Microsoft responds to Windows 8's secure boot requirement concerns

By on September 23, 2011, 2:30 PM

Microsoft has provided more information regarding its plans for secure boot support in Windows 8, responding to concerns that the move might block users from dual-booting Linux or older versions of Windows. In a nutshell, the company explains that it is simply taking advantage of UEFI to protect against boot loader attacks, and that it supports OEMs having the flexibility to decide whether users can manage security certificates and/or disable secure boot.

Microsoft does require computer manufacturers conforming to the Windows 8 logo program to ship their devices with UEFI and secure boot enabled. So in other words, as speculated yesterday, there are no guarantees that OEMs will give users the ability to disable secure boot or the option to run unsigned code on their systems -- nor is there any indication to the contrary at this point. In fact, Microsoft notes that the Samsung tablet distributed at the BUILD conference with Windows 8's Developer Preview release allows for secure boot to be easily disabled.

Red Hat developer Matthew Garrett, whose postings originally raised the issue, responded to the clarification saying, "Microsoft's rebuttal is entirely factually accurate. But it's also misleading." According to Garrett, the equipment manufacturer is under no obligation to provide users with the ability to disable secure boot. That difference between supporting OEMs having the flexibility to include this option and mandating it on Windows 8 machines is a big one.

Beyond the use of third-party OSes, he argues that the approach might also hamper the ability of users to upgrade components such as graphics cards, because there is no requirement to provide the user with the capability of installing additional keys. "Microsoft claims that the customer is in control of their PC. That's true, if by customer they mean hardware manufacturer," he adds. Garrett makes some valid points but for now it's hard to know how things will play out. The concern is that if OEMs can cut costs by cutting the option to disable secure boot then some probably will.

For users who will want to dual-boot another OS on their Windows 8 machine, or plan to upgrade certain components down the road, it would be wise to do some research on this before buying.




User Comments: 23

RH00D said:

I'm pretty sure that Dell has shown good support of Linux in the past so I'm leaning towards the scenario that Dell will allow secure boot to be disabled. Anyway, the only real problem is with laptops and/or tablets. Any self-respecting computer enthusiast that is also into Linux would likely build their own desktop.

lawfer, TechSpot Paladin, said:

This is all being blown out of proportion. There is no legitimate reason for OEMs to not give the user the option. I would understand if it's set by default, but giving the option is relatively easy, especially since OEMs have absolutely no problem with adding sometimes useless crap onto their BIOS firmwares.

This topic is being unnecessarily over-discussed, and in many places over the web, people are worried, speculating, and throwing evil innuendos as if Microsoft meant it to be some sort of stealthy attack towards third-party bootable software (mainly Linux and its flavors). Apparently, it's not busy enough in the technology world for news outlets (not directly to you Techspot) to be making such a big deal out of something so blatantly trivial.

Instead of asking "Will they give us the option?" Ask "Why wouldn't they?" Like, really, how hard could it be?

gwailo247, TechSpot Chancellor, said:

lawfer said:

This is all being blown out of proportion. There is no legitimate reason for OEMs to not give the user the option. I would understand if it's set by default, but giving the option is relatively easy, especially since OEMs have absolutely no problem with adding sometimes useless crap onto their BIOS firmwares.

This topic is being unnecessarily over-discussed, and in many places over the web, people are worried, speculating, and throwing evil innuendos as if Microsoft meant it to be some sort of stealthy attack towards third-party bootable software (mainly Linux and its flavors). Apparently, it's not busy enough in the technology world for news outlets (not directly to you Techspot) to be making such a big deal out of something so blatantly trivial.

Instead of asking "Will they give us the option?" Ask "Why wouldn't they?" Like, really, how hard could it be?

You definitely have a point, but the last few announcements from MS regarding W8 have been indicative of a shift towards a "we know what's best for you" attitude espoused by Apple. I'm glad they're announcing them before the release, but still, I wouldn't be surprised if a few more tidbits of this nature get disclosed before the release of the program.

mosu said:

@gwailo247: my experience with latest Windows "achievements" makes me believe you're right

SammyJames said:

Isn't it true that most mainboard manufacturers include UEFI BIOS flash ROMs with their products?

In other words: If you are going to buy a Dell or HP or Acer or whatever, why would you expect to be able to configure much of anything anyway?

Aren't most of the people who would want such configurability -- the enthusiast/professional types of people who would really NEED such functionality -- buy separate mainboards that you can do whatever you want to with?

