Biz & IT —

Windows 10 to make the Secure Boot alt-OS lock out a reality

Windows 10 hardware must support Secure Boot and won't have to let you turn it off.

In Windows 8, OEMs must allow Secure Boot to be disabled. They won't have to in Windows 10.
In Windows 8, OEMs must allow Secure Boot to be disabled. They won't have to in Windows 10.

Those of you with long memories will recall a barrage of complaints in the run up to Windows 8's launch that concerned the ability to install other operating systems—whether they be older versions of Windows, or alternatives such as Linux or FreeBSD—on hardware that sported a "Designed for Windows 8" logo.

To get that logo, hardware manufacturers had to fulfil a range of requirements for the systems they built, and one of those requirements had people worried. Windows 8 required machines to support a feature called UEFI Secure Boot. Secure Boot protects against malware that interferes with the boot process in order to inject itself into the operating system at a low level. When Secure Boot is enabled, the core components used to boot the machine must have correct cryptographic signatures, and the UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system won't boot.

This is a desirable security feature, but it has an issue for alternative operating systems: if, for example, you prefer to compile your own operating system, your boot files won't include a signature that Secure Boot will recognize and authorize, and so you won't be able to boot your PC.

However, Microsoft's rules for the Designed for Windows 8 logo included a solution to the problem they would cause: Microsoft also mandated that every system must have a user-accessible switch to turn Secure Boot off, thereby ensuring that computers would be compatible with other operating systems. Microsoft's rules also required that users be able to add their own signatures and cryptographic certificates to the firmware, so that they could still have the protection that Secure Boot provides, while still having the freedom to compile their own software.

This all seemed to work, and the concerns that Linux and other operating systems would be locked out proved unfounded.

This time, however, they're not.

At its WinHEC hardware conference in Shenzhen, China, Microsoft talked about the hardware requirements for Windows 10. The precise final specs are not available yet, so all this is somewhat subject to change, but right now, Microsoft says that the switch to allow Secure Boot to be turned off is now optional. Hardware can be Designed for Windows 10 and can offer no way to opt out of the Secure Boot lock down.

The presentation is silent on whether OEMS can or should provide support for adding custom certificates.

The off switch, which was mandatory before, is now optional.
Enlarge / The off switch, which was mandatory before, is now optional.

Should this stand, we can envisage OEMs building machines that will offer no easy way to boot self-built operating systems, or indeed, any operating system that doesn't have appropriate digital signatures. This doesn't cut out Linux entirely—there have been some collaborations to provide Linux boot software with the "right" set of signatures, and these should continue to work—but it will make it a lot less easy.

We've asked Microsoft if the slides are accurate and OEMs will indeed be able to build machines that essentially lock out other operating systems, especially in light of the visceral reaction to the original Secure Boot requirement. We're still awaiting a reply.

Channel Ars Technica