The recent discovery of the Management Engine (ME) inside the CPU, followed by several exploits based on it in Intel systems, has made security-conscious people ask whether the firmware Intel provides for our systems is secure at all.
The latest Intel systems come with UEFI (Unified Extensible Firmware Interface), a specification that defines a software interface between an operating system and platform firmware. UEFI replaces the Basic Input/Output System (BIOS) firmware interface originally present in all personal computers, with most UEFI firmware implementations providing legacy support for BIOS services.
UEFI is a proprietary and closed-source operating system, with a codebase almost as large as the Linux kernel, that runs when the system is powered on and continues to run after it boots the OS (hence its designation as a “Ring -2 hypervisor”). It is a great place to hide exploits since it never stops running, and these exploits are undetectable by kernels and programs.
In this video, Ron Minnich, a software engineer at Google (and a developer of the famous coreboot project), explains how NERF (Non-Extensible Reduced Firmware), an open source software system developed at Google, can replace almost all of the UEFI firmware with a tiny Linux kernel and initramfs.
The initramfs file system contains an init and command line utilities from the u-root project (http://u-root.tk/), which are written in the Go language.
U-root is an embeddable root file system intended to be placed in a FLASH device as part of the firmware image, along with a Linux kernel. The program source code is installed in the root file system contained in the firmware FLASH part and compiled on demand. All the u-root utilities, roughly corresponding to standard Unix utilities, are written in Go, a modern, type-safe language with garbage collection and language-level support for concurrency and inter-process communication. Unlike most embedded root file systems, which consist largely of binaries, U-root has only five: an init program and 4 Go compiler binaries.
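Because such a root file system is meant to hold source code plus a handful of known binaries, an unpacked image can be audited for any executable that should not be there. The following Go check is an added example, not code from u-root or NERF; the function name `UnexpectedBinaries` and the allow-list entries are assumptions, since the page does not name the five binaries or their paths.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
)

// elfMagic is the four-byte header that starts every ELF executable.
var elfMagic = []byte{0x7f, 'E', 'L', 'F'}

// UnexpectedBinaries walks an unpacked root file system and returns the
// slash-separated relative paths of ELF files missing from the allow-list.
func UnexpectedBinaries(root string, allowed map[string]bool) ([]string, error) {
	var extra []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err // propagate walk errors; skip dirs, symlinks, device nodes
		}
		f, err := os.Open(path)
		if err != nil {
			return err
		}
		defer f.Close()
		head := make([]byte, 4)
		if _, err := io.ReadFull(f, head); err != nil {
			return nil // too short to hold an ELF header
		}
		// WalkDir only yields paths under root, so Rel cannot fail here.
		rel, _ := filepath.Rel(root, path)
		rel = filepath.ToSlash(rel)
		if bytes.Equal(head, elfMagic) && !allowed[rel] {
			extra = append(extra, rel)
		}
		return nil
	})
	return extra, err
}

// main audits the current directory; arguments are the allowed binary paths
// (hypothetical values, supplied by whoever built the image).
func main() {
	allowed := map[string]bool{}
	for _, p := range os.Args[1:] {
		allowed[p] = true
	}
	fmt.Println(UnexpectedBinaries(".", allowed))
}
```

Run it from the top of the extracted initramfs with the expected binary paths as arguments; an empty list means every ELF file found is one the builder expected.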