I'm just sayin' is all...

Guest said:

Still think this whole thing isn't as bad as some make it sound. I've seen worse crap from OEMs in a normal BIOS and if you do want to run parallel OSes you probably aren't getting those computers anyway. Now if this 'feature' was coming in stand-alone Motherboards with no way of turning it off...

JudaZ said:

Reminds me of that old BIOS thing with virus protection built in to the BIOS that made no difference whatsoever after 6 months of implementation.

For instance, CIH destroyed the BIOS just fine no matter if it was activated or not.

lawfer, TechSpot Paladin, said:

gwailo247 said:

lawfer said:

This is all being blown out of proportion. There is no legitimate reason for OEMs to not give the user the option. I would understand if it's set by default, but giving the option is relatively easy, especially since OEMs have absolutely no problem with adding sometimes useless crap onto their BIOS firmwares.

This topic is being unnecessarily over-discussed, and in many places over the web, people are worried, speculating, and throwing evil innuendos as if Microsoft meant it to be some sort of stealthy attack towards third-party bootable software (mainly Linux and its flavors). Apparently, it's not busy enough in the technology world for news outlets (not directly to you Techspot) to be making such a big deal out of something so blatantly trivial.

Instead of asking "Will they give us the option?" Ask "Why wouldn't they?" Like, really, how hard could it be?

You definitely have a point, but the last few announcements from MS regarding W8 have been indicative of a shift towards a "we know what's best for you" attitude espoused by Apple. I'm glad they're announcing them before the release, but still, I wouldn't be surprised if a few more tidbits of this nature get disclosed before the release of the program.

As far as I've read, Microsoft never implemented secure boot; it is simply taking advantage of it by using Windows 8. As they've stated on their website: "Secure boot is a UEFI protocol not a Windows 8 feature." I believe that in their mind, using UEFI's boot security mechanism was solely used to protect consumers from emerging threats.

Alternatively, Microsoft did not exactly dictate what is best for us, it is simply leaving the decision to OEMs whether to implement an option for secure boot or not. If MS really thought that what was best for us was security (as I'm sure it does), then OEMs wouldn't have a say, or even more importantly (and perhaps, highly unlikely) they would have required the UEFI specification as mandatory on the hardware's firmware for, you know, "our protection."

So, invariably, the questions have to be asked to OEMs. Now that UEFI is soon going to become mainstream, many features and security parameters are going to be introduced. One of them is secure boot as we all know; sadly, it brings the known collateral damage... But we all (or not all, as some crazy conspiracy theorists around the web have shown) know Microsoft is simply looking at this protocol as a fundamental piece of security that will further help improve the software. Microsoft is not imposing the use of the newer specification, but it's allowing OEMs to make a decision whether they'll let the user control this option.

TL; DR

My only point is this: Microsoft is only looking for a way to secure the boot process of Windows 8. Using secure boot has the known shortcoming, but Microsoft is allowing OEMs to choose whether to give the consumer the option. Granted, MS could just dictate OEMs to enable the option on all their hardware, but doesn't that correspond to the fact that, supposedly, Microsoft being all authoritative is the very problem? Dictating OEMs (who MS relies on) what to do with their software, is like going to your mechanic and tell him how to fix your car. But more importantly, perhaps, it's just that this isn't a big deal...

Guest said:

Remember when every PC built had to have a MS license?

Remember the browser wars?

Governments forced MS to change its practices.

Now Apple is making "closed environments" popular again, so why shouldn't MS try the same thing.

Guest said:

See System76 for Linux friendly laptops.

SammyJames said:

Guest said:

Now Apple is making "closed environments" popular again, so why shouldn't MS try the same thing.

Apple is NOT making closed environments "popular." They simply hold a patent on several operating systems, including iOS and OSX. It will be interesting to see whether patent laws could prevent all of these companies from enjoying the benefits of their respective offerings for longer than 17 years.

However, the larger point that some have made about Microsoft trying to "play Apple" has a false premise. You can install Windows, legally, on any home-made PC. The only way to do this with Mac OSX is to use a Hackintosh -- which is more work than most of us feel like putting in on a Sunday.

So, sure -- Mac OSX Lion is 30 bucks on the App store. Windows 7 is about 100 bucks on NewEgg. But when you figure in your hardware costs, which will be at least 50% lower with the PC components, and when you consider that Windows 7 works fine for what about 99% of us use computers for, well -- the choice is simple.

