Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCs

Microsoft's demand that 'secure boot' is enabled on Windows 8 PCs means that you might not be able to install Linux.
Written by Adrian Kingsley-Hughes, Contributing Writer

An interesting story doing the rounds that, at first glance, looks like FUD, but it's not. Microsoft could indeed use the fact that Windows 8-compliant PCs must replace the BIOS with the more modern UEFI, and this could be used to lock Linux (and even previous versions of Windows) out from new PCs.

Note: This also applies equally to tablets running Windows 8 as well as PCs.

Sebastian Anthony over on ExtremeTech writes:

Dubbed "secure boot," UEFI has the capability to prevent any unsigned executables or drivers from being loaded. In other words, a Windows 8 PC could be set up so that it only boot from files that have been signed by Microsoft or an OEM vendor; and obviously, an open-source, build-it-yourself Linux boot loader isn't going to be signed by Microsoft. The way this works is that every UEFI firmware chip is pre-loaded with a secure key. If the OS knows this key, it can add and remove drivers and executables from a whitelist (or blacklist, in the case of known-bad drivers or malware); obviously this is good (or at least interesting) from a security standpoint.

Will Microsoft demand that 'secure boot' is enabled on Windows 8 PCs? You bet! Red Hat developer Matthew Garrett tells it like it is:

Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled.

Why would Microsoft do such a thing? Put simply - security. Having 'secure boot' enabled will prevent unsigned code from running at boot up. Good for preventing malware and rootkits at startup, not so good if you're trying to install unsigned code.

Systems can be shipped with multiple keys to run code signed from multiple sources. There's also a whitelist and blacklist mechanism for controlling what gets to run and what doesn't. Along with a Microsoft key a system could have installed one or more OEM keys installed for any stuff that the OEMs wants you to have running (please, not crapware!). However, this won't help you when it comes to installing your own stuff.

Garrett gives us the worst-case scenario:

A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux.

To be able to install something like Linux then one of two things have to happen:

  • You'll need to be able to disable 'secure boot' - which could or could not be allowed by the OEMs
  • You'd need a signed boot loader for Linux and have that key that it is signed with shipped on the system ... which is unlikely to happen

So, is Microsoft or the OEMs going to block you from installing your own OS? I'm going to have to side with Garrett:

It's almost certainly the case that some systems will ship with the option of disabling this. Equally, it's almost certainly the case that some systems won't.

It's probably not worth panicking yet. But it is worth being concerned.

The biggest problem is uncertainty. For those who 'build-their-own' systems, I'm certain that motherboard makers will include a mechanism for disabling 'secure boot' or allowing you to add unsigned code to the whitelist, but when it comes to OEM PCs, you'll have to do your homework. See, I don't think that Microsoft is going to be the one who wants Linux (and other OSes) banished from systems, it's going to be OEMs (and it'll be done in the name of keeping users safe from themselves). Some systems might ship with all the information you need to do what you want with it, for other systems you might have to get in touch with tech support, but I'm certain that there will be some systems that, for one reason or another, will be unlockable.

Note: Don't think that OEMs would do their best to prevent you from installing another OS on your system? Look at how many OEMs lock the bootloader on Android handsets to prevent tinkering!

It'll be interesting to see if OEMs mark systems that can have alternative operating systems installed on them.

For all you Linux users out there (all 1% of you, according to market share data), there could be trouble ahead.

More coverage:

Editorial standards