Microsoft tightens Windows 10's Secure Boot screws: Where does that leave Linux?

[Image: angry Linux. Credit: Sunny Ripert]

The news sounds ominous for open-source aficionados: Windows 10 PCs are going to be locked down even tighter than ever before.

Manufacturers will be able to enable UEFI Secure Boot without giving you a manual kill switch, as they have to do with Windows 8 systems. If that happens, you’ll only be able to boot Microsoft-approved operating systems on these locked-down PCs. Microsoft is turning the Secure Boot screws tighter, and Linux users are right to be concerned—but the issue is more complicated (and probably less disastrous) than it seems at first blush.

Secure Boot 101

First, let’s back up a little bit and look at Secure Boot and how it functioned in Windows 8.

When you boot a new Windows 8 PC, the Secure Boot feature in the UEFI firmware checks the operating system loader and its drivers to ensure they carry an approved digital signature. On Windows PCs, the UEFI Secure Boot feature generally checks to see if the low-level software is signed by Microsoft or the computer’s manufacturer. This prevents low-level malware like rootkits from interfering with the boot process.

But the same feature that blocks rootkits will also block other software, like Linux boot loaders. And, in fact, on Windows RT devices like the original Surface and Surface 2, Secure Boot was locked down tight to only allow Windows RT to boot.

The Linux community was understandably up in arms about this, and Microsoft tossed it a bone. As part of the certification process that allowed manufacturers to pre-install Windows and put little Windows logos on new PCs, Microsoft forced hardware makers to give users a way to disable Secure Boot and add their own signing keys on Windows 8 PCs. So you could always disable Secure Boot and still install any Linux distribution you liked. Or you could tweak Secure Boot and only allow operating systems signed with your own personal signing key to boot.
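To see which of these states a given machine is in, a Linux system booted in UEFI mode exposes the firmware's `SecureBoot` and `SetupMode` variables through efivarfs. The following is an added example, not part of the original article; it assumes the standard efivarfs mount at `/sys/firmware/efi/efivars` and the UEFI global-variable GUID, and the function names are illustrative.

```python
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumed standard mount point


def parse_efivar(raw: bytes):
    """Split an efivarfs file into (attributes, data).

    efivarfs prefixes each variable with a 4-byte little-endian
    attribute mask; the variable's value follows it.
    """
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its 4-byte header")
    (attrs,) = struct.unpack_from("<I", raw)
    return attrs, raw[4:]


def read_flag(name, root=EFIVARS):
    """Return a one-byte boolean variable as 0/1, or None if unavailable."""
    try:
        _, data = parse_efivar((root / f"{name}-{EFI_GLOBAL}").read_bytes())
    except (OSError, ValueError):
        return None  # legacy BIOS boot, missing variable, or unreadable file
    return data[0] if len(data) == 1 else None


def describe(secure_boot, setup_mode):
    """Map the two firmware flags to the states the article describes."""
    if secure_boot is None:
        return "unknown: legacy BIOS boot or no Secure Boot variables"
    if secure_boot == 1:
        return "enforcing: only loaders signed by an enrolled key will boot"
    if setup_mode == 1:
        return "off, setup mode: no platform key enrolled, keys can be enrolled"
    return "off, user mode: keys are enrolled but signature checks are disabled"


if __name__ == "__main__":
    print(describe(read_flag("SecureBoot"), read_flag("SetupMode")))
```

These variables report the current state only; whether the firmware setup menu offers a toggle to change it is not visible from the operating system.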

Windows 10 gives manufacturers an option

Windows 10 makes the user-configuration toggle optional. On a PC, Microsoft allows manufacturers to choose whether or not a user can disable Secure Boot. That’s the information that Ars Technica noticed in a slide presented at Microsoft’s WinHEC conference.

[Image: UEFI Secure Boot slide for Windows 10. Credit: Microsoft via Ars Technica]

In other words, it’s up to every manufacturer to include the toggle or not. Theoretically, this provides some choice—you can choose to buy a computer without a toggle in the UEFI firmware, locking it to only boot Windows and other approved OSes. If someone gets their hands on your PC, they can’t boot into UEFI and disable or try to install their key. And, if you want the ability to disable Secure Boot and install whatever operating system you want, you can just buy a PC with such a toggle.

In practice, this will probably end up harder than it looks, as one recent example drives home. The firmware-checking feature in Intel processors allows manufacturers to choose whether or not to lock CPUs down to run manufacturer-provided firmware alone. And every single hardware maker chose to lock it up tight until the free- and open-obsessed Purism recently realized that manufacturers could choose to disable the feature. There is no way to get your hands on a PC that doesn’t require proprietary firmware beyond having a boutique manufacturer like Purism build it.

[Image: Librem laptop, opened, front view. Caption: All modern Intel-powered PCs required the use of proprietary firmware, until Purism realized manufacturers had the option to disable it.]

There’s much more demand for Linux than free and open source processor firmware, so it probably won’t be quite as hard to find Windows 10 PCs with the option to disable Secure Boot intact—but still. It’s possible that standard laptops will be locked down tight, keeping Secure Boot enabled and not allowing you to install your own key. If you want fancy Secure Boot toggles, you may have to purchase a more expensive notebook like Dell’s “Developer Edition” line of Linux laptops. Businesses that would like such a feature may need to choose expensive business laptops. Forget just grabbing any old PC off the shelf and trying to install Linux.

But perhaps Linux will be fine!

In this future, the worst-case scenario means you’ll need to hunt down special PCs designed for Linux—ones that will likely be more expensive. Say goodbye to running Linux on all those PCs that came with Windows, just as you can’t install Linux on an iPad today. Linux PCs will exist, but they’ll be specialty, expensive bits of kit.

But is that bleak future really so possible? We’re leaving out a big piece of the puzzle here. Modern versions of some Linux distributions, including Ubuntu and Fedora, will install just fine on a Windows PC that has Secure Boot enabled. Microsoft actually signs Canonical’s Ubuntu boot loader and Fedora’s boot loader with a Microsoft corporation key.

The rise of mandatory, locked Secure Boot could create a problem for smaller Linux distributions or custom Linux systems—but the Linux Foundation Secure Boot System is a generic loader signed by Microsoft that should allow any Linux system to boot on PCs with Secure Boot enabled.

So, perhaps this isn’t a big problem. Perhaps so many of the kinks have been worked out that Microsoft can now start tightening the Secure Boot screws without locking out Linux at all. Perhaps everyone wins!

Even so, it’s impossible to peer into the future at this point. Will Microsoft really continue signing these Linux loaders and allowing them to function in Secure Boot mode in the future, or will they eventually stop doing that, too? If “for security reasons” is a good enough reason to block Linux from installing on a Windows RT device or Windows 10 phone, perhaps that logic will be extended to full Windows PCs in the future.

We’ll have to wait and see. But there’s no reason to pick up your pitchforks and torches quite yet.
