Microsoft's UEFI Rules Could Be Used To Block Linux Installation

Microsoft's UEFI Rules Could Be Used To Block Linux Installation

Microsoft discussed the upcoming changes to Windows 8's boot process at BUILD last week, but Matthew Garrett, a mobile Linux developer and blogger at Red Hat has pointed out that the company's new requirements could be used in ways that harm the Linux community. One of Microsoft's new rules for Windows 8 is that any company that ships a windows 8 device must enable UEFI secure boot.

Secure boot uses signing keys to ensure that only verified, trusted hardware (and associated drivers) are allowed to boot the system or run once the system has booted. There are separate sets of keys for the boot process and OS/firmware communication. Garrett writes:
An OS vendor cannot boot their software on a system unless it's signed with a key that's included in the system firmware. A hardware vendor cannot run their hardware inside the EFI environment unless their drivers are signed with a key that's included in the system firmware. If you install a new graphics card that either has unsigned drivers, or drivers that are signed with a key that's not in your system firmware, you'll get no graphics support in the firmware.

Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.


Whether or not this becomes a problem depends more on device manufacturers than it does on Microsoft. The UEFI secure boot functionality is something end users can enable or disable at will from within the UEFI framework--provided that the manufacturer leaves this option available. Not doing so would prevent the installation of Linux, Windows 7, or any other OS. It would also prevent unauthorized driver updates or certain software installations.


Windows 8's use of UEFI is essential to speeding up the boot process. The current model is literally decades old

Anyone wanting dual-boot a tablet OS, install something other than Windows 8, or just concerned about device freedom will want to keep an eye on which manufacturers intend to offer a toggle and which don't. Microsoft's rules state that a windows 8 device must ship with Secure Boot enabled, but do not state that the mode must be locked on. Garrett also notes that Red Hat could potentially provide its own signed code, but not in a way that's consistent with Linux design philosophy or the idea of rolling one's own kernel.
+1
+ -

Thanks for the story was checking this out and keeping an eye on this when checking out the Win 8 preview on multi boot rig.

previous post and discussion with some comments and def going to be keeping an eye on this.

http://hothardware.com/cs/forums/t/57921.aspx  

yep does not hurt to be able to roll your own -kernel and have control over the boot process.

+1
+ -

Well I like dual booting & I've tried Linux based operating systems also. So I guess that I will have something to worry about also.

0
+ -

@gazd1  Don't worry if you would like to work with Win 8 preview with a multi boot the solutions that are working now are mentioned in the above referenced link to a thread in HH .

+2
+ -

I think the keyword here is that they must be shipped with the UEFI security setting enabled. But this does not mean that manufacturers cannot include an option in the BIOS to disable that setting thus allowing Linux to be installed without issue.

My other thought is the amazing Linux community will find some programmatic ways around this problem. BOO! Microsoft for this requirement.

0
+ -

likely the option to keep some folks from 'hosing ' there Win installing te OEM may have it locked. 

somewhat amusing instead of Boo ther is BUM [boot up manager] that has been around for quite a while that controls the actual sequence of the boot process . Linux never has to hide anything from it;s users and maybe that can be the 'root' of the problem for others   ...sorry about the lame pun but having to much fun Smile

+1
+ -

This is very interesting. So, the question that comes up, in my mind, is, "If you have a mac and want to dual boot, would windows 8 work in a Virtual machines and/or boot camp?" If it did, would the keyboard even work? or the mouse? Would the screen even turn on?

+1
+ -

@lifeasjosh Boot Camp is compatible with UEFI but very few people know this. I mean mainstream users will probably not mind the feature as much seeing as how they only want to install Windows and not Ubuntu.

In any case, I'm guessing that the only thing Apple has to do is sign it's UEFI bootloaders with it's own private code compatible with Windows 8 and it'd be all set for the future.

0
+ -

I'm not sure I'm understanding fully... so this will only be on devices that ship with windows 8 preinstalled on them? Or does upgrading your current (pre win 8) computer put the Secure boot in to play also?

0
+ -

Pre-installed but likely nothing to worry about as it's intended as a security feature to prevent malware, etc that can mess with the boot process...

http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx

Login or Register to Comment
Post a Comment
Username:   Password: