Windows 8, Boot Security And Third Party Operating Systems
Things heated up quite a bit over the past two days as Microsoft started to reveal information about boot security in Windows 8. The main concern raised by Matthew Garrett and others was that secure boot could prevent the installation and use of third party operating systems like Linux on an OEM system running Windows 8.
Please note that this is only an issue for UEFI systems. If you plan to upgrade an existing system with BIOS, you won't be affected by it.
The UEFI secure boot protocol is the foundation of an architecturally neutral approach to platform and firmware security. Based on the Public Key Infrastructure (PKI) process to validate firmware images before they are allowed to execute, secure boot helps reduce the risk of boot loader attacks. Microsoft relies on this protocol in Windows 8 to improve platform security for our customers.
Microsoft today responded to those claims in another article on the Building Windows 8 blog. OEM systems shipping with Windows 8 will have secure boot enabled by default, so that only verified operating system loaders are loaded at boot time. This prevents malware from switching the boot loader, but it also prevents other operating systems that are not signed from being loaded.
While Secure Boot is enabled by default, it is up to the OEM to add controls to UEFI that allow the user to disable the feature. The Samsung tablet that Microsoft gave away at the BUILD conference, for instance, came with an option to disable Secure Boot on the device.
Microsoft employee Tony Mangefeste notes that "OEMs are free to choose how to enable this support", which means that an OEM could decide not to implement the override in the UEFI configuration. Customers would then not be able to boot third party operating systems on that OEM machine.
The only option that consumers have at this point is to find out about this before making a purchase. I for one would never buy a system that prevents me from loading a third party OS.
Your options to install Windows 8 are:
- Install Windows 8 on a PC with BIOS.
- Build your own new PC, or have it built for you.
- Verify that the OEM PC with Windows 8 is offering an option to disable Secure Boot before purchasing it.
- Hope that someone will come up with a hacked firmware to disable Secure Boot.
What's your take on Secure Boot? I personally think that it improves security, and do not think that it is an issue as long as all OEMs add the means to disable the feature. Let me know in the comments.