Tuesday, September 27, 2011

That Whole Windows 8 Secure Boot Ruckus

It was recently announced that Windows 8 would support a shiny new feature that is known as "secure boot". In case you have been living with your head under a technological rock for the last couple of weeks, this feature would allow hardware vendors would have the option of only allowing operating systems signed with their secure key to boot on the hardware.

This means that Linux, BSD and even older versions of Windows would not be able to boot on the hardware that ships with secure boot enabled.

A good deal of open source operating system users are upset at this announcement - and with good reason. Having a physical hardware lockout to prevent alternative operating systems from being used is very much bad news bears. Now, before I continue I'd just like to say I do not endorse Microsoft in any way, in fact I don't have any of their software installed on any of my (many personal computers). If you don't believe me take a little bit of a closer look around my blog.

That being said - I think everyone that is crying foul on Microsoft about this whole secure boot thing really needs to reexamine what is going on here.

Microsoft is simply adding a feature to their operating system. What do I mean by pointing this out? Simply that if a market lockout does happen at the hardware level it is the hardware makers you need to be outraged at. Just as easily as they can give their hardware key to Microsoft they can also give it to Linux distributions. In fact it will ultimately be up to the hardware maker whether they have secure boot enabled in their hardware at all.

Meaning that if you are really worried about the future of this feature - start contacting hardware vendors and stop attacking Microsoft for adding a feature to their operating system. In reality only time will tell what will happen with the addition of this feature to Windows 8.

I don't see anyone getting outraged at Google because they allow device makers to lock down ARM hardware. In fact ARM hardware is one of the hardest things around to install an alternative operating system to. Where is the outrage over this if we really want to see true software freedom for all devices?

If you are looking for more reading on this subject check out this excellent post.

So until we see how things pad out just chill out and keep using your favorite penguin powered operating system.

~Jeff Hoogland


  1. I hope this didn't duplicate. But I think this is very much like MS's strongarm tactics for IE years ago. That landed them in court for a long time and many were lost by MS. I agree but we should add an important point. Do not buy any equipment from vendors that support this idea. If I buy it I should decide what is run on it. And we definitley should be enmasse contacting the vendors now that this is not something we as consumers want and we will not pruchase any product with these restrictions. Period.

  2. I agree with this post with one caveat; I'd say, "Don't attack Microsoft until and unless Microsoft puts pressure on OEMs to only pre-install non-Linux security keys." A lot of the fear and anger is driven by fears of what Microsoft might do given its past history, as JRaz points out.

  3. I believe the original alarm bells started ringing at how Microsoft *require* secure boot for the Windows logo licensing program.

    We all know how this works: if a sheepish customer looks down a row of PCs in store, they're gonna pick the one "Made for Windows 8" - the one that silently has secure boot enabled.

  4. The author seems to think that Microsoft are not able to put any pressure on hardware vendors or make them 'toe the line'. I'm unsure if this is naivety or ignorance, but it is most certainly inaccurate.

  5. I don't know exactly how the keys work. except that the way I understand it, is that the key built into the firmware will have to match the key in the OS, before the computer will reboot. Which implies the use of additional software built into a o.s.
    That means this software has to be added to every OS on the planet including old windows OS's, in order for them to run. There is only one Microsoft company which oems have to please and only one OS (Windows 8).
    In order for secure boot to stay secure, some kind of program would have to be set up for other operating systems, by which to obtain a key from the oems. There are many oems, and many other OS's. Some how I doubt the oems will want to spend the time or resources, to keep up with a key database.
    A couple of weeks ago Microsoft announced that Linux was no longer a threat. Then just recently, they announced secure boot. I wonder if this is why Linux is no longer a threat?

  6. I posted comments on this over the past few days (mostly on Google+ since I seem to hang out there lately), and my take on it is this:

    It could be an opportunity for some OEMs if others are stupid enough to actually lock out everything but Windows 8 (and beyond).


    Think about it - could you use Windows 8 to run a highly technical machine or for some very critical scientific work?

    I am thinking along the lines of the Large Hadron Collider (which uses Linux, of course), or various supercomputer applications, or even smaller stuff.

