FSF Criticizes Microsoft For Secure Boot Feature - gHacks Tech News

FSF Criticizes Microsoft For Secure Boot Feature

Hardware manufacturers that want to ship Microsoft's upcoming Windows 8 operating system with their PCs need to implement the Secure Boot feature that is part of the UEFI specification.

The feature determines which code or programs can be started during boot. The core intention here is to prevent malware and other unauthorized code from being executed when the computer boots. (see Windows 8, Boot Security And Third Party Operating Systems for details)

While that looks like a good security feature it also means that the feature will block other unauthorized operating systems from being started on the system.

The main problem that the Free Software Foundation (FSF) sees is that Microsoft is giving the manufacturers the power to decide how to implement the feature. This means in particular that hardware vendors could implement the feature in a way that the user could not install any other operating system on the PC.

Matthew Garrett points out that Windows 8 certification requires that hardware ship with UEFI boot enabled, that it does not require users to be able to disable the feature (which can be done) and that it does not require that the PCs ship with any keys other than that of Windows. According to Matthew, some hardware vendors have already confirmed their intention that they wont give the user the option to disable UEFI secure boot.

This means that the user may no longer be in control of the computer. The hardware manufacturers and Microsoft are.

What does this mean for the end user? Microsoft claim that the customer is in control of their PC. That's true, if by "customer" they mean "hardware manufacturer". The end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality. The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware. The end user is no longer in control of their PC.

Even worse, it could furthermore mean that hardware that would otherwise be compatible with the PC won't function because of missing signing keys. This could mean that users will be unable to swap graphics cards, network cards or other peripherals.

One could now say that users have to just buy from the right vendor to avoid this if they want to install other operating systems on their PC. The issue here is that this would require extensive research on part of the user. They first would need to be aware of the limitations of Secure Boot, and then need to research how particular PC vendors have implemented the feature in their PCs. This is far from practicable.

The only sure way out is to build your own PCs or convince Microsoft and hardware vendors to give users control over the feature. The FSF is asking users to sign a statement to "urge all computer makers implementing UEFI's so-called "Secure Boot" to do it in a way that allows free software operating systems to be installed".

  • We need your help

    Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

    We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.

    If you like our content, and would like to help, please consider making a contribution:


    1. Transcontinental said on October 20, 2011 at 9:03 am

      I have signed in but after 15 minutes or so still haven’t received their email confirmation of mine …

      1. Martin Brinkmann said on October 20, 2011 at 9:51 am

        Have you checked your spam folder?

        1. Transcontinental said on October 20, 2011 at 10:29 am

          Yes I have, Martin. At this time still no echo. Perhaps a technical issue. I’ll wait 24hrs ans sign again. If anyone has succeeded, I’d be happy to know.

        2. Martin Brinkmann said on October 20, 2011 at 3:26 pm

          I have signed it and received the email less than a minute later.

    2. Leon said on October 20, 2011 at 12:30 pm

      Another present from Microsoft… Yes, 90% market share is not enough…

    3. Ciaran said on October 20, 2011 at 12:42 pm

      I am not by any means anti-microsoft.

      What a scarey new world we are heading into. What happens if you want to upgrade your two or three year old laptop to windows 9? No Keys no boot? A fully locked down BIOS may be Microsofts way to emulate Apples H/W lockin.

      If UEFI is enabled like the scaremongering is indicating, surely the EU at the least will kick up a fuss about anti-competitive behaviour.

      I foresee a future where you will rent/licence access to your purchased consumer devices and it will be sold with the delightful name “Computing as a service” or some such BS.

    4. Paul(us) said on October 20, 2011 at 12:47 pm

      Great that you charing this fairy bad development with us your readers Martin, thanks for that. I have signed in and directly received a mail and confirmed it right away. This because i like my Ubuntu and Windows 8 on one system.

      1. Martin Brinkmann said on October 20, 2011 at 3:28 pm

        I personally think that Microsoft should enforce the rule that users should have a say in this.

        1. ilev said on October 21, 2011 at 11:17 am

          Well, most of the users said that they don’t want Windows 8 Ribbon in Windows explorer, and look where it got them, when Steven Sinofsky just laughed at their faces.

    5. Jim said on October 20, 2011 at 2:41 pm

      I guess we can have any OS we want as long as it is Windows. MS is doing everything it can to make sure I never use Win8.

      I haven’t bought a pre-built computer (besides laptops) in many years. Looks like that trend will continue.

    6. Rambaldi said on October 20, 2011 at 2:43 pm

      It reminds me of the FUD during the period prior to the release of Vista, when more or less the same people wanted us to believe that we would be unable to play any media file without DRM on our Vista PCs, which turned out to be completely wrong and misleading. Therefore you will understand that I am quite skeptical about his (to put it very politely).

      1. ReX said on October 20, 2011 at 3:05 pm

        The funny thing is that I still see people bringing that up like it’s true.

    7. kalmly said on October 20, 2011 at 3:28 pm

      Another thing to dislike about MS highway. I won’t be driving Windows 8.

    8. Morely the IT Guy said on October 20, 2011 at 7:21 pm

      Any PC that can’t have UEFI disabled will NOT be purchased here in our IT shop. While we only have about 250 PCs company-wide (including servers), we insist that we will be able to install any OS necessary (we have some peripheral equipment which is critical for our manufacturing process that will not work with any version of Windows later than XP SP2, for example).

      I am sure we aren’t unique in that requirement. So, if you want to lose market share, PC OEMs, make it impossible to disable UEFI.

    9. Jack said on October 21, 2011 at 12:59 am

      Right now, I’m 50-50 Win7/Linux – use one as much as the other – both have their pros and cons.

      MS clearly want me to go 100% Linux – I may well oblige. Which would always have been easier if manufacturers and distributors offered what I’ve wanted for a long time – ready-built PCs with no OS. I think that may well be about to happen.

      Vote of thanks to MS, then.

    10. holy shit said on October 21, 2011 at 3:55 am

      we’ll just see which hardware manufacturing who is selling to consumer market wants to blacklist itself with “no off option”

    11. ilev said on October 21, 2011 at 11:12 am

      I have signed and will not recommend Win 8 to family and friends until the option to disable UEFI becomes mandatory.

    Leave a Reply