Microsoft addresses Windows 8 secure boot issue

Microsoft is trying to shed light on the new secure boot process in Windows 8 to address concerns from people who may want to dual-boot a non-Windows OS, such as Linux.

In an update posted Thursday to the Building Windows 8 blog , Tony Mangefeste, a member of Microsoft's Ecosystem team, discussed how secure boot attempts to protect the PC against boot loader attacks, which can compromise a system before the OS even loads.

Secure boot is actually a feature of Unified Extensible Firmware Interface (UEFI), a new type of boot environment that has gradually been replacing the standard BIOS process. As Mangefeste explained, Windows 8 taps into UEFI's secure boot to ensure that the pre-OS environment is safe and secure.

Related stories:
• Getting a Windows PC to boot in under 10 seconds
• How Microsoft sped up the Windows 8 boot process
• Windows 8 to offer built-in malware protection

The concern raised by some--in particular, Matthew Garrett, a Linux developer at Red Hat--is that the security certificates used by Microsoft to authenticate the boot environment will support only a Microsoft operating system.

"A system that ships with only OEM [original equipment manufacturer] and Microsoft keys will not boot a generic copy of Linux," Garrett said in a blog posted Tuesday.

The problem may also stretch beyond just the OS, according to Garrett. Since any hardware in the PC also needs to be authenticated, installing new components in a Windows 8 PC may pose a challenge.

"A hardware vendor cannot run their hardware inside the EFI environment unless their drivers are signed with a key that's included in the system firmware," wrote Garrett. "If you install a new graphics card that either has unsigned drivers, or drivers that are signed with a key that's not in your system firmware, you'll get no graphics support in the firmware."

In his blog, Mangefeste countered such a position by saying that PC makers will have the option of giving customers the ability to disable secure boot and manage the security certificates if they wish to run other systems or potentially change the hardware.

"Microsoft supports OEMs having the flexibility to decide who manages security certificates and how to allow customers to import and manage those certificates, and manage secure boot," wrote Mangefeste. "We believe it is important to support this flexibility to the OEMs and to allow our customers to decide how they want to manage their systems."

Specifically, hardware makers would be able to customize how users can manage the security certificates and policies. Mangefeste also pointed out that people who want to run "older operating systems" would then have the flexibility to disable secure boot or otherwise modify the certificates if they chose to do so.

However, the blog did state that "Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows," which again goes back to the issue of dual-booting an OS such as Linux.

Microsoft's blog prompted a response from Garrett, who labeled the company's explanation as "factually accurate" but "misleading." Since Microsoft is working with the OEMs, the company can require that PCs include the necessary security certificates for Windows, something that other OS vendors, such as Red Hat, cannot do. As a result, the user would not be able to run a secure boot on a non-Microsoft operating system, argued Garrett.

"The truth is that Microsoft's move removes control from the end user and places it in the hands of Microsoft and the hardware vendors," Garrett wrote. "The truth is that it makes it more difficult to run anything other than Windows. The truth is that UEFI secure boot is a valuable and worthwhile feature that Microsoft are misusing to gain tighter control over the market."

Responding to a request for comment, Microsoft told CNET that it doesn't have any additional details to share at this time beyond what's included in the blog post.