Windows 8 “Secure Boot mode” locks Linux out of ARM tablets
Some time ago, it emerged that Windows 8 would support a new “Secure Boot” mode. In this mode, only operating systems with a cryptographic key signed and stored in the machine’s firmware would be bootable. Linux users and kernel hackers like my old pal Matthew Garrett feared this would lead to a wave of machines that Linux was not bootable on, as it’s unlikely to ever have a blessed boot key.
Ed Bott had stern words for these folk:
Microsoft has specified that this feature must be enabled by default for new systems that are sold with Windows 8 to qualify for logo support. OEM sales historically represent more than 90% of all Windows sales, making this a crucial requirement. If this feature has to be enabled manually by users, or if OEMs have the option to install Windows 8 with this feature turned off, the security feature is meaningless.
So the real question becomes this: Will PC makers make it possible for end users to toggle this option in the UEFI settings? And the answer is painfully obvious: Of course they will. They would be insane not to.
A non-trivial percentage of PC buyers will want to replace the installed operating system with either an older Windows version or an alternate operating system (like Linux). If they are unable to do so, they will call the manufacturer’s support line asking why this seemingly simple task cannot be accomplished
And Ed was right — Microsoft confirmed that it wasn’t going to force the issue, and it seems most or all OEMs will implement a disable switch for Secure Boot that the user can use at their discretion. Ed was also perfectly correct when he described the improved security that Secure Boot allows (read his post for a summary of these arguments).
However, it’s now emerged that Microsoft’s certification requirements for Windows 8 (via Aaron Williamson) say:
On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enabled. … Disabling Secure [Boot] MUST NOT be possible on ARM systems.
So companies designing systems with an ARM CPU — used in small, lightweight systems like tablets and smartphones — will not be able to be “Windows 8 certified” unless they require Secure Boot. Not being Windows certified is tantamount to commercial suicide, so it looks like Microsoft did indeed just lock some number of new machines down to boot Windows only. If you accept the argument that the iPad and its progeny are going to change the face of personal computing, the affected new machines are also the most interesting ones to run alternative OSs on. If you buy a tablet that runs Windows 8 but decide you’d prefer to run Android, you will be out of luck.
This is not good. Cory Doctorow (as is often the case) verges on the hysterical, but I think he’s on to something with his post “The Coming War on General Purpose Computing”. Computers are becoming more and more locked down. Consider two recent neologisms: “jailbreaking”, to mean “unlocking a device to run any application we want to install”, and “sideloading”, to mean “installing an app that didn’t come from the device vendor’s approved list”.
These were features that were taken so much for granted, were ingrained so deeply into our ideas of what a computer was, that we didn’t need words for them during the first 35 years of the personal computer revolution. Now we must invent words for them. As someone with a doctorate in computer science, and as a nerd with going on for three decades of enjoying computers and computing, I’m worried about this trend.