Will Windows 8 Secure Boot Block Linux?
A security feature designed to block malware could result in PCs no longer booting alternate operating systems, open source advocates warn.
September 26, 2011
Windows 8 Visual Tour: Microsoft's New Desktop
Windows 8 Visual Tour: Microsoft's New Desktop (click image for larger view and for slideshow)
A brand-new security feature to be included in Windows 8, designed to block some types of malware, is drawing fire from advocates of non-Microsoft operating system. In particular, they accuse Microsoft of launching a stealth attack against people who choose to install open source operating systems on their Windows-branded PCs.
The feature in question, unified extensible firmware interface (UEFI), is designed to be a more flexible replacement for the BIOS that's long featured in PCs. "In most PCs today, the pre-operating system environment is vulnerable to attacks by redirecting the boot loader handoff to possible malicious loaders. These loaders would remain undetected to operating system security measures and antimalware software," said Steven Sinofsky, president of the Windows group at Microsoft, in a blog post. "Windows 8 addresses this vulnerability with UEFI secure boot, and using policy present in firmware along with certificates to ensure that only properly signed and authenticated components are allowed to execute."
Sinofsky's post was written in response to accusations that Microsoft might use UETF to block people from installing non-Windows operating systems on their PCs. But he said that UEFI is managed by the UEFI Forum, a trade organization that counts not just Microsoft, but also AMD, Apple, Dell, Intel, Phoenix Technologies, and other companies as members.
[ Learn more about Windows 8 and whether the planned tablet is too little, too late. ]
Furthermore, how operating systems choose to handle UETF is up to their developers. "We focus our boot loader on Windows and there are a number of alternatives for people who wish to have other sets of functionality," he said. Likewise, according to the UEFI Forum's website, "UEFI will provide a clean interface between operating systems and platform firmware at boot time, and will support an architecture-independent mechanism for initializing add-in cards."
But open source advocates are warning that the Microsoft move to UEFI could disenfranchise people who use PCs to run non-Windows operating systems. "As things stand, Windows 8 certified systems will make it either more difficult or impossible to install alternative operating systems," said Matthew Garrett, who works on power management and mobile development for Linux distributor Red Hat, in a blog posted on Friday.
That's because UEFI will only hand off to an operating system environment using digital certificates that the PC firmware recognizes. Microsoft is reportedly requiring that PC manufacturers who ship machines certified for Windows 8 enable secure boot by default. But that certification program won't require manufacturers to include certificates that authenticate non-Windows operating systems. As a result, people who install other operating systems on "Windows 8 certified" machines may not be able to get their PCs to boot.
"Microsoft can require that hardware vendors include their keys. Their competition can't," said Garrett. "Red Hat is unable to ensure that every OEM carries their signing key. Nor is Canonical. Nor is Nvidia, or AMD or any other PC component manufacturer. Microsoft's influence here is greater than even Intel's."
See the latest IT solutions at Interop New York. Learn to leverage business technology innovations--including cloud, virtualization, security, mobility, and data center advances--that cut costs, increase productivity, and drive business value. Save 25% on Flex and Conference Passes or get a Free Expo Pass with code CPFHNY25. It happens in New York City, Oct. 3-7, 2011. Register now.
About the Author
You May Also Like