FSF Criticizes Microsoft For Secure Boot Feature
According to Microsoft, hardware manufacturers that want to ship PCs with its upcoming Windows 8 operating system need to implement the Secure Boot feature that is part of the UEFI specification.
The feature determines which code or programs can be started during boot. The core intention here is to prevent malware and other unauthorized code from being executed when the computer boots (see Windows 8, Boot Security And Third Party Operating Systems for details).
While that looks like a good security feature, it also means that other unauthorized operating systems will be blocked from starting on the system.
The main problem that the Free Software Foundation (FSF) sees is that Microsoft is giving manufacturers the power to decide how to implement the feature. This means in particular that hardware vendors could implement the feature in a way that users could not install any other operating system on the PC.
In other words: manufacturers may lock down the device so that it runs only Windows and no other operating system as standalone or multi-boot.
Matthew Garrett points out that Windows 8 certification requires that hardware ship with UEFI boot enabled, that it does not request that manufacturers give users options to disable the feature (which can be done) and that certification does not require that the PCs ship with any keys other than that for Windows. Keys determine which systems can be installed and run.
According to Matthew, some hardware vendors have already confirmed that they won't give users the option to disable UEFI secure boot.
This means that users may no longer be in control of the computer, and that the hardware manufacturers and Microsoft are.
What does this mean for the end user? Microsoft claim that the customer is in control of their PC. That's true, if by "customer" they mean "hardware manufacturer". The end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality. The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware. The end user is no longer in control of their PC.
Even worse, it could mean that hardware that would otherwise be compatible with the PC won't function because of missing signing keys. Users could then be unable to swap graphics cards, network cards or other peripherals.
One could argue that users who want to install other operating systems on their PC simply have to buy from the right vendor. The issue is that this would require extensive research on the part of the user. They would first need to be aware of the limitations of Secure Boot, and they would then need to research how particular PC vendors have implemented the feature and whether the devices they are interested in have the feature locked or not: this is far from practicable.
The only sure way out is to build your own PCs or convince Microsoft and hardware vendors to give users control over the feature. The FSF is asking users to sign a statement to "urge all computer makers implementing UEFI's so-called "Secure Boot" to do it in a way that allows free software operating systems to be installed".