Technically, yes.
The answer, in simple terms, is "yes" to all of your questions.
The firmware (BIOS or UEFI) loads before the operating system. Typically, it looks for a boot sector on your storage devices (internal HD, CD/DVD, USB drives, etc.). Then it loads the bootloader specified in the boot sector into memory and passes control to that bootloader, which will get the rest of the operating system up and running.
If the firmware is infected with malicious code, it can read/write anywhere. File permissions are implemented by the OS kernel or the file system driver, so they aren't a concern at all in this situation. This means that you are free to tamper with the OS files as well.
But also, no.
In modern systems, this is very difficult to accomplish, however.
The firmware controls access to the EEPROM, which is where its code is stored. Modern motherboards will usually only accept firmware updates which have been digitally signed by the manufacturer. You would have to defeat this mechanism first if you wanted to tamper with the BIOS/UEFI.
Newer operating systems can validate digital signatures on their files. If you tamper with their files, the digital signature will no longer be valid. E.g., if you enable Secure Boot on Windows 10 and change something, it will refuse to boot.
Obviously, you could edit the OS to strip out the digital signature checks if you control the firmware, but it is very difficult to infect firmware for several reasons.
In addition to the built-in protections, the firmware on most motherboards is customized for that individual model or, at most, that particular product line. Writing a firmware hack that applies to a wide range of motherboards is extremely difficult, and may be practically impossible.
All things considered...
It is theoretically possible to tamper with a system in this fashion. The potential for abuse is well understood, however, so the danger is addressed with reasonable technical measures.
People with physical access to your machines could flash the EEPROM chips containing the BIOS code with custom-programmed malware. It takes a lot of resources to orchestrate this, so the average computer user is not at risk.
This type of attack is easily within reach of governments and large criminal organizations. Governments and large firms are at risk, and they generally buy from trusted vendors or certified resellers to reduce the risk of acquiring compromised equipment.
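As an added example, not part of the answer above: the script below does in Python what legacy BIOS firmware does at power-on when it "looks for a boot sector". It parses a constructed 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature at offset 510; this is the real legacy MBR layout), then checks the boot code against a list of trusted digests to show how a tampered bootloader is caught before it is handed control. The SHA-256 allowlist is an assumption standing in for the vendor-signed verification that Secure Boot actually performs; the sample boot code, partition values and helper names are all constructed here for illustration.

```python
"""
Added example (not from the original answer): parse a constructed MBR boot
sector the way firmware does, then verify the boot code before "running" it.
The trusted-digest allowlist is a simplified stand-in for Secure Boot's
signature check; real firmware verifies vendor signatures, not bare hashes.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446                 # bytes 0..445 hold the boot code
PARTITION_TABLE_OFFSET = 446         # four 16-byte entries follow
MBR_SIGNATURE = b"\x55\xAA"          # bytes 510..511
ENTRY_FORMAT = "<B3sB3sII"           # status, CHS start, type, CHS end, LBA, count

# Constructed sample boot code: 'jmp $' (EB FE) padded later with zeros.
SAMPLE_BOOT_CODE = b"\xEB\xFE"


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a minimal MBR with one active Linux (0x83) partition."""
    if len(boot_code) > BOOT_CODE_SIZE:
        raise ValueError("boot code too large for the MBR")
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    # Hypothetical partition: active, type 0x83, starting at LBA 2048, 100 MiB long.
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x00\x00\x00", 0x83,
                        b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * 48      # remaining three entries unused
    return code + table + MBR_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Return boot code and partition entries, refusing sectors firmware would skip."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    if sector[510:512] != MBR_SIGNATURE:
        # Firmware treats a sector without 0x55AA as not bootable and moves on.
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FORMAT, sector[off:off + 16])
        if ptype == 0:                # empty entry
            continue
        partitions.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
        })
    return {"boot_code": sector[:BOOT_CODE_SIZE], "partitions": partitions}


def verify_boot_code(boot_code: bytes, trusted_digests: set) -> bool:
    """Allow the boot code to run only if its SHA-256 is on the trusted list."""
    return hashlib.sha256(boot_code).hexdigest() in trusted_digests


# The allowlist is built from the known-good code; in reality this role is
# played by vendor signatures checked against keys stored in the firmware.
TRUSTED_DIGESTS = {
    hashlib.sha256(SAMPLE_BOOT_CODE.ljust(BOOT_CODE_SIZE, b"\x00")).hexdigest()
}


def boot_decision(sector: bytes) -> str:
    """Mimic the firmware's decision for a given boot sector."""
    try:
        info = parse_mbr(sector)
    except ValueError as exc:
        return f"skip device: {exc}"
    if not verify_boot_code(info["boot_code"], TRUSTED_DIGESTS):
        return "refuse to boot: boot code failed verification"
    active = [p for p in info["partitions"] if p["active"]]
    return f"boot: hand control to boot code, active partition at LBA {active[0]['lba_start']}"


if __name__ == "__main__":
    good = build_sample_mbr(SAMPLE_BOOT_CODE)
    tampered = bytearray(good)
    tampered[0] ^= 0xFF               # flip one byte of the boot code
    print(boot_decision(good))
    print(boot_decision(bytes(tampered)))
    print(boot_decision(good[:510] + b"\x00\x00"))
```

Flipping a single byte of the boot code changes its digest and the decision becomes a refusal, which is the property the answer describes for Secure Boot; the verification lives in the firmware, so an attacker who already controls the firmware can simply remove that check, which is why the firmware update path itself has to be signed.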