Microsoft explains Windows 8 boot to quell Linux fears

Microsoft explains Windows 8 boot to quell Linux fears

Summary: The company has given more details about the secure boot process in Windows 8, saying it is up to hardware makers to give people the option of choosing between operating system loaders


Microsoft has become locked in a dispute over whether the boot process in Windows 8 will block Linux from running on hardware designed for the next version of its flagship platform.

Windows 8 boot diagram

Windows 8 secure boot uses pre-OS boot checks, as well as third-party software checks, to ensure that users PCs remain healthy. Photo credit: Microsoft

Matthew Garrett, a power management and mobile Linux developer at Red Hat, raised questions in a blog post on Tuesday about dual-booting of Linux in Windows 8. He argued the use of Public Key Infrastructure (PKI)-based secure boot means either Windows 8 will be signed with a Microsoft key, with the public part of the key included on the system; or the hardware maker could use their own key and sign the pre-installed Windows.

"The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM [original equipment manufacturer] provided a new signed copy. The former seems more likely," Garrett said.

"A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux," he concluded.

Microsoft response

On Thursday, Tony Mangefeste, a member of the Windows Ecosystem team, responded to the suggestions in a blog post that detailed what the secure boot system means for running alternative operating systems.

Microsoft's move removes control from the end user and places it in the hands of Microsoft and the hardware vendors.

– Matthew Garrett

Unlike Windows 7, Windows 8 uses the Unified Extensible Firmware Interface (UEFI) secure boot protocol. This allows manufacturers to set up a security policy for the hardware that prevents people from running loaders for operating systems and software it does not recognise. Ultimately, the protocol is designed to make the computer safer from pre-OS boot attacks or malware. 

The approach being taken by Microsoft is to provide the "best experience" first, Mangefeste said, by setting things up initially so most people will be protected against boot-loader attacks. After that, people can change the setting, if hardware makers give them the choice.

"At the end of the day, the customer is in control of their PC... For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision," Mangefeste said.

Manufacturers have final decision

Secure boot is a UEFI protocol and not a Windows-specific feature, and hardware makers have the option of customising their firmware to specify the level of certificate and policy management, Mangefeste said. This means that the final decision will lie with them on whether to allow or disallow the disabling of secure boot.

"Secure boot doesn't 'lock out' operating system loaders, but is a policy that allows firmware to validate authenticity of components," Mangefeste said.

"Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows," he added.

However, in a subsequent blog post on Friday, Garrett claimed that Microsoft had not contradicted any of the points he had made, and that the situation he had described remained the same.

"Microsoft's rebuttal is entirely factually accurate. But it's also misleading," Garrett said. "The truth is that Microsoft's move removes control from the end user and places it in the hands of Microsoft and the hardware vendors. The truth is that it makes it more difficult to run anything other than Windows."

Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.

Topics: Windows, Operating Systems

Ben Woods

About Ben Woods

With several years' experience covering everything in the world of telecoms and mobility, Ben's your man if it involves a smartphone, tablet, laptop, or any other piece of tech small enough to carry around with you.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • It would be a matter of time before the programming community writes a piece of software to circumvent the UEFI Boot issue - allowing users for multiple OS boot options again.
    Developers and users in the IT sector would be most affected with the new Windows 8 Boot structure - most home/business users can barely use their machines with the software already installed in their machines, much less be concerned about multiple boot options. In fact, as long as it doesn't affect their ability to log into facebook or tweeter, they wouldn't even know what a Boot Policy is.
  • I'm not a fan of Linux(its not my cup of tea) but is this really needed ? seems like a wast of time and money!.
  • Tony Mangefeste? Great name!

    'The approach being taken by Microsoft is to provide the "best experience" first' - in that case, they wouldn't bother putting Windows on the PC in the first place! :)
  • This whole situation is complete rubbish, as usual. Microsoft's excuse of: "Ultimately, the protocol is designed to make the computer safer from pre-OS boot attacks or malware." doesn't cut it. When was the last time we've seen any sort of pre-OS boot attack? Most if not all of the malware is within Windows itself. However, with all this said, in the end I'm sure a workaround will be found so that dual booting will be possible with non-Microsoft operating systems. It's unfortunate that Microsoft has such a large hand in the market. It continues to allow them to make moves like this, that in my opinion hurt the consumers time and time again.

