Microflaccid, Go Cheney Yourself


Click Image for Larger Popup

In Windows 8, Microsoft implemented UEFI secure boot, which was nominally a system to prevent malicious software from loading a low level, but also has the effect of making it very difficult alternate operating systems.
With Win 8, Microsoft required that the hardware vendors include an option to disable the secure mode, though it was buried in the “BIOS”* setup screen.

It appears that Microsoft will no longer require a switch to disable the lockdown, which means that it could lock out many alternate operating systems:

Those of you with long memories will recall a barrage of complaints in the run up to Windows 8’s launch that concerned the ability to install other operating systems—whether they be older versions of Windows, or alternatives such as Linux or FreeBSD—on hardware that sported a “Designed for Windows 8” logo.

To get that logo, hardware manufacturers had to fulfil a range of requirements for the systems they built, and one of those requirements had people worried. Windows 8 required machines to support a feature called UEFI Secure Boot. Secure Boot protects against malware that interferes with the boot process in order to inject itself into the operating system at a low level. When Secure Boot is enabled, the core components used to boot the machine must have correct cryptographic signatures, and the UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system won’t boot.

This is a desirable security feature, but it has an issue for alternative operating systems: if, for example, you prefer to compile your own operating system, your boot files won’t include a signature that Secure Boot will recognize and authorize, and so you won’t be able to boot your PC.

However, Microsoft’s rules for the Designed for Windows 8 logo included a solution to the problem they would cause: Microsoft also mandated that every system must have a user-accessible switch to turn Secure Boot off, thereby ensuring that computers would be compatible with other operating systems. Microsoft’s rules also required that users be able to add their own signatures and cryptographic certificates to the firmware, so that they could still have the protection that Secure Boot provides, while still having the freedom to compile their own software.

This all seemed to work, and the concerns that Linux and other operating systems would be locked out proved unfounded.

This time, however, they’re not.

At its WinHEC hardware conference in Shenzhen, China, Microsoft talked about the hardware requirements for Windows 10. The precise final specs are not available yet, so all this is somewhat subject to change, but right now, Microsoft says that the switch to allow Secure Boot to be turned off is now optional. Hardware can be Designed for Windows 10 and can offer no way to opt out of the Secure Boot lock down.

If I am a mass market computer maker, there is no upside to allowing a user to disable UEFI secure boot unless you are specifically are targeting power users.

While this may not be a big deal, for anyone who, for example, wants to retask a old or used PC as a firewall, or a print server, etc., it is likely that the choice of operating systems will be severely constrained.

It’s good for the business of PC manufacturers, it means that used machines are less likely to be repurposed or resold, and it is good for Microsoft, because it means that installing many flavors of Linux on an old box becomes problematic.

For the rest of us, it sucks like a thousand Hoovers all going at once.

*Technically, UEFI is not BIOS, it replaces the exclusively 16 bit BIOS, but “BIOS Setup Screen” is a good shorthand for that screen you get when you hold down the F2 key while booting.

Leave a Reply