21 stories
today

Microsoft explains Windows 8’s secure boot

Recent reports are suggesting that Microsoft has been shutting the door on those wishing to dual boot Linux on Windows 8 PCs. Now, Microsoft offers an explanation that denies these claims. Instead, Microsoft is simply focused on improving the security of the operating system during its pre-OS stage and giving the end user full control.

“There have been some comments about how Microsoft implemented secure boot and unfortunately these seemed to synthesize scenarios that are not the case so we are going to use this post as a chance to further describe how UEFI[Unified Extensible Firmware Interface] enables secure boot and the options available to PC manufacturers. The most important thing to understand is that we are introducing capabilities that provide a no-compromise approach to security to customers that seek this out while at the same time full and complete control over the PC continues to be available,” Micosoft explains.

Here is how Microsoft plans on protecting the pre-operating system environment using the Unified Extensible Firmware Interface:

  • UEFI allows firmware to implement a security policy
  • Secure boot is a UEFI protocol not a Windows 8 feature
  • UEFI secure boot is part of Windows 8 secured boot architecture
  • Windows 8 utilizes secure boot to ensure that the pre-OS environment is secure
  • Secure boot doesn’t “lock out” operating system loaders, but is a policy that allows firmware to validate authenticity of components
  • OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform
  • Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows

“In most PCs today, the pre-operating system environment is vulnerable to attacks by redirecting the boot loader handoff to possible malicious loaders. These loaders would remain undetected to operating system security measures and antimalware software. Windows 8 addresses this vulnerability with UEFI secure boot, and using policy present in firmware along with certificates to ensure that only properly signed and authenticated components are allowed to execute.” Microsoft states.

So what is the bottom line here? According to Microsoft, the user is in control of their PC. “At the end of the day, the customer is in control of their PC. Microsoft’s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility. The security that UEFI has to offer with secure boot means that most customers will have their systems protected against boot loader attacks. For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision.”

As far as compatibaility with other operating systems like Linux? “Of course Windows is usable without secure boot — just like the post stated :-) How secure boot works with any other operating systems is obviously a question for those OS products :-) We focus our boot loader on Windows and there are a number of alternatives for people who wish to have other sets of functionality,” Steven Sinofsky stated.

Further reading: ,