UEFI Secure Boot

Originally Windows 8 required machines to support a feature called UEFI Secure Boot. This UEFI Secure Boot protected against malware that would interfere with the boot process that would inject itself into the operating system at a low level.

When Secure Boot was enabled, the core components used to boot the machine must have correct cryptographic signatures, and the UEFI firmware would verify this before it would let the machine start. If any files had been tampered with, breaking their signature, the system wouldn’t boot.

The UEFI is a good security feature, but would create complications for alternative operating systems: if, you prefer compiling your own operating system, your boot files won’t include a signature that Secure Boot will recognize and authorize, and so you won’t be able to boot your PC.

Microsoft’s rules for designed for Windows 8 logo included a solution to the problem this would cause: Microsoft mandated that every system would have a user-accessible switch to turn UEFI Secure Boot off, allowing computers to be compatible with other operating systems.

Microsoft’s rules for UEFI also allowed users to be able to add their own signatures and cryptographic certificates into the firmware, so that they could still have the protection that UEFI Secure Boot provides, while still having the freedom to compile their own software.

This time, however, Microsoft is changing the rules for UEFI.

Microsoft says that the switch to allow UEFI Secure Boot to be turned off is now optional for them. This would allow OEM Hardware to be Designed for Windows 10 (and only Windows 10) and offer no way for the user to opt out of the UEFI Secure Boot lock down. There is no word on whether OEMS can or should provide support for adding custom certificates.

If Microsoft gets its way, OEMs building machines will offer no easy way to boot self-built operating systems, or any operating system that doesn’t have appropriate digital signatures. This may not cut out Linux entirely since there have been some collaborations to provide Linux boot software with the “right” set of signatures, and these should continue to work—but it will make it a lot more complicated than before.

This is will make the PC less flexible when installing other operating systems and certainly start the process to lock it down for proprietary use.