Microsoft tightens Windows 10's Secure Boot screws: Where does that leave Linux?

Secure Boot could lock down Windows 10 PCs to Microsoft operating systems alone. Or not. Chris Hoffman digs in.

The news sounds ominous for open-source aficionados: Windows 10 PCs are going to be locked down even tighter than ever before.

Manufacturers will be able to enable UEFI Secure Boot without giving you a manual kill switch, as they have to do with Windows 8 systems. If that happens, you'll only be able to boot Microsoft-approved operating systems on these locked-down PCs. Microsoft is turning the Secure Boot screws tighter, and Linux users are right to be concerned -- but the issue is more complicated (and probably less disastrous) than it seems at first blush.

Secure Boot 101

First, let's back up a little bit and look at Secure Boot and how it functioned in Windows 8.

When you boot a new Windows 8 PC, the Secure Boot feature in the UEFI firmware checks the operating system loader and its drivers to ensure they're signed by an approved digital signature. On Windows PCs, the UEFI Secure Boot feature generally checks to see if the low level software is signed by Microsoft or the computer's manufacturer. This prevents low-level malware like rootkits from interfering with the boot process.

But the same feature that blocks rootkits will also block other software, like Linux boot loaders. And, in fact, on Windows RT devices like the original Surface and Surface 2, Secure Boot was locked down tight to only allow Windows RT to boot.

The Linux community was understandably up in arms about this, and Microsoft tossed it a bone. As part of the certification process that allowed manufacturers to pre-install Windows and put little Windows logos on new PCs, Microsoft forced hardware makers to give users a way to disable Secure Boot and add their own signing keys on Windows 8 PCs. So you could always disable Secure Boot and still install any Linux distribution you liked. Or you could tweak Secure Boot and only allow operating systems signed with your own personal signing key to boot.

Windows 10 gives manufacturers an option

Windows 10 makes the user-configuration toggle optional. On a PC, Microsoft allows manufacturers to choose whether or not a user can disable Secure Boot. That's the information that Ars Technica noticed in a slide presented at Microsoft's WinHEC conference.

In other words, it's up to every manufacturer to include the toggle or not. Theoretically, this provides some choice -- you can choose to buy a computer without a toggle in the UEFI firmware, locking it to only boot Windows and other approved OSes. If someone gets their hands on your PC, they can't boot into UEFI and disable or try to install their key. And, if you want the ability to disable Secure Boot and install whatever operating system you want, you can just buy a PC with such a toggle.

In practice, this will probably end up harder than it looks, as one recent example drives home. The firmware-checking feature in Intel processors allows manufacturers to choose whether or not to lock CPUs down to run manufacturer-provided firmware alone. And every single hardware maker chose to lock it up tight until the free- and open-obsessed Purism recently realized that manufacturers could choose to disable the feature. There is no way to get your hands on a PC that doesn't require proprietary firmware beyond having a boutique manufacturer like Purism build it.

There's much more demand for Linux than free and open source processor firmware, so it probably won't be quite as hard to find Windows 10 PCs with the option to disable Secure Boot intact -- but still. It's possible that standard laptops will be locked down tight, keeping Secure Boot enabled and not allowing you to install your own key. If you want fancy Secure Boot toggles, you may have to purchase a more expensive notebook like Dell's "Developer Edition" line of Linux laptops. Businesses that would like such a feature may need to choose expensive business laptops. Forget just grabbing any old PC off the shelf and trying to install Linux.

But perhaps Linux will be fine!

In this future, the worst-case scenario means you'll need to hunt down special PCs designed for Linux -- ones that will likely be more expensive. Say goodbye to running Linux on all those PCs that came with Windows, just as you can't install Linux on an iPad today. Linux PCs will exist, but they'll be specialty, expensive bits of kit.

But is that bleak future really so possible? We're leaving out a big piece of the puzzle here. Modern versions of some Linux distributions, including Ubuntu and Fedora, will install just fine on a Windows PC that has Secure Boot enabled. Microsoft actually signs Canonical's Ubuntu boot loader and Fedora's boot loader with a Microsoft corporation key.

The rise of mandatory, locked Secure Boot could create a problem for smaller Linux distributions or custom Linux systems -- but the Linux Foundation Secure Boot System is a generic loader signed by Microsoft that should allow any Linux system to boot on PCs with Secure Boot enabled.

So, perhaps this isn't a big problem. Perhaps so many of the kinks have been worked out that Microsoft can now start tightening the Secure Boot screws without locking out Linux at all. Perhaps everyone wins!

Want to stay up to date on Linux, BSD, Chrome OS, and the rest of the World Beyond Windows? Bookmark the World Beyond Windows column page or follow our RSS feed.

Even so, it's impossible to peer into the future at this point. Will Microsoft really continue signing these Linux loaders and allowing them to function in Secure Boot mode in the future, or will they eventually stop doing that, too? If "for security reasons" is a good enough reason to block Linux from installing on a Windows RT device or Windows 10 phone, perhaps that logic will be extended to full Windows PCs in the future.

We'll have to wait and see. But there's no reason to pick up your pitchforks and torches quite yet.

Join the CSO newsletter!

Error: Please check your email address.

Tags LinuxMicrosoftsecurityWindows 10softwareoperating systems

More about DellFedoraIntelLinuxMicrosoftModernUbuntu

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Chris Hoffman

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place