Posted by: Eric Hansen
linux, Secure Boot, UEFI, Windows 8
While I normally don’t write about Windows on here, ITKE asked me via Twitter to write down my thoughts about the controversy surrounding Linux and Secure Boot, Windows’ answer to what TrueCrypt and BitLocker have been doing for a while now. I’m not going to be biased and say that Windows is the spawn of all that is evil, as there are good and bad things involving all of this mess. What I’m going to be doing is outlining some of the finer grained details and expand on them from an article I read on ZDNet.
First and foremost, I personally think all of this is nonsense. The whole issue at hand is that Windows’ Secure Boot (which is a motherboard feature, not OS) is going to completely ruin chances of running a dual-booted system. But, there’s two things with this:
- Secure Boot is optional, and can be disabled from the motherboard settings like most options/features
- This only affects newer models (i.e.: OEM machines that come set up for Windows 8)
Lets start off with point #1:
You can disable this feature in the motherboard set up (can’t really call it BIOS as UEFI [which Secure Boot uses] replaces the BIOS):
Basically, unless people are not willing to change a setting in the BIOS, then Windows 8 will be using Secure Boot. But, the change takes a whole matter of roughly 5-10 seconds (assuming), so why not make the change?
I’m not sure what the system specs are for Windows 8, but I’m pretty sure even those systems running the (now) archaic BIOS is going to be able to boot Windows 8. If you don’t have UEFI on your system, then Secure Boot isnt’ going to make a difference anyways.
Now, on to something else. Secure Boot itself.
The whole ideal behind Secure Boot is simple: make the booting experience into the OS as safe as possible. If this feature was developed back in the good ol’ DOS and Windows 3.x and 9x days, we’d have something to write home about. But, nowadays, unless I missed something, Windows (and Linux) had safety features put into place that reduced or zilched the possibility all together of writing to the MBR or any other part of the disk that would cause such incidents to happen. Even on top of that, all Microsoft is doing is re-hashing and re-branding their BitLocker feature set into a “new and improved” security feature. Its the same thing TrueCrypt does as well by encrypting your drive, essentially. The only difference is that Secure Boot works with public key authentication, as well as generating keys based on the hardware and software.
Now, with all this said, how does this involve Linux? Well, in the short term, it doesn’t. The big uproar about all of this is that Microsoft refuses to directly answer whether this is basically a ploy to gain more hold on the computer market (seeing Linux as a viable threat now), or just them trying to be overly secure cautious. I feel the biggest confusion in the end is something that Steven Sinofsky, an employee at Microsoft, said:
Of course Windows is usable without secure boot — just like the post stated
How secure boot works with any other operating systems is obviously a question for those OS products We focus our boot loader on Windows and there are a number of alternatives for people who wish to have other sets of functionality.
The vagueness of it all is what bothers me, and I don’t see Microsoft going for blocking a Linux boot all together. They’ve worked hard over the years to clear their name and image from all the legal hassles that they’ve gotten themselves into, and this would be 10 steps backwards. But, as no one is actually speaking directly about this, no one knows for sure…which, I can’t say is the best business strategy for this right now.
Steven Sinofsky’s comment: http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx#10215592