Linux and Windows 8

It looks like a side effect, probably a desired one, of Windows 8′s new “secure booting” feature will be preventing users from installing Linux on their machines. This means that to get a “Windows 8 Compatible” sticker, a device will have to block Linux from booting and even if that can be solved, a dual boot setup will never be possible.

Red Hat’s Matthew Garrett was one of the first to notice that according to the new logo rules, all Windows 8 machines will need to be have the Unified Extensible Firmware Interface (UEFI) instead of the venerable BIOS firmware layer. BIOS has been pretty much the sole firmware interface for PCs for a long time. EFI, and the later UEFI specification, is not the problem for Linux. The problem is Microsoft’s other requirement for any Windows 8-certified client: the system must support secure booting. This hardened boot means that “all firmware and software in the boot process must be signed by a trusted Certificate Authority (CA),” according to slides from a recent presentation on the UEFI boot process made by Arie van der Hoeven, Microsoft Principal Lead Program Manager.

The slides, posted on Garrett’s in a blog Tuesday afternoon, reveal Microsoft’s plan to lock down the boot process, which Microsoft rightly points out has become a high-value target vector for injecting malware onto Windows PCs. To combat this, Microsoft is requiring all Windows 8 devices to have a hardened boot. Right now, even though there are EFI-ready Linux bootloaders and distros available, none of them are signed, Garrett reminded me. It’s not just a matter of replacing the UEFI system on the device with other, unencrypted, firmware. If all parts of the chain need to have a CA signature, then swapping out a machine’s signed EFI layer with, say, an unsigned BIOS or EFI would not work.

Garrett, for his part, is not panicking about the new requirement. He’s hopeful that OEMs will be able to include an option in their UEFI firmware to disable the secure booting feature. Even if that is allowed by Microsoft, one thing is clear: dual-booting systems will be out of the picture if Windows 8 boots always require a hardened boot environment. It may very well be that once you turn off secure boot (if you can), you won’t be able to run Windows 8 again on that machine, until you re-secure the boot process.

Even if Microsoft isn’t able to totally block Linux from the marketplace, at the very least, they will cripple the ability to dual boot on systems and I’m sure they’ll use this as a reason to start another “Linux is just too insecure” FUD campaign. The first voices are already calling for the EU to investigate these new requirements as anti-trust violations, not entirely unjustified, I might add.

Comment via this conversation.

Back to Microsoft Documentation Forum


Add a New Comment