If this wasn’t so sad, it would be funny. After Microsoft recently declared victory over Linux, it turns out that Microsoft appears to still be trying to arrange it so that Linux won’t even boot on the next generation of PCs that come with Windows 8. Yeah, Linux isn’t on your enemy list anymore, right, Microsoft? Sure.
Matthew Garrett, a Red Hat engineer, gets the credit for spotting Microsoft’s latest anti-Linux move. In a blog posting, Garrett explains that Windows 8 logo guidelines require that systems have Unified Extensible Firmware Interface (UEFI) secure boot enabled. This, in turn, would block Linux, or any other operating system, from booting on it.
There’s nothing in UEFI that’s wrong. Indeed there’s a lot of good in UEFI. It’s a 21st century replacement for your PC’s basic input/output system (BIOS). Its job is to initialize your hardware and then hand control over to the operating system.
UEFI secure boot protocol is part of recent UEFI specification releases. It permits one or more signing keys to be installed into a system firmware. Once enabled, secure boot prevents executables or drivers from being loaded unless they’re signed by one of these keys. Another set of keys (Pkek) permits communication between an OS and the firmware. An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist. Alternatively, it may add keys to a blacklist. Binaries signed with a blacklisted key will not load.
There is no centralized signing authority for these UEFI keys. If a vendor key is installed on a machine, the only way to get code signed with that key is to get the vendor to perform the signing. A machine may have several keys installed, but if you are unable to get any of them to sign your binary then it won’t be installable.
This impacts both software and hardware vendors. An OS vendor cannot boot their software on a system unless it’s signed with a key that’s included in the system firmware. A hardware vendor cannot run their hardware inside the EFI environment unless their drivers are signed with a key that’s included in the system firmware. If you install a new graphics card that either has unsigned drivers, or drivers that are signed with a key that’s not in your system firmware, you’ll get no graphics support in the firmware.
Microsoft requires (PowerPoint Link) that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.
To sum up: “a system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux.”
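To see which of these states a given machine is actually in, the firmware's own variables can be read from a running Linux system. The sketch below is an added example, not code from this article or from Garrett's post; it assumes Linux with efivarfs mounted at /sys/firmware/efi/efivars, and the state labels it returns are this example's own names.

```python
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumed efivarfs mount point


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """Split an efivarfs file into (attributes, data).

    efivarfs prefixes each variable with a 4-byte little-endian attribute mask.
    """
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def read_flag(name: str, root: Path = EFIVARS):
    """Return a one-byte boolean variable as True/False, or None if absent."""
    path = root / f"{name}-{EFI_GLOBAL}"
    try:
        _, data = parse_efivar(path.read_bytes())
    except FileNotFoundError:
        return None
    if len(data) != 1:
        raise ValueError(f"{name}: expected 1 data byte, got {len(data)}")
    return data[0] == 1


def secure_boot_state(root: Path = EFIVARS) -> str:
    """Classify the firmware state from the SecureBoot and SetupMode variables."""
    if not root.is_dir():
        return "no-uefi"            # legacy BIOS boot, or efivarfs not mounted
    secure, setup = read_flag("SecureBoot", root), read_flag("SetupMode", root)
    if secure is None:
        return "unsupported"        # firmware does not expose SecureBoot
    if secure:
        return "enforcing"          # only binaries signed by an enrolled key load
    # SetupMode=1 means no platform key is enrolled, so keys can still be installed.
    return "setup-mode" if setup else "disabled"


if __name__ == "__main__":
    print(secure_boot_state())
```

A result of "enforcing" on a machine that carries only OEM and Microsoft keys is the situation described above, where an unsigned bootloader will be refused.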
What does Microsoft have to say about the subject? ZDNet’s own Mary Jo Foley asked them and they’ve got nothing to say about UEFI, Linux and Windows 8. That’s reassuring.
Personally, I don’t think it’s going to happen. I think Microsoft is going to have its hands full getting hardware vendors to buy into Windows 8 in the first place, never mind trying to shove a signed UEFI secure boot protocol down their throats as well. The OEMs know darn well that while not that many companies will switch out Windows for Linux, a lot of them will switch out Windows 8 for Windows 7 or even XP. Will Dell, Lenovo, et al. really want to tick off their corporate customers by locking them into Windows 8? I don’t think so.
In short, this is 2011, not 1998. Microsoft doesn’t get to call the shots to the OEMs anymore. If the OEMs and customers want freedom of operating system choice on their hardware (and they will), Microsoft can’t force Windows 8 on them.