Home Microsoft Defends Windows 8 Secure Boot Without Mentioning the L-Word

Microsoft Defends Windows 8 Secure Boot Without Mentioning the L-Word

Microsoft has moved to allay fears that Windows 8-certified PCs might prevent users from booting into Linux. Without mentioning the open source operating system by name, the company suggests end users will be able to disable the required “secure boot” aspect of the Unified Extensible Firmware Interface (UEFI) if they really want to.
Microsoft cheered Windows users earlier this month when it demonstrated the upcoming Windows 8 operating system booting in eight seconds. Part of the technology behind the fast boots, however, could enable Microsoft and its PC vendor partners to block users from loading Linux on a Windows 8 PC, Matthew Garrett, a mobile Linux developer at Red Hat, wrote in a Sept. 20 blog post.

When secure boot is turned on, UEFI will only launch verified boot loaders

To gain Windows 8 certification, PCs will be required to use the Unified Extensible Firmware Interface (UEFI) in revision 2.3.1 or later. This firmware includes a secure boot mode, intended to block malware such as rootkit infections. When this mode is turned on, the only boot loaders that will run are those whose signatures match those stored in a database within the firmware, according to Microsoft.
Garrett charged that this mechanism could not only keep users from installing alternative operating systems such as Linux, but also prevent them from using hardware — a new graphics card, for example — that didn’t come with appropriately signed drivers. He further complained that there is no central signing authority for the keys employed in UEFI secure boot, effectively giving each PC vendor control over what software its products can load.
In a Sept. 22 posting on the Building Windows blog, Microsoft Program Manager Tony Mangefeste responded. He writes, “At the end of the day, the customer is in control of their PC. The security that UEFI has to offer with secure boot means that most customers will have their systems protected against boot loader attacks. For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision.”
MicrosoftBiosvsuefi-Sm-MeeGoExperts-1
The Windows 8 tablet given to BUILD attendees lets secure boot be turned off

Mangefeste pointed out that the Samsung tablet presented to developers at the recent BUILD conference included Microsoft-designed firmware (above) allowing secure boot to be disabled. “Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows,” he added.
In his posting, however, Mangafeste appears to admit that a given OEM could make secure boot non-defeatable if it really wanted to. He also defends the lack of a central signing authority, as follows:
Microsoft supports OEMs having the flexibility to decide who manages security certificates and how to allow customers to import and manage those certificates, and manage secure boot. We believe it is important to support this flexibility to the OEMs and to allow our customers to decide how they want to manage their systems.
“A growing trend in the evolution of malware exploits is targeting the boot path as a a preferred attack vector. This class of attack has been difficult to guard against, since antimalware products can be disabled by malicious software that prevents them from loading entirely,” Mangafeste adds.
“There’s no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code,” Red Hat’s Garrett admitted in his Sept. 20 blog posting. But, he added, “experience indicates that many firmware vendors and OEMs are interested in providing only the minimum of firmware functionality required for their market. It’s almost certainly the case that some systems will ship with the option of disabling this.”
Faced with a lock-out, Linux distributions could possibly work around the problem by providing signed versions of Linux. Due to Grub licensing issues, this would require a non-GPL boot loader, Garrett explained.
Complicating the issue further are future plans for the Linux kernel to be further integrated with the boot loader. In this case, any such workaround would also require that the kernel be signed as well, he added.
Steve Sinofsky, president of Microsoft’s Windows and Windows Live division, added the following comment to Mangafeste’s blog posting, again avoiding the dreaded L-word: “How secure boot works with any other operating systems is obviously a question for those OS products We focus our boot loader on Windows and there are a number of alternatives for people who wish to have other sets of functionality.”
Leaving the MS-DOS era behind
In a Sept. 20 blog posting of her own on the Building Windows 8 blog, Microsoft Program Manager Billie Sue Chafins didn’t address the concerns of Linux developers directly. But she did confirm that Windows 8 will “continue to support the legacy BIOS interface,” and will also allow users to boot into other operating systems installed on a single machine (as pictured below).
MicrosoftBiosvsuefi-Sm-MeeGoExperts-3
UEFI will let Windows 8-equipped machines boot into Windows 7 (and maybe even Linux!)

Mentioning secure boot capabilities in passing, Chafins said UEFI is also preferable because it allows systems to “render rich graphical experiences in native resolution via the Graphic Output Protocol (GOP) driver.” Instead of old-fashioned menus that look like they are from the MS-DOS era, therefore, users can configure their systems using a user interface (below) that’s mouseable or touchable.
MicrosoftBiosvsuefi-Sm-MeeGoExperts-2
UEFI will also let Windows 8 computers be configured via a GUI

According to Chafins, Windows 8 will even make a soft keyboard available from the command prompt in Windows RE (Windows Recovery Environment) mode. Thanks to this, it will be possible to perform field repairs of devices that have no keyboard, she notes.



MicrosoftBiosvsuefi-Sm-MeeGoExperts-4
Windows 8 users can access a soft keyboard in recovery mode
 
 
Source linux Devices.Com

About ReadWrite’s Editorial Process

The ReadWrite Editorial policy involves closely monitoring the tech industry for major developments, new product launches, AI breakthroughs, video game releases and other newsworthy events. Editors assign relevant stories to staff writers or freelance contributors with expertise in each particular topic area. Before publication, articles go through a rigorous round of editing for accuracy, clarity, and to ensure adherence to ReadWrite's style guidelines.

Get the biggest tech headlines of the day delivered to your inbox

    By signing up, you agree to our Terms and Privacy Policy. Unsubscribe anytime.

    Tech News

    Explore the latest in tech with our Tech News. We cut through the noise for concise, relevant updates, keeping you informed about the rapidly evolving tech landscape with curated content that separates signal from noise.

    In-Depth Tech Stories

    Explore tech impact in In-Depth Stories. Narrative data journalism offers comprehensive analyses, revealing stories behind data. Understand industry trends for a deeper perspective on tech's intricate relationships with society.

    Expert Reviews

    Empower decisions with Expert Reviews, merging industry expertise and insightful analysis. Delve into tech intricacies, get the best deals, and stay ahead with our trustworthy guide to navigating the ever-changing tech market.