Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs
Summary: If you'll be wanting to install Linux or an older version of Windows on that Windows 8 PC, you'd better do your research before you buy.
A few days ago, Red Hat developer Matthew Garrett raised the possibility that Linux (not to mention earlier versions of Windows) could be locked out of new PCs due to Microsoft's insistence that Windows 8 logo certified PCs will have the 'secure boot' feature of UEFI enabled. Microsoft has now responded to this concern ... and there is cause to be concerned.
Microsoft's Tony Mangefeste of the Ecosystem team has written a long post over on the Building Windows 8 blog. The post is, in my opinion, far too long and winding and the issue of 'secure boot' and whether it can be disabled aren't addressed until the last two paragraphs:
At the end of the day, the customer is in control of their PC. Microsoft's philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility. The security that UEFI has to offer with secure boot means that most customers will have their systems protected against boot loader attacks. For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision.
A demonstration of this control is found in the Samsung tablet with Windows 8 Developer Preview that was offered to //BUILD/ participants. In the screenshot below you will notice that we designed the firmware to allow the customer to disable secure boot. However, doing so comes at your own risk. OEMs are free to choose how to enable this support and can further customize the parameters as described above in an effort to deliver unique value propositions to their customers. Windows merely did work to provide great OS support for a scenario we believe many will find valuable across consumers and enterprise customers.
I've read and re-read those two paragraphs several times and think that it can be fairly summarized as follows:
- Microsoft says it wants consumers to be in charge
- Microsoft makes the OS, OEMs make the PC
- Microsoft wants 'secure boot' enabled because it believes that it makes the PC safer
- Disabling 'secure boot' is risky
- The Samsung tablets given out at BUILD had the option to disable 'secure boot' ...
- ... but, how OEMs handle this feature on new PCs is up to them, so you could be stuffed when it comes to installing Linux or even an older version of Windows on your new PC
- If you're stuffed by your OEM, don't go crying to Microsoft
So, Garrett was right to be concerned.
I'm concerned too. I'm concerned because over the years I've seen plenty of bone-headed restrictions placed on BIOSes on OEM PCs, and since it's the same companies responsible for UEFI, so we can expect more bone-headedness. Also, OEMs all participare in a race to the bottom in terms of price, and this inevitably results in cost cutting and dropped features. If having a feature to disable 'secure boot' in the UEFI costs the OEMs money, then it's something that could well be given the chop.
BUT - This is not really a Microsoft issue (beyond Microsoft insisting that OEMs use UEFI and 'secure boot' in the name of security), this is an OEM issue. If OEMs give users the ability to switch this feature off, this is not going to be a problem.
If you're going to be wanting to install Linux, or for that matter an older version of Windows, on that new Windows 8 PC, you'd better do your research before you buy.
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs
RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs
Ah I see you have had to change your name, why is that ?
RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs
RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs
RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs
It's funny how this issue is causing concern only because the 'L' word is involved. SJVN seemed to nearly have a coronary because of it, yet failed to lay out any facts or even demonstrate any technical knowledge on it or why it's even there to begin with. The main issue here is <I>malware</I> not Linux.
RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs
RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs
RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs
SJVN never makes his points with facts, but only those arguments that support his interests (open source). I don't know how his posts pass editorial standards on zdnet.
and as BillDem says VM's are a far better choice for most situations. If you still insistn on dual boot (like me), you are probably smart enough to disable secure boot from UEFI.
The whole discussion surrounding this issue has just been too naive IMO. From what I see it is all about security. But if you listen to MS haters, it is all about locking people out of Linux or other OSes.
RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs
Sigh. SJVN was right, and this post confirms it. This post suggests that it might not be possible to disable UEFI on some devices. You ignore that too. You also ignore the fact that whatever the motive, it DOES lock people out of using non Windows 8 OSes on their own hardware, and if some guy at RedHat thought of that, Microsoft had to think of it too but apparently not care. You ALSO ignore the fact that Microsoft refused to respond to queries about this UNTIL ZDNet got up in arms about it.
RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs
SJVN was <I>NOT</I> right. To him, he claims this is all about Linux. His posts are nothing more than FUD about how Microsoft is out to kill Linux once and for all and fails to mention <U>any</U> basic facts about the technology or what it's purpose is.
