UEFI, Secure Boot and what it means to you

With the advent of UEFI and Windows 8 come some security and usability issues. When Windows 8 is released, UEFI’s “Secure Boot” will be required to be turned on by default, and it will be left to the OEMs to decide how to implement it. What does this mean to you? Maybe nothing.

Windows is still the most popular PC operating system in the world. As such, it is highly likely that the computer you are reading this article on is running some version of Microsoft Windows. If you are running Windows 7 or later, your OS is compliant with UEFI specifications. But what if you want to run a different OS, such as Linux or an older version of Windows? You could be out of luck.

What is Secure Boot?

Secure Boot is a feature of the UEFI 2.3.1 specification: during the boot process, the firmware checks Option ROMs and OS boot loaders against the certificates (or keys) it holds. If the correct key is not in the firmware, or is in the “Blacklist”, Secure Boot will prevent the OS from loading, or could prevent you from upgrading to certain manufacturers’ option cards. Since it will be up to the OEM (Original Equipment Manufacturer) to implement the Secure Boot feature, it is also up to them whether or not to add an option in the setup to disable it, or to allow the “Allowed” OS list to be updated. So, if you were to buy a Windows 8 PC and want to install a new version of Linux, and there is no option to disable Secure Boot, and the key for the version of Linux you are installing is not found in the firmware, the OS will fail to load. This feature is intended to prevent malware such as “rootkits” and “bootkits” from installing themselves and running when your OS boots. According to Microsoft, under the Windows 8 implementation of Secure Boot, programs will not be able to change Secure Boot security settings, which prevents malware from gaining access by reprogramming the firmware.
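The check described above can be modelled in a few lines. This is an added example, not code from the article or from any firmware: it parses the “Allowed” list and “Blacklist” in the EFI_SIGNATURE_LIST layout the UEFI specification uses for them (where they are named db and dbx) and applies the allow/deny decision to constructed sample images. Assumptions: only SHA-256 hash entries are handled (certificate entries are skipped), and a flat SHA-256 of the image stands in for the Authenticode digest that real firmware computes.

```python
import hashlib
import struct
import uuid

# Signature type the UEFI specification assigns to SHA-256 image digests.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

def parse_signature_lists(blob: bytes) -> set:
    """Return the SHA-256 digests in a run of EFI_SIGNATURE_LIST structures."""
    digests, off = set(), 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        body = blob[off + 28 + hdr_size:off + list_size]
        if sig_type == EFI_CERT_SHA256_GUID:
            if sig_size != 48 or len(body) % sig_size:
                raise ValueError("bad SignatureSize for SHA-256 list")
            for i in range(0, len(body), sig_size):
                digests.add(body[i + 16:i + sig_size])  # skip 16-byte owner GUID
        off += list_size  # lists of other types (e.g. X.509) are skipped
    return digests

def boot_decision(image: bytes, db: bytes, dbx: bytes, secure_boot: bool = True) -> str:
    """The blacklist wins, then the allowed list; anything else is refused."""
    if not secure_boot:
        return "allow: Secure Boot disabled"
    # Assumption: flat SHA-256 stands in for the Authenticode image digest.
    d = hashlib.sha256(image).digest()
    if d in parse_signature_lists(dbx):
        return "deny: blacklisted"
    if d in parse_signature_lists(db):
        return "allow: in allowed list"
    return "deny: not in allowed list"

def make_sha256_list(images, owner=uuid.UUID(int=0)) -> bytes:
    """Build a constructed signature list from sample images (test data only)."""
    entries = b"".join(owner.bytes_le + hashlib.sha256(i).digest() for i in images)
    header = struct.pack("<III", 28 + len(entries), 0, 48)
    return EFI_CERT_SHA256_GUID.bytes_le + header + entries

# Constructed sample images and databases, not real boot loaders or firmware data.
WINDOWS, LINUX, BOOTKIT = b"windows-loader", b"linux-loader", b"bootkit"
DB = make_sha256_list([WINDOWS, BOOTKIT])
DBX = make_sha256_list([BOOTKIT])
```

With these sample databases the Linux loader is refused until its digest is appended to the allowed list or Secure Boot is switched off, which are the two OEM-controlled options the paragraph describes.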

Are you losing control?

Because it is the OEM’s decision whether or not to include a disable feature for Secure Boot, or a way to update keys, PCs can effectively be “locked” to one particular OS without the option to install a different one. This would not affect usability for most people, but for “techies” and “geeks” (such as myself) this poses a very real problem. Canonical and Red Hat wrote a white paper addressing these issues. Microsoft wrote an article on their blog that clarifies Microsoft’s requirements regarding Secure Boot. Microsoft ensures that an option to turn off Secure Boot must be present in an x86 PC’s setup for it to be Windows 8 certified. However, that option will not be present on ARM processors (as of this writing). This means that, if the specifications are not changed, equipment that uses ARM processors, i.e. netbooks, will be “locked” to using Windows 8 if it was installed at the time of purchase.

This could be a very real threat for those who choose to run an alternate OS, and could be difficult for those who are not technically inclined.

 


4 Responses to “UEFI, Secure Boot and what it means to you”

  • Somewhat Reticent:

    Reduces resale value; gives new meaning to “scrap value”.
    Won’t hardware vendors tend to install this for earlier obsolescence, especially if they can blame it on Microsoft?

  • John Phoenix:

    This article is a year old and now we have a better idea what we are dealing with. Windows 8 systems that come preinstalled have shipped. A search of the various popular Linux forums will tell you most all of these PC users are having nightmares trying to get the systems to dual boot properly – even with Secure Boot disabled and even if the Linux distro has code to support UEFI and/or Secure Boot. If you install your distro under Legacy BIOS mode you still have tons of problems you must fight due to Windows being installed for UEFI. There is no good way for a boot manager to play nice with both the EFI boot loader and the BIOS-based MBR at the same time. The best solution is to wipe the entire system, obtain a retail Windows 8 disk (not the disks for Recovery/Factory Install that come with the preinstalled system), switch to Legacy BIOS mode (if you have that option), install Windows normally, then install your Linux distro as you normally would, setting up Grub from Linux or another such boot manager like EasyBCD from Windows. This involves extra cost as you cannot obtain a Windows 8 retail disk from Microsoft with your OEM product key. It has been found that UEFI is very buggy and is not ready for prime time. See this for more details: http://www.youtube.com/watch?v=V2aq5M3Q76U In my opinion, Microsoft was wrong to require the use of UEFI in their systems at this stage due to all its problems. This leads people to speculate that Microsoft did this on purpose to force people to only use Microsoft-approved operating systems in their non-ARM PCs. I can understand this perhaps in the case with ARM-based Surface tablets where both the hardware and software are made by Microsoft. Many believe Microsoft knew all this would happen and we were all taken advantage of. Time will tell if the OEMs and Microsoft make things right for non-ARM PC users. Until then, I suggest people stay clear of systems with Windows 8 preinstalled.

  • Vincent Mitchell:

    Couldn’t one do a clean install over the top and override that right out of the box with the original key?