Yeah, again -- I know. 30 bucks versus 100 (or more for the "Pro" version of Windows.) If you are that jazzed to see the smiley face at a startup, sure -- go to town. I won't try to stop you. Because I'm an American, and Americans let each other blow their hard-earned cash on all kinds of crazy crap -- like bungee-jumping escapades, trips to Vegas, and buying shares in Enron.

gwailo247, TechSpot Chancellor, said:

lawfer said:

My only point is this: Microsoft is only looking for a way to secure the boot process of Windows 8. Using secure boot has the known shortcoming, but Microsoft is allowing OEMs to choose whether to give the consumer the option. Granted, MS could just dictate OEMs to enable the option on all their hardware, but doesn't that correspond to the fact that, supposedly, Microsoft being all authoritative is the very problem? Dictating OEMs (who MS relies on) what to do with their software, is like going to your mechanic and tell him how to fix your car. But more importantly, perhaps, it's just that this isn't a big deal...

I'm not disagreeing with you that this is not a big deal, what concerns me is MS' outlook. For instance, I knew Steve Jobs' outlook. He wanted to control everything. Once I knew what his outlook was, it was easy for me to see past "ooh, look how cool this is" and try to figure out what his angle is.

For example, the ability for local businesses to track your location and send you coupons to your phone if you're near is a "ooh cool" idea. But if you look at the fine print and see that this "ooh cool" idea also allows for your location to be sold to third parties in order to determine where you're shopping, it becomes more of an issue, one that offsets the "ooh cool" factor in my book.

Or look at Ubisoft and their DRM. When it started with 'must be online to install the game' some people bitched and some said not a big deal. That ended up getting turned into, must be online ALL the time to play the game. That became a big deal, but if you looked back to their original concept, their plan became pretty evident.

So far I had no ideological problems with MS. I did not think that bundling WMP with Windows was some monopolistic power play, et al.

Companies tend to enact these changes slowly, as not to freak out their whole customer base. My concern, and that's all it is at this point, is that Microsoft is trying to change the way that Windows has been running so far, into something less desirable for me. So I'm just watching for clues as to what their big picture plans are and how their philosophy has shifted.

fyrfaktry said:

Even more reason NOT to buy OEM-Shit builds, and just roll your own boxes.

MrAnderson said:

This just seems to make buying a PC for people who like to modify a pain in the ascott. I'm always upgrading my PC. Especially a new video card or two over its lifetime.

lawfer, TechSpot Paladin, said:

gwailo247 said:

lawfer said:

My only point is this: Microsoft is only looking for a way to secure the boot process of Windows 8. Using secure boot has the known shortcoming, but Microsoft is allowing OEMs to choose whether to give the consumer the option. Granted, MS could just dictate OEMs to enable the option on all their hardware, but doesn't that correspond to the fact that, supposedly, Microsoft being all authoritative is the very problem? Dictating OEMs (who MS relies on) what to do with their software, is like going to your mechanic and tell him how to fix your car. But more importantly, perhaps, it's just that this isn't a big deal...

I'm not disagreeing with you that this is not a big deal, what concerns me is MS' outlook. For instance, I knew Steve Jobs' outlook. He wanted to control everything. Once I knew what his outlook was, it was easy for me to see past "ooh, look how cool this is" and try to figure out what his angle is.

For example, the ability for local businesses to track your location and send you coupons to your phone if you're near is a "ooh cool" idea. But if you look at the fine print and see that this "ooh cool" idea also allows for your location to be sold to third parties in order to determine where you're shopping, it becomes more of an issue, one that offsets the "ooh cool" factor in my book.

Or look at Ubisoft and their DRM. When it started with 'must be online to install the game' some people bitched and some said not a big deal. That ended up getting turned into, must be online ALL the time to play the game. That became a big deal, but if you looked back to their original concept, their plan became pretty evident.

So far I had no ideological problems with MS. I did not think that bundling WMP with Windows was some monopolistic power play, et al.

Companies tend to enact these changes slowly, as not to freak out their whole customer base. My concern, and that's all it is at this point, is that Microsoft is trying to change the way that Windows has been running so far, into something less desirable for me. So I'm just watching for clues as to what their big picture plans are and how their philosophy has shifted.

I see your position, but there is something you seem to be confusing. The examples you mentioned, such as Apple's, it's clear their reasoning behind their actions was clear since the beginning; granted they never explicitly said they wanted a closed system, you kind of got that reasoning behind most--if not all--their decisions.

