Microsoft isn't the enemy when it comes to blocking Linux on Windows 8 PCs

... it's the OEMs you have to watch out for.
Written by Adrian Kingsley-Hughes, Senior Contributing Editor

The Free Software Foundation seems to have caused a bit of a stir the other day by calling on PC users to stand up for their freedom to install free software onto their systems and demand that OEMs be responsible in how they use the UEFI 'secure boot' feature on Windows 8 PCs.

Note: For background on UEFI and 'secure boot' check out some of my previous posts on the matter:

Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCsMicrosoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCsWindows 8 certification will make it 'difficult or impossible' to install Linux on PCs

This call to action seems to have created a rift here on ZDNet. In the 'Open Source' corner is Steven J. Vaughan-Nichols, who calls UEFI a 'cage' and urges everyone to sign the FSF's petition so that 'your PC remains in your hands and not Microsoft's'. In the 'Windows' corner is Ed Bott, who wonders who 'Linux fanatics' want to make 'Windows 8 less secure'.

Can't we all just get along? No ... oh well, it was worth a try.

Note: It's worth pointing out that 'secure boot' wouldn't just prevent PC owners from installing Linux on their system, but it would also block the installation of older versions of Windows too.

See, the problem here is that in order to see the real issue, you have to look beyond party lines. If you see this issue as a 'Windows vs. Linux' or 'Windows vs. Open Source' issue, then you FAIL, and you FAIL hard. Why? Because the 'enemy' (and I use that word loosely) here isn't Microsoft or Linux or even 'secure boot' - it's the PC OEMs who will be responsible for building the Windows 8 PCs.

It is true that Microsoft is making 'secure boot' a mandatory part of the Windows 8 logo certification program, which means that if any OEM wants to slap that Windows 8 logo on the PCs they're shoveling out of the door, those systems are going to have 'secure boot' enabled. And no big-box OEM is going to sell uncertified PCs because that would put them at an enormous disadvantage from a marketing point of view.

So 'secure boot' is coming.

But what's important to note here is that Microsoft making 'secure boot' mandatory isn't part of some grand plan at world domination. 'Secure boot' is a good thing because it will be a valuable line of defense against rootkit malware infection. Rootkits are nasty are damn hard to remove, so anything that blocks them from being installed is a good thing. Bott is right, 'secure boot' will make Windows 8 more secure.

But ...

Next -->

(Image creditSilly Little Man)

The problem is that Microsoft is putting the decision as to whether 'secure boot' can be disabled in the hands of the OEMs (even UEFI firmware makers won't get a say in this). While a Windows 8 certified PC must have the 'secure boot' enabled, there's no requirement that OEMs fit a kill-switch.

And there's the root of the problem.

OEMs are in a race-to-the-bottom to build the cheapest PC possible at a specific price point, and that often means cutting corners and features. One feature that could get the chop (both for cost reasons and to keep users safe from themselves) is a kill-switch for 'secure boot'. Bott actually backs up this point, albeit inadvertently, with the following statement:

PC profit margins are razor thin. A single 10-minute support call can eat through the entire profit that an OEM makes on a computer sold in the retail channel. If the call goes on for long enough, it gobbles up the profit for 10 PCs.

Do OEMs really want users having the ability to disable 'secure boot'? How long is a support call related to a rootkit infection going to take? What's more likely - calls from people who have hosed their systems after goofing around with UEFI settings, or calls from people wanting to install Linux on their new PC?

Think OEMs wouldn't cut out a feature out of a system for no reason? Ponder on this example for a moment. I've come across numerous PC systems from a number of different OEMs where the CPU supported hardware virtualization but for some inexplicable reason it was hard disabled in the BIOS with no mechanism to switch it on. Unlike Bott, who says that OEMs 'would be insane not to' make fit a 'secure boot' kill-switch, I never assume that OEMs won't do stupid, bone-headed things because I've seen them do plenty of stupid, bone-headed things in the past.

This is why Vaughn-Nichols is also right. We do need to sign the FSF petition to make sure that OEMs use 'secure boot' responsibly on Windows 8 systems. There's no technical reason for them not to (the Windows 8 tablets handed out to //BUILD/ participants had an option to disable the feature), but since we can't just assume that the OEMs will always do the right thing, we need to put pressure on them to do the right thing and make sure that a 'secure boot' kill-switch is present in the UEFI firmware of all systems they ship.

So, Vaughn-Nichols and Bott are both right - That's not the sort of thing that happens every day.

Note: Alternatively, build you own system. Any UEFI motherboard that you buy will have a 'secure boot' option that can be toggled.

(Image credit: L. Marie)

<< Home >>

Editorial standards