Windows 8, Boot Security And Third Party Operating Systems
Things got heated up quite a bit in the past two days as Microsoft started to reveal information about boot security in Windows 8. The main concern raised by Matthew Garrett and others was that secure boot could prevent the installation and use of third party operating systems like Linux on an OEM system running Windows 8.
Please note that this is only a issue for UEFI systems, if you plan to upgrade an existing system with BIOS you won't be affected by it.
The UEFI secure boot protocol is the foundation of an architecturally neutral approach to platform and firmware security. Based on the Public Key Infrastructure (PKI) process to validate firmware images before they are allowed to execute, secure boot helps reduce the risk of boot loader attacks. Microsoft relies on this protocol in Windows 8 to improve platform security for our customers.
Microsoft today responded to those claims in another article on the Building Windows 8 blog. OEM systems shipping with Windows 8 will have secure boot enabled by default to only load verified operating system loaders during boot time. This prevents malware from switching the boot loader, but also other operating systems that are not signed from being loaded.
While Secure Boot is enabled by default, it is up to the OEM to add controls to UEFI to allow the user to disable the feature. The Samsung tablet that Microsoft gave away on the BUILD conference for instance came with an option to disable Secure Boot on the device.
Microsoft employee Tony Mangefeste notes that "OEMs are free to choose how to enable this support", which means that OEM could make the decision to not implement the override in the UEFI configuration. This would then mean that customers would not be able to boot third party operating systems from the OEM machine.
The only option that consumers have at this point is to find out about this in advance before making a purchase. I for one would never buy a system that prevents me from loading a third party OS.
Your options to install Windows 8 are:
- Install Windows 8 on a PC with BIOS.
- Build your own new PC, or have it build for you.
- Verify that the OEM PC with Windows 8 is offering an option to disable Secure Boot before purchasing it.
- Hope that someone will come up with a hacked firmware to disable Secure Boot
What's your take on Secure Boot? I personally think that it improves security, and do not think that it is an issue as long as all OEMs add the means to disable the feature. Let me know in the comments.
Advertisement
I’m with you on this. If it can be disabled to allow me to run *nix then it’s ok. I doubt any vendor would be stupid enough to lock out third-party OSes.
I imagine the option to disable Secure Boot will be available on all OEM versions.
Computer manufacturers are responsible for Windows 8 operating system support
and they have a vested interest in avoiding added support calls for an issue like this.
The option to disable Secure Boot is a safe one to include for the
simple reason that anyone who disables it knows why and what for.
This is not something the vast majority of users will attempt to employ.
The wild card on this though is that manufacturers may stipulate that
disabling Secure Boot will void your warranty for OS system support.
Disabling secure boot will void Microsoft’s logo.
I think that most OEM will take the easy way and NOT add the option of disabling secure boot. This in turn will boost the sales of Mac laptops which allow the installation of Windows and Linux in dual boot.
p.s I wonder what will be the reaction from EU regulators on this issue. Judging from the past they may block all sales of PCs with Windows 8 that doesn’t have the option of disabling secure boot as it blocks competition (as they blocked installations of IE and WMP with Windows).
As a longtime Linux user one could imagine that I hate a locked boot mechanism. But I do not. Given that majority of computer users are not tech savvy it only makes sense to secure the boot by design, by default.
But to give users an ability to unlock it, two things can be implemented. 1. No OS should be able to write to BIOS ROM. 2. Have a hardware switch on the box or on the motherboard that will temporarily unlock secure boot.
This begs the question as to why it being left up to the computer makers.
Because the only reason why they could possibly NOT allow you to disable this “feature” would be if Microsoft were offering incentives (cash, favors, priority support, threats) to the PC manufacturers and BIOS suppliers for them not to do so.
Microsoft has demonstrated a talent for twisting arms in the past. Why should this latest thing be any different.
Hardware always has to allow third-party software.
————————————————————
By hardware- and/or software-switch or whatever.
This is a typical M$-move. We all know what they want.