Monday, 25 June 2012 22:29

Microsoft's UEFI Secure Boot Locking Out Choice and The Competition In The Name of Security


A second Linux distro has joined the Microsoft Secure Boot party. You see, Microsoft has come up with what they are calling UEFI Secure Boot. UEFI Secure Boot is somewhat controversial in that, once set up, it will only allow signed versions of an OS to be installed. This means that if a computer is shipped from an OEM with Windows 8 and UEFI Secure Boot on, you could not install a generic version of Linux or indeed any other OS, including Windows 7 etc. This would effectively lock someone into using Windows 8 only on these devices. This block would include even downgrading your new system to Windows 7.

Now Microsoft is claiming that there might be a way to turn this off for x86 systems (ARM-based systems will be locked to Windows RT), but it has prompted both Red Hat and Canonical to find a way to work within the UEFI Secure Boot structure just in case. To do this they are getting a digital signature (from Verisign, apparently) which will allow them to work with UEFI Secure Boot.

There is a downside to all of this, though. UEFI Secure Boot has effectively locked out many third-party developers that work on drivers and utilities for Linux. That is, unless they pay Microsoft to sign their code so that it will work with the UEFI Secure Boot process. Microsoft is saying that Secure Boot is intended to help with security and also to help prevent piracy, but in the end it is looking a lot more like the move is intended to prevent people from running the OS that they want when they buy a new PC.

It will also mean that Microsoft can use this feature to lock out unsigned drivers and applications if they want to. Now I am all for security and safety, but at what point does this become too much? The sad part about all of this is that it will hurt the PC industry in more ways than you can imagine. As word of this gets out, people will not be buying from Dell, HP, Acer, Asus or any other OEM if they do not want Windows 8. They will instead buy older hardware or build their own. This is even more true in the tablet, ultrabook and notebook markets.

Microsoft should remember what happened with Vista and stay away from this, but unfortunately I just do not see that happening. It seems that Microsoft is on an incredibly self-destructive path with their new OS and ecosystem, at least in the OEM sector. Now what we wonder is if this will extend to boutique dealers that legally buy OEM licenses of Windows. If they are forced to implement the UEFI Secure Boot feature, it is possible that it will drive away their business, since most people that would buy from a boutique builder are looking for more than they can get from someone like Dell, HP or Acer. The same goes for the enterprise, as many of them will not want Windows 8 yet, but might be locked into it if they buy from Dell or HP after the Windows 8 launch. I can remember the hassles of getting Windows XP installation media for Dell and Lenovo products because the companies that I was working for at the time would not allow Vista to be used. With the UEFI Secure Boot lock-in I would expect this to be even worse than with the transition from XP to Vista.

On the good side of this, there is sure to be a big push in the DIY market, as there is no compulsion to force motherboard makers to implement UEFI Secure Boot right now, and we would not expect to see one any time in the future. We also will not be surprised when BIOS editors pop back up that will allow you to enable hidden features in your BIOS so that Secure Boot can be disabled. We will be asking some questions to see what would be involved to get around it and if this poses a security risk, since we know that digital signatures like certificates can be compromised and even spoofed now.



Last modified on Monday, 25 June 2012 22:38
