Taking Advantage of Preboot Moments
Computers defy our everyday experience of knowing what a device cant do. Your TV set cant suddenly start sending information on your video rental habits to the PTA newsletter. It simply doesnt have that capability. Your car cant suddenly take control and drive you to a restaurant specified by the automakers business partner when you try to go to dinner somewhere else. That capability just isnt there, and it cant be added without your permission.
In contrast, computers are just too darned capable of being invisibly transformed into a new kind of machine. Moreover, thanks to network connections and automation features, that transformation can take place without our effort or even our knowledge. Its time to put as much ingenuity into greater assurance of what computers cant do as the industry has so far invested in enabling them to do more.
I found cause for hope along these lines in my conversation late last month with Robert Wise, vice president at Phoenix Technologies, in Milpitas, Calif. If youve been around PCs for very long, you recognize Phoenix as the source of the IBM-compatible BIOS firmware that arguably created the fully IBM-compatible PC industry.
Wise discussed the difference between the boot-up experience of the early years, when users actually observed and often understood the POST (Power-On Self-Test) data that their PCs displayed, and the much-higher-level interaction of users who dont really look at their screens until the Windows desktop appears. The problem, Wise pointed out, is that the machine is still a computer and still capable of having new function injected into it during the preboot time. "One of the most vulnerable points is during the first few seconds before the operating system gets control," Wise said.
Phoenix is addressing this in cooperation with IBM, Dell, AMD, Intel, Microsoft and other members of the nonprofit Unified Extensible Firmware Interface Forum, whose specification for a tightly controlled preboot handoff interface is due to appear by years end. "Were the first electrons that run when you turn on the box, and we control what happens next; through our initiativesstandards-drivenwe can make that a much more powerful environment," Wise said.
Ive previously argued that a new PC, at least in a networked enterprise setting, should come out of the box with only one enabled function: to connect to a single trusted site for download of applications and concurrent configuration of firewalls and other resource privileges. The kind of thing that the Unified EFI group is doing could foster that approach to an enterprise appliance and could also constrain the generality of the PC platform to make it a more secure foundation for network appliances of other kinds.
A device that comes with Phoenixs TrustConnector technology can authenticate itself to the network and engage in public-key crypto handshakes before the operating system even kicks in, enabling a range of applications. "Were punching a hole up through the device into the network," Wise said. "Well have a secure TCP/IP stack; well be able to reach out through 802.1x to secure endpoints in the enterprise or in a managed service provider network. Utility grids will be able to tie these devices securely in to their infrastructure without a general-purpose OS."
Im not as enthusiastic about the rights management applications of this same technology. With a cryptographically verified system identity, a software or digital content vendor could sell a machine-specific software key that would let an instance of a product run on one, and only one, machine. That opens the door to vastly expanded online sale and subscription business models with dramatically lower possibilities of piracy, and, overall, thats probably a good thing. But Im leery of the potential for a drastic contraction of the scope of fair-use doctrine. Technology should not make policy, and its up to user advocacy groups to avoid that encroachment.
Overall, though, Im encouraged by the efforts of Phoenix and other Unified EFI Forum participants. I like the idea of helping PCs recover from their identity crisis. I root for anything that will make PCs more controllable and more predictable machines.
Technology Editor Peter Coffee can be reached at firstname.lastname@example.org.
Check out eWEEK.coms for the latest news in desktop and notebook computing.