With the advent of UEFI and Windows 8 comes some security and usability issues. When Windows 8 is released, UEFI’s “Secure Boot” will be required to be turned on by default and it will be left to the OEM’s on how to implement it. What does this mean to you? Maybe nothing.
Windows is still the most popular PC Operating System in the world. As such, it is highly likely that the computer you are reading this article on is running some version of Microsoft Windows. If you are running Windows 7 and up, your OS is compliant to UEFI specifications. But what if you want to run a different OS, like Linux, older versions of Windows? You could be out of luck.
What is Secure Boot?
Secure Boot is a UEFI 2.3.1 specification that during the boot process verifies certificates (or keys) held in the firmware, and compares them to other Option ROMs and OS boot loaders. If the correct key is not in the firmware, or is in the “Blacklist”, Secure Boot will prevent the OS from loading or could prevent you from upgrading to certain manufacturers option cards. Since it will be up to the OEM (Original Equipment Manufacturer) to implement the Secure Boot feature, it is also up to them whether or not to add an option in the set-up to disable it, or to be able to update the “Allowed” OS list. So, if you were to buy a Windows 8 PC and want to install a new version of Linux, and there is no option to disable Secure Boot, and the key for the version of Linux you are installing is not found in the firmware, the OS will fail to load. This feature is intended to prevent malware such as “rootkits” and “bootkits” to install themselves and run when booting your OS. According to Microsoft, the Windows 8 implementation of Secure Boot, programs will not be able to change Secure Boot security settings to prevent malware from gaining access through reprogramming the firmware.
Are you losing control?
Because it is the OEM’s decision whether or not to include a disable feature for Secure Boot, or a way to update keys, PC’s can effectively be “locked” to one certain OS without the option to install a different OS. This would not affect usability for most people, but for “techies” and “geeks” (such as myself) this poses a very real problem. Canonical and Red Hat wrote a white paper addressing these issues. Microsoft wrote an article in their blog that clarifies Microsoft’s requirements regarding Secure Boot. Microsoft insures that an option to turn off Secure Boot in x86 PC’s setup must be present to be Windows 8 certified. However, that option will not be present in ARM processors (as of this writing). Meaning that, if the specifications are not changed, equipment that use ARM processors, i.e. netbooks, will be “locked” to using Windows 8 if it was installed at the time of purchase.
This could be a very real threat for those who choose to run an alternate OS, and could be difficult for those who are not technically inclined.