Microsoft and its vendor friends said that there's no Windows 8 plot to lock other operating systems out of Windows 8 devices, but now we know Microsoft was not telling the whole truth.
Journalist Glyn Moody dug around Microsoft's Windows Hardware Certification Requirements for Windows 8 client and server systems and found on page 116 that while Windows 8 Secure Boot can be disabled on Intel systems, "Disabling Secure [Boot] must not be possible on ARM systems."
What does that mean? According to Aaron Williamson, a lawyer with the Software Freedom Law Center, an organization that provides pro-bono legal services to developers of Free and open-source software, Microsoft has wasted no time in effectively banning most alternative operating systems on ARM-based devices that ship with Windows 8.
Microsoft will be doing this by using the Unified Extensible Firmware Interface (UEFI) to block all other operating systems from Windows 8 systems. UEFI is the 21st century's replacement for the BIOS on PCs and other devices. It's used to set up your computer and make it ready to boot.
Williamson explains, "The Certification Requirements define ... a 'custom' secure boot mode, in which a physically present user can add signatures for alternative operating systems to the system's signature database, allowing the system to boot those operating systems. But for ARM devices, Custom Mode is prohibited: 'On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enable.' [sic] Nor will users have the choice to simply disable secure boot, as they will on non-ARM systems: 'Disabling Secure [Boot] MUST NOT be possible on ARM systems.' [sic] Between these two requirements, any ARM device that ships with Windows 8 will never run another operating system, unless it is signed with a preloaded key or a security exploit is found that enables users to circumvent secure boot."
In short, Microsoft insists that any Windows 8 ARM-powered device cannot be rebooted or rooted with the user's choice of operating system. And you thought rooting some Android phones was troublesome!
Williamson went on to say, "While UEFI secure boot is ostensibly about protecting user security, these non-standard restrictions have nothing to do with security. For non-ARM systems, Microsoft requires that Custom Mode be enabled, a perverse demand if Custom Mode is a security threat. But the ARM market is different for Microsoft in three important respects:"
Microsoft's hardware partners are different for ARM. ARM is of interest to Microsoft primarily for one reason: all of the handsets running the Windows Phone operating system are ARM-based. By contrast, Intel rules the PC world. There, Microsoft's secure boot requirements, which allow users to add signatures in Custom Mode or disable secure boot entirely, track very closely to the recommendations of the UEFI Forum, of which Intel is a founding member.
Microsoft doesn't need to support legacy Windows versions on ARM. If Microsoft locked unsigned operating systems out of new PCs, it would risk angering its own customers who prefer Windows XP or Windows 7 (or, hypothetically, Vista). With no legacy versions to support on ARM, Microsoft is eager to lock users out.
Microsoft doesn't control sufficient market share on mobile devices to raise antitrust concerns. While Microsoft doesn't command quite the monopoly on PCs that it did in 1998, when it was prosecuted for antitrust violations, it still controls around 90% of the PC operating system market, enough to be concerned that banning non-Windows operating systems from Windows 8 PCs will bring regulators knocking. Its tiny stake in the mobile market may not be a business strategy, but for now it may provide a buffer for its anticompetitive behavior there.
It doesn't have to be this way. As Williamson points out, UEFI's secure boot isn't meant to be used to block users' choice. In addition, the Linux Foundation has explained in detail how UEFI secure boot could be implemented by Microsoft so that freedom of choice would be preserved.
Microsoft isn't listening. The Linux Foundation made its proposal in October; Microsoft published its document in December. As Williamson said, "It is clear now that opportunism, not philosophy, is guiding Microsoft's secure boot policy."
Don't think this is about smartphones and thus, given Microsoft's tiny share of the smartphone market, of no real importance. Williamson concluded, "Before this week, this policy might have concerned only Windows Phone customers. But just yesterday, Qualcomm announced plans to produce Windows 8 tablets and ultrabook-style laptops built around its ARM-based Snapdragon processors. Unless Microsoft changes its policy, these may be the first PCs ever produced that can never run anything but Windows, no matter how Qualcomm feels about limiting its customers' choices. SFLC predicted in our comments to the Copyright Office that misuse of UEFI secure boot would bring such restrictions, already common on smartphones, to PCs. Between Microsoft's new ARM secure boot policy and Qualcomm's announcement, this worst-case scenario is beginning to look inevitable."
That's the one point I disagree with Williamson on. This isn't the worst case. The worst case is that Microsoft decides, "What the heck," and introduces lock-out-style UEFI secure booting on Intel PCs. While that would be flirting with fire from antitrust action, I wouldn't put it past them.
Prison Cell image by Tim Pearce, Los Gatos, CC 2.0.