OS and Software > All Things Unix > Windows 8 Secure Boot Would 'Exclude' Linux

Referring to a presentation (PowerPoint .pptx file) at the Build developer conference, Garrett said that all client systems – desktop PCs, notebooks, tablets – with a Windows 8 logo must support UEFI Secure Boot and have this feature enabled. However, the way it is described in this document, the second condition at least isn't necessarily mandatory: it could also be that the function must explicitly be enabled by the computer's owner or administrator. Also, as has so far been the case, most systems with UEFI will probably be able to load an optional Compatibility Support Module (CSM) that allows operating systems to be booted in BIOS mode. This is a prerequisite for installing 32-bit versions of Windows because only the x64 versions of Windows since Vista can be installed in UEFI mode. Microsoft refers to systems that can boot either in UEFI or in BIOS mode as "Class 2" systems; systems without CSM are referred to as "Class 3".

However, the situations that will allow multiple operating systems, where some start in UEFI mode while others start in BIOS mode, to be installed on the same hard disk remain unclear – this will probably make it difficult to install dual-boot systems on notebooks, tablets and other devices that only have one mass storage device. There may be no choice in some circumstances; the Windows 8 mobile computers with ARM SoCs that have been announced will only ever be available as Class 3 devices. On these devices, however, Microsoft plans to increase platform security by allowing only apps from the app store that have been checked and signed to be installed on the Metro user interface.

Another problem when booting alternative operating systems could arise from hard disks that are fully encrypted with TCG Opal or BitLocker, if the boot loader is required to include functions that allow a key to be submitted to a Self-Encrypting Drive (SED).

Who IS the CUSTOMER to Asus, etc.? Just like Broadcom could care less about selling me 30-40 chips, they DO CARE about about selling 300-400,000 to some OEM making some widget..... Same with the OEM MB makers the persons building their own boxes are NOT their customer, OEM builders are.

Pegatron Corporation was established on June 27, 2007. In order to enhance competitiveness and boost productivity, the Company resolved to accept the OEM business from ASUSTeck Computer Inc. on January 1, 2008 to restructure the Company's business. ASUSALPHA Computer Inc. was merged with the Company on April 1, 2008.

Exactly GO NUCLEAR ON THEM NOW, and cut it off before it gets any traction any where, MB OEM's and box OEM's like dell etc.. Tons of boxes purchased from dell etc.. that may come with an infection, but are inoculated by IT to clear it of that disease. Won't be possible with this

Let's say the OEM uses a generic motherboard and flashes their own BIOS on it, wouldn't it be possible to flash it with the generic one which would allow you to disable secure boot?

Microsoft has hit back at concerns that secure boot technology in UEFI firmware could lock out Linux from Windows 8 PCs, saying that consumers will be free to run whatever they want on their PCs.

In a blog post on Thursday, Microsoft attempted to address these concerns arguing that "complete control over the PC continues to be available" to consumers.

Secure boot is a UEFI protocol, rather than a specific Windows 8 feature, and "Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows," Microsoft's Tony Mangefeste explains.

"Secure boot doesn’t 'lock out' operating system loaders, but it is a policy that allows firmware to validate authenticity of components. OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform," he adds.

Mangefeste cites the example of a prototype Samsung tablet with firmware designed to allow customers to disable secure boot, an option that is open to OEMs.

Just how many OEMs will take this approach remains unclear. Microsoft has effectively batted the question over to its hardware partners and firmware suppliers. What both Microsoft and critics of UEFI seemingly agree on is that unless secure boot can be disabled then Linux can't be run on Windows 8 PCs.

We asked the UEFI Forum to comment on the issue earlier this week but are yet to hear back from the industry group, which promotes and manages the UEFI standard. Members of the UEFI forum include Apple, IBM and BIOS giant Phoenix Technologies as well as Microsoft.

Microsoft has hit back ...

As for the certificate to verify the signature on the boot code - what makes most sense is that there be a provision to install certificates in flash ROM. If only Microsoft certs were allowed, there would be anti-trust law suits against MS. Installable certs makes the most sense for flexibility for end users.