Also with Ubisoft, you knew exactly why they wanted to implement the always-on DRM: because they wanted to protect their IPs from online piracy.

But when you are confronted with the fact that Microsoft's only reasoning behind choosing UEFI's secure boot was simply to further secure the boot process from boot threats, which are pretty common nowadays, you then have to differentiate choosing that and it just so happens that such feature does not allow third-party bootable software unless they have a securely signed by OEMs. Most software are signed, but not third party OSes. Hence the big deal the web seems to be taking about proportion.

What I'm saying is that Microsoft has no ulterior motive here against Linux or other OSes, nor this is a shady move to keep control over PCs. I assume it is a big deal to people who wish to dual boot, I don't deny that. But it's not a big deal in the sense that it's all a plot to have some sort of Apple-like, anti-Linux control over our PCs.

gwailo247, TechSpot Chancellor, said:

lawfer said: What I'm saying is that Microsoft has no ulterior motive here against Linux or other OSes, nor this is a shady move to keep control over PCs. I assume it is a big deal to people who wish to dual boot, I don't deny that. But it's not a big deal in the sense that it's all a plot to have some sort of Apple-like, anti-Linux control over our PCs.

I'm looking at this with an eye to the future, as a series of events, not focusing on each instance in and of itself.

Would it be unreasonable for me to assume that if they're going to have a locked down app store for the Metro portion of the OS, that a locked down app store for the Explorer portion of the OS is next? Like Ubisoft, that would be only a natural progression of the Metro only lockdown. They see how much money Apple is making. When you consider the user base of Windows software, 30% of EVERYTHING would be huge. MS would be stupid not to want those profits. And while companies such as Adobe or Oracle would probably negotiate volume based deals that only channeled a few percentage points to MS, your small indie programmer would find that he just lost 30% of his income. And unlike iOS, these people were already around, sometimes for decades, so it would be a meaningful hit.

Would it be unreasonable to assume that once the OEMs are given the power to lock down dual boot, they're going to further lock down the motherboard, and not allow you to install, for instance, a video card you bought on NewEgg, and instead force you to buy a video card from Dell or HP? They would love to force you to only buy marked up hardware from them. And if they lock down one thing on the BIOS, why can't they lock down other stuff? What is stopping them?

When a landlord wants to evict you, he's not going to raise your rent by $500 in one month. He'll raise it $100 a month until you get the picture and leave.

So my concern is that MS is, with these two announcements, starting on that path that Apple is currently on. I do hope that I'm wrong, but I don't think that I'm "not getting it". Maybe this is it, or maybe they're gauging people's reactions before they drop some shit we really don't want to see.

Guest said:

Why shouldn't I be able to go into a store instead to save the money and see what I am buying! What planet are you from?

lawfer, TechSpot Paladin, said:

gwailo247 said:

lawfer said: What I'm saying is that Microsoft has no ulterior motive here against Linux or other OSes, nor this is a shady move to keep control over PCs. I assume it is a big deal to people who wish to dual boot, I don't deny that. But it's not a big deal in the sense that it's all a plot to have some sort of Apple-like, anti-Linux control over our PCs.

I'm looking at this with an eye to the future, as a series of events, not focusing on each instance in and of itself.

Would it be unreasonable for me to assume that if they're going to have a locked down app store for the Metro portion of the OS, that a locked down app store for the Explorer portion of the OS is next? Like Ubisoft, that would be only a natural progression of the Metro only lockdown. They see how much money Apple is making. When you consider the user base of Windows software, 30% of EVERYTHING would be huge. MS would be stupid not to want those profits. And while companies such as Adobe or Oracle would probably negotiate volume based deals that only channeled a few percentage points to MS, your small indie programmer would find that he just lost 30% of his income. And unlike iOS, these people were already around, sometimes for decades, so it would be a meaningful hit.

Would it be unreasonable to assume that once the OEMs are given the power to lock down dual boot, they're going to further lock down the motherboard, and not allow you to install, for instance, a video card you bought on NewEgg, and instead force you to buy a video card from Dell or HP? They would love to force you to only buy marked up hardware from them. And if they lock down one thing on the BIOS, why can't they lock down other stuff? What is stopping them?

When a landlord wants to evict you, he's not going to raise your rent by $500 in one month. He'll raise it $100 a month until you get the picture and leave.

