like a small step, but collectively, these actions can make a difference and encourage better practices in the tech industry.
What’s your opinion on framework computers
I do thing it was a bit over priced but that’s a small price to pay I suppose
Define silly? I don’t think they deactivate Intel ME or AMD PSP
On 13th Gen the Intel ME is disabled and 12th Gen are being updated to disable it as well. The AMD PSP is a different thing since there isn’t coreboot for AMD systems.
Very pog but is Intel not gonna patch this?
So what is the issue with this project https://libreboot.org/ ? maybe instead demanding change, supporting alternatives is a better option
So what is the issue with this project https://libreboot.org/ ? maybe instead demanding change, supporting alternatives is a better option
Libreboot is a great project, but its strict commitment to minimal blobs can limit compatibility. While the broader open BIOS/UEFI discussion often aims for a balance between freedom and compatibility, my advocacy is focused on pushing for a fully free and open BIOS to empower users to the greatest extent possible.
Edit: In fact, Leah Rowe, the creator of Libreboot, just signed the petition.
signed, thank you!
I don’t want to sound non supportive, but just out of curiosity: why not put the effort into smartphone bootloaders, which are a high bottleneck of locking users and preventing right to repair?
I mean, while uefi isn’t so tranaparent, we can at least install our os of choice, something usually not possible in phones.
A victory in making BIOS/UEFI open and free could set a precedent that influences other realms of hardware and software, including the smartphone bootloaders you mentioned. It’s a step towards a more comprehensive shift in how we approach user freedom across devices.
software freedom or death
Hah! As if. Low level things like that is reserved for the best state-sponsored malware. We can’t be opening that up and letting users (gasp!) protect themselves.
It would also undermine the OS security stuff, in the same way that Nintendo Switches were hacked through the bootloader when they first came out. Just have the BIOS tell the OS everything’s ok. So it really, really is a non-starter, as far as the industry is concerned.
With a free and open framework and the right security measures, we can address these issues over time and build a unified BIOS that empowers users while maintaining security standards. This initiative aims to create a more transparent and user-controlled tech ecosystem, recognizing that security through obscurity is not the solution.
Yeah I understand the benefits - and even want them - but I really don’t see it happening. You mentioned the Intel ME, that was introduced right around the time the NSA started their PRISM program. Between commercial and intelligence interests I don’t think this idea will take off. If anything, state actors have been actively preventing open hardware from being developed and sold commercially.
Challenges from corporate and state players are real, but that’s all the more reason to push for change. Sure, it’s a tall order given the interests you’ve mentioned, but if we don’t speak up, who will? Advocacy starts somewhere, and it’s initiatives like this petition that can at least get the ball rolling.
I want to be able to compile the BIOS and sign it with my own key.
On one hand, I fear this could to people trying to have DDR5 speeds on DDR4, but on the other would make easier to spot and fix moronic features like the auto-update on some recent ASUS(?) motherboards.
[Duplicate comment]
Signed!
Wish there was an alternative to change… they force a subscription to their shit every time you sign
Wish there was an alternative to change… they force a subscription to their shit every time you sign
Right now, it’s the best tool we have for large-scale impact. I apologize for any inconvenience you might experience due to their subscription model.
Is there any actual evidence that a change.irg petition gets anything changed?
The front page of Change.org showcases various successful campaigns.
No not really
