A few days ago, Red Hat developer Matthew Garrett raised the possibility that Linux (not to mention earlier versions of Windows) could be locked out of new PCs due to Microsoft’s insistence that Windows 8 logo certified PCs will have the ’secure boot’ feature of UEFI enabled. Microsoft has now responded to this concern … and there is cause to be concerned.
Microsoft’s Tony Mangefeste of the Ecosystem team has written a long post over on the Building Windows 8 blog. The post is, in my opinion, far too long and winding and the issue of ’secure boot’ and whether it can be disabled aren’t addressed until the last two paragraphs:
At the end of the day, the customer is in control of their PC. Microsoft’s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility. The security that UEFI has to offer with secure boot means that most customers will have their systems protected against boot loader attacks. For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision.
A demonstration of this control is found in the Samsung tablet with Windows 8 Developer Preview that was offered to //BUILD/ participants. In the screenshot below you will notice that we designed the firmware to allow the customer to disable secure boot. However, doing so comes at your own risk. OEMs are free to choose how to enable this support and can further customize the parameters as described above in an effort to deliver unique value propositions to their customers. Windows merely did work to provide great OS support for a scenario we believe many will find valuable across consumers and enterprise customers.
I’ve read and re-read those two paragraphs several times and think that it can be fairly summarized as follows:
- Microsoft says it wants consumers to be in charge
- Microsoft makes the OS, OEMs make the PC
- Microsoft wants ’secure boot’ enabled because it believes that it makes the PC safer
- Disabling ’secure boot’ is risky
- The Samsung tablets given out at BUILD had the option to disable ’secure boot’ …
- … but, how OEMs handle this feature on new PCs is up to them, so you could be stuffed when it comes to installing Linux or even an older version of Windows on your new PC
- If you’re stuffed by your OEM, don’t go crying to Microsoft
So, Garrett was right to be concerned.
I’m concerned too. I’m concerned because over the years I’ve seen plenty of bone-headed restrictions placed on BIOSes on OEM PCs, and since it’s the same companies responsible for UEFI, so we can expect more bone-headedness. Also, OEMs all participare in a race to the bottom in terms of price, and this inevitably results in cost cutting and dropped features. If having a feature to disable ’secure boot’ in the UEFI costs the OEMs money, then it’s something that could well be given the chop.
BUT - This is not really a Microsoft issue (beyond Microsoft insisting that OEMs use UEFI and ’secure boot’ in the name of security), this is an OEM issue. If OEMs give users the ability to switch this feature off, this is not going to be a problem.
If you’re going to be wanting to install Linux, or for that matter an older version of Windows, on that new Windows 8 PC, you’d better do your research before you buy.
