Microsoft announced a change to the UEFI Secure Boot standard in Windows 10 that has the Linux faithful upset that it might eliminate dual-booting and shut Linux out of their machines.
The change, announced at the revived WinHEC conference taking place in China, seemed innocuous enough. Windows 10 will ship with support for the UEFI Secure Boot standard, just as it did in Windows 8, but this time, the off switch is now optional instead of mandatory.
The fear is that OEMs will simply turn on UEFI Secure Boot and not give people the option to turn it off. Doing so would shut out any non-Windows 10 OS from booting.
For those of you still running XP, UEFI is the replacement to the ancient BIOS firmware. While the rest of the PC had steadily advanced since the original IBM PC in 1981, the BIOS never changed. It was a tiny, 1MB firmware written in Assembly language. UEFI, which had its roots in Itanium, eventually replaced BIOS in recent years, providing a far more advanced firmware for PCs.
Secure Boot was one of those advances. It's meant to protect PCs from specific malware that are loaded before the OS boot process has begun or from OSes that have been modified by malware. When Secure Boot is active, the UEFI checks the cryptographic signature of any program that it's told to load, including the OS bootloader.
So if it doesn't find an unmodified Windows 10 bootloader, it won't start the machine. When this was introduced with Windows 8, the Linux community complained that Secure Boot could be used as a way to shut out Linux on desktops. After all, Microsoft mandated that PCs with Secure Boot ship with it enabled.
Microsoft smoothed things over then by also mandating that all x86 systems ship with the ability to disable Secure Boot. It also partnered with VeriSign to create a method of signing third-party binaries for a $99 fee.
With Windows 10, the situation is changing. Ars Technica was the first to note that the option of enabling Secure Boot is now a must. This doesn't shut out Linux, but it does make things harder. Major Linux distros will likely have the VeriSign signature and won't be affected. Also, this will be more of an issue with brand-name PCS – in other words, HP, Dell, and Lenovo.
But if you are a home builder like me, it won't be a problem. Just hit the delete key on startup, go into UEFI, and shut off Secure Boot. Problem solved. I don't like to use broad brushes, but I suspect if you are smart enough to use Linux, you are smart enough to shut off Secure Boot in the UEFI.
Still, it's a PR hit for Microsoft, a company that has been earning a lot of goodwill lately.