Some W8 PCs won't turn off secure boot, Red Hat warns

Red Hat warns that some Windows 8 PCs will offer no way to turn off secure boot and let users load their own operating systems and drivers

Last week, I alerted readers how Microsoft was requiring OEMs to implement, by default, UEFI secure boot on new Windows 8 machines. The Linux community had been worried for months that secure boot could lock Linux off PC hardware and when Microsoft announced that secure boot would be required by all new Windows 8 hardware the red flags flew. Late last week, Microsoft responded to these concerns in a blog post by declaring how much more security secure boot provides and then saying that it would be up to the OEMs in how to best implement it.

Windows 8 on ARM tablet

In my opinion, the situation is still in wait-and-see mode. Will OEMs be given the freedom to make secure boot an option -- and still qualify for the Windows 8 logo? On the positive side, the firestorm created by the news reports caused Microsoft to kinda-sorta publicly declare a softer position. Microsoft points out that the Samsung Windows 8 developer tablet it gave away to BUID attendees included an option to turn off secure boot. Of course, giving developers this option in a specially crafted tablet designed to encourage them to develop for Windows 8 makes a lot of sense. You don't want developers to be locked out of loading drivers onto the tablet as they develop the Windows 8 software. And if they can't turn secure boot off, then the keys would have to be somehow distributed and managed, the classic PKI system dilemma.

But the issue was never that OEMs didn't have the technical ability to allow uses to turn off secure boot. The issue was the Microsoft was telling OEMs at its BUILD conference that if they didn't design their systems to use secure boot by default, those systems wouldn't qualify for the Windows 8 logo program and all the benefits it confers on them.

It wasn't clear -- and still isn't -- what Microsoft meant by that. And it wasn't clear, and still isn't, if OEMs will be distributing the necessary keys to users so that they can use secure boot, and still load drivers and/or operating systems of their own choosing onto Windows 8 hardware. It wasn't clear, and still isn't, how many OEMs will not offer an easy way to disable secure boot, and to include only Microsoft's key, disallowing operating system other than Windows from being loaded onto the machine at all.

Last week, Microsoft implied that the answer was no: Windows-8-logo-qualified OEMs could add an off switch to secure boot without penalty. But the company never came straight out and said so. The post, written by Steven Sinofsky said:

"At the end of the day, the customer is in control of their PC. Microsoft’s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility. The security that UEFI has to offer with secure boot means that most customers will have their systems protected against boot loader attacks. For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision. .... However, doing so comes at your own risk. OEMs are free to choose how to enable this support and can further customize the parameters as described above in an effort to deliver unique value propositions to their customers."

In the meantime ... no Linux distros currently support secure boot, but Red Hat's Matthew Garrett says that this isn't a problem yet, because no 1) no hardware out there yet supports it either and 2) its only about a week's worth of work to add it.

Garrett insists that the first round of Windows 8 PCs will be "buyer beware." While Microsoft requires that secure boot be enabled, it is not requiring OEMs to include an a method to disable it, he notes. And Red Hat has already heard from some OEMs that no option to disable will be available in their Windows 8 PCs, he says.

Users who buy systems that ship with no way to turn secure boot off, and only Microsoft's key installed, will not be able to load Linux or any other non-Microsoft operating system. Users who buy systems that allow secure boot to be disabled, but only Microsoft's key installed, will have to give up the rootkit protection secure boot offers if they want to run unsigned operating systems or drivers.

Again, enterprise IT professionals should let their OEMs know that they want the choice and control in their own hands, and not in the operating system vendor's. You shouldn't have to give up the benefits of secure boot to have authority over your own fleet of PCs.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2011 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)