Now, chances are on a tablet device you <U>will not</U> be able to disable secure boot, as dual booting a tablet is pretty useless. You bought the tablet for a purpose. Desktops and laptops however are more likely to be dual booted and will most likely feature the option to disable secure boot, but Microsoft is right in suggesting this feature be turned on by default. Joe User isn't in the game of dual booting and it will keep him/her safe without having to make him/her run all over their system to turn it on.
However, there is nothing in the technology preventing you from wiping the system with a non OEM disk and using another OS.
Secured boot doesn???t ???lock out??? operating system loaders, but is is a policy that allows firmware to validate authenticity of components
OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform
Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows
RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs
>SJVN was NOT right. To him, he claims this is all about
>Linux.
He never claimed it was "all about" Linux. He did claim it would hurt Linux while everyone else was denying that the Red Hat engineer's take on things was even correct.
>His posts are nothing more than FUD about how
>Microsoft is out to kill Linux once and for all and fails to
>mention any basic facts about the technology or what >it's purpose is.
That's funny, I never read him claiming this and all of the posts on ZDNet have explained the technology quite clearly.
>Now, chances are on a tablet device you will not be
>able to disable secure boot, as dual booting a tablet is
>pretty useless. You bought the tablet for a purpose.
Please don't tell me what that purpose is, however. Also, dual booting may have nothing to do with it. Example: Suse Linux Enterprise Desktop runs on x86 but not ARM. An enterprise user may very well want to purchase an x86 tablet, remove Windows, and run SLED on it. That would be the purpose, and the purpose would be foiled.
>Desktops and laptops however are more likely to be dual
>booted and will most likely feature the option to disable
>secure boot,
"Most likely" isn't good enough and is little more than a guess, not a guarantee by Microsoft or OEMS. How'd you like to be managing a facility that uses linux for desktop and servers and be told "most likely" there will be hardware that will support your OS in the future, but maybe not, just wait and see what happens? Think about it for a second, then see how casual you'd be about the situation.
>but Microsoft is right in suggesting this feature be
>turned on by default. Joe User isn't in the game of dual
>booting and it will keep him/her safe without having to
>make him/her run all over their system to turn it on.
I've got no problem with that. I DO have a problem with Microsoft requiring it on, but not requiring that it can be disabled, in their specifications. Just by making that extra small requirement Microsoft gains all the security and doesn't screw any other users or OSes in the process. They didn't bother.
>However, there is nothing in the technology preventing
>you from wiping the system with a non OEM disk and
>using another OS.
Yes, there is: the key in the BIOS. If it doesn't match the boot files, it's not booting.
>Secured boot doesnt lock out operating system loaders,
>but is is a policy that allows firmware to validate
>authenticity of components
Again, if there's a Microsoft key and only a Microsoft key in the EFI, how is it not locking out boot files?
>Microsoft does not mandate or control the settings on
>PC firmware that control or enable secured boot from
>any operating system other than Windows
Microsoft is controlling things, because it's using its Win8 certification to require this change. Making a change and then saying "It's not my responsibility" by not requiring the change made in such a way as to not interfere with competitors is akin to saying, "I didn't kill him... the bullet killed him, I just fired the gun." It's no different than if Apple got a spec changed (say, Thunderbolt) in such a way that it wouldn't work with Windows 8, and then saying it's not their fault and it's up to to every individual vendor to work around the spec to get Windows devices working. We'd all see through that bit of playing innocent in a second.
RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs
RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs
Microsoft isn't pretending anything. They have publicly announced that they know Windows 8 will be run along side Windows 7 and more or less Windows Vista/XP.
RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs
How is this even a surprise?
RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs
I'm sure I don't want to see Linux (or indeed the BSD variants) become the sole preserve of "big business". I think it's healthy that kernel hackers can try out their own ideas without sponsorship of a large corporation.
While I don't think it was Microsoft's intention, I do think this will have a VERY negative impact on "on the metal open source" projects - of which Linux is the most successful example.
How So?
It's a solution for protecting BIOS and software integrity.
There will be other solutions. Remember that IBM originally developed the IBM PC Bios to 'protect' their market.
That route ultimately failed and eventually IBM got out of the PC manufacturing business as competing clones with near-perfect emulation of the IBM-PC Bios emerged and caused the market to become fractious and commodity priced.
RE: Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs
@Jeremy-UK .. I think this issue falls into the territory