Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs

Summary: If you'll be wanting to install Linux or an older version of Windows on that Windows 8 PC, you'd better do your research before you buy.

A few days ago, Red Hat developer Matthew Garrett raised the possibility that Linux (not to mention earlier versions of Windows) could be locked out of new PCs due to Microsoft's insistence that Windows 8 logo certified PCs will have the 'secure boot' feature of UEFI enabled. Microsoft has now responded to this concern ... and there is cause to be concerned.

Microsoft's Tony Mangefeste of the Ecosystem team has written a long post over on the Building Windows 8 blog. The post is, in my opinion, far too long and winding, and the issue of 'secure boot' and whether it can be disabled isn't addressed until the last two paragraphs:

At the end of the day, the customer is in control of their PC. Microsoft's philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility. The security that UEFI has to offer with secure boot means that most customers will have their systems protected against boot loader attacks. For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision.

A demonstration of this control is found in the Samsung tablet with Windows 8 Developer Preview that was offered to //BUILD/ participants. In the screenshot below you will notice that we designed the firmware to allow the customer to disable secure boot. However, doing so comes at your own risk. OEMs are free to choose how to enable this support and can further customize the parameters as described above in an effort to deliver unique value propositions to their customers. Windows merely did work to provide great OS support for a scenario we believe many will find valuable across consumers and enterprise customers.

I've read and re-read those two paragraphs several times and think that it can be fairly summarized as follows:

  • Microsoft says it wants consumers to be in charge
  • Microsoft makes the OS, OEMs make the PC
  • Microsoft wants 'secure boot' enabled because it believes that it makes the PC safer
  • Disabling 'secure boot' is risky
  • The Samsung tablets given out at BUILD had the option to disable 'secure boot' ...
  • ... but, how OEMs handle this feature on new PCs is up to them, so you could be stuffed when it comes to installing Linux or even an older version of Windows on your new PC
  • If you're stuffed by your OEM, don't go crying to Microsoft

So, Garrett was right to be concerned.

I'm concerned too. I'm concerned because over the years I've seen plenty of bone-headed restrictions placed on BIOSes on OEM PCs, and since it's the same companies responsible for UEFI, we can expect more bone-headedness. Also, OEMs all participate in a race to the bottom in terms of price, and this inevitably results in cost cutting and dropped features. If having a feature to disable 'secure boot' in the UEFI costs the OEMs money, then it's something that could well be given the chop.

BUT - This is not really a Microsoft issue (beyond Microsoft insisting that OEMs use UEFI and 'secure boot' in the name of security), this is an OEM issue. If OEMs give users the ability to switch this feature off, this is not going to be a problem.

If you're going to be wanting to install Linux, or for that matter an older version of Windows, on that new Windows 8 PC, you'd better do your research before you buy.

Topics: Microsoft, Apps, Linux, Open Source, Software Development

Talkback

32 comments
  • RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs

    Good! No reason to have linux on the PC anyway. Microsoft just did the world a favor.
    LoverockDavidson_-24231404894599612871915491754222
    • RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs

      @LoverockDavidson_

      Ah I see you have had to change your name, why is that?
      Alan Smithie
    • RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs

      @LoverockDavidson_ ha i didn't even have to check the name, knew it'd be you, please, hence forth to the rock you crawled out from.
      explodingwalrus
  • RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs

    *yawn*
    jhughesy
  • RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs

    ... Or just build your own.

    But, seriously, how many "average consumers" dual boot? Next to none. This is better for them.

    It's funny how this issue is causing concern only because the 'L' word is involved. SJVN seemed to nearly have a coronary because of it, yet failed to lay out any facts or even demonstrate any technical knowledge on it or why it's even there to begin with. The main issue here is malware not Linux.
    The one and only, Cylon Centurion
    • RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs

      @Cylon Centurion Definitely. Even techies don't dual-boot anymore. That's what VM's are for. This media frenzy over it is just stupid.
      BillDem
      • RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs

        @BillDem We addressed this already. When you can play Crysis 2 or access PCIe hardware in your VM, we'll talk. Otherwise... VMs aren't a solution. In addition, your scenario suggests that everyone in the world MUST run Windows 8 as their primary OS whether they want to or not. That's ridiculous.
        jgm@...
    • RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs

      @Cylon Centurion
      SJVN never makes his points with facts, but only those arguments that support his interests (open source). I don't know how his posts pass editorial standards on zdnet.

