Hardware manufacturers that want to ship Microsoft's upcoming Windows 8 operating system with their PCs need to implement the Secure Boot feature that is part of the UEFI specification.
The feature determines which code or programs can be started during boot. The core intention here is to prevent malware and other unauthorized code from being executed when the computer boots. (see Windows 8, Boot Security And Third Party Operating Systems for details)
While that looks like a good security feature it also means that the feature will block other unauthorized operating systems from being started on the system.
The main problem that the Free Software Foundation (FSF) sees is that Microsoft is giving the manufacturers the power to decide how to implement the feature. This means in particular that hardware vendors could implement the feature in a way that the user could not install any other operating system on the PC.
Matthew Garrett points out that Windows 8 certification requires that hardware ship with UEFI boot enabled, that it does not require users to be able to disable the feature (which can be done) and that it does not require that the PCs ship with any keys other than that of Windows. According to Matthew, some hardware vendors have already confirmed their intention that they wont give the user the option to disable UEFI secure boot.
This means that the user may no longer be in control of the computer. The hardware manufacturers and Microsoft are.
What does this mean for the end user? Microsoft claim that the customer is in control of their PC. That's true, if by "customer" they mean "hardware manufacturer". The end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality. The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware. The end user is no longer in control of their PC.
Even worse, it could furthermore mean that hardware that would otherwise be compatible with the PC won't function because of missing signing keys. This could mean that users will be unable to swap graphics cards, network cards or other peripherals.
One could now say that users have to just buy from the right vendor to avoid this if they want to install other operating systems on their PC. The issue here is that this would require extensive research on part of the user. They first would need to be aware of the limitations of Secure Boot, and then need to research how particular PC vendors have implemented the feature in their PCs. This is far from practicable.
The only sure way out is to build your own PCs or convince Microsoft and hardware vendors to give users control over the feature. The FSF is asking users to sign a statement to "urge all computer makers implementing UEFI's so-called "Secure Boot" to do it in a way that allows free software operating systems to be installed".
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.