Thanks to Mary Jo Foley, we now know that in the name of "security," Microsoft will be trying to use UEFI (Unified Extensible Firmware Interface) to block Linux, older versions of Windows, and other alternative operating systems from booting on Windows 8 PCs. Thanks Microsoft we appreciate it.
In a new Microsoft blog, Building Windows 8, by Steven Sinofsky, Microsoft's president of the Windows division, Linux isn't mentioned, and he tries to place the blame on the UEFI security protocol. Behind all his dodging, the facts are that Microsoft UEFI secure boot is requirement for Windows 8 certification and that, while "OEMs [original equipment manufacturers) are free to choose how to enable this support," they still have to have it. In turn, that will make it harder for OEMs to support alternative operating systems and, if the OEM does bow down to Microsoft's demands, it will make it almost impossible for end-users to run Linux, older versions of Windows, or other alternative operating systems on Windows 8 certified PCs.
In short, if Microsoft has its way, all Windows 8 PCs will be even more locked into their pre-installed operating systems than Macs are into Mac OS X. Indeed, a better comparison would be how phone companies lock you into their smartphone operating systems. Just like them the Windows 8 PC you buy in 2013 will be permanently locked into Windows 8. And, like smartphones, only expert firmware hackers will be able to switch out operating systems or even enable dual-booting operating systems.
This isn't the first time Microsoft has tried to lock out competitors from Windows PCs. In the early 2000s, Microsoft tried to combine Windows and the BIOS with a Digital Right Management (DRM) scheme called Next Generation Secure Computing Base (NGSCB), AKA Palladium. At the time, the point wasn't so much as to block operating systems as it was to build DRM into PCs so you couldn't play any music or video content unless you had a license for it. That effort failed.
That isn't stopping Microsoft from once more trying to stop you from using your computer the way you want to use it though.
Matthew Garrett, the Red Hat engineer who first spotted Microsoft's new sneak attack on alternative operating systems, has taken a new look at Microsoft's latest announcements and Garrett and Red Hat after "discussing the problem with other Linux vendors, hardware vendors and BIOS vendors [to make] sure that we understood the ramifications of the policy in order to avoid saying anything that wasn't backed up by facts. These are the facts:"
- Windows 8 certification requires that hardware ship with UEFI secure boot enabled.
- Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option.
- Windows 8 certification does not require that the system ship with any keys other than Microsoft's.
- A system that ships with UEFI secure boot enabled and only includes Microsoft's signing keys will only securely boot Microsoft operating systems.
Garrett explains that this is a problem "Because there's no central certification authority for UEFI signing keys. Microsoft can require that hardware vendors include their keys. Their competition can't. A system that ships with Microsoft's signing keys and no others will be unable to perform secure boot of any operating system other than Microsoft's. No other vendor has the same position of power over the hardware vendors. Red Hat is unable to ensure that every OEM carries their signing key. Nor is Canonical. Nor is Nvidia, or AMD or any other PC component manufacturer. Microsoft's influence here is greater than even Intel's."
Indeed Microsoft still owns the desktop market. Macs still have less than 5% of the world desktop market according to Gartner and the Linux desktop has proven to be a non-starter, PC vendors will have little choice but to kowtow to Microsoft's Windows 8 demands.
"What does this mean for the end user?" continued Garrett. "Microsoft claims that the customer is in control of their PC. That's true, if by 'customer' they mean 'hardware manufacturer.' The end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality. The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognize their hard drive in the firmware. The end user is no longer in control of their PC."
Garrett concluded, "So, the truth is that Microsoft's move removes control from the end user and places it in the hands of Microsoft and the hardware vendors. The truth is that it makes it more difficult to run anything other than Windows. The truth is that UEFI secure boot is a valuable and worthwhile feature that Microsoft [is] misusing to gain tighter control over the market. And the truth is that Microsoft [hasn't] even attempted to argue otherwise."
Garrett is, understandably, most concerned about how this will effect desktop Linux. I wonder though if what Microsoft really wants is to avoid a repeat of the Vista fiasco by making sure OEMs and end-users can't go back to Windows 7 or XP. As Windows 7's slow adoption and Vista's flop has shown, users really haven't been that interested in moving off Windows XP. Since Windows 8's Metro interface adds an entirely new level of complications for both independent software vendors (ISV)s and end-users, I can see why Sinofsky would want to force Windows 8 down the throats of Windows users "for their own good."
So what does it all boil down to? As it stands now Microsoft is saying OEMs don't have to do it. They just have to do it if they want to sell PCs with Windows on them. Paging the anti-trust lawyers, I think Microsoft's latest attempt to abuse their PC monopoly power bears investigation. Welcome back Evil Empire, I knew you couldn't really be that far away.