Windows 8 secure boot: Is it really Microsoft vs. Linux?

Microsoft's Windows 8 "secure boot" feature is the controversy that just won't die, at least among Linux users.

Initial fears by the Linux community -- that Microsoft's requirements for secure boot on future Windows 8-based machines would thwart Linux use -- appear to be half-correct. The catch seems to be that Linux will have trouble dual booting on Windows 8 ARM-based hardware only. Unfortunately, Microsoft has added nothing new to clarify this confusing matter.

Related coverage:

Windows 8 to appease users with fewer reboots

Secure boot is part of the Unified Extensible Firmware Interface (UEFI) specification. It's an optional security procedure in the UEFI spec that promises to address a security hole in current BIOS boot-up procedures. With secure boot, initial system-checking software can talk with the operating system, and it can ensure that malware doesn't get loaded when a computer starts by verifying a Certificate Authority. This process is seen as advance in security because antimalware software today typically does not check the BIOS firmware upon bootup. BIOS is considered old software technology, and it's static enough that it's like an open book for hackers to attach malware to systems in an undetected manner.

The Linux community has complained that Microsoft will make it difficult, or impossible, to dual-boot Linux on Windows machines by requiring secure boot. By requiring hardware makers to enable secure boot on Windows 8 machines, future use of Linux will be thwarted, they have argued. The Linux Foundation, along with Red Hat and Canonical, has described some alternative plans to Microsoft's secure boot requirement to address this potential problem.

Microsoft denied in a September blog post that using secure boot on Windows 8 PCs would prohibit dual boot to Linux. However, the company did indicate that users would have to turn off secure boot first before booting to Linux. They also claimed that OEMs had complete control over the decision to enable secure boot when producing new PCs.

This argument seemed somewhat settled until Computerworld author Glyn Moody noticed something a little different from Microsoft's line of argument on page 116 of Microsoft's "Windows Hardware Certification Requirements" for client and server systems, which bears a publish date of December 2011. On that page, it appears that Microsoft is telling OEMs producing ARM-based machines that secure boot is mandatory, whereas it can be disabled on non-ARM (x86) machines.

"On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enable [sic]," the document reads.

"21. MANDATORY: Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure MUST NOT be possible on ARM systems."

The reference to Custom Mode in Microsoft's document represents another option closed off to Linux users on ARM-based machines. With Custom Mode enabled, users can write their own signatures for custom loaders, but Microsoft is precluding that option for ARM systems. This point is explained in an excellent overview of UEFI by Woody Leonhard in this Windows Secrets story.

Microsoft Jan. 18 offered no comment on its Windows 8 certification requirements for ARM hardware and whether it indicates that secure boot is required on those systems. A spokesperson for Microsoft just pointed to the September blog post. However, based on Microsoft's requirements document, that blog post appears to mislead with regard to ARM hardware.

It could be argued that by using the word, "PCs," in the blog post Microsoft meant x86 machines only. However, that might amount to semantic quibbling given recent trends. Future ARM machines are expected to have multiple form factors. An ARM-based desktop model is part of the strategy for ARM Holdings, according to its CEO.

Device makers at the Consumer Electronics Show the week of Jan. 16 mostly displayed tablet devices running Windows 8, according to a Computerworld article. However, Microsoft has argued in previous direction statements about enabling "create" kinds of experiences on tablets with its next-generation operating system. The idea is to make tablets akin to PCs in computing power.

Microsoft's "Windows Hardware Certification Requirements" for client and server systems is offered as a guide to hardware builders, but they are likely to construe the word "must" in it as similar to contractual language. Barring any clarification from Microsoft, it looks like future users of Windows 8 on ARM-based computers won't have an option to boot to Linux on their tablet or ultrabook computers.

Microsoft also published a December 2011-dated document called "Windows Hardware Certification Requirements" for devices. However, this 943-page document apparently does not discuss any secure boot requirements.

The Software Freedom Law Center offers interesting speculation about why the secure boot requirement is different between the two platforms (x86 and ARM). The group, which advocates for the use of software without any proprietary restrictions, suggested in a blog post that Microsoft would have angered Windows XP or Windows 7 users if it had blocked the use of those OSes on future x86 hardware, whereas there's no previous hardware support legacy to worry about with forthcoming Windows 8 on ARM systems.

inside gcn

  • security in the cloud (ShutterStock image)

    Cloud security is the agency’s responsibility

Reader Comments

Tue, Mar 27, 2012 Kostya

Neither do I see WHY someone bying a MS Win running device should have to dual boot it with Linux. Just let them buy Adroid devices right away?

Sat, Jan 28, 2012

Many people who use their grey matter prefer Linux, not only 'servers and routers' It's of course perfectly ok on desktop, only MS trolls will always say something else. Well, it really doesn't matter. MS is in the corner of their own greed and pathetic imitations of what OS should be. If they continue their current path, then even the biggest MS supportes will abandon it. I really hope MS releases that Metro obscurity soon. Can't wait for that mistake to happen. :)

Wed, Jan 25, 2012

When will these linux heathens learn that Bill Gates invented computing when he wrote Windows. It is the ONLY thing that computers need to run for our Bosses.

Tue, Jan 24, 2012 Col. Panek

"It will fail again, as it has done in the past.." I don't know about your country, but here you can't buy a laptop without paying the Microsoft tax, unless it's an overpriced apple. Now all their lawyers and marketers are after locking up tablets.

Tue, Jan 24, 2012 SoutheastUS

The reason it is an issue, Luke, is that Microsoft is trying to get a lock on tablets. Tablets are the new laptop. Many of the first generation of tablets have been made with ARM processors and run the Android OS (built on a Linux kernal). If a technically capable consumer wants to change the OS on their tablet now, they can. If manufacturers of Windows 8 based tablets using the ARM processors comply with the Microsoft "guidelines", that will not be possible. Even consumers that are not technically savvy might want to convert their tablets to Android (or another OS built on a Linux kernal) by having a technician do the work for them. It's all in the "apps", and right now Android and Apple's iOS have most of them. So Microsoft is trying to corner the tablet OS market with an anti-competitive hardware certification requirement.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group