Red Hat employee claims Windows 8 may lock out Linux from OEM machines

By Tom Warren, on 22nd Sep 11 10:35 am with 20 Comments

A Red Hat employee has gone on record to speculate that OEM machines that ship with copies of Windows 8 may lock out support for Linux installations.

The claims focus on the new UEFI secure boot protocol that is part of a new wave of system firmware Microsoft plans to support in Windows 8. Matthew Garrett, a power management and mobile Linux developer at Red Hat, revealed his concerns in a blog post earlier this week. “Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled,” says Garrett.

The Secure Boot technology means that OEMs must ship their systems with UEFI keys that will allow the installation and boot of Windows 8. Garrett explains that there are two ways OEMs and Microsoft could approach this: Windows could be signed with a Microsoft key, with the public part of that key shipping on all systems, or each OEM could include its own key and sign the pre-installed version of Windows 8. “The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware,” notes Garrett. It would also make it impossible to install future versions of Windows unless an OEM provided a new signed copy.

The approach would also mean that systems that ship with just OEM and Microsoft keys could not boot a standard copy of Linux. ZDNet’s Mary Jo Foley noticed that Microsoft revealed in a BUILD session on UEFI that the following requirements must be met for Windows 8:

  • All firmware and software in the boot process must be signed by a trusted Certificate Authority (CA)
  • Required for Windows 8 client
  • Does not require a Trusted Platform Module (TPM)
  • Reduces the likelihood of bootkits, rootkits and ransomware

Microsoft's Windows 8 Secure Boot requirements

Garrett does note that Red Hat and others could provide signed versions of Linux but that this approach poses several problems. He explains that Linux distributions would need a non-GPL bootloader which differs throughout GPLv3 and v2 requirements. “Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical,” he explains. The last hurdle is that Red Hat and other companies would have to get their keys included by every OEM.

The other option is for OEMs to allow end users to disable the feature. “There’s no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code,” notes Garrett. Despite this being an option for OEMs, it’s possible that some will offer the ability to disable the feature whilst others will not. Microsoft’s Samsung Windows 8 developer tablet includes the option to disable Secure Boot, a good indication of Samsung’s plans for the feature. Microsoft has refused to comment on the situation.
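Whether Secure Boot is actually enforced on a given machine can be checked from Linux by reading the firmware's `SecureBoot` and `SetupMode` variables through efivarfs. The following is an added example, not part of the original article; it assumes the standard efivarfs mount point, and the state labels and the `write_sample` helper are invented for illustration.

```python
import os
import struct

# GUID of the EFI global variable namespace (UEFI specification).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"  # standard Linux efivarfs mount point


def read_efi_byte(name, efivars_dir=EFIVARS_DIR):
    """Return the one-byte value of an EFI global variable, or None if absent."""
    path = os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL_GUID}")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except FileNotFoundError:
        return None
    # efivarfs prefixes the data with a 4-byte little-endian attribute mask.
    if len(raw) != 5:
        raise ValueError(f"{name}: expected 4 attribute bytes + 1 data byte")
    _attributes, value = struct.unpack("<IB", raw)
    return value


def secure_boot_state(efivars_dir=EFIVARS_DIR):
    """Classify the machine; the label strings are this example's own."""
    if not os.path.isdir(efivars_dir):
        return "no-uefi"      # booted via legacy BIOS, or no efivarfs support
    secure_boot = read_efi_byte("SecureBoot", efivars_dir)
    if secure_boot is None:
        return "unknown"      # firmware without Secure Boot, or efivarfs not mounted
    if read_efi_byte("SetupMode", efivars_dir) == 1:
        return "setup-mode"   # no platform key enrolled, signatures not enforced
    return "enforcing" if secure_boot == 1 else "disabled"


def write_sample(efivars_dir, name, value):
    """Write a constructed variable file (attributes 0x06 = boot + runtime access)."""
    path = os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL_GUID}")
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IB", 0x06, value))


if __name__ == "__main__":
    print(secure_boot_state())
```

A result of `enforcing` means the firmware will refuse boot code that is not signed by a key in its database; `disabled` corresponds to the firmware option Garrett describes for running unsigned code.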

  • Anonymous

    Looks to me like it’s more of a problem with the architecture of the Linux kernel than with Microsoft’s policy…

    • Yahoo

      read again

  • AoE

    I really don’t see this as a problem…

    For the majority of people, running Windows in a secure, stable and robust manner is far more important.

    If there are folks who want to dual boot then fine – don’t buy a “Windows PC”.

    Look at what Apple have done, they set up their Macintosh computers to run OS-X in a secure, stable and robust manner – if you want to circumvent things then you need a degree in astrophysics (or just determination) to do so – then they call it Hackintosh. (kind of thing).

    Perhaps Microsoft need to come up with a brand along the lines of Macintosh – “Windows Logo Certified” kind of thing isn’t really any good, but, it’s a name people can associate with it being a decent Windows PC (if you want something that’s not Windows only then get a generic version).

    • Grannyville7989

      I think I heard something about Microsoft doing “Signature Edition” PCs that sort of fits your description of a “Windows Logo Certified” PC.

    • Tom

      Signature PCs have been available since 2008. Have you bought one?  Has anyone?

      The right way to go is for EVERY Windows PC to be a Signature PC.  No craplets.  Decent drivers.  Non-annoying anti-virus (the new Windows Defender).  One consistent user experience.

  • http://twitter.com/DavidElroyGreen Antonio Raga

    I don’t see what’s the problem with this.
    Can I install in dual boot Linux on an iPad? So, why is this a relevant matter only on Windows PCs?

    • Guest

      Antitrust, for one.

    • Guest

      Then it’s up to the OEMs to offer their systems with Linux.

      It’s like microsoft going out of their way to make sure I can install Android on my HD7

  • http://twitter.com/Paul_IRL1 Paul Hill

    I see a problem, especially if all PC’s get made like this. EU lawsuit pending :P

    • AoE

      But, if there is a branding that’s “I’m a Windows PC” where would the problem be?  OEM’s can make “Windows PC’s” and “Multi-Platform PC’s”  If Apple can do it, then why can’t others?  If Red-Hat want computers to be able to run their OS, then as GroundPeak mentioned, make them hardware compatible or, ensure that hardware is available with specific systems.  (This won’t be financially viable as there is such low demand for it I’d punt)

    • http://www.facebook.com/people/Pedro-Roque/100000194503830 Pedro Roque

      And it will be a lawsuit against who? MS, or whoever is responsible for UEFI? It’s UEFI that prevents unsigned bootloaders, not Windows.

    • Guest

      Yeah, MS probably never considered that. Boy, aren’t you the smart one?

  • Anonymous

    Or, buy a microsoft device if you want windows and a linux device if you want redhat. Even better, buy a windows 8 device and use Hyper V.

  • Anonymous

    Linux advocates have always been complaining that Microsoft should improve Windows security. Be careful what you wish for ;)
    Seriously, OEMs aren’t dumb. If they see a demand for an optional secure boot feature, they’ll offer it. 

  • http://www.facebook.com/people/Pedro-Roque/100000194503830 Pedro Roque

    So, this guy claims Microsoft is responsible for a feature that’s actually implemented by the UEFI… makes total sense… or NOT!

  • Anonymous

    awww…. does this mean the year of linux will be delayed again?

  • GP007

    This is a non-issue. This redhat employee needs to learn more about UEFI. This has ZERO to do with Windows 8 and MS. The fact is, if UEFI's secure boot option is turned on then it will only boot code that is “trusted” and thus signed, the signed cert is something the OEM building the PC itself has to do and apply. Now, theoretically, if you try to boot something unsigned then it won’t, but hey, a linux distro can just get a signed cert that will run, problem solved.

    Again, this has ZERO to do with Windows itself. Windows 8 is just taking advantage of a built in security feature of UEFI which is good for everyone.

  • http://profiles.yahoo.com/u/6G3ZZJCHOLYP3S5CRCIHQ7WDSE MVIM

    I wish the media would stop portraying UEFI as if it is some Microsoft-proprietary invention to lock-out competition. The UEFI was established by a consortium of companies including Apple and Microsoft as a replacement for the IBM-compatible BIOS.

  • Anonymous

    this is utterly crap from a redneck monkey! jk xD

    really… if a HP or dell or asus or Lenovo, or gigabyte or whatever company makes or computer hardware or the ones that build them and then sells them, decides to use UEFI its not like you can blame Microsoft for it.

    when Microsoft released directx11 companies HAD to make new cards directx11 compatible?? NO! they made it because it was a good new thing that was released and would be used, not much but its used.

    so this is crap but those people… i like this part though “Linux distributions would need a non-GPL bootloader which differs throughout GPLv3 and v2 requirements”

    i wonder how many would want to install Linux though. not because Linux is bad but because if they see ” this computer has UEFI” and they are like “oh i want to install Linux along with windows 8″

    do you think Asus or Gigabyte or other companies will only release UEFI motherboards? no! just like they don’t with usb3, like they still release am2+ motherboards, like they release with crossfire or Sli.

    and its not like Microsoft wouldn’t let people without UEFI install Windows 8.

    its like if Asus decided to stop making motherboards with usb and only add thunderbolt ports… would it be Intel fault? no!
    that means people have to check what they are buying. and see if it fits their needs…

  • Anonymous

    I don’t see the issue!  Get your own stuff Linux.  Quit Piggy Backing off of MS.