Secure Boot

Before a computer boots Windows, OS X, Linux, or any other operating system, it loads system-level firmware. For the past few decades most PCs have used something called BIOS to recognize your hardware and load the appropriate operating system. But there’s a new kid in town called UEFI (which is what Macs have been using for the past few years). It’s faster, more flexible, and offers more advanced security features — and Microsoft wants Windows 8 computers to use UEFI instead of BIOS.

In fact, in order to qualify for the Windows Certification program, a computer will have to use UEFI 2.3.1 or newer and have “secure boot” enabled by default. This feature is designed to prevent malware from infecting your bootloader by preventing unauthorized code from running when you first boot your computer.

That sounds like a good thing — and for most people it will be. Unfortunately, since secure boot looks for signed code, you could have problems trying to run Linux, older versions of Windows, or other operating systems on a system with secure boot enabled. If the feature is turned on, you may not be able to replace Windows 8 with the operating system of your choice or create a dual boot setup.

Earlier this week Red Hat Linux developer Matthew Garrett raised this point, and the issue gained a bit of traction in the blogosphere. The original post wasn’t particularly alarming, since there was no suggestion that Microsoft was trying to kill Linux. But it certainly raised some cause for concern. Now Microsoft’s Steven Sinofsky has weighed in to clarify the company’s stance on the matter.

In a nutshell it comes down to this: In order to slap a Windows logo on a Windows 8 PC, hardware makers will have to ensure that secure boot is turned on by default. But there’s absolutely nothing preventing PC makers from giving customers the option to turn off that setting.

Of course, there’s also nothing requiring them to do so. That was kind of Garrett’s point in the first place. It’s not that the HPs, Acers, Dells, and Lenovos of the world are likely to ship computers that intentionally prevent users from installing Linux alongside Windows 8. It’s just that this is something most customers won’t bother to do… and so it’s possible that some companies won’t bother to make sure the UEFI included with their prebuilt computer systems includes an option to disable secure boot.

In other words, we won’t really know if there’s a problem for Linux users until Windows 8 computers start to ship — or you can just build a computer yourself using components that are known to work with the operating system you choose to use.

We could also eventually see various Linux distributions take steps to enable support for UEFI secure boot features, but this is a tricky process since secure boot requires signed code — and that’s something that may conflict with the GPL (General Public License) used by most open source Linux-based operating systems.

6 replies on “Windows 8 won’t prevent you from dual booting with Linux, but hardware vendors might”

  1. CyberGusa! It looks like you have not understood anything from that article! Read it again.

  2. Please everyone!!!!! – Microsoft has tried to do things like this in the past. I would not have tried Linux if I could not install Ubuntu on my old HP computer. Please think about this, it’s an economic incentive for OEMs to not support Linux. How many OEM computers had Linux installed by the end user over the last ten years? Business is war.
    Do you want to lose Linux??

  3. Most Linux users will have to disable this “secure boot” option; with Linux, not only does any kernel-related security update change the kernel loaded (which would have to be re-signed), but also there are custom Linux kernels that enable features “stock” kernels do not have (OpenVZ, etc.).  One option to stop viruses would be to allow someone to add their own signing key to the BIOS.

    Where “secure boot” will be really useful is with systems with Lojack for Laptops; this will allow the relevant Lojack drivers to be hidden in a password-protected BIOS that won’t allow non-signed non-Windows kernels to boot.  This will make it a royal pain in the butt for a thief to remove the relevant Lojack software that will track them down every time they connect online.

    1. I wouldn’t rule out people modding the BIOS to provide the control even if it’s not officially supported by the manufacturer.

      While Windows 8 support for VM and the fact you can use Windows boot loader instead of Grub to boot Linux should mean more flexibility than perhaps those worried are considering.

  4. Shouldn’t affect custom system builders, they aren’t likely to not provide the BIOS option.

    While many companies are providing dual boot systems with a version of Linux these days and would be more likely to provide the option as well.

    Leaving the primary concern being products from Telecom companies, which are known to put proprietary limits on products they sell.  Like they are the primary reason you have to root an Android device for full control of the device, but that’s more likely to be an issue for ARM devices than x86 hardware systems.

    Intel for example is already investing in a company that makes a version of Android that can easily switch to another OS and will likely offer dual boot solution for Windows 8 systems they will be offering.

    While ARM has more of a history of locking devices…
