FSF Criticizes Microsoft For Secure Boot Feature

Martin Brinkmann
Oct 20, 2011
Updated • Jun 25, 2018
Windows, Windows 8
|
18

Hardware manufacturers that want to ship Microsoft's upcoming Windows 8 operating system with manufactured PCs need to implement the Secure Boot feature that is part of the UEFI specification according to Microsoft.

The feature determines which code or programs can be started during boot. The core intention here is to prevent malware and other unauthorized code from being executed when the computer boots (see Windows 8, Boot Security And Third Party Operating Systems for details).

While that looks like a good security feature it also means that the feature will block other unauthorized operating systems from being started on the system.

The main problem that the Free Software Foundation (FSF) sees is that Microsoft is giving manufacturers the power to decide how to implement the feature. This means in particular that hardware vendors could implement the feature in a way that users could not install any other operating system on the PC.

In other words: manufacturers may lock down the device so that it runs only Windows and no other operating system as standalone or multi-boot.

Matthew Garrett points out that Windows 8 certification requires that hardware ship with UEFI boot enabled, that it does not request that manufacturers give users options to disable the feature (which can be done) and that certification does not require that the PCs ship with any keys other than that for Windows. Keys determine which systems can be installed and run.

According to Matthew, some hardware vendors have already confirmed their intention that they wont give users the option to disable UEFI secure boot.

This means that users may no longer be in control of the computer, and that the hardware manufacturers and Microsoft are.

What does this mean for the end user? Microsoft claim that the customer is in control of their PC. That's true, if by "customer" they mean "hardware manufacturer". The end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality. The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware. The end user is no longer in control of their PC.

Even worse, it could furthermore mean that hardware that would otherwise be compatible with the PC won't function because of missing signing keys. This could mean that users will be unable to swap graphics cards, network cards or other peripherals.

One could now say that users have to just buy from the right vendor to avoid this if they want to install other operating systems on their PC. The issue here is that this would require extensive research on part of the user. They first would need to be aware of the limitations of Secure Boot and they would then need to research how particular PC vendors have implemented the feature and whether the devices they are interested in have the feature locked or not: this is far from practicable.

The only sure way out is to build your own PCs or convince Microsoft and hardware vendors to give users control over the feature. The FSF is asking users to sign a statement to "urge all computer makers implementing UEFI's so-called "Secure Boot" to do it in a way that allows free software operating systems to be installed".

Summary
Article Name
FSF Criticizes Microsoft For Secure Boot Feature
Description
Hardware manufacturers that want to ship Microsoft's upcoming Windows 8 operating system with manufactured PCs need to implement the Secure Boot feature that is part of the UEFI specification according to Microsoft.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. ilev said on October 21, 2011 at 11:12 am
    Reply

    I have signed and will not recommend Win 8 to family and friends until the option to disable UEFI becomes mandatory.

  2. holy shit said on October 21, 2011 at 3:55 am
    Reply

    we’ll just see which hardware manufacturing who is selling to consumer market wants to blacklist itself with “no off option”

  3. Jack said on October 21, 2011 at 12:59 am
    Reply

    Right now, I’m 50-50 Win7/Linux – use one as much as the other – both have their pros and cons.

    MS clearly want me to go 100% Linux – I may well oblige. Which would always have been easier if manufacturers and distributors offered what I’ve wanted for a long time – ready-built PCs with no OS. I think that may well be about to happen.

    Vote of thanks to MS, then.

  4. Morely the IT Guy said on October 20, 2011 at 7:21 pm
    Reply

    Any PC that can’t have UEFI disabled will NOT be purchased here in our IT shop. While we only have about 250 PCs company-wide (including servers), we insist that we will be able to install any OS necessary (we have some peripheral equipment which is critical for our manufacturing process that will not work with any version of Windows later than XP SP2, for example).

    I am sure we aren’t unique in that requirement. So, if you want to lose market share, PC OEMs, make it impossible to disable UEFI.

  5. kalmly said on October 20, 2011 at 3:28 pm
    Reply

    Another thing to dislike about MS highway. I won’t be driving Windows 8.

  6. Rambaldi said on October 20, 2011 at 2:43 pm
    Reply

    It reminds me of the FUD during the period prior to the release of Vista, when more or less the same people wanted us to believe that we would be unable to play any media file without DRM on our Vista PCs, which turned out to be completely wrong and misleading. Therefore you will understand that I am quite skeptical about his (to put it very politely).

    1. ReX said on October 20, 2011 at 3:05 pm
      Reply

      The funny thing is that I still see people bringing that up like it’s true.

  7. Jim said on October 20, 2011 at 2:41 pm
    Reply

    I guess we can have any OS we want as long as it is Windows. MS is doing everything it can to make sure I never use Win8.

    I haven’t bought a pre-built computer (besides laptops) in many years. Looks like that trend will continue.

  8. Paul(us) said on October 20, 2011 at 12:47 pm
    Reply

    Great that you charing this fairy bad development with us your readers Martin, thanks for that. I have signed in and directly received a mail and confirmed it right away. This because i like my Ubuntu and Windows 8 on one system.

    1. Martin Brinkmann said on October 20, 2011 at 3:28 pm
      Reply

      I personally think that Microsoft should enforce the rule that users should have a say in this.

      1. ilev said on October 21, 2011 at 11:17 am
        Reply

        Well, most of the users said that they don’t want Windows 8 Ribbon in Windows explorer, and look where it got them, when Steven Sinofsky just laughed at their faces.

  9. Ciaran said on October 20, 2011 at 12:42 pm
    Reply

    I am not by any means anti-microsoft.

    What a scarey new world we are heading into. What happens if you want to upgrade your two or three year old laptop to windows 9? No Keys no boot? A fully locked down BIOS may be Microsofts way to emulate Apples H/W lockin.

    If UEFI is enabled like the scaremongering is indicating, surely the EU at the least will kick up a fuss about anti-competitive behaviour.

    I foresee a future where you will rent/licence access to your purchased consumer devices and it will be sold with the delightful name “Computing as a service” or some such BS.

  10. Leon said on October 20, 2011 at 12:30 pm
    Reply

    Another present from Microsoft… Yes, 90% market share is not enough…

  11. Transcontinental said on October 20, 2011 at 9:03 am
    Reply

    I have signed in but after 15 minutes or so still haven’t received their email confirmation of mine …

    1. Martin Brinkmann said on October 20, 2011 at 9:51 am
      Reply

      Have you checked your spam folder?

      1. Transcontinental said on October 20, 2011 at 10:29 am
        Reply

        Yes I have, Martin. At this time still no echo. Perhaps a technical issue. I’ll wait 24hrs ans sign again. If anyone has succeeded, I’d be happy to know.

      2. Martin Brinkmann said on October 20, 2011 at 3:26 pm
        Reply

        I have signed it and received the email less than a minute later.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.