Whether or not you plan on using Windows 8, any PC you buy in the future will come with the Microsoft-driven Secure Boot feature enabled. Secure Boot prevents “unauthorized” operating systems and software from loading during the startup process.
Secure Boot is a feature enabled by UEFI – which replaces the traditional PC BIOS – but Microsoft mandates specific implementations for x86 (Intel) and ARM PCs. Any computer with a Windows 8 logo sticker has Secure Boot enabled.
The traditional BIOS will boot any software. Normally, your BIOS boots the Windows boot loader or maybe a Linux boot loader, like GRUB. However, it’s possible for malware, such as a rootkit, to replace your boot loader. The rootkit could load your normal operating system with no indication that anything was wrong, staying completely invisible and undetectable on your system. The BIOS doesn’t know the difference between malware and a trusted boot loader, so it allows either to boot.
Windows 8 PCs will ship with Microsoft’s certificate stored in UEFI (and possibly other certificates, depending on the manufacturer). UEFI will check the boot loader before launching it and ensure it’s signed by Microsoft – if a rootkit or another malware program does replace your boot loader, UEFI won’t allow it to boot. This prevents malware from hijacking your boot process and concealing itself from your operating system.
For more technical information about how Secure Boot works, check out Microsoft’s post on the subject.
What You Can Control
If that was all Secure Boot did, you wouldn’t be able to run any non-Microsoft operating system on your PC. Luckily, you can control Secure Boot from the UEFI settings (like your computer’s BIOS settings today). You can disable Secure Boot entirely or add additional certificates. You should even be able to remove Microsoft’s certificate and add your own, so that your computer will only launch boot loaders that you’ve signed yourself.
There’s nothing stopping computers from also shipping with Ubuntu’s certificate. Linux distributions can also publish their own certificate and ask users to install it – or ask them to disable secure boot entirely. Fedora will be paying $99 for Microsoft’s signing services, so Fedora will install on any Windows 8-certified PC with no additional configuration required. Other Linux distributions could also take this route.
For more information about the situation for Linux distributions, check out this post by a Fedora developer.
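To see which of these states a given machine is actually in, the firmware's own Secure Boot variables can be read from a running Linux system. The script below is an added example, not part of the original article; it assumes efivarfs is mounted at /sys/firmware/efi/efivars, and the state labels it returns ("enabled", "disabled", "setup-mode", "unsupported") as well as the sample bytes are this example's own.

```python
"""Report Secure Boot state from the UEFI variables Linux exposes in efivarfs."""
import struct
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")          # assumption: Linux, efivarfs mounted here
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # UEFI global-variable GUID

# Constructed sample: 4-byte attribute word (0x06) followed by the 1-byte value.
SAMPLE_ENFORCING = {
    f"SecureBoot-{EFI_GLOBAL}": b"\x06\x00\x00\x00\x01",
    f"SetupMode-{EFI_GLOBAL}": b"\x06\x00\x00\x00\x00",
}

def dict_reader(sample):
    """Wrap a dict so it behaves like reading files from efivarfs."""
    def reader(name):
        if name not in sample:
            raise FileNotFoundError(name)
        return sample[name]
    return reader

def parse_efivar(raw):
    """Split an efivarfs file into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("entry shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])  # little-endian attribute word
    return attrs, raw[4:]

def read_flag(name, reader):
    """Return a one-byte variable's value, or None if the firmware lacks it."""
    try:
        _, data = parse_efivar(reader(f"{name}-{EFI_GLOBAL}"))
    except FileNotFoundError:
        return None
    if len(data) != 1:
        raise ValueError(f"{name}: expected 1 data byte, got {len(data)}")
    return data[0]

def secure_boot_state(reader=lambda n: (EFIVARS / n).read_bytes()):
    secure_boot = read_flag("SecureBoot", reader)
    if secure_boot is None:
        return "unsupported"   # legacy BIOS boot, or firmware without Secure Boot
    if read_flag("SetupMode", reader) == 1:
        return "setup-mode"    # no Platform Key enrolled, so nothing is enforced
    return "enabled" if secure_boot == 1 else "disabled"

if __name__ == "__main__":
    print("sample:", secure_boot_state(dict_reader(SAMPLE_ENFORCING)))
    print("this machine:", secure_boot_state())
```

A result of "setup-mode" deserves the same attention as "disabled": with no Platform Key enrolled, the firmware is not checking boot loader signatures.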
x86 vs. ARM
Here’s the bad news: Everything above about how you can control Secure Boot and install your own operating system only applies to x86 (Intel) Windows PCs and tablets, which run the standard Windows 8 operating system.
There will also be ARM-based machines running Windows RT – initially a handful of tablets, but we’ll likely see ARM-based Windows laptops and maybe even desktops. In addition to not supporting third-party applications on the traditional Windows desktop and being limited to Metro apps, ARM-based Windows RT machines will have a locked boot loader. You won’t be able to disable Secure Boot and install your own operating system – Microsoft mandates that every ARM device with Windows RT won’t allow you to disable Secure Boot. Microsoft wants you to think of ARM-based Windows RT systems as “devices,” not PCs. As Microsoft told Mozilla, Windows RT “isn’t Windows anymore.”
The good news is that Secure Boot brings security benefits to everyone – even Linux users – on Intel PCs. The bad news is that Secure Boot is being used to lock down ARM devices.