Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Microsoft tightens Windows 10's Secure Boot screws: Where does that leave Linux?

Chris Hoffman | March 26, 2015
The news sounds ominous for open-source aficionados: Windows 10 PCs are going to be locked down even tighter than ever before.

The news sounds ominous for open-source aficionados: Windows 10 PCs are going to be locked down even tighter than ever before.

Manufacturers will be able enable UEFI Secure Boot without giving you a manual kill switch, as they have to do with Windows 8 systems. If that happens, you'll only be able to boot Microsoft-approved operating systems on these locked-down PCs. Microsoft is turning the Secure Boot screws tighter, and Linux users are right to be concerned — but the issue is more complicated (and probably less disastrous) than it seems at first blush.

Secure Boot 101

First, let's back up a little bit and look at Secure Boot and how it functioned in Windows 8.

When you boot a new Windows 8 PC, the Secure Boot feature in the UEFI firmware checks the operating system loader and its drivers to ensure they're signed by an approved digital signature. On Windows PCs, the UEFI Secure Boot feature generally checks to see if the low level software is signed by Microsoft or the computer's manufacturer. This prevents low-level malware like rootkits from interfering with the boot process.

But the same feature that blocks rootkits will also block other software, like Linux boot loaders. And, in fact, on Windows RT devices like the original Surface and Surface 2, Secure Boot was locked down tight to only allow Windows RT to boot.

The Linux community was understandably up in arms about this, and Microsoft tossed it a bone. As part of the certification process that allowed manufacturers to pre-install Windows and put little Windows logos on new PCs, Microsoft forced hardware makers to give users a way to disable Secure Boot and add their own signing keys on Windows 8 PCs. So you could always disable Secure Boot and still install any Linux distribution you liked. Or you could tweak Secure Boot and only allow operating systems signed with your own personal signing key to boot.

Windows 10 gives manufacturers an option

Windows 10 makes the user-configuration toggle optional. On a PC, Microsoft allows manufacturers to choose whether or not a user can disable Secure Boot. That's the information that Ars Technica noticed in a slide presented at Microsoft's WinHEC conference.

In other words, it's up to every manufacturer to include the toggle or not. Theoretically, this provides some choice — you can choose to buy a computer without a toggle in the UEFI firmware, locking it to only boot Windows and other approved OSes. If someone gets their hands on your PC, they can't boot into UEFI and disable or try to install their key. And, if you want the ability to disable Secure Boot and install whatever operating system you want, you can just buy a PC with such a toggle.


1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.