If this wasn't so sad, it would be funny. After Microsoft recently declared victory over Linux, it turns out that Microsoft appears is still trying to arrange it so that Linux won't even boot on the next generation of PCs that come with Windows 8. Yeah, Linux isn't on your enemy list anymore right Microsoft? Sure.
Matthew Garrett, a Red Hat engineer, gets the credit for spotting Microsoft's latest anti-Linux move. In a blog posting, Garrett explains that Windows 8 logo guidelines require that systems have Unified Extensible Firmware Interface (UEFI) secure boot enabled. This, in turn, would block Linux, or any other operating system, from booting on it.
There's nothing in UEFI that's wrong. Indeed there's a lot of good in UEFI. It's a 21st century replacement for your PC's basic input/output system (BIOS). Its job is to initialize your hardware and then hand over control over to the operating system.
UEFI secure boot protocol is part of recent UEFI specification releases. It permits one or more signing keys to be installed into a system firmware. Once enabled, secure boot prevents executables or drivers from being loaded unless they're signed by one of these keys. Another set of keys (Pkek) permits communication between an OS and the firmware. An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist. Alternatively, it may add keys to a blacklist. Binaries signed with a blacklisted key will not load.
There is no centralized signing authority for these UEFI keys. If a vendor key is installed on a machine, the only way to get code signed with that key is to get the vendor to perform the signing. A machine may have several keys installed, but if you are unable to get any of them to sign your binary then it won't be installable.
This impacts both software and hardware vendors. An OS vendor cannot boot their software on a system unless it's signed with a key that's included in the system firmware. A hardware vendor cannot run their hardware inside the EFI environment unless their drivers are signed with a key that's included in the system firmware. If you install a new graphics card that either has unsigned drivers, or drivers that are signed with a key that's not in your system firmware, you'll get no graphics support in the firmware.
Microsoft requires (PowerPoint Link) that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.
To sum up: "a system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux."