Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCs

Summary: Microsoft's demand that 'secure boot' is enabled on Windows 8 PCs means that you might not be able to install Linux.

An interesting story is doing the rounds that, at first glance, looks like FUD, but it's not. Windows 8-compliant PCs must replace the BIOS with the more modern UEFI, and Microsoft could indeed use that fact to lock Linux (and even previous versions of Windows) out from new PCs.

Note: This applies equally to tablets running Windows 8 as well as PCs.

Sebastian Anthony over on ExtremeTech writes:

Dubbed "secure boot," UEFI has the capability to prevent any unsigned executables or drivers from being loaded. In other words, a Windows 8 PC could be set up so that it only boots from files that have been signed by Microsoft or an OEM vendor; and obviously, an open-source, build-it-yourself Linux boot loader isn't going to be signed by Microsoft. The way this works is that every UEFI firmware chip is pre-loaded with a secure key. If the OS knows this key, it can add and remove drivers and executables from a whitelist (or blacklist, in the case of known-bad drivers or malware); obviously this is good (or at least interesting) from a security standpoint.

Will Microsoft demand that 'secure boot' is enabled on Windows 8 PCs? You bet! Red Hat developer Matthew Garrett tells it like it is:

Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled.

Why would Microsoft do such a thing? Put simply - security. Having 'secure boot' enabled will prevent unsigned code from running at boot up. Good for preventing malware and rootkits at startup, not so good if you're trying to install unsigned code.

Systems can be shipped with multiple keys to run code signed by multiple sources. There's also a whitelist and blacklist mechanism for controlling what gets to run and what doesn't. Along with a Microsoft key, a system could have one or more OEM keys installed for any stuff that the OEM wants you to have running (please, not crapware!). However, this won't help you when it comes to installing your own stuff.

Garrett gives us the worst-case scenario:

A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux.

To be able to install something like Linux, one of two things has to happen:

  • You'll need to be able to disable 'secure boot', which may or may not be allowed by the OEMs
  • You'd need a signed boot loader for Linux, and the key that it is signed with would have to be shipped on the system ... which is unlikely to happen
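
To see which of these situations a particular machine is in, the firmware's Secure Boot variables can be read from any Linux environment that does boot on it. The script below is an added example, not part of the original article; the `SecureBoot` and `SetupMode` variable names, their GUID and the efivarfs path come from the UEFI specification and the Linux kernel, not from the page.

```shell
#!/bin/sh
# Added example: report the UEFI Secure Boot state from Linux efivarfs.
# Assumption: efivarfs is mounted at /sys/firmware/efi/efivars (the usual
# location). The GUID is the UEFI global-variable GUID, not taken from the page.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print the one-byte value of a UEFI global variable.
# An efivarfs file holds 4 bytes of attributes followed by the variable data.
efivar_byte() {
    # $1 = efivars directory, $2 = variable name
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    # Need at least 5 bytes: 4 attribute bytes plus 1 data byte.
    [ "$(wc -c < "$f" | tr -d ' ')" -ge 5 ] || return 1
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# Print one of:
#   unsupported  legacy BIOS boot, or firmware without a SecureBoot variable
#   enabled      firmware is enforcing signatures at boot
#   setup-mode   not enforcing, and the firmware accepts new key enrollment
#   disabled     not enforcing, keys are installed
secure_boot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    [ -d "$dir" ] || { echo unsupported; return 0; }
    sb=$(efivar_byte "$dir" SecureBoot) || { echo unsupported; return 0; }
    setup=$(efivar_byte "$dir" SetupMode) || setup=0
    if [ "$sb" = 1 ]; then
        echo enabled
    elif [ "$setup" = 1 ]; then
        echo setup-mode
    else
        echo disabled
    fi
}

# Report on the running system, or on a directory given as the first argument.
secure_boot_state "$@"
```
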

So, is Microsoft or the OEMs going to block you from installing your own OS? I'm going to have to side with Garrett:

It's almost certainly the case that some systems will ship with the option of disabling this. Equally, it's almost certainly the case that some systems won't.

It's probably not worth panicking yet. But it is worth being concerned.

The biggest problem is uncertainty. For those who 'build-their-own' systems, I'm certain that motherboard makers will include a mechanism for disabling 'secure boot' or allowing you to add unsigned code to the whitelist, but when it comes to OEM PCs, you'll have to do your homework. See, I don't think that Microsoft is going to be the one who wants Linux (and other OSes) banished from systems; it's going to be OEMs (and it'll be done in the name of keeping users safe from themselves). Some systems might ship with all the information you need to do what you want with them; for other systems you might have to get in touch with tech support. But I'm certain that there will be some systems that, for one reason or another, will be unlockable.

Note: Don't think that OEMs would do their best to prevent you from installing another OS on your system? Look at how many OEMs lock the bootloader on Android handsets to prevent tinkering!

It'll be interesting to see if OEMs mark systems that can have alternative operating systems installed on them.

For all you Linux users out there (all 1% of you, according to market share data), there could be trouble ahead.

Talkback

76 comments
  • RE: Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCs

    Thank you for at least being less panic-y about the ordeal because we just don't know what will really be available. I think it is more likely that there will be ways to install unsigned code. You'll be plagued by warning notices that you are doing something scary and abnormal, but it will likely still be doable.
    grayknight
    • RE: Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCs

      @G Computer Network I dunno the people who make these things are a lazy lot - if this "get out of secure mode" isn't actually required they may well not bother to implement it.
      Jeremy-UK
  • RE: Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCs

    Considering that I use Fedora Linux-on-a-stick ... will this prevent me from booting to my USB tools since it doesn't involve the use of Grub? I want to be sure that I can still do Memtest and look for other hardware issues if I'm attempting to fix a malfunctioning computer.
    Vapur9
    • RE: Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCs

      @Vapur9 Whatever boot loader your flash drive install uses... yes, if it's not signed by Microsoft or the OEM.
      jgm@...
  • No need to panic

    In the end, there's always Virtualbox.

    They can't stop that.
    Michael Alan Goff
    • RE: Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCs

      @Michael Alan Goff

      Do you have to boot into Windows to get Virtualbox?



      :)
      none none
      • RE: Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCs

        @none none

        Well, yes, I do.

        Do you have a better, working, idea?
        Michael Alan Goff
      • RE: Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCs

        @none none

        Actually, I do. Simply boot Linux. This is a solution I predict will always be available.

        There is no reason to believe MS will force OEMs to block Linux from booting. Even if it thought it could get away with it.

        As for EFI, Linux bootloaders like elilo were booting Linux on EFI systems before Windows had the ability. They can't make the argument that Linux is not capable or that it's insecure.




        :)
        none none
      • RE: Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCs

        @none none

        I just know that at this point, my main method of completely installing Ubuntu would have to be Wubi, which for some reason is refusing to work for me. I'm in the process of saving for a better computer, but right now mine doesn't have USB ports.

        I can try to get a CD-RW, but I doubt I'd be able to. A lot of things have already been packed for the move.

        edit: As for single-booting Ubuntu, it isn't a possibility at this point. I could use LibreOffice to replace Office easily enough, but Visual Studio is just so.... nice.
        Michael Alan Goff
    • RE: Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCs

      @Michael Alan Goff Or a Mac... Linux works just fine on that.
      Jeremy-UK
      • RE: Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCs

        @Jeremy-UK

        I love running Ubuntu, just not enough to pay 1k for the privilege.
        Michael Alan Goff
    • RE: Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCs

      @Michael Alan Goff
      It'll be more interesting to check out how well Linux runs on Windows 8's built-in HyperV and how well its built-in functionality can be leveraged by Linux. (After all, MS has become one of the top contributors to the Linux code base to help ensure Linux will be able to run well on HyperV.)
      brendan@...
      • RE: Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCs

        @brendan@...

        I hadn't thought about that.

        I'll have to look into that solution.
        Michael Alan Goff
    • RE: Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCs

      @Michael Alan Goff They can stop VirtualBox if Microsoft decides to completely wall off its garden and not stop with Metro apps.
      jgm@...
    • RE: Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCs

      @Michael Alan Goff
      For those who do not need Windows, why should they be forced to pay the Windows Tax?
      ac1234555
  • RE: Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCs

    Cue the MS apologists to assure us this is in no way like the things Apple does to control users' use of their hardware that they love to bash.




    :)
    none none
    • RE: Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCs

      @none none Apple doesn't do this - they don't stop Linux from running and have actually HELPED users install Windows (Bootcamp).
      Jeremy-UK
      • RE: Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCs

        @Jeremy-UK
        Apple's decision to allow dual-booting to windows is a business decision. It's designed to draw in Windows users.
        Apple has a long history of playing nice when they have smaller market share and locking everyone else out when they have the dominant market share. Just look at what they've done with iTunes: every time someone gets iTunes working with Wine, Apple breaks it.
        mookiemu
    • RE: Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCs

      @none none

      This is nothing like what Apple does, it's actually worse if it turns out to be the case that this is completely true.

      Apple may smother the experience with mediocre drives, but at least they encourage you to dual-boot.
      Michael Alan Goff
  • RE: Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCs

    WUBI Plz???
    Imrhien