
How-To Geek

HTG Explains: How Windows 8’s Secure Boot Feature Works & What It Means for Linux


Whether you plan on using Windows 8 or not, everyone buying a PC in the future will end up with the Microsoft-driven Secure Boot feature enabled. Secure Boot prevents “unauthorized” operating systems and software from loading during the startup process.

Secure Boot is a feature enabled by UEFI – which replaces the traditional PC BIOS – but Microsoft mandates specific implementations for x86 (Intel) and ARM PCs. Any computer with a Windows 8 logo sticker has Secure Boot enabled.

Image Credit: Kiwi Flickr

Security Advantages

The traditional BIOS will boot any software. Normally, your BIOS boots the Windows boot loader or maybe a Linux boot loader, like GRUB. However, it’s possible for malware, such as a rootkit, to replace your boot loader. The rootkit could load your normal operating system with no indication that anything was wrong, staying completely invisible and undetectable on your system. The BIOS doesn’t know the difference between malware and a trusted boot loader, so it allows either to boot.

Windows 8 PCs will ship with Microsoft’s certificate stored in UEFI (and possibly other certificates, depending on the manufacturer). UEFI will check the boot loader before launching it and ensure it’s signed by Microsoft – if a rootkit or another malware program does replace your boot loader, UEFI won’t allow it to boot. This prevents malware from hijacking your boot process and concealing itself from your operating system.

For more technical information about how Secure Boot works, check out Microsoft’s post on the subject.


Image Credit: Paul Schultz on Flickr

What You Can Control

If that was all Secure Boot did, you wouldn’t be able to run any non-Microsoft operating system on your PC. Luckily, you can control Secure Boot in the UEFI settings (as you configure your computer’s BIOS today). You can disable Secure Boot entirely or add additional certificates. You should even be able to remove Microsoft’s certificate and add your own, so that your computer will only launch boot loaders that you’ve signed yourself.
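The check described under Security Advantages and the key swap described here can be modeled in a few lines. This is an added example, not code from the article or from any firmware: textbook RSA over SHA-256 stands in for the certificates and signature format real UEFI uses, and the `Firmware` class, key labels, Mersenne-prime keys and loader bytes are all constructed for illustration.

```python
import hashlib

E = 65537  # RSA public exponent

def make_key(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(image, n):
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def sign(image, private):
    n, d = private
    return pow(digest(image, n), d, n)

def signed_by(image, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(image, n)

class Firmware:
    """Toy firmware: 'db' is the store of trusted keys (the certificates)."""
    def __init__(self, secure_boot=True):
        self.secure_boot = secure_boot
        self.db = {}  # label -> public key

    def boot(self, image, signature):
        """Return the label of the key that vouched for the image,
        'unchecked' when Secure Boot is off, or None when boot is refused."""
        if not self.secure_boot:
            return "unchecked"
        for label, public in self.db.items():
            if signed_by(image, signature, public):
                return label
        return None

# Constructed keys from well-known Mersenne primes: reproducible, NOT secure.
VENDOR_PUB, VENDOR_PRIV = make_key(2**521 - 1, 2**607 - 1)
OWNER_PUB, OWNER_PRIV = make_key(2**1279 - 1, 2**2203 - 1)

def scenario():
    """Walk through the article's cases; returns {case: boot result}."""
    loader = b"constructed vendor boot loader"
    modified = b"constructed vendor boot loader + hidden payload"
    own = b"constructed self-built boot loader"
    vendor_sig, own_sig = sign(loader, VENDOR_PRIV), sign(own, OWNER_PRIV)

    fw = Firmware()
    fw.db["vendor"] = VENDOR_PUB                 # state as shipped
    out = {"shipped/vendor loader": fw.boot(loader, vendor_sig),
           "shipped/modified loader": fw.boot(modified, vendor_sig),
           "shipped/own loader": fw.boot(own, own_sig)}
    del fw.db["vendor"]                          # owner replaces the trusted key
    fw.db["owner"] = OWNER_PUB
    out["rekeyed/own loader"] = fw.boot(own, own_sig)
    out["rekeyed/vendor loader"] = fw.boot(loader, vendor_sig)
    fw.secure_boot = False                       # signature check switched off
    out["disabled/modified loader"] = fw.boot(modified, vendor_sig)
    return out

if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:26} -> {result}")
```

A result of `None` means the firmware refused to launch the image; once the owner's key replaces the vendor's, the vendor-signed loader is refused as well.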

Installing Linux

There’s nothing stopping computers from also shipping with Ubuntu’s certificate. Linux distributions can also publish their own certificate and ask users to install it – or ask them to disable secure boot entirely. Fedora will be paying $99 for Microsoft’s signing services, so Fedora will install on any Windows 8-certified PC with no additional configuration required. Other Linux distributions could also take this route.

For more information about the situation for Linux distributions, check out this post by a Fedora developer.
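A Linux user can confirm whether Secure Boot is actually being enforced on a machine by reading the firmware's variables through efivarfs. This is an added example, not from the original article; it goes slightly beyond the text by also reporting setup mode (the state in which the firmware accepts new keys), and `write_sample` builds constructed variable files so the logic can be exercised offline.

```python
import os

# Namespace GUID of the UEFI global variables (SecureBoot, SetupMode, ...).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032bd2"
EFIVARS = "/sys/firmware/efi/efivars"

def read_flag(name, efivars=EFIVARS):
    """Return a one-byte UEFI global variable as an int, or None if unreadable."""
    try:
        with open(os.path.join(efivars, f"{name}-{EFI_GLOBAL}"), "rb") as f:
            raw = f.read()
    except OSError:
        return None
    # efivarfs layout: 4-byte attribute word, then the variable's data.
    return raw[4] if len(raw) == 5 else None

def secure_boot_state(efivars=EFIVARS):
    """Classify as 'not-uefi', 'unknown', 'setup-mode', 'enabled' or 'disabled'."""
    if not os.path.isdir(efivars):
        return "not-uefi"        # legacy BIOS boot, or efivarfs not mounted
    secure = read_flag("SecureBoot", efivars)
    setup = read_flag("SetupMode", efivars)
    if secure is None:
        return "unknown"
    if setup == 1:
        return "setup-mode"      # no Platform Key: new keys accepted unauthenticated
    return "enabled" if secure == 1 else "disabled"

def write_sample(directory, secure, setup):
    """Create constructed efivarfs-style files for offline testing."""
    for name, value in (("SecureBoot", secure), ("SetupMode", setup)):
        with open(os.path.join(directory, f"{name}-{EFI_GLOBAL}"), "wb") as f:
            f.write(b"\x06\x00\x00\x00" + bytes([value]))  # attributes, then data

if __name__ == "__main__":
    print(secure_boot_state())
```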


Image Credit: Tomasz Przechlewski on Flickr

x86 vs. ARM

Here’s the bad news: Everything above about how you can control Secure Boot and install your own operating system only applies to x86 (Intel) Windows PCs and tablets, which run the standard Windows 8 operating system.

There will also be ARM-based machines running Windows RT – initially a handful of tablets, but we’ll likely see ARM-based Windows laptops and maybe even desktops. In addition to not supporting third-party applications on the traditional Windows desktop and being limited to Metro apps, ARM-based Windows RT machines will have a locked boot loader. You won’t be able to disable Secure Boot and install your own operating system – Microsoft mandates that every ARM device with Windows RT won’t allow you to disable Secure Boot. Microsoft wants you to think of ARM-based Windows RT systems as “devices,” not PCs. As Microsoft told Mozilla, Windows RT “isn’t Windows anymore.”


Image Credit: Odi Kosmatos on Flickr


The good news is that Secure Boot brings security benefits to everyone – even Linux users – on Intel PCs. The bad news is that Secure Boot is being used to lock down ARM devices.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 06/14/12

Comments (38)

  1. Tom

    I wonder how long it takes before the boot loader for arm devices is unlocked by someone.

  2. Citrus Rain

    @Tom
    Depends on how strongly motivated they are to try it.

    ———

    I just realized something… Wouldn’t it make more sense for the certificate listing to be managed by some 3rd party? Like the chip manufacturers or someone more neutral that could enable either Microsoft or Linux distros to get certified for no cost?

  3. Irish_IT

    @Citrus Rain
    No! Clearly, it is the responsibility of monopolistic Microsoft to have ALL SAY as to what goes on your machine……..Clearly! lol

  4. Srivatsan Venkatesh

    @Irish_IT
    At least it’s not Google or Facebook monitoring your OS installs, right?

  5. Citrus Rain

    @Srivatsan Venkatesh

    I don’t see anything wrong with google holding that, but I also don’t see how they would or why they would.

    I was thinking Apache or GNU…. or something else that’s more of an organization rather than a corporation… FTC?

  6. T

    I don’t understand the issues with locking down arm? Isn’t that already what every other tablet manufacturer does (or attempts to do)? How many people are running iOS on their Galaxy tab or want to throw Windows RT on their iPad? All tablets attempt to lock out the ability to change the operating system, don’t they?

    Of course, the x86 aspect of this is ridiculous, and shame on Fedora for handing any money over to Microsoft to maintain rights they already have! There has to be a route that doesn’t involve paying the guys who are forcing the hardware manufacturers to force you out.

  7. Irish_IT

    I suggest that we have to now rename a PC (personal computer) to the new term MC (microsoft computer). Any takes?

  8. Anonymous

    You can thank Apple for this. Seems the poisonous thinking from Apple has now infected Microsoft. Both camps now want us to think of computers as “devices”. And last time I looked, my toaster (also a device) had very little I wanted to modify. (Problem is, toasters usually don’t have any software or very little code a person could adjust.)

    So, the way I see it, we can either boycott Microsoft or just be good little serfs and accept it. The smart serfs will at least find their jars of Vaseline for the rectal action our masters Microsoft/Apple will be thrusting at us. (Google, Adobe, etc. are only part of the nobility class. But you can be sure that they all see everyone else as plain old serfs, not unlike 10th century Europe.)

    Linux is pretty much our last hope for freedom in this (coming) age of digital domination. And now, Linux appears to be losing whatever foothold it ever had (thanks in part to very little unification even within many of the distros).

  9. 4ensicPenguin2

    I bought a new laptop with the Secure Boot feature. I disabled it and dual-boot with Ubuntu. Ubuntu works better in my opinion. :-)

  10. Ashwin Rao

    Thanks to Microsoft for being much monopolistic and closing its doors (Windows?). It’s better for the growth of FOSS and Linux. Is Microsoft scared of competition? Or is it dying slowly as we are seeing in server segment?

  11. sid

    I have problems with your statement that Secure Boot provides benefits to everyone. How is paying MS a “tax” of $99 a benefit? And what happens when MS boosts the price to, say, $1000? Or more?

  12. tmlambert13

    I don’t really see the issue with this. As someone that works in IT disinfecting viruses and dealing with security issues at public usage computers, I look forward to embracing this new feature. If you don’t like the concept here, you can disable or modify secure boot as noted. ARM doesn’t mean that much to me, so I’m not worrying about it :)

  13. Loren Barrett

    You state “You can disable secure boot entirely or add additional certificates. You should even be able to remove Microsoft’s certificate – remove Microsoft’s certificate, add your own, and your computer will only launch boot loaders that you’ve signed yourself.”
    What’s to stop a hacker from turning it off & creating a cert for the malware boot loader?

  14. teruble

    I’ll be building my own systems. Not paying Microsoft to tell me how and what I can use.

  15. Aaron

    Agreed. When Vista came out and was preloaded on PCs and laptops that couldn’t handle it I decided then I will build all my PCs from then on. If I have to stay stuck on Win 7 and Ubuntu for a very long time, as long as they run games I will be fine.

  16. Marcel

    Unless MS makes it impossible to by the hardware needed to custom build PCs I think we’re okay. I don’t personally use “tablets” or “smart(ass)” phones and windows 8 on a desktop or laptop is not satisfying, I’ve tried both and hated it. I use MS PCs for school and some programming, but for everyday use I much prefer Linux Distros, like Mint or Suse (depending on the tasks at hand).
    MS and Apple both helped bring computing to where it now is and deserve some credit. But as long as free minded people are willing to work on projects, such as Linux, no “for profit” will ever control the complete market! OpenOffice/LibreOffice makes MS Office (any release) look like the overpriced software MS has been selling for years.

  17. Marcel

    I meant buy not by. Just another typo, confound it!

  18. dads

    Just a word from an old PC user, ARM I understand will be for company computers.
    Not all PCs will come with this feature, so watch what you buy!
    The most PCs are sold for personal use these will be the ones you can turn off this feature.

  19. Ray Cooke

    I’ve been building my own PC’s as long as I can remember. My 1st was a 286 with a DX2 cpu and 8m ram. Dos 6.22 + Windows 3.1. As long as companies carry on producing the hardware EG: Boards/CPU’s/Ram etc etc us self-builders will carry on regardless without being reliant on Microsoft/Apple to shove their OS’s into us via ‘branded’ PC’s. As for some hacker being able to ‘sneak’ into my machine and shove another ‘mishmash’ loader into my machine I worry not. I guess Microsoft will always ‘worry’ us with their scaremongering but they should, at least, remember that there are people that will always choose their own way of protection and detection etc.
    I tried out Windows 8 when they 1st offered the Beta version to me… I sacked it after 24hrs and it will stay that way until they get it right.
    I resent the way they half-build an OS…market it at horrendous prices…and then repair all the faults they find there-after after the end user has endured all these faults and ‘informed them’ of the bits that they forgot.
    Lovely day isn’t it…

  20. James

    Hmm I wonder what this will mean for Mac users who previously used bootcamp?

  21. David

    This will be another freedom lost. What else can they try to take away?

  22. RH

    This is talking about one hard drive not 2, so you boot to a different hard drive controlled by the BIOS

    It’s not a show stopper

  23. robert

    wonder if you’ll still be able to swap the bios chip out ??

  24. Miss.Andrea Borman.

    Well I have installed Windows 8 RP on one of my netbooks that came with Windows 7. So it does not have secure boot. And when they release the final version of Windows 8 that will be on sale to the public, I will install that over the RP version.

    And if ever I wanted to go back to Windows 7 I can just install it on my netbook again. The best thing is to just buy the Windows 8 full install CD and install it on your existing Windows 7 laptop. Then you won’t have to worry about secure boot. Andrea Borman.

  25. Chris Hoffman

    @sid

    Fedora doesn’t have to do this, but they’re making a choice to make installing Fedora easier to end users. It is ridiculous that they’re paying for certificate-signing, although I believe all that money goes to the certificate authority. Like I said, you could remove the MS cert and add your own custom cert to ensure your computer only runs boot loaders you’ve personally signed, if you like. That’s a security feature even Linux users can benefit from.

    @Loren Barrett

    They need physical access to your computer to do this. It can’t be accessed programmatically from an operating system.

  26. Redde

    Who cares? Oh, right, the nerds who use Linux and make up 1% of the market share… as if those people’s opinions were relevant.

    Get over yourselves. MS has no reason to remove a feature that improves security just to please a vocal minority that doesn’t care about their products anyway.

  27. badger_fruit

    Quote: As Microsoft told Mozilla, Windows RT “isn’t Windows anymore.”
    So why is it called _WINDOWS_ RT? If it’s not Windows, why not call it “Microsoft RT”?

  28. Ted

    So this stops rootkits? Never known anybody or had any problems with rootkits. Read it online but never had the displeasure of getting one on my ‘puter. Isn’t the real problem here infected websites, email, porn, and on and on, and yeah I’ve had those especially on my wife’s computer until I installed Mint. My point is this seems to be a win for Microsoft, and really nothing else. We need to stop looking at computers as devices and look at them as cars, you know something we OWN and can do with as we please. Microsoft or Apple want to GIVE me something they own to play with ok, but if they expect me to pay for it, it better be MINE in all its ramifications of OWNERSHIP!

  29. Knowpe

    I suspect this could be aimed at trying to prevent BIOS emulation loaders for SLIC activation.

  30. Jacques

    From what I understand when you buy the signing service you pay Verisign, not Microsoft. Don’t worry, you will pay the tax anyway since you will be forced to pay for the OS when you buy the “device”.

  31. A

    For me, the key difference is Microsoft is trying to require other manufacturers to lock them in as the only option on compatible ARM devices. Are they worried about real side-by-side comparisons? I don’t think there would be as much ire with them locking down their Surface, as Apple does with their devices (though being UNIX based, people have rooted iPads and iPhones). They want to stretch that to lock other people’s devices to them, and set up a new certificate authority they will have to approve of on the x86 side.

  32. A

    Macs should still be fine. As far as I know, you can still install Windows, Linux and additional clean copies of OSX on Macs with Boot Camp or Parallels. I’m thinking Apple won’t care if Microsoft “certifies” them or not…

  33. D

    Social engineering will compromise secure boot. Like the dialog for fake antivirus. Compromised digital certs like for websites will compromise secure boot.
    More important is how well, if at all, will work done on a rt device be able to be continued on a win8 lappy or phone?
    Will a win8 phone be able to remote control an rt device? Or lappy? Will any of them be able to control the phone?
    Will the work I do in app on win8 phone be available via wifi instantly on my lappy. 3g 4g cloud will not suffice because of the high cost of data but both will be necessary for in a pinch when the salesman on the road has no wifi for 100 miles. Or the constantly out of town construction project manager building the next cloud data center or govt hydro/solar project.

  34. D

    Just what is this device? A ceo toy? Your secretary, that pushes all your appointments to your phone and autoreminds your patients or clients? Will it aggregate all your photos, vids, docs, calendars, emails, sms’s from your phone and lappy? Will the movies I rent on my phone push to and play on the device or lappy? Is it a mini local cloud device that enhances productivity of other equipment I own or is it another $300 paperweight? Is it a buy it and wait for developers to fulfill all your dreams device? Can your IT Department fulfill your desires on these 3 platforms? Will it samba? With a mac? Just who gets to decide what’s important and what formats we all have to switch to etc etc etc? Huh?

  35. Steve

    Quote from Redde,

    “Who cares? Oh, right, the nerds who use Linux and make up 1% of the market share… as if those people’s opinions were relevant.

    Get over yourselves. MS has no reason to remove a feature that improves security just to please a vocal minority that doesn’t care about their products anyway.”

    1%?????? Wrong! The U.S. is the ONLY country that mainly uses M$!! M$ knows its dying worldwide

    http://www.focus.com/fyi/50-places-linux-running-you-might-not-expect/

    If schools start to follow Indiana’s lead, M$ and Mac would die over night.

  36. John

    If the Linux community would make their OS practical such as making installing third party software just as easy as Windows and Mac and getting peripherals to work just as easily as the two OSes mentioned, then at least they would stand a chance in competition. Instead they might have sealed their fate with their tarball/gz files crap. They can at least provide a one step compiler for us since they’re too lazy to provide instruction for us.

  37. PlasticFish

    Hi John,

    1995 called. They asked me to let you know that installing Linux in *this* decade requires not much more effort than dropping a CD in the drive and rebooting the machine. About 45 minutes later, you’ll have a functioning system with heaps of applications ready to use.

    Have you ever actually installed Windows and all your programs from scratch? Takes 3-4 hours–assuming that you have all your drivers and installers handy. (And good luck finding the drivers for your network card on the Internet and downloading them… when you don’t have the drivers for your network card.)

    Any reputable Linux distribution provides software repositories with point-and-click installation of thousands of useful applications. The only people who actually need to compile anything are those who actually *write* software. (And just so you know: In most cases, if you ever do want to compile something from source, it requires nothing more than typing ‘make install’.)

    As far as getting information and help with Linux goes, just try googling for “linux help”.

    I’ve been using Linux full-time since 2004. FYI, I’m running openSUSE 12.1 on my new laptop. Installation was a breeze, and everything just works.

    There is nothing standing between you and a successful Linux experience except for an hour or two of your time–and your poor attitude.

  38. @Loren Barrett

    Physical Access.

    Just like the BIOS, UEFI is not something that can be modified from within Windows/Linux/OSX or whatever operating system you have. You would need to physically power off the computer, enter the UEFI configuration screen (before the Windows or Linux kernel ever booted up), and change the settings.