    And, Garrett's statement: "The truth is that Microsoft's move removes control from the end user and places it in the hands of Microsoft and the hardware vendors. The truth is that it makes it more difficult to run anything other than Windows." is spot on. UEFI gives Microsoft and the PC vendors more control over your PC, plain and simple.

    Every time I read articles with news like this, I am even happier that I've migrated away from Microsoft's garbage software. It makes GNU/Linux even more free (as in freedom) than ever.
  • "For the enthusiast who wants to run older operating systems" I find that insulting, some distibutions of linux are merely 1 month old - thus newer than windows 7.

    It also makes it sound like theres only a few of us, its widely used in business and theres millions of home users as well, we are certainly not a niche of "enthusiasts".

    Any vendor would be making a big commercial mistake if they dismiss linux users, and as recession bites, its something im confident vendors will realise.
  • For the records, boot-level malware does exist. The latest incarnation is called TDL-4:
  • Re: ApexWM
    "When was the last time we've seen any sort of pre-OS boot attack?"

    I seem to recall many years ago (about 10 possibly even 15 years ago??) there was viruses that used to re-write the boot information on a PC to infect it.

    Of course now the main way a virus intercepts a PC is installing itself into System Restore folder. Maybe Microsoft want to fix that major hole before trying to fix something else that isn't broken. System Restore is great for viruses 'cos when they install Windows kindly installs there files into System Restore, which is a place where no virus killer can touch any of the files - isn't that good!

    Most viruses now come from people who are using Windows, and not before boot up, this just seems to be Microsoft's way of locking the user to their software whether you want it or not.

    Plus this is going to put the user at a serious disadvantage if they Windows software is corrupted in anyway. You won't be able to get your data back if Windows gets itself in a state it can't boot, unlike at the present time you just boot off a Linux Live CD and copy the stuff over.
  • Right, well....

    For me, i bought windows 95, 98se, Millenium,

    i feel so burned by the whole sistuation of ms only creating a few good stable OS's

    XP and 7 that im no longer going to pay for windows. i think that this move is to stop boot loaders...

    which ulitmaly alow you to tirck windows in to thinking it is a legit "dell" or whichever brand...

    ahh well, like people say it will only be time before its worked around.
    kristian vanags
  • Why wait for someone to fix a work around.
    Just say...."WE DON'T WANT IT!"
    Tired of these jokers always waiting for someone else to fix their problems or work around a problem.. the word is PROBLEM! MICROSOFT! read it my friends
  • "For the enthusiast who wants to run older operating systems"

    How utterly patronising and elitist. Remember Betamax anyone? FAR superior to VHS ie Market Share or mainstream acceptance does NOT mean a better system.

    God Bless Linux and all who sail in her :)
  • No one has mentioned that Microsoft has, apparently, excluded all other OS providers from any discussions, development or negotiation with the computer industry, or indeed from any information at all. It would seem that this can only be construed one way, and I wasn't thinking of arrogant, although it is.

    Not just a security measure then, but also an attack on alternative OSs. It's also suggested that we will be stuck with the actual Windows version provided by the OEMs. Where does that leave Linux and other OSs and self build?

    As I understand, it's not only dual boot that might be a problem but any alternative OS (including alternative Microsoft products) to the installed OS. Nevertheless, common sense would dictate that there must be a way to turn off or work around the feature so that developers can develop.

    Even Mary Jo Foley is frustrated by the lack of information. It does make one wonder what game Microsoft is playing. Are they deliberately courting controversy or has the cat escaped from the bag prematurely and caught them unprepared. It's all very worrying since the anti-trust oversight is coming to an end.

    No word of an *independant* CA managing the scheme either.
    The Former Moley
  • This is all news to me - still trying to get and handle on my PC's hardware status with regard to perhaps being able to run Win 7.

    With McAfee and Microsoft Security slogging it out and leaving me with very little room to do anything on my Win XP machine, perhaps it's time to bale out and go the linux route instead.
    Strange indeed to be seeing Win 7 as the middle-man needing to be cut out !

