With the discussion of how Microsoft’s new UEFI secure boot would effect Linux and worries the researches buzzing on the internet, Building Windows 8 decided to settle this down with a post describing in detail how UEFI enables secure boot and the options available to PC manufactories.
In short, here are the highlights:
- UEFI allows firmware to implement a security policy
- Secure boot is a UEFI protocol not a Windows 8 feature
- UEFI secure boot is part of Windows 8 secured boot architecture
- Windows 8 utilizes secure boot to ensure that the pre-OS environment is secure
- Secure boot doesn’t “lock out” operating system loaders, but is is a policy that allows firmware to validate authenticity of components
- OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform
- Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows
To use secure boot, you need a firmware that meets or exceeds UEFI version 2.3.1. It would be transparent to the consumer. The whole benefit having this in place is to make sure the system has an added measure of reliability from bootkit and rootkit attacks that target system vulnerabilities before the operating system even loads.
However, despite all these advanced technology that enhances the security level on the new hardware,
At the end of the day, the customer is in control of their PC. Microsoft’s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility. The security that UEFI has to offer with secure boot means that most customers will have their systems protected against boot loader attacks. For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision.
As the screenshot below shows, the customer still has the control whether or not taking advantage of this enhanced. Though OEMs have the choice of how to enable this support, they shouldn’t leave them unchangeable.
It’s definitely a right and good move that shows how seriously Microsoft takes the security matter.