    I work in the nuclear industry, and sure, for what I do, Windows is what we are given (if I had a choice, though... it would not be what I would run, even though all I do is write documents) - however, for anything serious, it is Linux.

    So bring it on, I would say - some *serious* OEM with guts could step up to the plate and do very well.

    (Lenovo perhaps?)

  7. As the ones above stated you are neglecting the fact that MS demands UEFI and secure boot enabled in order to show that little logo. We all know that manufactures will do that and that they probably won't jump through any hoops to satisfy any other OS than Windows (just think of all the acpi and other BIOS and technology incompatibility with Linux because of only caring about MS).
    We need to put enough pressure on the manufacturers but MS caused this.

  8. "Simply that if a market lockout does happen at the hardware level it is the hardware makers you need to be outraged at."

    What? For competing with each other for market share by making their machines display "Windows 8" on the front? By having to jump through Microsoft's hoops to get this (Putting a Microsoft signing key into the BIOS and marking it as trusted?)

    That kind of reaction just makes consumers sound like fools, whilst Microsoft laugh all the way to the bank. Ever think this is the reason why Microsoft disregarded Linux as a danger on it's SEC filings this year?

  9. For those that are disagreeing with me - I just added this chunk to the post:

    "I don't see anyone getting outraged at Google because they allow device makers to lock down ARM hardware. In fact ARM hardware is one of the hardest things around to install an alternative operating system to. Where is the outrage over this if we really want to see true software freedom for all devices?"

    I assume you are hating Google and don't use Android as well then correct?

  10. Jeff,

    Google doesn't specify bootloader lockdown as a condition for running Android. If I am not mistaken (and I admit that I might be), Chrome has an opt-out specification where the secure boot can be disabled in the hardware. There's also M$'s track record of bullying OEMs into putting hardware locks and changing specs to make it difficult to run anything but Windoze... Remember Foxconn, anyone?!?! Even if they say they are going to leave it up to the vendors, you know darn well that there will be some back-room deals. When presssed about this possibility, they conveniently do not answer to that question. I trust M$ implicitly... I trust them to do the underhanded and most deceitfull thing... And so wonserful are they that they haven't let me down yet...


  11. I'd just like to also say here that I am NOT ruling out the fact that Microsoft could pressure OEMs. All I am saying is that:

    1.) It hasn't happened yet.

    2.) It is just as much the OEM's fault as it is Microsoft's if push does come to shove.

    At this current point in time Microsoft is just doing what Google does - putting the option on the table for OEMs to lock down hardware. So until Microsoft "requires" you to use the secure boot to sell Windows 8 it isn't their fault.

  12. Microsoft does not require that oem's make it possible for the user to be able to disable secure boot. So the end user is at the mercy of the hardware vendors. This is something to cry foul over.

  13. Agreed. But again that is on the hardware vendor not Microsoft.

  14. Microsoft does not require secure boot to sell Windows 8 they will simply charge more for Windows 8 to vendors that do not have secure boot.

  15. You have a source for that information?

  16. Jeff, Here's an article that explains the situation much better than yours does:


  17. Solid read. I'll add a link to it at the end of my post. It was not my goal to re-summarize everything here - it is simply to point out that people need to be as angry at hardware makers as they are at Microsoft over this issue.


    It is well known that Microsoft has the OEM's by the shorthairs and can force them to do anything it wants to.

    Microsoft will force OEM's to ship machines with secure boot enabled, and over time will gently "encourage" them (using kickbacks and such) to ship machines on which secure boot cannot be disabled, all the while telling the public "this is an OEM decision not a Microsoft one"

    The OEM's have a decision, of course, but until the Microsoft desktop monopoly is broken, the decision is not whether to allow secure boot to be disabled -- it is whether to ship with secure boot or to go out of business.

  19. Linux/BSD... how about VMware ESX/ESXi? Are they locked out as well?

  20. Windows logo program, in which

    Microsoft give incentives to vendors to sell hardware that meets their certification requirements.

    Vendors who choose not to follow the certification requirements will be at a disadvantage in the marketplace.

