Windows 8

Windows 8 secure boot to block Linux

Windows 8-certified 64-bit hardware will be forced to carry security measures to stop the installation of other operating systems, such as Linux, until the software is regarded as trusted, according to Microsoft.

Instead of using BIOS for booting Windows 8, hardware carrying the 64-bit version of Microsoft's newest operating system has to use the Unified Extensible Firmware Interface (UEFI) with a secure-booting feature enabled.

In a video describing the new boot process, Microsoft Principal Lead Program Manager Arie van der Hoeven said that the decision to force UEFI use was based on security; the company hopes to reduce the likelihood of bootkits, rootkits and ransomware.

"It's something that could sting me or you; it's something we really don't feel that we can ship Windows 8 without protecting the end-user from," said van der Hoeven.

But as well as protecting Windows 8, the secure boot process' "chain of trust" will make it harder to install an alternative operating system, or possibly even another copy of Windows, as any software or hardware that is to run on the system will need to be signed by Microsoft or the original equipment manufacturer (OEM) to be able to execute.

"A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux," wrote Red Hat developer Matthew Garrett in a blog post.

Without a signature, at a bare minimum the user would need to get into the UEFI and disable secure boot to prevent the firmware from blocking other operating systems from booting.

"If you are dual booting, it depends on whether you are booting into another trusted operating system...If you want to have secure boot, and you want to dual boot Windows 8 and Windows 7, you'll need to turn secure boot off in firmware," said van der Hoeven.

This isn't a guarantee that Microsoft would definitely allow vendors to provide firmware support to disable the secure boot functionality. Garrett believed, however, that it would.

"There's no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code," wrote Garrett.

"It's almost certainly the case that some systems will ship with the option of disabling this. Equally, it's almost certainly the case that some systems won't.

"It's probably not worth panicking yet. But it is worth being concerned."

Linux could create its own signature keys, called self signing, but it would still need to get its keys included in the firmware by every OEM or Microsoft.


Some would say that it is a long way from software engineering to journalism, others would correctly argue that it is a mere 10 metres according to the floor plan.During his first five years with CBS Interactive, Chris started his journalistic advent...