Fears that Microsoft would abuse the UEFI Secure Boot feature for their own ends are coming true.
Advice from Microsoft to makers of ARM hardware says that allowing the disabling of the contentious UEFI Secure Boot feature required for Windows 8 must NOT be possible.
The back story
Late last year Microsoft revealed that Windows 8 would require ‘Secure boot’ in order to start up. the UEFI standard has been around for several years. It works works by keeping ‘secret keys’ within the system itself. These keys are then used to “sign” anything that wishes to run – such as operating systems. If an operating system is not signed by a matching key then it won’t be allowed to boot.
The Linux community was concerned that persuading device makers to ships ‘keys’ for Linux would be difficult, thus making it nigh-on-impossible to install Linux on Windows 8 hardware.
Microsoft sought to calm fears by clarifying their position, and Canonical also weighed in with their take on the issue. Microsoft would not require hardware manufacturers to prevent disabling of the Secure Boot feature.
But it now seems that that advice only extended to traditional PC hardware and not anything running on ARM hardware.
“Disabling Secure MUST NOT be possible on ARM systems”
ComputerWorldUK‘s Glyn Moody trawled through a recent document outlining Microsoft’s official guidelines to manufacturers who seek to receive Windows 8 certification for their devices – and he found something surprising.
On Page 116 of the guide is a paragraph detailing how and when supporting the enable/disable of Secure Boot should be permitted: –
MANDATORY: Enable/Disable Secure Boot.
On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of Pkpriv. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible.
Disabling Secure MUST NOT be possible on ARM systems.
The wording is hardly ambiguous or open to interpretation – so just what are Microsoft playing at? And does this even matter?
With a number of forthcoming Ultrabooks – superthin laptops with extra long battery life – to be ARM based and ship Windows 8, Linux users could be barred from using an entire device category based on the ‘requirements’ of one company.
Here’s hoping they apply salve to the situation as before – but let’s just hope there’s no fly in the ointment this time.