  21. Those who "know the deal" won't buy the hardware. However, what happens to the hapless person who gets fed up with Windows in a month/year/couple of years and decides to try something different. Also, what happens to the old hardware that Microsoft has decided not to support anymore. This is a disguised lock in / planned obsolescence play designed to shift the blame to the hardware vendors.

  22. Here's another piece of evidence that Linux crowd is the biggest FUDster on the planet.

  23. Would this not be a violation of the Sherman Antitrust Act? If by buying one item (the hardware) I must purchase a secondary item (Windows), this might just run afoul of current trade law.

    Though I am not a lawyer, if this goes through, I would hate to be an OEM doing business with MS because the DOJ would probably come knocking at both doors...

  24. "I would hate to be an OEM doing business with MS because the DOJ would probably come knocking at both doors..."

    What would be more damaging to OEMs would be the fact that they COULD easily allow the end user to disable the UEFI secure boot option but chose not to. Then the question would be "Why not?" And that might reveal a trail leading back to Redmond.

    It is in the better interests of OEMs to either allow disabling of this feature or easily supply keys for Linux and other OSs.

  25. @Mr. Pink: I quote George Santayana.

    "Those who cannot remember the past are condemned to fulfill it."

    Don't be that guy.

  26. Since I work in an environment that uses Windows, currently still XP, we do refresh harware muc faster than the OS. Mostly for budget and training issues but there is still an issue with compatibility with proprietary software we have to use in our business. Not being able to choose would definitely affect us. As a consumer I have been around long enough to see MS and their strong arm tactics. Can anyone remember Navigator?

    We as consumers cannot let this happen. I have to agree that it is a point being made that has yet to happen but that alone should not stop us as consumers to voice our opinions.

    The functionality of handhelds and Android devices at this point are still in a category all their own. Phones as such have been proprietary from the start. Computers have not. And I may be in the minority but do not own a smartphone and have been very eluctant to change. It is simply not what I choose for my phone to do.

  27. From my reading of other articles, you've got the info on keys backwards. It's not the OEM that provides the key to the OS maker, but the OS maker that provides it to the OEM, and the OEM decides which keys they want to include in their firmware. This means that every distro could potentially create their own signed versions, but then they would need to persuade the OEMs to include those keys in their firmware. This technology has been around for awhile and OEMs have ignored it, until MS announced it would be required for inclusion in the Windows 8 logo program, which gives the OEMs discounts on their Windows licenses. This is the reason for the anger against MS.

  28. You have a link to something saying the keys worked in that manner? I was under the impression that the hardware maker created the key.

  29. Jeff, since the first mobile devise was placed on sale, it had its exclusive o/s. Those who followed, did the same. Today that is the logic on THAT market.

    The Personal Computer is different. MS would not be able to implement that in the beginning, otherwise they would never become what they are today.

    Now, look at the actual MS position: (almost) total control on the o/s pc's, but: IE is coming down, Mobile o/s almost zero, search engines quite nothing, Tablets o/s almost zero, Games (xbox) nothing special, Gadgets a.s.o, nothing. In other words, MS is out on the dominant present and future technologies. Also, as we saw with android, Linux is a huge concern for them.

    Now, lets look at the present and past MS behave with pc hardware makers. MS completely dominate them with the o/s pricing policy.

    What I think is that MS want to turn all pc's as an exclusive MS thing, because they don't have much else left of them.

    Look at the Android tax.

    Linux consumers have any power to influence oem's. M$ has lots of power $$$ for that.

    Your article has a reference here, in case you want to follow up


  30. Guys,

    Your angst is utterly unjustified as the free market will address this problem. In other words, there is nothing here that would prevent a hardware manufacturer from offering Windows 8 PC's which, although sold with secure boot enabled, would also contain a hard switch on the motherboard that, when modified along with a setting in the BIOS, would disable the feature.

    The motherboard business if one of rather thin profit margins. Since hardware vendors who made this option available would surely reap a windfall by capturing all the business of the anti-secure boot crowd, there is no reason to believe that such a model would not be available, even if it costs a few hundred dollars more. If you guys knew how low the margins were in the motherboard business, you would know that these companies would jump at the chance to make more $$$ bucks per board as the people seeking this capability would likely be willing to shell out hundreds of more dollars for the machine (I know that I would).