Microsoft: Don't blame us if Windows 8's secure boot requirement blocks Linux dual-boot

Microsoft officials provided more information on plans for UEFI secure boot support in Windows 8 in response to fears by some users that they may be blocked from dual-booting Linux on Windows 8 machines.
Written by Mary Jo Foley, Senior Contributing Editor

Microsoft officials have indirectly attempted to address concerns that surfaced earlier this week that Windows 8's secure boot implementation might end up blocking users who want to dual-boot Linux on Windows 8 PCs. The Microsoft response -- a September 22 blog post on the Building Windows 8 blog -- doesn't ever mention the word "Linux." Instead, the post adds more information on Windows 8's support for the Unfied Extensible Firmware Interface (UEFI) and the secure boot protocol that is part of it.

"For the enthusiast who wants to run older operating systems, the option (disabling secure boot) is there to allow you to make that decision," said the Microsoft blog post. (The statement didn't specify whether this is a reference to older versions of Windows only or if it also applies to Linux and other operating systems.)

In the comments section of the post, Windows President Steven Sinofsky got a little closer to directly addressing the issue, noting "How secure boot works with any other operating systems is obviously a question for those OS products :-)."

In the September 22, Microsoft officials noted that:

  • UEFI allows firmware to implement a security policy
  • Secure boot is a UEFI protocol not a Windows 8 feature
  • UEFI secure boot is part of Windows 8 secured boot architecture
  • Windows 8 utilizes secure boot to ensure that the pre-OS environment is secure
  • Secure boot doesn’t “lock out” operating system loaders, but is is a policy that allows firmware to validate authenticity of components
  • OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform
  • Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows

"Microsoft supports OEMs having the flexibility to decide who manages security certificates and how to allow customers to import and manage those certificates, and manage secure boot. We believe it is important to support this flexibility to the OEMs and to allow our customers to decide how they want to manage their systems," according to the post.

Microsoft officials told attendees of the recent Build developers conference that Windows 8 clients must be certified in UEFI mode, and that support for secure boot is a Windows 8 certification requirement. But even though Microsoft is requiring OEMs to support secure boot in UEFI as part of its certification requirements, "OEMs are free to choose how to enable this support," the new post said.

In other words, with Windows 8 certified systems secure boot support has to be there, but OEMs can decide whether or not they want to allow customers to be able to turn it off and how they handle the signature process for supported operating system versions. In the September 22 post, officials said that Microsoft designed the Windows 8 firmware to allow customers to disable secure boot in the Windows 8 Developer Preview release if they so choose.

By mandating UEFI secure boot support as a Windows 8 requirement, Microsoft is attempting to better secure Windows machines, which is a good thing, obviously. Some have suggested those wanting dual-boot simply run Linux in a VM on Windows 8. But, as the relatively small contingent of users who want to dual-boot Linux note, if the requirement results in users who pay for Windows machines being unable to use them in the way they want, is this fair -- or even legal?  Thoughts, readers?

Update (September 26): Red Hat employee Matthew Garrett -- whose post last week kicked off the whole Windows 8 UEFI controversy, has posted a two-part response to Microsoft's latest post on this topic. It ends with:

"Microsoft's rebuttal is entirely factually accurate. But it's also misleading. The truth is that Microsoft's move removes control from the end user and places it in the hands of Microsoft and the hardware vendors. The truth is that it makes it more difficult to run anything other than Windows. The truth is that UEFI secure boot is a valuable and worthwhile feature that Microsoft are misusing to gain tighter control over the market. And the truth is that Microsoft haven't even attempted to argue otherwise."

Update No. 2: It looks like some Australian Linux users are agitating for possible antitrust-focused legal actions over the coming UEFI secure boot changes.

Editorial standards