Windows 10 to make the Secure Boot alt-OS lock out a reality

[Reefa]

In Windows 8, OEMs must allow Secure Boot to be disabled. They won't have to in Windows 10.

Those of you with long memories will recall a barrage of complaints in the run up to Windows 8's launch that concerned the ability to install other operating systems—whether they be older versions of Windows, or alternatives such as Linux or FreeBSD—on hardware that sported a "Designed for Windows 8" logo.

To get that logo, hardware manufacturers had to fulfil a range of requirements for the systems they built, and one of those requirements had people worried. Windows 8 required machines to support a feature called UEFI Secure Boot. Secure Boot protects against that interferes with the boot process in order to inject itself into the operating system at a low level. When Secure Boot is enabled, the core components used to boot the machine must have correct cryptographic signatures, and the UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system won't boot.

This is a desirable security feature, but it has an issue for alternative operating systems: if, for example, you prefer to compile your own operating system, your boot files won't include a signature that Secure Boot will recognize and authorize, and so you won't be able to boot your PC.

However, Microsoft's rules for the Designed for Windows 8 logo included a solution to the problem they would cause: Microsoft also mandated that every system must have a user-accessible switch to turn Secure Boot off, thereby ensuring that computers would be compatible with other operating systems. Microsoft's rules also required that users be able to add their own signatures and cryptographic certificates to the firmware, so that they could still have the protection that Secure Boot provides, while still having the freedom to compile their own software.

This all seemed to work, and the concerns that Linux and other operating systems would be locked out proved unfounded.

This time, however, they're not.

At its WinHEC hardware conference in Shenzhen, China, Microsoft talked about the hardware requirements for Windows 10. The precise final specs are not available yet, so all this is somewhat subject to change, but right now, Microsoft says that the switch to allow Secure Boot to be turned off is now optional. Hardware can be Designed for Windows 10 and can offer no way to opt out of the Secure Boot lock down.

The presentation is silent on whether OEMS can or should provide support for adding custom certificates.

The off switch, which was mandatory before, is now optional.

Should this stand, we can envisage OEMs building machines that will offer no easy way to boot self-built operating systems, or indeed, any operating system that doesn't have appropriate digital signatures. This doesn't cut out Linux entirely—there have been some collaborations to provide Linux boot software with the "right" set of signatures, and these should continue to work—but it will make it a lot less easy.

We've asked Microsoft if the slides are accurate and OEMs will indeed be able to build machines that essentially lock out other operating systems, especially in light of the visceral reaction to the original Secure Boot requirement. We're still awaiting a reply.

http://arstechnica.com/information-technology/2015/03/windows-10-to-make-the-secure-boot-alt-os-lock-out-a-reality/

[stylemessiah]

I really cant see OEM's not offering the ability to switch this off in the BIOS

I wouldn't panic.

[CODYQX4]

I really cant see OEM's not offering the ability to switch this off in the BIOS

I wouldn't panic.

If it costs them one red cent to so so they won't.

Profit margins supposedly suck bad enough that they go for scum practices like bundling garbage, and the McAfee bundles weren't cutting it so they had to put actual tried and true malware on it.

People only bitched about Superfish loudly when a big company did it, but smaller devs have been allowed to cram it into Chrome extensions on the down-low.