DethNinja

I think open source firmware is one of the major requirements for security in 2022.

It is fairly easy to backdoor or infect firmware, yet very few companies use components with open source firmware.

Infections can be dealt with frequent firmware verification but only solution for backdoors seems to be open source firmware.

acd

Agree on open. We should also think in terms of simple.

UEFI is a big bloat of closed source security mess.

Secure boot. Just jump to start address of M2.SSD nothing more.

kr99x
UEFI is not a big bloat of closed source. UEFI is a spec that defines a newer, more feature-rich and easily-extensible way to boot than legacy BIOS. There is a common core, used by just about every single UEFI-based firmware out there, that is completely open source available here https://github.com/tianocore/edk2 and it's completely possible to ship a fully open UEFI system.

It happens to be the case that most organizations using UEFI-based firmware don't, and they keep everything beyond that core closed-source. This is not the fault of UEFI - those companies were closed source beforehand, and that trend continued. UEFI neither caused nor enabled them to be that way.

Now you may not want any of the things UEFI brings to the table, like GPT and booting to partitions larger than 2.2TB, or filepath based booting rather than sector based booting (or sector-booting into a boot manager and file booting from there). That's fine, but there's a difference between "X provides Y which I don't need" and "X causes Z which is bad" - UEFI causes almost none of the things people blame it for.

If you must blame UEFI for one thing, you can blame it for Secure Boot, as that wasn't (easily) possible with legacy BIOS. But neither is it mandated what keys it does or doesn't include, or even that it be implemented/enabled! UEFI has nothing to do with whether you should use Secure Boot - only that you can. The blame lies mostly with Microsoft for pushing so hard on vendors to ship with it enabled/locked/whatever.