The Windows 8 Linux lock out conundrum

Discussion has been rife this week after Red Hat’s Matthew Garrett made his venturesome comments over Windows 8 and its possible move to lock out support for dual boot installations of Linux on PCs.

Garrett’s comments were made in light of the Windows 8 super-engineered booting specification, which is known as Unified Extensible Firmware Interface (UEFI).

As super slick and secure as UEFI is supposed to be, its ability to lock out rootkit infections has been highlighted as a possible barrier to Linux installs, should a user want to run a second (open source) operating system on his or her machine.

With keys being required before executables or drivers can be loaded, UEFI should provide an additional layer of device security robustness.

Robust enough to keep Linux out of action then?

Garrett writes variously as follows, “This impacts both software and hardware vendors. An OS vendor cannot boot their software on a system unless it’s signed with a key that’s included in the system firmware… Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled… Now, obviously, we could provide signed versions of Linux. This poses several problems.”

Microsoft has not been backward in coming forward to respond to Garrett’s ‘worry-mongering’.

Windows grande fromage Steven Sinofsky used carefully picked words to democratically admit that recent comments could, “Synthesize scenarios that are not the case.”

“The most important thing to understand is that we are introducing capabilities that provide a no-compromise approach to security to customers that seek this out while at the same time full and complete control over the PC continues to be available,” wrote Sinofsky.

Sinofsky then used his MSDN musings to introduce the colourfully named Tony Mangefeste from the Windows Ecosystem team who detailed the following “facts” for us.

• UEFI allows firmware to implement a security policy
• Secure boot is a UEFI protocol not a Windows 8 feature
• UEFI secure boot is part of Windows 8 secured boot architecture
• Windows 8 utilizes secure boot to ensure that the pre-OS environment is secure
• Secure boot doesn’t “lock out” operating system loaders, but is a policy that allows firmware to validate authenticity of components

The upshot of Mangefeste’s comments is that he goes on to explain that Microsoft supports OEMs having the flexibility to decide who manages security certificates and how to allow customers to import and manage those certificates.

“Microsoft’s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility,” he said.

Has this served to merely highlight some sterling work going on in the back office labs of the Windows 8 developer teams? Or is this a case of Microsoft slipping in a little anti open source insurance one layer below the operating system itself?

My money is on the former; Microsoft knows open source is here to stay and wouldn’t do something that stupid — these days.