      and as BillDem says VM's are a far better choice for most situations. If you still insist on dual boot (like me), you are probably smart enough to disable secure boot from UEFI.
      The whole discussion surrounding this issue has just been too naive IMO. From what I see it is all about security. But if you listen to MS haters, it is all about locking people out of Linux or other OSes.
      regsrini
      • RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs

        @regsrini
        Sigh. SJVN was right, and this post confirms it. This post suggests that it might not be possible to disable UEFI on some devices. You ignore that too. You also ignore the fact that whatever the motive, it DOES lock people out of using non Windows 8 OSes on their own hardware, and if some guy at RedHat thought of that, Microsoft had to think of it too but apparently not care. You ALSO ignore the fact that Microsoft refused to respond to queries about this UNTIL ZDNet got up in arms about it.
        jgm@...
      • RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs

        @jgm

        SJVN was NOT right. To him, he claims this is all about Linux. His posts are nothing more than FUD about how Microsoft is out to kill Linux once and for all and fails to mention any basic facts about the technology or what its purpose is.

        Now, chances are on a tablet device you will not be able to disable secure boot, as dual booting a tablet is pretty useless. You bought the tablet for a purpose. Desktops and laptops however are more likely to be dual booted and will most likely feature the option to disable secure boot, but Microsoft is right in suggesting this feature be turned on by default. Joe User isn't in the game of dual booting and it will keep him/her safe without having to make him/her run all over their system to turn it on.

        However, there is nothing in the technology preventing you from wiping the system with a non OEM disk and using another OS.

        Secured boot doesn't "lock out" operating system loaders, but is a policy that allows firmware to validate authenticity of components
        OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform
        Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows
        The one and only, Cylon Centurion
      • RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs

        @cylon

        >SJVN was NOT right. To him, he claims this is all about
        >Linux.

        He never claimed it was "all about" Linux. He did claim it would hurt Linux while everyone else was denying that the Red Hat engineer's take on things was even correct.

        >His posts are nothing more than FUD about how
        >Microsoft is out to kill Linux once and for all and fails to
        >mention any basic facts about the technology or what
        >its purpose is.

        That's funny, I never read him claiming this and all of the posts on ZDNet have explained the technology quite clearly.


        >Now, chances are on a tablet device you will not be
        >able to disable secure boot, as dual booting a tablet is
        >pretty useless. You bought the tablet for a purpose.

        Please don't tell me what that purpose is, however. Also, dual booting may have nothing to do with it. Example: Suse Linux Enterprise Desktop runs on x86 but not ARM. An enterprise user may very well want to purchase an x86 tablet, remove Windows, and run SLED on it. That would be the purpose, and the purpose would be foiled.

        >Desktops and laptops however are more likely to be dual
        >booted and will most likely feature the option to disable
        >secure boot,

        "Most likely" isn't good enough and is little more than a guess, not a guarantee by Microsoft or OEMS. How'd you like to be managing a facility that uses linux for desktop and servers and be told "most likely" there will be hardware that will support your OS in the future, but maybe not, just wait and see what happens? Think about it for a second, then see how casual you'd be about the situation.

        >but Microsoft is right in suggesting this feature be
        >turned on by default. Joe User isn't in the game of dual
        >booting and it will keep him/her safe without having to
        >make him/her run all over their system to turn it on.

        I've got no problem with that. I DO have a problem with Microsoft requiring it on, but not requiring that it can be disabled, in their specifications. Just by making that extra small requirement Microsoft gains all the security and doesn't screw any other users or OSes in the process. They didn't bother.

        >However, there is nothing in the technology preventing
        >you from wiping the system with a non OEM disk and
        >using another OS.

        Yes, there is: the key in the BIOS. If it doesn't match the boot files, it's not booting.

        >Secured boot doesn't lock out operating system loaders,
        >but is a policy that allows firmware to validate
        >authenticity of components

        Again, if there's a Microsoft key and only a Microsoft key in the EFI, how is it not locking out boot files?

