Microsoft explains Windows 8 boot to quell Linux fears

The company has given more details about the secure boot process in Windows 8, saying it is up to hardware makers to give people the option of choosing between operating system loaders.

Microsoft has become locked in a dispute over whether the boot process in Windows 8 will block Linux from running on hardware designed for the next version of its flagship platform.

Windows 8 secure boot uses pre-OS boot checks, as well as third-party software checks, to ensure that users' PCs remain healthy. Photo credit: Microsoft

Matthew Garrett, a power management and mobile Linux developer at Red Hat, raised questions in a blog post on Tuesday about dual-booting of Linux in Windows 8. He argued the use of Public Key Infrastructure (PKI)-based secure boot means either Windows 8 will be signed with a Microsoft key, with the public part of the key included on the system; or the hardware maker could use their own key and sign the pre-installed Windows.

"The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM [original equipment manufacturer] provided a new signed copy. The former seems more likely," Garrett said.

"A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux," he concluded.

Microsoft response

On Thursday, Tony Mangefeste, a member of the Windows Ecosystem team, responded to the suggestions in a blog post that detailed what the secure boot system means for running alternative operating systems.

Unlike Windows 7, Windows 8 uses the Unified Extensible Firmware Interface (UEFI) secure boot protocol. This allows manufacturers to set up a security policy for the hardware that prevents people from running loaders for operating systems and software it does not recognise. Ultimately, the protocol is designed to make the computer safer from pre-OS boot attacks or malware. 

The approach being taken by Microsoft is to provide the "best experience" first, Mangefeste said, by setting things up initially so most people will be protected against boot-loader attacks. After that, people can change the setting, if hardware makers give them the choice.

"At the end of the day, the customer is in control of their PC... For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision," Mangefeste said.

Manufacturers have final decision

Secure boot is a UEFI protocol and not a Windows-specific feature, and hardware makers have the option of customising their firmware to specify the level of certificate and policy management, Mangefeste said. This means that the final decision will lie with them on whether to allow or disallow the disabling of secure boot.

"Secure boot doesn't 'lock out' operating system loaders, but is a policy that allows firmware to validate authenticity of components," Mangefeste said.

"Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows," he added.

However, in a subsequent blog post on Friday, Garrett claimed that Microsoft had not contradicted any of the points he had made, and that the situation he had described remained the same.

"Microsoft's rebuttal is entirely factually accurate. But it's also misleading," Garrett said. "The truth is that Microsoft's move removes control from the end user and places it in the hands of Microsoft and the hardware vendors. The truth is that it makes it more difficult to run anything other than Windows."