So my concern is that MS is, with these two announcements, starting on that path that Apple is currently on. I do hope that I'm wrong, but I don't think that I'm "not getting it". Maybe this is it, or maybe they're gauging people's reactions before they drop some **** we really don't want to see.

But that's the thing, you see, OEMs are not given the power, they are given the choice. Two different things. Remember that this boot "lock down" is not something that comes with Windows 8, but something the Windows 8 OS embraces as means to protect the boot process. Please recall that secure boot is a feature of UEFI, not Windows 8. So here it is where I'm confronted with the disparity of what you mean, and what actually is:

Only OEMs who manufacture motherboards, and design UEFI firmware, can say whether to allow the user to choose secure boot or not on their BIOS options, if such system is run by Windows 8. It is completely unrelated to Windows 8 itself; in fact, the only reason Windows 8 is even mentioned, it is because, like I said, it is the first OS that's embracing the specification that was already inherently integrated into UEFI.

So, in essence, the feature has already been there, it's just that Windows 8 is the only one to actually use it. Had it been Apple, or Linus Torvalds himself, it would still be up to OEMs to allow users to tinker with the option. Granted, in contrast, it would also be up to any of the aforementioned examples to tell OEMs whether it is mandatory to include the option or not; but like I mentioned in my last comment, you don't give orders to those you need for business. So it's not that just because Microsoft hasn't told OEMs it's mandatory to include the option (but has given them the choice), that this is all part of a progressive, apple-like plan to take control, and subsequently monopolize the PC ecosystem.

Not that with the clearly increased competition, such move would be far-fetched to consider--hence why I admitted I see your point--, but it's just that when I see that such reasoning (one which can equally apply to any other OS) comes from something that is clearly unaffiliated with any Microsoft software, I find it hard to take part in the conceptualization of a monopolistic theory that includes a specification that was, supposedly, shoddily used to control a specific ecosystem, by a company that never even made it in the first place!

lawfer, TechSpot Paladin, said:

Double post.

SNGX1275, TS Forces Special, said:

Yeah, again -- I know. 30 bucks versus 100 (or more for the "Pro" version of Windows.) If you are that jazzed to see the smiley face at a startup, sure -- go to town. I won't try to stop you. Because I'm an American, and Americans let each other blow their hard-earned cash on all kinds of crazy crap -- like bungee-jumping escapades, trips to Vegas, and buying shares in Enron.

I was with you until that. What you said is just typical of nearly all Apple/Mac bashers. It plays on old information. Macs haven't booted an OS with a Smiley Face boot screen since 2002 with OS X.

caravel said:

I was with you until that. What you said is just typical of nearly all Apple/Mac bashers. It plays on old information. Macs haven't booted an OS with a Smiley Face boot screen since 2002 with OS X.

Come along now... no need to point that out. Since when were 'the facts' even a consideration when it comes to some good old fashioned bullshit and rhetoric loaded trolling?

Guest said:

When I first read this it reminded me of Microsoft's position on OEM refunds on its operating system, where according to their terms and conditions you could get a refund from the manufacturer; thus trying to show Microsoft were not a monopoly. No one in the PC OS space apart from Microsoft has the capability to act as a monopoly - including Google.

In reality it was near as impossible to get a refund from the manufacturer. Microsoft had created a policy where consumers who might have switched to another OS due to the financial benefits decided not to do so. In economics we call this a decision at the margin; Microsoft moved this margin in their favour. Now everyone is used to the status quo it appears the new contracts do not allow for refunds, solidifying this skewed market.

This new policy also falls between the cracks between Microsoft and the manufacturers. The manufacturers are likely to charge more for an unlocked BIOS, or not provide that capability at all - as it will be cheaper (as in some HP Pavilion laptops where you cannot switch graphic cards in the BIOS). Microsoft can again play the non-monopolistic card, although it is possible that they have engineered this situation. It is likely in future that locked Microsoft PCs will become the norm, as per the non refunds on OEM software - especially in the growth markets of laptops and tablets where you cannot physically change very much.

It really is up to the government to regulate and ensure a free market by ensuring OSes are not locked to PCs and whilst government is looking at this they might as well split the purchase of hardware from OEM software by splitting them into separate transactions; either at the time of purchase or afterwards through online registration, where in both occasions the consumer purchases a key to unlock the software.

Guest said:

Don't forget the finest dream of every shop-owner is to be the seller of everything 24 h. a day 7 d. a week and no others allowed.