    As it happens, I've got some downloaded Red Hat stuff, but it was downloaded long ago, the comments posted indicate I might be able to get linux installations that are newer than Windows 7. I suspect there's at least one linux distro that's likely to give me a less bumpy ride than the XP-to-Windows 7 transition is said to be: I have a seriously messed up and unremovable Microsoft Office 2010 installation on my machine and would need to start again from scratch to be able to use that software ever again. And now at least one sales site says you can't do a clean install of Windows 7, you can only run an update. I might try to do a complete rebuild of my XP installation - the bits that work, that is.

    If that failed and I had to revert to the backup of my present installation, supposing the full restore worked, it would mean that even if I did subsequently buy into Windows 7, I would have a PC with zero Microsoft Office capability forever. In some eyes devoutly to be wished !

    I'm getting quite fond of Wordpad !

    Open Office Writer has fuller functions, including *some* good typography and picture handling, but it's sooo much slower getting going, and in comparison with MS Word is really quirky over visual elements pasted in from web sites, because it *always* tries to save the web addresses of ".gif" files instead of the images. Anyone know how to stop it doing this ?

    I suspect it would (actually really should !) also behave like this if I were to try running under a linux distro.

    And where's the Open Office DTP we've all been promised ?
  • Moley: "*independant* CA managing the scheme " ?? Because Bill Gates appears to think he invented the PC, the company he created equally seems to think it can do whatever it likes with the PC and **** to the lot of us.
  • "And now at least one sales site says you can't do a clean install of Windows 7, you can only run an update."
    Not quite sure what that means.
    You can certainly install the full retail version of Windows 7 on a freshly formatted hard drive (I installed it on a new PC with no OS installed). This may help:
  • best comment of the year---
    'The approach being taken by Microsoft is to provide the "best experience" first' - in that case, they wouldn't bother putting Windows on the PC in the first place! :)
  • another example of commercial bullying..what happened to freedom of choice ..wont this just open up the "window" for rival os's to pave the way remember apple taking on board the Intel chips so users could embrace windows ...looks like Microsoft are taking their ball home
    Buy a mac, simples....
    then boot from a separate drive with linux on
    and wait for Microsoft to plead for it customers back
    :) job done
  • if this was a new apple OS, noone would be batting an eyelid.
  • @Mark Chapman
    > if this was a new apple OS, noone would be batting an eyelid.

    If this were a new Apple OS then we would be talking *exclusively* about Macs, and not every other piece of desktop or notebook hardware on the market.
  • What people dont realize is that if there are
    programs Windows does not wont you to use.
    you will be block’t from using it!
    you will only be able to use programs Windows lets you.
    Linux operating systems are use’d as much as Windows.
    I use Ubuntu. it is very easy to use Now.
    it can use most of the windows programs.
    and it is Free. and unlike windows,
    that is made for them to spy on you.
    which is why it is easy for spy and virus programs to get to it.
    Linux is hardly effected by spy and virus programs.
    you can try Ubuntu from a CD disk at boot up.
    it boot from the CD and you dont new to install any thing.
    so if you dont like it. just take out the CD
    and restart your PC and nothing is change.
    if you like it just install it with windows.
    or make a fresh install.
    • Microsoft Asus and HP appear to be in Collusion in Anti-Trust against Linux

      To purposefully block users from other Operating Systems by Microsoft controlling access to the computers firmware, would be a "colluded Monopoly", which would be a violation of the US Antitrust laws for both Microsoft and the vendors who sell computers. Asus and HP are currently standing together with Microsoft in what appears to be a colluded effort to limit users from installing anything other than MS Windows 8 as an Operating System, on the computer systems they sell to the public.

      "Preventing collusion and cartels that act in restraint of trade is an essential task of antitrust law. It reflects the view that each business has a duty to act independently on the market, and so earn its profits solely by providing better priced and quality products than its competitors. The Sherman Act §1 prohibits "[e]very contract, combination in the form of trust or otherwise, or conspiracy, in restraint of trade or commerce."[5] This targets two or more distinct enterprises acting together in a way that harms third parties. It does not capture the decisions of a single enterprise, or a single economic entity, even though the form of an entity may be two or more separate legal persons or companies."