Why do Linux fanatics want to make Windows 8 less secure?

Windows 8 isn't even in beta yet, and already the FUD is flying fast and furious. A small group of activists are whipping up controversy over the UEFI secure boot feature even as they admit the feature is "valuable and worthwhile." Here's the real story.

The FUD is flying fast and furious over Windows 8, and the OS isn't even in beta yet.

The Free Software Foundation (FSF) is organizing a petition-signing campaign over Microsoft's announced support for the secure boot feature in next-generation PCs that use Unified Extensible Firmware Interface (UEFI) as a replacement for the conventional PC BIOS. My ZDNet colleague Steven J. Vaughan-Nichols is urging his readers to sign the petition with a bit of deliberately inflammatory language, calling it "UEFI caging."

The crux of their argument is that Microsoft is deliberately requiring a change in next-generation hardware that will make it impossible to wipe off a Windows installation and install Linux. They are wrong, and their effort to whip up public fury is misguided at best and cynical at worst.

Allow me to illustrate by turning the argument around in an equally cynical way, with an equally inflammatory rhetorical flourish:

People who make their living in the Linux ecosystem are demanding that Microsoft disable a key security feature planned for Windows 8 so that malware authors can continue to infect those PCs and drive their owners to alternate operating systems.

Oh, wait. Now that I think about it, that's actually pretty close to the truth.

The most disappointing part of this whole phony controversy is that its ringleaders have managed to suck in some people who should know better. Like Ross Anderson, Professor of Security Engineering at the University of Cambridge Computing Laboratory, who wrote this last month:

I hear that Microsoft (and others) are pushing for this to be mandatory, so that it cannot be disabled by the user, and it would be required for OS badging.

This is grossly incorrect. It is disappointing that a university researcher who should believe in scientific rigor and respect for facts would spread a rumor that begins "I hear that..."

He continues:

The extension of Microsoft’s OS monopoly to hardware would be a disaster, with increased lock-in, decreased consumer choice and lack of space to innovate. It is clearly unlawful and must not succeed.

This is pure FUD.

Here's the reality. Malware authors are getting more creative and more vicious. A rootkit that can infect key operating system files can hide itself so thoroughly that it is virtually impossible to detect. The TDL4 rootkit is probably the best known and most deadly of the bunch. It can patch the Windows Boot Configuration Database, overwrite key system modules, and disable driver signing requirements, just for starters. It is a nightmare to clean up.

The secure boot feature pulls the rug out from under this rootkit and everything like it. Those key boot files that the rootkit tampers with are digitally signed. With Secure Boot enabled, any modification to those files is detected at startup by the UEFI code-signing check, and the system stops in its tracks. Rootkit foiled, user protected, recovery possible.

As my colleague Mary Jo Foley has noted, the initial reports came from an employee of Red Hat Linux who acknowledges that "UEFI secure boot is a valuable and worthwhile feature."

Page 2: What do the BIOS makers say? -->

<-- Previous page

The question to ask anyone who tries to sell you on this bit of FUD is "Why?" Why would Microsoft even care whether this option is available? They care about the 99% of PC buyers who purchase systems with Windows preinstalled. They have no economic incentive to mess with the microscopic percentage of the PC market that uses Linux.

Microsoft has specified that this feature must be enabled by default for new systems that are sold with Windows 8 to qualify for logo support. OEM sales historically represent more than 90% of all Windows sales, making this a crucial requirement. If this feature has to be enabled manually by users, or if OEMs have the option to install Windows 8 with this feature turned off, the security feature is meaningless.

So the real question becomes this:

Will PC makers make it possible for end users to toggle this option in the UEFI settings?

And the answer is painfully obvious:

Of course they will. They would be insane not to.

A non-trivial percentage of PC buyers will want to replace the installed operating system with either an older Windows version or an alternate operating system (like Linux). If they are unable to do so, they will call the manufacturer's support line asking why this seemingly simple task cannot be accomplished.

PC profit margins are razor thin. A single 10-minute support call can eat through the entire profit that an OEM makes on a computer sold in the retail channel. If the call goes on for long enough, it gobbles up the profit for 10 PCs.

I asked a spokesperson for AMI, one of the largest makers of BIOS and UEFI firmware, for a statement on this issue. Here's what I was told:

The decision on making secure boot open to the user is in the hands of the OEM.

Just as was/is the case with legacy BIOS, it is up to individual OEMs to decide what features are enabled on their specific platforms. Speaking specifically about Windows 8, since Microsoft has announced that they would like secure boot enabled by default, OEMs seeking to enter the Win8 market will likely ensure that secure boot is enabled on their platforms. Since secure boot can be enabled / disabled by the user if the OEM makes this available, I would imagine that many OEMs will keep this option open to their users in order to appeal to a wider cross-section of users.

I can say that generally speaking, AMI will advise OEMs to provide a default configuration that allows users to enable / disable secure boot, but it remains the choice of the OEM to do (or not do) so. [Emphasis added] 

In AMI's case, OEMs use a simple toolkit to build a BIOS. The Aptio UEFI Firmware tool is an integrated development environment, with debug tools, utilities and the like. OEMs can get the most out of their BIOS development and make platform-specific customizations and enhancements. The option to enable/disable secure boot is, literally, a check box.

Here is what Microsoft has to say specifically about the secure boot requirement and Windows 8 certification:

For Windows customers, Microsoft is using the Windows Certification program to ensure that systems shipping with Windows 8 have secure boot enabled by default, that firmware not allow programmatic control of secure boot (to prevent malware from disabling security policies in firmware), and that OEMs prevent unauthorized attempts at updating firmware that could compromise system integrity.


At the end of the day, the customer is in control of their PC. Microsoft’s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility. The security that UEFI has to offer with secure boot means that most customers will have their systems protected against boot loader attacks. For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision.

In the Samsung tablet that Microsoft gave paid attendees at the BUILD conference, the Secure Boot option was enabled, but the toggle was right there in the settings. I am confident this will be the case with virtually every new PC sold in the Windows 8 timeframe. Any PC maker who does otherwise is shooting themselves right in the foot.

I expect this sort of FUD from the Free Software Foundation. They have a longstanding reputation for hysterical reactions to everything Microsoft does. I vividly recall their deliberately misleading, technically absurd, and factually inaccurate FUD campaign over Microsoft's support for the MP3 format in 2010. This is more of the same.

I expect better from academics at an institution like Cambridge.

Don't fall for this FUD.


You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All