FSF Campaigns Against Windows 8's Secure Boot

By design, the feature is intended to keep unwanted and potentially malicious software off a system by preventing unauthorized binaries from loading during the boot process. However, the FSF believes that this technology could be abused to prevent users from loading certain free software.

"We are concerned that Microsoft and hardware manufacturers will implement these boot restrictions in a way that will prevent users from booting anything other than Windows," wrote Matt Lee in a post on the FSF website. "In this case, a better name for the technology might be Restricted Boot, since such a requirement would be a disastrous restriction on computer users and not a security feature at all."

Lee suggests that users should retain the ability to decide whether to enable or disable boot restrictions, and that there should be a way for users to install a free OS.

"Computer owners must not be required to seek external authorization to exercise their freedoms," Lee wrote. If Windows 8 prevents users from installing a free OS, Lee believes the result may be "complicated and risky measures to circumvent the restrictions", and the "popular trend of reviving old hardware with GNU/Linux would come to an end."

It's a good idea to keep an eye on such new features, but I would think that it is rather unlikely that Microsoft will shut out other OSes from its Windows 8 platform. If Microsoft was almost broken up over the integration of IE in Windows, it's fairly easy to imagine the potential antitrust effects if it were to shut out other operating systems.

    Top Comments
  • There's an option in BIOS/UEFI to disable this, no? Maybe the main worry is that some manufacturers will take out that ability. Other than that... how is this more secure? I'm tempted to believe that this is like the key thing with Blu-Ray. It'll only be a matter of time before someone gets a valid key.
    15
  • Here are the facts:

    There is currently no way to prevent a rootkit from loading before an OS. Since Windows is the most popular OS, most rootkits are written to target it. Since a rootkit loads before the OS, it is free to modify OS files and is able to run in such a way as to remain undetectable.

    To remedy this, the new UEFI bios supports a secure certificate service. This service checks to ensure the OS boot files have not been tampered with before handing the system over to the boot loaders on the hard drive.

    Because the UEFI bios is able to step in before the OS/rootkits are loaded, it can securely ensure the OS has not been tampered with.

    The whole uproar is because Microsoft, as part of their logo requirements, is dictating that this feature be enabled by default on all PCs shipping with Windows 8.

    Since the motherboard manufacturers are responsible for the BIOS implementation, it is up to them as to whether to allow a BIOS setting that enables/disables the secure boot service.

    This is where the Linux folks and FSF take issue.

    The reality is that no motherboard manufacturer in their right mind would leave out the option to disable secure boot, as this would restrict the computer to Windows 8. No previous version of Windows, no versions of Linux... nothing else could be used on that computer. The customer outcry would be deafening. There is no incentive to leave this option out of the BIOS.

    I think the uproar is unwarranted for two reasons. One is that the market reality dictates that this should be a customer choice. The other reason is that if the open source movement were smart, they too would integrate secure boot into Linux, since any OS that doesn't support it is vulnerable to rootkits.
    12
  • Actually, there is a very simple solution for this. Add a physical jumper on the motherboard. If the connection is made, then it runs secure boot, if the connection is not made it boots like any current PC. Since it is a physical switch it wouldn't be susceptible to malicious attacks.
    10
    Other Comments
  • For fear of antitrust Microsoft might be shamed out of this but I could see Apple using this.
    7
  • spiketheaardvark: For fear of antitrust Microsoft might be shamed out of this but I could see Apple using this.

    Apple does this already. It's a combination of requiring UEFI (which most PCs don't have) and Intel's TPM chip. I think.
    9