Linux and Windows 8's secure boot: What we know so far

It's still early in the game, but Linux users could face limited options on Windows 8 certified PCs.

Ever since it was first brought to light that Windows 8's secure boot mechanism could cause problems for Linux users, speculation has been running rampant as to the exact nature of the difficulties that may arise.

Will it mean that Linux users can't use Windows 8 PCs at all? Will users be able to disable secure boot in the Unified Extensible Firmware Interface (UEFI) protocol, effectively removing the problem?

Those and many related questions have been voiced repeatedly in the blogosphere over the past week or so, even as Linux Australia reportedly announced it's considering petitioning the Australian Competition and Consumer Commission (ACCC) with a claim that Microsoft's behavior is anti-competitive.

We probably won't know for some time still exactly how this is going to unfold, since Windows 8 is still on the distant horizon. In the meantime, though, it looks like “Windows 8 certified systems will make it either more difficult or impossible to install alternative operating systems,” in the words of Red Hat developer Matthew Garrett.

Of course, there's a big difference between “difficult” and “impossible,” and further comments have been made by both Garrett and Microsoft since my original coverage.

Wondering where things stand? Here's a rundown of what appears to be the case so far.

1. Enabled by Default

Microsoft's Windows Certification program will require that all certified Windows 8 systems have secure boot enabled by default, according to a blog post published late last week by Steven Sinofsky, president of Microsoft's Windows division. To prevent malware from disabling the firmware's security policies, Microsoft's program will also require that firmware not allow "programmatic," or software-level, control of secure boot, as well as stipulating that OEMs prevent any unauthorized attempts at changing the firmware in ways "that could compromise system integrity," the blog post explained.


At the heart of Microsoft's approach is the secure boot protocol in UEFI, the BIOS alternative. The protocol “permits one or more signing keys to be installed into a system firmware,” Red Hat's Garrett explained. “Once enabled, secure boot prevents executables or drivers from being loaded unless they're signed by one of these keys.”

The problem for Linux, as I noted last week, is that it won't have any such signature by default, meaning that it wouldn't naturally be allowed to run on a Windows 8 certified machine.

Further, as Garrett says, “Windows 8 certification does not require that the system ship with any keys other than Microsoft's. A system that ships with UEFI secure boot enabled and only includes Microsoft's signing keys will only securely boot Microsoft operating systems.”
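To make the "which keys does this machine ship with" question concrete, the following added example (not from the original article or from Microsoft or Red Hat) parses the UEFI `SecureBoot` variable and the `EFI_SIGNATURE_LIST` structures that make up the firmware's allowed-signature database. The sample bytes and the owner GUID are constructed; the structure layout and the two signature-type GUIDs are those of the UEFI specification.

```python
import struct
import uuid

# Signature-type GUIDs defined in the UEFI specification.
X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {X509: "x509", SHA256: "sha256"}

def secure_boot_enabled(var):
    """var: raw efivarfs contents of the SecureBoot variable (4 attribute bytes + 1 data byte)."""
    if len(var) != 5:
        raise ValueError("unexpected SecureBoot variable length")
    return var[4] == 1

def parse_signature_lists(data):
    """Walk concatenated EFI_SIGNATURE_LIST structures; return (type, owner, payload) tuples."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])  # EFI GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        start, end = off + 28 + hdr_size, off + list_size
        if sig_size <= 16 or start > end or end > len(data) or (end - start) % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        for i in range(start, end, sig_size):
            owner = uuid.UUID(bytes_le=data[i:i + 16])  # SignatureOwner of this entry
            entries.append((SIG_TYPES.get(sig_type, str(sig_type)), owner, data[i + 16:i + sig_size]))
        off = end
    return entries

def key_owners(entries):
    """Distinct owners of enrolled certificates, i.e. who is able to sign bootable code."""
    return {owner for kind, owner, _ in entries if kind == "x509"}

# --- constructed sample data, not real firmware contents ---
def _make_list(type_guid, owner, payloads):
    body = b"".join(owner.bytes_le + p for p in payloads)
    return type_guid.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(payloads[0])) + body

VENDOR_A = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID
SAMPLE_DB = (_make_list(X509, VENDOR_A, [b"\x30\x82" + b"\x00" * 30])  # placeholder, not a real cert
             + _make_list(SHA256, VENDOR_A, [b"\xaa" * 32, b"\xbb" * 32]))
SAMPLE_SECUREBOOT = b"\x06\x00\x00\x00\x01"  # attributes 0x6, value 1 = enabled

if __name__ == "__main__":
    entries = parse_signature_lists(SAMPLE_DB)
    print("secure boot enabled:", secure_boot_enabled(SAMPLE_SECUREBOOT))
    for kind, owner, payload in entries:
        print(kind, owner, len(payload), "bytes")
    print("distinct certificate owners:", len(key_owners(entries)))
```

On a Linux system booted through UEFI, the same functions can be fed the files under `/sys/firmware/efi/efivars/` (`SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c` and `db-d719b2cb-3d3a-4596-a3bc-dad00e67656f`), after stripping the 4 attribute bytes from the `db` contents.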

Linux currently doesn't support UEFI secure booting, though that could change once hardware that uses it becomes available. “Adding support is probably about a week's worth of effort at most,” Garrett added.

3. Disabling Secure Boot

UEFI can be modified to disable secure boot, at least in theory, and the Windows 8 tablet Microsoft demonstrated at its BUILD conference earlier this month did include the ability to do that.

However, “doing so comes at your own risk,” Sinofsky's post asserted. Even more significant, his post noted that it's up to OEMs to choose how to enable such capabilities.

Whatever method vendors choose to make it possible to disable secure boot, users will still have choices as a result, Sinofsky added, such as the option to run older operating systems if they want.

4. Depends on Hardware Makers

Microsoft's overall message sought to assuage concerns, asserting, as Microsoft program manager Tony Mangefeste did, that "At the end of the day, the customer is in control of their PC." This has been echoed by some in the tech press. The reality, though, is that it sounds like it will ultimately be up to PC makers to decide whether or not they give users the ability to disable secure boot.

In fact, there is no requirement that certified PC makers give users the capability to disable UEFI secure boot, Garrett notes. And not only that, but "we've already been informed by hardware vendors that some hardware will not have this option."

The result, he wrote, is that "the end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality. The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware. The end user is no longer in control of their PC."

5. Options for Linux

So what are Linux users' prospects, given all of this? Once again, it's important to remember that this is all very preliminary, since Windows 8 won't be out for a long time still.

Working with what we've seen so far, though, not buying a Windows 8 certified PC is certainly one obvious option for avoiding any potential problems, as is simply upgrading from Windows 7 on an existing dual-boot machine. Building your own machine is always an option as well.

Assuming Microsoft does allow hardware vendors to give users the option of disabling secure boot, it may also end up being a matter of shopping carefully to ensure that the Windows 8 machine you buy includes that capability.

Signed versions of Linux don't sound likely, as I noted last week, due to licensing issues with the Grub and Grub 2 bootloaders and the fact that self-signed Linux keys would then have to be included by every PC maker--a logistical nightmare if ever there was one.

Of course, Linux fans tend to be pretty savvy users. If things do indeed continue on this path, I'm betting a variety of other workarounds will soon emerge.


Katherine Noyes

PC World (US online)