The Windows 8 Linux lock out conundrum

Discussion has been rife this week after Red Hat’s Matthew Garrett made his venturesome comments over Windows 8 and its possible move to lock out support for dual boot installations of Linux on PCs.

Garrett’s comments were made in light of the Windows 8 super-engineered booting specification, which is known as Unified Extensible Firmware Interface (UEFI).

As super slick and secure as UEFI is supposed to be, its ability to lock out rootkit infections has been highlighted as a possible barrier to Linux installs, should a user want to run a second (open source) operating system on his or her machine.

With keys being required before executables or drivers can be loaded, UEFI should provide an additional layer of device security robustness.

Robust enough to keep Linux out of action then?

Garratt writes variously as follows, “This impacts both software and hardware vendors. An OS vendor cannot boot their software on a system unless it’s signed with a key that’s included in the system firmware…… Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled…… Now, obviously, we could provide signed versions of Linux. This poses several problems.”

Microsoft has not been backward in coming forward to respond to Garratt’s ‘worry-mongering’.

Windows grande fromage Steven Sinofsky used carefully picked words to democratically admit that recent comments could, “Synthesize scenarios that are not the case.”

“The most important thing to understand is that we are introducing capabilities that provide a no-compromise approach to security to customers that seek this out while at the same time full and complete control over the PC continues to be available,” wrote Sinofsky.

Sinofsky then used his MSDN musings to introduce the colourfully named Tony Mangefeste from the Windows Ecosystem team who detailed the following “facts” for us.

• UEFI allows firmware to implement a security policy
• Secure boot is a UEFI protocol not a Windows 8 feature
• UEFI secure boot is part of Windows 8 secured boot architecture
• Windows 8 utilizes secure boot to ensure that the pre-OS environment is secure
• Secure boot doesn’t “lock out” operating system loaders, but is is a policy that allows firmware to validate authenticity of components

The upshot of Mangefeste’s comments is that he goes on to explain that Microsoft supports OEMs having the flexibility to decide who manages security certificates and how to allow customers to import and manage those certificates.

“Microsoft’s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility,” he said.

Has this served to merely highlight some sterling work going on in the back office labs of the Windows 8 developer teams? Or is this a case of Microsoft slipping it a little anti open source insurance one layer below the operating system itself.

My money is on the former; Microsoft knows open source is here to stay and wouldn’t do something that stupid — these days.


Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

Firstly, I have to ask the question, if this was Google who were implementing a standard such as this would there be anything to answer for?No, there wouldn't. This is only a problem because it's Microsoft and once again it's another damned if they do, damned if they don't scenario.IF you are dual booting linux that suggests a certain amount of technical know how and as such, changing a setting to disable this security level surely isn't beyond that technical know-how. Failing that, why not splash the cash and add a second hard drive with your beloved Linux on? There problem solved.Or is there something else afoot that might just expose Linux in someway that those Linuxites would rather it was not exposed???Anyone care to dance?