Feeds

MS denies secure boot will exclude Linux

Lock-out security tech can be disabled, if OEMs want

Mobile application security vulnerability report

Microsoft has hit back at concerns that secure boot technology in UEFI firmware could lock out Linux from Windows 8 PCs, saying that consumers will be free to run whatever they want on their PCs.

Unified Extensible Firmware Interface (UEFI) specifications, designed to reduce start-up times and improve security, allow computers to verify digitally signed OS loaders before booting. The feature in UEFI, the successor to BIOS ROM, is designed as a countermeasure against rootkits and other bootloader nasties.

However computer scientists, including Professor Ross Anderson of Cambridge University, warned earlier this week that the approach would make it impossible to run "unauthorised" OSes such as Linux and FreeBSD on PCs. A signed build of Linux would work, but that would mean persuading OEMs to include the keys.

In addition since the kernel itself is part of the boot process, kernels will also have to be signed, a huge bureaucratic hurdle for developers that runs wholly against the grain of open source software development, as explained in more depth by tech blogger Matthew Garrett here.

If the draft for UEFI is adopted without modification, then systems with secure boot enabled simply will not run a generic copy of Linux. Disabling the feature would allow unsigned code to run. However Garrett argues that since "firmware vendors and OEMs are interested in providing only the minimum of firmware functionality required for their market" this may not be possible, a concern shared by Anderson.

"The extension of Microsoft’s OS monopoly to hardware would be a disaster, with increased lock-in, decreased consumer choice and lack of space to innovate," he said. Anderson concludes that the approach is even worse than previous attempts to force feed Windows users with DRM technology.

In a blog post on Thursday, Microsoft attempted to address these concerns arguing that "complete control over the PC continues to be available" to consumers.

Secure boot is a UEFI protocol, rather than a specific Windows 8 feature, and "Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows," Microsoft's Tony Mangefeste explains.

"Secure boot doesn’t 'lock out' operating system loaders, but it is a policy that allows firmware to validate authenticity of components. OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform," he adds.

Mangefeste cites the example of a prototype Samsung tablet with firmware designed to allow customers to disable secure boot, an option that is open to OEMs.

Just how many OEMs will take this approach remains unclear. Microsoft has effectively batted the question over to its hardware partners and firmware suppliers. What both Microsoft and critics of UEFI seemingly agree on is that unless secure boot can be disabled then Linux can't be run on Windows 8 PCs.

We asked the UEFI Forum to comment on the issue earlier this week but are yet to hear back from the industry group, which promotes and manages the UEFI standard. Members of the UEFI forum include Apple, IBM and BIOS giant Phoenix Technologies as well as Microsoft. ®

The Essential Guide to IT Transformation

More from The Register

next story
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Put down that Oracle database patch: It could cost $23,000 per CPU
On-by-default INMEMORY tech a boon for developers ... as long as they can afford it
Google shows off new Chrome OS look
Athena springs full-grown from Chromium project's head
Apple: We'll unleash OS X Yosemite beta on the MASSES on 24 July
Starting today, regular fanbois will be guinea pigs, it tells Reg
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.