        >Microsoft does not mandate or control the settings on
        >PC firmware that control or enable secured boot from
        >any operating system other than Windows

        Microsoft is controlling things, because it's using its Win8 certification to require this change. Making a change and then saying "It's not my responsibility" by not requiring the change made in such a way as to not interfere with competitors is akin to saying, "I didn't kill him... the bullet killed him, I just fired the gun." It's no different than if Apple got a spec changed (say, Thunderbolt) in such a way that it wouldn't work with Windows 8, and then saying it's not their fault and it's up to every individual vendor to work around the spec to get Windows devices working. We'd all see through that bit of playing innocent in a second.
        jgm@...
    • RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs

      @Cylon Centurion The main issue is Microsoft pretending it's the only OS in the room and making a move to make IT more safe that inconveniences everyone else in the process.
      jgm@...
      • RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs

        @jgm@...

        Microsoft isn't pretending anything. They have publicly announced that they know Windows 8 will be run alongside Windows 7 and more or less Windows Vista/XP.
        The one and only, Cylon Centurion
      • RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs

        @Cylon Without the ability to disable secure boot, that won't happen. The only way Microsoft can guarantee this is if they've made disabling secure boot a requirement, and nothing they've said indicates they have. Maybe they know it will run "alongside" 8 on legacy hardware?
        jgm@...
  • How is this even a surprise?

    Not a big deal, IMO.
    Dietrich T. Schmitz *Your
    • RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs

      @Dietrich T. Schmitz * Your Linux Advocate No? How so? The Linux project got started on commodity PC hardware. If UEFI had existed then the Linux project wouldn't have been viable.

      I'm sure I don't want to see Linux (or indeed the BSD variants) become the sole preserve of "big business". I think it's healthy that kernel hackers can try out their own ideas without sponsorship of a large corporation.

      While I don't think it was Microsoft's intention, I do think this will have a VERY negative impact on "on the metal open source" projects - of which Linux is the most successful example.
      Jeremy-UK
      • How So?

        @Jeremy-UK Much ado about nothing. For the .01% of the PC population that needs to run a second OS with UEFI-capable hardware, they can figure out how to do it.
        Your Non Advocate
      • It's a solution for protecting BIOS and software integrity.

        @Jeremy-UK

        There will be other solutions. Remember that IBM originally developed the IBM PC Bios to 'protect' their market.

        That route ultimately failed and eventually IBM got out of the PC manufacturing business as competing clones with near-perfect emulation of the IBM-PC Bios emerged and caused the market to become fractious and commodity priced.
        Dietrich T. Schmitz *Your
      • RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs

        @Facebook, how about you have to run Linux on your PC unless you want to "figure out how to" run Windows? Sound fun? No? Thought so. Microsoft one-upping Apple doesn't bother you at all?
        jgm@...
      • @Jeremy-UK .. I think this issue falls into the territory

        .. of being a little more paranoia than complete substance. Why? Because such a move has Anti-Trust written over it. MS wouldn't dare go down that road again. So, if I had to hazard a guess, I'd go with MS OEM partners making only retail, OEM machines logo / W8 certified - but with OEM's having the ultimate last say.

        Furthermore, I think the only way for UEFI to work is if all hardware that is bought above and beyond retail, OEM outlets would have to be exempt - or made UEFI-optional for those that purchase parts (i.e. to build a pc). That way, users are warned that if they buy non-UEFI devices, their PC becomes non-W8 logo certified: ergo, the end-user is made aware of the repercussions of building a pc that will not support W8 (oob) and, therefore, cannot be W8 certified.

        The OEM's and independent hardware retailers have to know that locking out users is majorly problematic (to say the least) as they risk losing a revenue source - amongst already squeezed and marginal revenue sources, as it is.

        The absolute worst case scenario (if MS goes down this road) is that such a move scares the public into staying with older hardware and OS's: with the uncertainty and fear, that, replacement becomes too expensive an option. Flow on is, many of these users switch to Apple or simply stay with aging systems (e.g. XP, W7) & ancillary hardware.

        Although I personally can't see MS playing the "UEFI card" (across the board), Redmond have to know the days of strong-arming the public into lock-in-by-gun-to-the-head type tactics is not the way to win the public over. As DTS has already pointed out, IBM tried a similarly bad move .. and we now know how that turned out for them.

        To finish, I really can't see it happening - as it's tantamount to MS proverbially shooting themselves in the foot. W8 will float or sink on its own ... cramming it down the throats of new PC buyers - and locking them into a new h/w-OS paradigm - is not the way to go (...by a long shot). Give the public freedom of choice and you win them over .. that's a truism you can take to the bank.
        thx-1138_